This article provides information about configuring SNMPV3 traps on ScreenOS.
Configuring SNMPV3 traps on ScreenOS via the WebUI and the Command Line Interface (CLI).
SNMP V3 overview on ScreenOS:
- SNMPV3 is supported from ScreenOS 6.3 or later on the SSG/ISG/Netscreen platform.
- The SNMPv3 architecture introduces the User-based Security Model (USM) for message security.
- View-based Access Control Model (VACM) is used for access control.
- The architecture supports the concurrent use of different security, access control, and message processing models.
SNMPV3 on ScreenOS supports:
- SNMPV1 and SNMPV2c polling and traps, which make use of the community-based security model
- SNMPV3, which makes use of the User Security model
- SNMPV3 traps
- View Access Control Model for access control
Procedure to configure the SNMPV3 agent to send SNMPV3 traps:
- Pre-configuration
  - Configure the SNMP Engine.
  - Create a USM user. In the following example, the configured USM user is firewall.
- Configuring a Trap Filter
The view defines a filter for both SNMP polling and traps. To further segregate traps (include or exclude them), you can optionally set a trap filter. The settings are similar to those of a VACM view.
Via the WebGUI:
Go to Configuration > Report Settings > SNMPv3 > Filter > New Filter:

Via the CLI:
set snmpv3 filter include-all oid .1 mask ff type include
set snmpv3 filter include-only-netscreen-traps oid .1.3.6.1.4.1.3224.1 mask fe type include
In the above example, two trap filters are configured:
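How the `oid`/`mask` pairs in the two filters above select trap OIDs, as an added example that is not part of the original article. It assumes ScreenOS applies the RFC 3415 (VACM) subtree-mask rules, which the article only describes as "similar"; the sample trap OIDs are constructed for illustration.

```python
# Added example: RFC 3415 (VACM) subtree/mask matching applied to the two
# trap filters configured above. ASSUMPTION: ScreenOS follows RFC 3415 here.

def parse_oid(text):
    """'.1.3.6.1' -> (1, 3, 6, 1)"""
    return tuple(int(part) for part in text.strip(".").split("."))

def mask_bits(mask_hex, length):
    """One bit per sub-identifier, most significant bit first.
    RFC 3415 extends a short mask with 1s (exact match required)."""
    bits = [(byte >> (7 - i)) & 1 for byte in bytes.fromhex(mask_hex) for i in range(8)]
    return (bits + [1] * length)[:length]

def in_family(oid, subtree, mask_hex):
    """Mask bit 1: sub-identifier must equal the subtree's; bit 0: wildcard."""
    if len(oid) < len(subtree):
        return False
    bits = mask_bits(mask_hex, len(subtree))
    return all(b == 0 or o == s for o, s, b in zip(oid, subtree, bits))

def filter_allows(oid_text, entries):
    """entries: (subtree, mask, type) tuples. The matching entry with the
    longest subtree decides; an OID that matches nothing is excluded."""
    oid, best = parse_oid(oid_text), None
    for subtree_text, mask_hex, kind in entries:
        subtree = parse_oid(subtree_text)
        if in_family(oid, subtree, mask_hex) and (best is None or (len(subtree), subtree) > best[0]):
            best = ((len(subtree), subtree), kind)
    return best is not None and best[1] == "include"

# The two filters exactly as given in the CLI lines above.
INCLUDE_ALL = [(".1", "ff", "include")]
NETSCREEN_ONLY = [(".1.3.6.1.4.1.3224.1", "fe", "include")]

# Constructed sample trap OIDs (not taken from the article).
SAMPLES = {
    "coldStart (SNMPv2-MIB)": ".1.3.6.1.6.3.1.1.5.1",
    "under 3224.1": ".1.3.6.1.4.1.3224.1.1",
    "under 3224.2 (8th sub-id differs)": ".1.3.6.1.4.1.3224.2.5",
}

def audit():
    """Map each sample to (passes include-all, passes include-only-netscreen-traps)."""
    return {name: (filter_allows(oid, INCLUDE_ALL), filter_allows(oid, NETSCREEN_ONLY))
            for name, oid in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name:36} include-all={result[0]} netscreen-only={result[1]}")
```

Under these semantics, mask fe leaves the eighth sub-identifier as a wildcard, so the second filter admits any OID of the form .1.3.6.1.4.1.3224.x and below, not only the .1.3.6.1.4.1.3224.1 subtree.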
- Configuring the SNMPV3 target
A. Configure the Target Parameters database.
Via the WebGUI:
Go to Configuration > Report Settings > SNMPv3 > Target > New Target Parameter:


Via the CLI:
set snmpv3 target-param snmpv3_target filter include-all sec-model usm sec-level priv user firewall
set snmpv3 target-param snmpv3_target_only_auth filter include-only-netscreen-traps sec-model usm sec-level auth user firewall
Parameters of Access Group:
Security Level:
- PRIV: Encrypt and Authenticate SNMP message
- AUTH: Only Authenticate SNMP message
- None: By default, the security level is none. If the selected security model is USM, then you get the option to select the security level as PRIV or AUTH.
User Name: Name of USM user; used with USM Model and SNMP V3
Community: Community string; used with SNMPV1 and SNMPV2c
In the above example, there are two access groups:
- snmpv3_target: For sending traps/notifications (trap OIDs are defined in the view and filtered in the trap filter), with the trap messages encrypted and authenticated by using the USM model
- snmpv3_target_only_auth: For sending traps/notifications (trap OIDs are defined in the view and filtered in the trap filter), with the trap messages authenticated only by using the USM model
B. Configure the Target Address.
Via the WebGUI:
Go to Configuration > Report Settings > SNMPv3 > Trap > New Target Address:


Via the CLI:
set snmpv3 target snmpv3_TRAP address 10.209.192.231/32 port 162 target-param snmpv3_target
Parameters:
- Target Name: Specify the name of the target.
- Target IPv4 Address/Netmask: Specify the IPv4 address and netmask.
- Target IPv6 Address/Netmask: Specify the IPv6 address and netmask. You can type both the IPv4 and IPv6 IP addresses. The system sends the trap to the target if the mask is 32 for IPv4 addresses or 128 for IPv6 addresses.
- Trap Port: Specify the trap port.
- Target Parameter: Specify the target parameter.
- Taglist: Specify a tag for the target from the taglist. You can specify no more than eight tags to a target. Each community has a tag. When an SNMPv1 or SNMPv2 request is received, the system checks whether the source is a valid target with the assigned tag of the community.
2018-12-13: Updated set snmpv3 target-param snmpv3_target filter include-all sec-model usm sec-level priv user netscreen
to
set snmpv3 target-param snmpv3_target filter include-all sec-model usm sec-level priv user firewall