
CLI: Example for Configuring the Device to Communicate with an NMS Using SNMPv1

This section provides an example of how to enable the FW to communicate with an NMS using SNMPv1 and to send trap messages to the NMS.

Networking Requirements

As shown in Figure 1, the FW connects to the NMS. Because of the small network scale and high security requirement, the administrator hopes that the NMS uses SNMPv1 to manage the FW to meet the following requirements:

  • The NMS can manage all nodes on the FW.
  • The FW can send trap messages to the NMS.
  • The contact information of the FW administrator must be specified on the FW so that the NMS administrator can notify the FW administrator of the faults that occur on the FW.

Figure 1 Networking diagram for the communication between the FW and NMS using SNMPv1

Configuration Roadmap

The configuration roadmap is as follows:

  • Set IP addresses for interfaces on the FW, assign the interfaces to security zones, and configure the interface access management function to allow the SNMP protocol to pass.

    If the interface access management function is not used, you need to configure related security policies. Before disabling interface access management, configure security policies for the remote management protocols so that you do not lose remote management access to the FW.

  • Set the SNMP version on the FW to SNMPv1.
  • Set the SNMP community name on the FW.
  • Configure the SNMP trap function on the FW.
  • Configure SNMP administrator contact information on the FW.
  • Configure the NMS.

Procedure

  1. Set an IP address for interface GE0/0/0 on the FW, assign the interface to a security zone, and configure interface access management.

    # Set an IP address for interface GE0/0/0 and configure interface access management.

    <FW> system-view
    [FW] interface GigabitEthernet 0/0/0
    [FW-GigabitEthernet0/0/0] ip address 1.1.1.2 24
    [FW-GigabitEthernet0/0/0] service-manage snmp permit
    [FW-GigabitEthernet0/0/0] quit

    # Add interface GE0/0/0 to a security zone.

    [FW] firewall zone dmz
    [FW-zone-dmz] add interface GigabitEthernet 0/0/0
    [FW-zone-dmz] quit

    # Configure a security policy that permits SNMP trap traffic from the local zone to the dmz zone.

    [FW] security-policy
    [FW-policy-security] rule name local_dmz
    [FW-policy-security-rule-local_dmz] source-zone local
    [FW-policy-security-rule-local_dmz] destination-zone dmz
    [FW-policy-security-rule-local_dmz] source-address 1.1.1.2 24
    [FW-policy-security-rule-local_dmz] service snmptrap
    [FW-policy-security-rule-local_dmz] action permit
    [FW-policy-security-rule-local_dmz] quit
    [FW-policy-security] quit

  2. Configure the SNMP version on the FW.

    [FW] snmp-agent sys-info version v1
    Warning: SNMPv1/SNMPv2c is not secure, and it is recommended to use SNMPv3.

  3. Set the SNMP community name on the FW.

    [FW] snmp-agent community write cipher private@123

  4. Configure the SNMP trap function on the FW.

    [FW] snmp-agent target-host trap address udp-domain 1.1.1.1 params securityname private@123 v1
    [FW] snmp-agent trap enable
    Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y

  5. Configure SNMP administrator contact information on the FW.

    [FW] snmp-agent sys-info contact call Operator at 010-12345678

  6. Configure the NMS.

    Refer to the configuration guide of the NMS that is deployed. The NMS authentication parameters must be consistent with those on the FW. Otherwise, the NMS may fail to manage the FW.

Configuration Scripts

#
interface GigabitEthernet0/0/0
 ip address 1.1.1.2 255.255.255.0
 service-manage snmp permit
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/0
#
security-policy
 rule name local_dmz
  source-zone local
  destination-zone dmz
  source-address 1.1.1.2 24
  service snmptrap
  action permit
#
 snmp-agent
 snmp-agent local-engineid 800007DB03DCD2FC2616AE
 snmp-agent community write cipher %^%#bge!SaO<d)7.R;B)NaMHp&ZD9S,OUF@"v^-YoEo+9m9n"-v4qD&wg:2&#)9LmNLt132fqVleQvCqUaRS%^%#
 snmp-agent sys-info contact call Operator at 010-12345678
 snmp-agent sys-info version v1 v3
 snmp-agent target-host trap  address udp-domain 1.1.1.1 params securityname cipher %^%#YwU|MS4tjR_Da)F_ump/fV06Xs6w>R[pS^GC.*gX%^%#
 snmp-agent trap enable
#
return
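
An offline check of a saved configuration in the layout shown above, added here as an example (it is not Huawei's code): it reports the community-based SNMP settings this procedure leaves in place, which is what the device's own "SNMPv1/SNMPv2c is not secure" warning refers to. The check names, the sample text and the `<ciphertext>` placeholders are constructed; treating a `target-host` line with no `v3` keyword as community-based follows the saved script above, and the optional `acl` keyword on `snmp-agent community` is assumed to be available on the device.

```python
import re

# Constructed sample in the layout of the "Configuration Scripts" section;
# <ciphertext> is a placeholder, not real device output.
SAMPLE = """\
#
interface GigabitEthernet0/0/0
 ip address 1.1.1.2 255.255.255.0
 service-manage snmp permit
#
 snmp-agent
 snmp-agent community write cipher <ciphertext>
 snmp-agent sys-info version v1 v3
 snmp-agent target-host trap address udp-domain 1.1.1.1 params securityname cipher <ciphertext>
 snmp-agent trap enable
#
return
"""

def audit_snmp(config):
    """Return (check, detail) findings, in file order, for one saved configuration."""
    findings, interface = [], None
    for raw in config.splitlines():
        tokens = raw.split()
        line = " ".join(tokens)              # normalises padding and double spaces
        if line == "#":                      # "#" ends the current configuration view
            interface = None
        elif re.fullmatch(r"interface \S+", line):
            interface = tokens[1]
        elif interface and line == "service-manage snmp permit":
            findings.append(("SNMP_PERMITTED_ON", interface))
        elif line.startswith("snmp-agent sys-info version "):
            weak = [v for v in tokens[3:] if v in ("v1", "v2c", "all")]
            if weak:
                findings.append(("COMMUNITY_BASED_VERSION", " ".join(weak)))
        elif line.startswith("snmp-agent community "):
            if tokens[2] == "write":
                findings.append(("WRITE_COMMUNITY", "read-write access to the MIB"))
            if "acl" not in tokens:          # assumption: acl restricts source hosts
                findings.append(("COMMUNITY_WITHOUT_ACL", tokens[2]))
        elif line.startswith("snmp-agent target-host trap ") and "v3" not in tokens:
            host = tokens[tokens.index("udp-domain") + 1] if "udp-domain" in tokens[:-1] else "?"
            findings.append(("TRAP_NOT_V3", host))
    return findings

if __name__ == "__main__":
    for check, detail in audit_snmp(SAMPLE):
        print(f"{check}: {detail}")
```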
Copyright © Huawei Technologies Co., Ltd.