
[Junos] Example - Configuring SNMPv3


Article ID: KB22048 KB Last Updated: 11 Jul 2020Version: 6.0
Summary:

In contrast to SNMPv1 and SNMPv2, SNMP version 3 (SNMPv3) supports authentication and privacy (encryption) for the communication between the SNMP server and the managed devices. SNMPv3 uses the User-Based Security Model (USM) for message security (encryption and authentication, if required). It also uses the View-Based Access Control Model (VACM) for access control, which determines what information from the managed devices specific users or groups of users can access. For more information regarding SNMPv3 support in the SRX, refer to SNMPv3 Overview.

This configuration example contains the SNMP related commands needed to read and write information to and from the Junos device via the SNMPv3 protocol. It does not include configuration related to SNMPv3 traps/notifications that are unsolicited messages sent from the Junos device to the SNMP server upon the occurrence of certain events.

In this article, four users will be created with the characteristics listed below. In addition, these users will be grouped and provided with full access to the Junos device's information.

  • User “NOAUTH” will use neither encryption nor authentication when polling information from the Junos device via SNMP.
  • User “AUTHNOPRIV” will use authentication but no encryption when polling information from the Junos device via SNMP.
  • User “AUTHPRIV” will use both authentication and encryption when polling information from the Junos device via SNMP.
  • User “NOSNMPV3” will be created for backward compatibility with the SNMPv2 protocol; because of this, it will only support authentication via a community string shared in clear text.
Note: The SNMPv3 configuration in this example also applies to other Junos devices; however, the configuration for the zones is only needed if the device is an SRX. For switches/routers, make sure that you have opened SNMP in the lo0 filter.
Solution:

Topology

Configuration

  1. Create users.

    set snmp v3 usm local-engine user NOAUTH authentication-none
    
    set snmp v3 usm local-engine user AUTHNOPRIV authentication-md5 authentication-password JTACTEST
    set snmp v3 usm local-engine user AUTHNOPRIV privacy-none
    
    set snmp v3 usm local-engine user AUTHPRIV authentication-md5 authentication-password JTACTEST
    set snmp v3 usm local-engine user AUTHPRIV privacy-des privacy-password JTACTEST
    

    Note: User “NOSNMPV3” is not an SNMPv3 user and will not use the USM security model; there is no need to create it under this hierarchy.


  2. Group all four users in a group named SNMPV3GROUP.

    set snmp v3 vacm security-to-group security-model v2c security-name NOSNMPV3 group SNMPV3GROUP
    set snmp v3 vacm security-to-group security-model usm security-name NOAUTH group SNMPV3GROUP
    set snmp v3 vacm security-to-group security-model usm security-name AUTHNOPRIV group SNMPV3GROUP
    set snmp v3 vacm security-to-group security-model usm security-name AUTHPRIV group SNMPV3GROUP
    Note: User “NOSNMPV3” is included in this group because it will share the same access privileges as the other users. However, its security model is v2c and not USM like the other users.

  3. Create an SNMP view that specifies that the users will be able to access all of the Junos device's OIDs. For more information about SNMP views, refer to Configuring MIB Views.

    set snmp view SNMPVIEW oid .1 include
     
  4. Specify that users of group SNMPV3GROUP will have read and write access to the information specified in view SNMPVIEW.

    set snmp v3 vacm access group SNMPV3GROUP default-context-prefix security-model any security-level none read-view SNMPVIEW
    set snmp v3 vacm access group SNMPV3GROUP default-context-prefix security-model any security-level none write-view SNMPVIEW
    set snmp v3 vacm access group SNMPV3GROUP default-context-prefix security-model any security-level authentication read-view SNMPVIEW
    set snmp v3 vacm access group SNMPV3GROUP default-context-prefix security-model any security-level authentication write-view SNMPVIEW
    set snmp v3 vacm access group SNMPV3GROUP default-context-prefix security-model any security-level privacy read-view SNMPVIEW
    set snmp v3 vacm access group SNMPV3GROUP default-context-prefix security-model any security-level privacy write-view SNMPVIEW
    

    Note: The above configuration specifies the read/write permission based on the following security-levels:

    • none: users part of group SNMPV3GROUP that do not use encryption nor authentication.
    • authentication: users part of group SNMPV3GROUP that use authentication only.
    • privacy: users part of group SNMPV3GROUP that use encryption and authentication.
  5. Specify the community that will be used by user NOSNMPV3, which does not support SNMPv3 and uses SNMPv2.

    set snmp v3 snmp-community SNMPV3COMMUNITY community-name JTACCOMMUNITY
    set snmp v3 snmp-community SNMPV3COMMUNITY security-name NOSNMPV3
     
  6. [If the Junos device is an SRX] Enable the SNMP protocol under Host-Inbound-Traffic in the security zone where the SNMP messages are received by the SRX. For more information about Host-Inbound-Traffic, refer to Controlling Inbound Traffic Based on Traffic Types.
    set security zones security-zone JTACZONE host-inbound-traffic system-services snmp
    
    
Verification

For verification purposes, the shell of a Junos Space server was used to poll the sysDescr OID from the configured Junos device. This is included for illustration purposes:
  • SNMPv2 user:

    # snmpwalk -v 2c -c JTACCOMMUNITY 10.85.32.64 sysDescr
    SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. srx345 internet router, kernel JUNOS 15.1X49-D100.6, Build date: 2017-06-28 07:44:20 UTC Copyright (c) 1996-2017 Juniper Networks, Inc.
    
  • SNMPv3 user without authentication or encryption:

    # snmpwalk -v 3 -l noAuthNoPriv -u NOAUTH 10.85.32.64 sysDescr
    SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. srx345 internet router, kernel JUNOS 15.1X49-D100.6, Build date: 2017-06-28 07:44:20 UTC Copyright (c) 1996-2017 Juniper Networks, Inc.
    
  • SNMPv3 user with authentication but no encryption:
    # snmpwalk -v 3 -l authNopriv -u AUTHNOPRIV -a md5 -A JTACTEST 10.85.32.64 sysDescr
    SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. srx345 internet router, kernel JUNOS 15.1X49-D100.6, Build date: 2017-06-28 07:44:20 UTC Copyright (c) 1996-2017 Juniper Networks, Inc.
    
  • SNMPv3 user with authentication and encryption:
    # snmpwalk -v 3 -l authPriv -u AUTHPRIV -a md5 -A JTACTEST -x des -X JTACTEST 10.85.32.64 sysDescr
    SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. srx345 internet router, kernel JUNOS 15.1X49-D100.6, Build date: 2017-06-28 07:44:20 UTC Copyright (c) 1996-2017 Juniper Networks, Inc.
  • Packet capture of an SNMPv3 communication without encryption or authentication.

  • Packet capture of a SNMPv3 communication with encryption and authentication.

Troubleshooting

If the communication between the SNMP server and the Junos device is not working, verify the following information:

  1. Is there IP connectivity between the SNMP server and the Junos device? A ping test can be used to confirm this.

  2. Is SNMP configured under Host-Inbound-Traffic for the correct Security-Zone/Interface, as shown in configuration step 6?

  3. Is the SNMP session seen on the SRX?

    root@SRX# run show security flow session source-prefix [SNMP Server Address]
    Session ID: 1234, Policy name: self-policy/1, Timeout: 1750, Valid
      In: 10.85.42.144/33758 --> 10.85.32.64/161;udp, If: ge-0/0/0.0, Pkts: 2, Bytes: 92
      Out: 10.85.32.64/161 --> 10.85.42.144/33758;udp, If: local, Pkts: 1, Bytes: 52

  4. Confirm that there is no firewall filter applied on the loopback interface or on the physical interface receiving the SNMP traffic that is dropping the SNMP messages.

  5. If the interface that receives the traffic is not the interface to which the SNMP packets are destined, a security policy is required to allow the SNMP messages to reach the destination interface. For example:

    set security policies from-zone Untrust to-zone Trust policy ALLOW-SNMP match source-address any
    set security policies from-zone Untrust to-zone Trust policy ALLOW-SNMP match destination-address INTERNAL-ADDRESS
    set security policies from-zone Untrust to-zone Trust policy ALLOW-SNMP match application SNMP
    set security policies from-zone Untrust to-zone Trust policy ALLOW-SNMP then permit

    set security address-book global address INTERNAL-ADDRESS 10.85.32.64/32

    set applications application SNMP protocol udp
    set applications application SNMP destination-port 161

  6. Is the Junos device reachable via an interface in a custom routing-instance? If so, the routing-instance of the interface receiving the SNMP requests needs to be included in the SNMPv3 configuration; refer to KB27284.

  7. The SNMPv3 authentication key is calculated from the user's password and the value of the engine ID. If authentication is suspected to be failing, a fixed engine ID can be configured and the passwords re-configured to generate new keys, as follows:

    • Delete the SNMP configuration and commit:

      # delete snmp
      # commit

    • Delete the current SNMP engine ID from the shell. Then, in configuration mode, roll back to the previous SNMP configuration and add the local engine ID. The MAC address of any of the local interfaces can be used as the new engine ID value:

      # run start shell
      % rm /var/db/snmp_engine.db
      % cli
      > edit
      # rollback 1
      # set snmp engine-id local 30:b6:4f:02:29:06
      # commit

    Note: Refer to KB27191 to understand how this could affect SNMP communication in a chassis cluster.
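As an added illustration of why step 7 works (this code is not part of the original article or of Junos), the following Python implements the RFC 3414 password-to-key and key-localization algorithm that USM uses: the password is repeated to fill 1 MiB and hashed, and that digest is hashed again together with the engine ID, so a new engine ID silently changes every user's localized key. The "maplesyrup" vector and the all-zero engine ID ending in 02 come from RFC 3414 Appendix A.3; the second engine ID is a constructed value, and the engine ID fed in must be the full engine ID as seen on the wire, not only the local value typed into `set snmp engine-id local`.

```python
import hashlib

# Size of the expanded password buffer defined in RFC 3414 A.2.1 (1 MiB).
EXPANSION_LEN = 1048576


def password_to_ku(password: bytes, hash_name: str = "md5") -> bytes:
    """Step 1: derive the user key Ku by hashing the password repeated to 1 MiB."""
    if not password:
        raise ValueError("password must not be empty")
    h = hashlib.new(hash_name)
    # Feed exactly EXPANSION_LEN bytes of the repeated password to the hash.
    reps, rem = divmod(EXPANSION_LEN, len(password))
    h.update(password * reps)
    h.update(password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Step 2: bind Ku to one engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_localized_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Full derivation of a user's localized key (used for both auth and privacy passwords)."""
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name)


if __name__ == "__main__":
    # Test vectors from RFC 3414 Appendix A.3.1 (MD5) and A.3.2 (SHA-1).
    rfc_engine = bytes(11) + b"\x02"
    print("MD5  Kul:", usm_localized_key(b"maplesyrup", rfc_engine).hex())
    print("SHA1 Kul:", usm_localized_key(b"maplesyrup", rfc_engine, "sha1").hex())
    # Constructed engine ID: same password, different engine, different key.
    other_engine = bytes.fromhex("800000000102030405")
    print("MD5  Kul (other engine):", usm_localized_key(b"maplesyrup", other_engine).hex())
```

Because the manager localizes the same password against the engine ID it learned during discovery, a device whose engine ID changed after the user was configured will reject authenticated requests until the passwords are re-entered, which is exactly the recovery step 7 describes.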

  8. Gather SNMP traceoptions for further debugging:

    # set snmp traceoptions file snmp.tr
    # set snmp traceoptions file size 5m
    # set snmp traceoptions file files 5
    # set snmp traceoptions file world-readable
    # set snmp traceoptions flag all
    # commit

    After the configuration is committed, try the SNMP query and then review the logs:

    > show log snmp.tr

Modification History:
2020-07-11: Added note for non-SRX devices and replaced SRX with Junos device.
2020-03-27: Article reviewed for accuracy; it is valid and accurate.
 
