I have no control on the SNMP Server so unable to enforce policy.
As per security requirements I want to block / deny SNMP SET packets passing through Palo Alto firewalls as well as targeted to the Palo Alto firewall management plane. However I want to allow SNMP Get from specific SNMP Server and allow Traps to SNMP Server. I was wondering if it possible to achieve?
anything going through the firewall can be controlled via securiotypolicy and anything accessing the management plane can be controlled through the mgmt ACL
SNMP traps have their own application, so that should be easy, i'm not sure about snmp set... you could possibly look into creating a custom app or custom threat with some strings to match a set command
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!