07-12-2018 04:45 PM
Hi,
I have a rule that allows snmp-trap messages to my SNMPD server. For some reason PA complains that SNMP-TRAP needs SNMP-BASE.
Now if I add in SNMP-BASE this is going to open up port 161, whereas trap uses 162.
So why do I need SNMP-BASE?
07-15-2018 12:55 AM
@Alex_Samad wrote: So why do I need SNMP-BASE
... because of rare cases where Palo Alto isn't able to identify the snmp-trap right away. (Even if I don't really know in what situation this could be possible, as snmp-traps mostly are one-packet connections. There aren't a lot of possibilities other than identifying the application in just this one packet.)
Anyway, if it works just with snmp-trap, then one possibility is to ignore the commit-warning or what I also did in this case, allow also snmp-base and manually add service 162/udp instead of application default.
There is also a feature request out there for a feature to suppress these commit warnings ...
07-15-2018 02:48 PM
Thanks, I think I will live with the warning; it seems counterintuitive to add snmp and then limit it to 161.
Do you have the feature request number?
07-16-2018 03:07 AM - edited 07-16-2018 03:08 AM
@Alex_Samad wrote: think I will live with the warning seems counter intuitive to add snmp and then limit to 161.
Yes, it does take some getting used to. Remember that with PAN the point of basic policy is to FORGET about port and protocol and just select the application you want. And PAN will detect that application EVEN IF it runs on different ports.
Thus if you know the app you are writing the rule for will always be on the standard port, then you use this option to prevent that default behavior.
07-16-2018 03:08 AM
Seems counterintuitive to allow something I didn't want to allow just to stop a warning.
Currently the traps are getting through, so...
07-16-2018 08:27 AM
Hello,
While you are opening another application, remember that it is just that, the application and not a port. Meaning that the firewall needs to identify the application and it won't just open that port for all traffic.
Hope that makes sense.
Regards,
07-16-2018 11:03 AM
The warning is more to do with how other applications function more so than this particular app-id. The only reason the warning is generated is because the app-id has 'snmp-base' as a dependency (i.e. if you look at snmp-trap it states 'Depends on: snmp-base').
While it can be argued that snmp-trap really doesn't require that snmp-base actually be allowed, and therefore snmp-trap really shouldn't have a dependency on snmp-base, it's more so that applications such as 'dropbox-downloading', which depends on 'dropbox-base' and 'ssl', aren't affected and cause admins to leave out required applications.
This is one of the weird things where PA could likely add an option to 'Ignore Commit Warnings' or something similar to the app-id, or further properly identify that snmp-trap doesn't actually require snmp-base, but this simply hasn't been created yet.
I would do what @Remo mentioned and simply add the app-id and specify that the service can only be 162/udp. This clears up the commit warning and won't actually allow snmp-base traffic unless it happens to be identified on 162. Or just ignore it, you just run the risk of missing an important warning when that list starts to grow over time.
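The replies above describe two separate mechanisms: the commit warning comes from App-ID's dependency list (snmp-trap lists snmp-base), while what traffic a rule actually passes depends on whether the service column is application-default or an explicit service object. The following Python policy-lint is an added example written for this page, not code from the thread or from Palo Alto Networks; the dependency and default-port tables are constructed from the applications named in the thread (the snmp-trap/snmp-base and dropbox entries) and stand in for the firewall's real App-ID database. It shows why the warning fires for the original rule, why adding snmp-base with application-default also opens udp/161, and why adding snmp-base with an explicit udp/162 service clears the warning without exposing 161.

```python
"""Added example: a small App-ID dependency lint modelled on the commit
warning discussed in the thread. The tables below are constructed for the
example and are not the firewall's real App-ID content."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Port = Tuple[str, int]  # (protocol, port), e.g. ("udp", 162)

# Constructed dependency map. snmp-trap -> snmp-base is the entry the
# original poster hit; the dropbox entries come from the last reply.
APP_DEPENDS_ON: Dict[str, Set[str]] = {
    "snmp-trap": {"snmp-base"},
    "dropbox-downloading": {"dropbox-base", "ssl"},
    "dropbox-base": {"ssl"},
}

# Constructed standard ports, used only when a rule's service is
# application-default.
APP_DEFAULT_PORTS: Dict[str, Set[Port]] = {
    "snmp-base": {("udp", 161)},
    "snmp-trap": {("udp", 162)},
    "ssl": {("tcp", 443)},
    "dropbox-base": {("tcp", 443)},
    "dropbox-downloading": {("tcp", 443)},
}


@dataclass
class Rule:
    name: str
    applications: Set[str]
    service: Optional[Set[Port]] = None  # None means application-default


def dependency_closure(app: str) -> Set[str]:
    """All applications App-ID lists, transitively, as dependencies of app."""
    seen: Set[str] = set()
    stack = list(APP_DEPENDS_ON.get(app, ()))
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(APP_DEPENDS_ON.get(dep, ()))
    return seen


def missing_dependencies(rule: Rule) -> Dict[str, Set[str]]:
    """Applications in the rule whose dependencies the rule does not allow.
    A non-empty result is exactly the condition behind the commit warning."""
    result: Dict[str, Set[str]] = {}
    for app in sorted(rule.applications):
        missing = dependency_closure(app) - rule.applications
        if missing:
            result[app] = missing
    return result


def lint(rule: Rule) -> List[str]:
    """Human-readable warnings in the style of the firewall's commit output."""
    return [
        f"{rule.name}: {app} depends on {', '.join(sorted(missing))}, "
        f"which the rule does not allow"
        for app, missing in missing_dependencies(rule).items()
    ]


def effective_ports(rule: Rule) -> Dict[str, Set[Port]]:
    """Ports on which each application in the rule can be passed.
    application-default uses every app's own standard port; an explicit
    service restricts every application in the rule to that service."""
    if rule.service is None:
        return {app: set(APP_DEFAULT_PORTS.get(app, set())) for app in rule.applications}
    return {app: set(rule.service) for app in rule.applications}


def allows(rule: Rule, app: str, port: Port) -> bool:
    """True if traffic identified as app on port would match this rule."""
    return app in rule.applications and port in effective_ports(rule).get(app, set())


if __name__ == "__main__":
    original = Rule("allow-snmp-trap", {"snmp-trap"})
    app_default = Rule("allow-snmp-trap", {"snmp-trap", "snmp-base"})
    explicit = Rule("allow-snmp-trap", {"snmp-trap", "snmp-base"}, {("udp", 162)})
    for r in (original, app_default, explicit):
        print(r.name, r.service or "application-default", lint(r) or "no warnings")
        print("  snmp-base on udp/161 allowed:", allows(r, "snmp-base", ("udp", 161)))
```

The three rules in the `__main__` section correspond to the three positions in the thread: the original rule (warning, nothing on 161), snmp-base added with application-default (no warning, but udp/161 now matches), and snmp-base added with an explicit udp/162 service (no warning, 161 still closed). The closure is transitive so that dropbox-downloading reports both dropbox-base and ssl, matching the last reply's point about why the dependency check exists.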