
[ScreenOS] Configuring SNMPV3 traps on ScreenOS


Article ID: KB22685 | KB Last Updated: 13 Dec 2018 | Version: 3.0
Summary:

This article provides information about configuring SNMPV3 traps on ScreenOS.

 

Symptoms:

Configuring SNMPV3 traps on ScreenOS via the WebUI and the Command Line Interface (CLI).

 

Solution:

SNMP V3 overview on ScreenOS:

  • SNMPV3 is supported from ScreenOS 6.3 or later on the SSG/ISG/Netscreen platform.

  • The SNMPv3 architecture introduces the User-based Security Model (USM) for message security.

  • View-based Access Control Model (VACM) is used for access control.

  • The architecture supports the concurrent use of different security, access control, and message processing models.

 

SNMPV3 on ScreenOS supports:

  • SNMPV1 and SNMPV2c polling and traps, which make use of the community-based security model

  • SNMPV3, which makes use of the User Security model

  • SNMPV3 traps

  • View Access Control Model for access control

 

Procedure to configure the SNMPV3 agent to send SNMPV3 traps:

  1. Pre-configuration
    • Configure the SNMP Engine.

    • Create a USM user. In the following example, the configured USM user is firewall.

  2. Configuring a Trap Filter

The view defines a filter for both SNMP polling and traps. To further segregate (include or exclude) traps, you can optionally set a separate filter for traps. The settings are similar to those of a VACM view.

Via the WebGUI:

Go to Configuration > Report Settings > SNMPv3 > Filter > New Filter:

 

Via the CLI:

set snmpv3 filter include-all oid .1 mask ff type include
set snmpv3 filter include-only-netscreen-traps oid .1.3.6.1.4.1.3224.1 mask fe type include

In the above example, two trap filters are configured:

  • include-all: To include all traps (generic and specific)

  • include-only-netscreen-traps: To include only traps matched by the NetScreen enterprise OID .1.3.6.1.4.1.3224.1 and its mask
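How the two filters above evaluate a notification OID, as an added example (not Juniper's code). It assumes ScreenOS applies the standard RFC 3413/3415 subtree-and-mask rule, which the page only implies by comparing the settings to a VACM view; the sample OIDs are constructed.

```python
# Added example. Assumption: ScreenOS trap filters follow the RFC 3413/3415
# subtree + mask rule (one mask bit per sub-identifier, 1 = must match).

def parse_oid(text):
    """'.1.3.6' -> (1, 3, 6)"""
    return tuple(int(part) for part in text.strip(".").split("."))

def mask_bits(hex_mask, length):
    """Expand a hex mask to one bit per sub-identifier, most significant first.
    Positions past the end of the mask count as 1 (exact match required)."""
    bits = [(byte >> (7 - i)) & 1
            for byte in bytes.fromhex(hex_mask) for i in range(8)]
    return (bits + [1] * length)[:length]

def entry_matches(entry, oid):
    subtree = entry["oid"]
    if len(oid) < len(subtree):
        return False          # OID is shorter than the subtree: not inside it
    bits = mask_bits(entry["mask"], len(subtree))
    return all(bit == 0 or want == got
               for bit, want, got in zip(bits, subtree, oid))

def trap_passes(filter_entries, trap_oid):
    """True if the filter lets the notification through."""
    oid = parse_oid(trap_oid)
    hits = [e for e in filter_entries if entry_matches(e, oid)]
    if not hits:
        return False          # nothing matched: excluded
    # The most specific (longest) matching subtree decides include/exclude.
    best = max(hits, key=lambda e: (len(e["oid"]), e["oid"]))
    return best["type"] == "include"

# The two filters exactly as set in the CLI commands above.
FILTERS = {
    "include-all": [
        {"oid": parse_oid(".1"), "mask": "ff", "type": "include"}],
    "include-only-netscreen-traps": [
        {"oid": parse_oid(".1.3.6.1.4.1.3224.1"), "mask": "fe", "type": "include"}],
}

# Constructed sample notification OIDs.
SAMPLES = [".1.3.6.1.6.3.1.1.5.3",     # standard linkDown
           ".1.3.6.1.4.1.3224.1.5",    # under the configured subtree
           ".1.3.6.1.4.1.3224.2.5",    # sibling branch of the same enterprise
           ".1.3.6.1.4.1.9999.1.5"]    # a different enterprise number

if __name__ == "__main__":
    for name, entries in FILTERS.items():
        print(name, [trap_passes(entries, oid) for oid in SAMPLES])
```

Under that assumption, mask fe leaves the eighth sub-identifier as a wildcard, so the second filter also passes OIDs under .1.3.6.1.4.1.3224.2 and other sibling branches, not just .1.3.6.1.4.1.3224.1.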

  3. Configuring the SNMPV3 target

A. Configure the Target Parameters database.

Via the WebGUI:

Go to Configuration > Report Settings > SNMPv3 > Target > New Target Parameter:

 

Via the CLI:

set snmpv3 target-param snmpv3_target filter include-all sec-model usm sec-level priv user firewall

set snmpv3 target-param snmpv3_target_only_auth filter include-only-netscreen-traps sec-model usm sec-level auth user firewall

Parameters of Access Group:

  • Target Parameter Name

  • Security Model: SNMP V1 or SNMP V2C or USM (which is used in SNMP V3)

  • Security Level:
    • PRIV: Encrypt and authenticate the SNMP message

    • AUTH: Only authenticate the SNMP message

    • None: By default, the security level is none. If the selected security model is USM, then you get the option to select the security level as PRIV or AUTH.

  • User Name: Name of the USM user; used with the USM model and SNMP V3

  • Community: Community string; used with SNMPV1 and SNMPV2c

In the above example, there are two access groups:

  • snmpv3_target: For sending traps/notifications (trap OIDs are defined in the view and filtered in the trap filter), with the trap messages encrypted and authenticated by using the USM model

  • snmpv3_target_only_auth: For sending traps/notifications (trap OIDs are defined in the view and filtered in the trap filter), with the trap messages only authenticated by using the USM model

B. Configure the Target Address.

Via the WebGUI:

Go to Configuration > Report Settings > SNMPv3 > Trap > New Target Address:

 

Via the CLI:

set snmpv3 target snmpv3_TRAP address 10.209.192.231/32 port 162 target-param snmpv3_target

Parameters:

  • Target Name: Specify the name of the target.

  • Target IPv4 Address/Netmask: Specify the IPv4 address and netmask.

  • Target IPv6 Address/Netmask: Specify the IPv6 address and netmask. You can type both the IPv4 and IPv6 IP addresses. The system sends the trap to the target if the mask is 32 for IPv4 addresses or 128 for IPv6 addresses.

  • Trap Port: Specify the trap port.

  • Target Parameter: Specify the target parameter.

  • Taglist: Specify a tag for the target from the taglist. You can specify no more than eight tags for a target. Each community has a tag. When an SNMPv1 or SNMPv2 request is received, the system checks whether the source is a valid target with the assigned tag of the community.
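A review check for the finished target configuration, as an added example (not Juniper's code): it reads `set snmpv3 target-param` and `set snmpv3 target` lines in the form shown above and reports targets whose traps are not sent at sec-level priv, whose mask is not /32 or /128, or whose target-param is undefined. The first three config lines are the page's own commands; the last three and the finding labels are constructed.

```python
import ipaddress
import re

# Sample config: first three lines are from the article, the rest constructed.
CONFIG = """\
set snmpv3 target-param snmpv3_target filter include-all sec-model usm sec-level priv user firewall
set snmpv3 target-param snmpv3_target_only_auth filter include-only-netscreen-traps sec-model usm sec-level auth user firewall
set snmpv3 target snmpv3_TRAP address 10.209.192.231/32 port 162 target-param snmpv3_target
set snmpv3 target nms_auth address 192.0.2.10/32 port 162 target-param snmpv3_target_only_auth
set snmpv3 target nms_subnet address 192.0.2.0/24 port 162 target-param snmpv3_target
set snmpv3 target nms_orphan address 192.0.2.20/32 port 162 target-param missing_param
"""

PARAM_RE = re.compile(r"^set snmpv3 target-param (\S+) filter (\S+) "
                      r"sec-model (\S+) sec-level (\S+) user (\S+)$")
TARGET_RE = re.compile(r"^set snmpv3 target (\S+) address (\S+) "
                       r"port (\d+) target-param (\S+)$")

def audit(config):
    """Return (target name, finding) pairs in the order targets appear."""
    params, targets, findings = {}, [], []
    for line in config.splitlines():
        line = line.strip()
        if m := PARAM_RE.match(line):
            params[m[1]] = {"model": m[3], "level": m[4]}
        elif m := TARGET_RE.match(line):
            targets.append((m[1], m[2], m[4]))
    for name, address, param_name in targets:
        net = ipaddress.ip_network(address, strict=False)
        # The article states traps are sent only for /32 (IPv4) or /128 (IPv6).
        if net.prefixlen != net.max_prefixlen:
            findings.append((name, "not-host-mask"))
        param = params.get(param_name)
        if param is None:
            findings.append((name, "undefined-target-param"))
        elif param["model"] != "usm" or param["level"] != "priv":
            # auth authenticates the trap but does not encrypt its contents.
            findings.append((name, "trap-not-encrypted"))
    return findings

if __name__ == "__main__":
    for target, finding in audit(CONFIG):
        print(f"{target}: {finding}")
```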

 

Modification History:

2018-12-13: Updated set snmpv3 target-param snmpv3_target filter include-all sec-model usm sec-level priv user netscreen

to

set snmpv3 target-param snmpv3_target filter include-all sec-model usm sec-level priv user firewall

 
