
Need help about PAN-OS 8 SNMP settings


L3 Networker

The target is to forward the PA device status to a monitoring tool (Cacti). But "Cacti" responds with an SNMP error. Both v2 and v3 show the same error. Other devices (C2960) from the same subnet as the PA have no problem.

 

Below is the PA settings

SNMPv3

Name: Test

SNMP Manager: <IP_of_Cacti>

User: testuser

EngineID: <leave_blank> (I have 2 PAs forming an HA)

Auth Password: abcd1234

Priv Password: efgh5678

 

Below is the config when adding the device in Cacti

SNMP Version: Version 3

SNMP Username (v3): testuser

SNMP Password (v3): abcd1234

SNMP Auth Protocol (v3): SHA

SNMP Privacy Passphrase (v3): efgh5678

SNMP Privacy Protocol (v3): AES

SNMP Context (v3): <leave_blank>

SNMP Engine ID (v3): <leave_blank>

SNMP Port: 161

SNMP Timeout: 500 milliseconds

Maximum OIDs Per Get Request: 10


L3 Networker

Is SNMP allowed on the mgmt interface?

 


Hello Mkyk,

You are correct. I didn't allow SNMP on the mgmt interface. I also hadn't configured "SNMP Setup" in "Device>Setup>Operations". It now works for SNMPv2, but it is still no go for SNMPv3.

In "SNMP Setup" under "Device>Setup>Operations>SNMP Setup", after choosing "v3", there are several settings unfamiliar to me. I have no idea about "View", "OID", "Option" and "Mask". Any hints please?

@jeremylo,

Those are all standard settings for SNMPv3. 

View: 
This is critical due to SNMPv3 utilizing a VACM to control access to specific objects.

OID:

Simply specifying the Object Identifier you actually want to utilize in the VACM.

Option:

Include or Exclude are your only options. 

Mask:

You need to define which node of the OID to match for the VACM. 

 

 

If you simply want everything to go to Cacti, simply set the OID as ".1" and the mask as "0x80"; this will give you the full MIB tree, and everything will then match your VACM settings.

Bingo!

I used those OIDs in http://www.oidview.com/mibs/25461/PAN-COMMON-MIB.html before.

Changing to OID = .1 and Mask = 0x80 works.
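
How the View, OID, Option and Mask fields discussed in this thread combine, as an added example that is not part of the original posts or of PAN-OS: it applies the RFC 3415 VACM view-matching rules to the `.1` / `0x80` setting and to a narrower view. The `SCOPED` view, its `.99` branch and the function names are constructed for illustration.

```python
# Added illustration of RFC 3415 (VACM) view matching; not PAN-OS code.

def parse_oid(text):
    """'.1.3.6' -> (1, 3, 6)"""
    return tuple(int(part) for part in text.strip(".").split("."))

def mask_bits(mask_hex, length):
    """Expand a hex mask such as '0x80' to `length` bits, MSB first.
    RFC 3415: a mask shorter than the subtree is extended with 1s."""
    digits = mask_hex[2:] if mask_hex.lower().startswith("0x") else mask_hex
    bits = [(b >> (7 - i)) & 1 for b in bytes.fromhex(digits) for i in range(8)]
    return (bits + [1] * length)[:length]

def family_matches(oid, subtree, mask_hex):
    """True if `oid` lies in the (subtree, mask) family.
    A 1 bit means that sub-identifier must match; a 0 bit is a wildcard."""
    if len(oid) < len(subtree):
        return False
    bits = mask_bits(mask_hex, len(subtree))
    return all(bit == 0 or o == s for bit, o, s in zip(bits, oid, subtree))

def in_view(oid_text, view):
    """view is a list of (OID, Option, Mask) rows. The matching row with
    the longest OID decides; an OID that matches no row is not visible."""
    oid = parse_oid(oid_text)
    hits = [(len(parse_oid(sub)), parse_oid(sub), option)
            for sub, option, mask in view
            if family_matches(oid, parse_oid(sub), mask)]
    return bool(hits) and max(hits)[2] == "include"

# The setting from the thread: one row covering everything under .1
FULL_TREE = [(".1", "include", "0x80")]

# Constructed narrower view for comparison (sample values, not a PAN-OS export)
SCOPED = [
    (".1.3.6.1.2.1.1", "include", "0xfe"),            # system group
    (".1.3.6.1.4.1.25461", "include", "0xfe"),        # enterprise 25461 (MIB URL in thread)
    (".1.3.6.1.4.1.25461.99", "exclude", "0xff"),     # placeholder branch carved back out
    (".1.3.6.1.2.1.2.2.1.0.2", "include", "0xffa0"),  # ifEntry.<any column>.2 only
]

if __name__ == "__main__":
    for oid in (".1.3.6.1.2.1.1.3.0",          # sysUpTime.0
                ".1.3.6.1.2.1.2.2.1.10.2",     # ifInOctets.2
                ".1.3.6.1.2.1.2.2.1.10.3",     # ifInOctets.3
                ".1.3.6.1.6.3.15.1.2.2.1.3",   # usmUserTable column
                ".1.3.6.1.4.1.25461.99.1"):    # constructed excluded branch
        print(oid, "full:", in_view(oid, FULL_TREE), "scoped:", in_view(oid, SCOPED))
```

With the `.1` / `0x80` row, every OID the agent implements under `.1` is readable by that SNMPv3 user; the scoped rows show how Mask and Option limit the same user to chosen subtrees.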

L2 Linker

GP authentication issue on MAC devices.

In our Mac environment we are sending a SCEP certificate to authenticate "Pandora Wifi". What we are seeing is that Global Protect automatically takes that certificate's details to authenticate and fails. As a workaround, we are removing the SCEP certificate from the user's device for some time, so that the user can sign in to Global Protect. Is there a way in Global Protect to configure it not to automatically use that SCEP cert as the login preference?
