- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
08-12-2019 02:58 AM
Target is to forward the PA device status to a monitoring tool (Cacti). But "Cacti" respond SNMP error. Both v2 and v3 show the same error. Other devices (C2960) from the same subnet of PA has no problem.
Below is the PA settings
SNMPv3
Name: Test
SNMP Manager: <IP_of_Cacti>
User: testuser
EngineID: <leave_blank> (I have 2 PA form an HA)
Auth Password: abcd1234
Priv Password: efgh5678
Below is the config when add device in Cacti
SNMP Version: Version 3
SNMP Username (v3): testuser
SNMP Password (v3): abcd1234
SNMP Auth Protocol (v3): SHA
SNMP Privacy Passphrase (v3): efgh5678
SNMP Privacy Protocol (v3): AES
SNMP Context (v3): <leave_blank>
SNMP Engine ID (v3): <leave_blank>
SNMP Port: 161
SNMP Timeout: 500 milliseconds
Maximum OIDs Per Get Request: 10
08-13-2019 03:19 AM
Those are all standard settings for SNMPv3.
View:
This is critical due to SNMPv3 utilizing a VACM to control access to specific objects.
OID:
Simply specifying the Object Identifier you actually want to utilize in the VACM.
Option:
Include or Exclude are your only options.
Mask:
You need to define which node of the OID to match for the VACM.
If you simply want everything to go to Cacti simply set the OID as ".1", and the mask as "0x80" will give you the full MIB treem everything will then match your VACM settings.
08-12-2019 08:27 AM
Is SNMP allowed on the mgmt interface:?
08-12-2019 06:46 PM
Hello Mkyk,
You are correct. I didn't allow SNMP in mgmt interface. Also didn't configure "SNMP Setup" in "Device>Setup>Operations". Now work for SNMPv2. But still no go for SNMPv3.
In "SNMP Setup" in "Device>Setup>Operations>SNMP Setup". After choose "v3". There are several settings unfamiliar to me. No idea about "View", "OID", "Option" and "Mask". Any hints please?
08-13-2019 03:19 AM
Those are all standard settings for SNMPv3.
View:
This is critical due to SNMPv3 utilizing a VACM to control access to specific objects.
OID:
Simply specifying the Object Identifier you actually want to utilize in the VACM.
Option:
Include or Exclude are your only options.
Mask:
You need to define which node of the OID to match for the VACM.
If you simply want everything to go to Cacti simply set the OID as ".1", and the mask as "0x80" will give you the full MIB treem everything will then match your VACM settings.
08-14-2019 07:13 PM
Bingo!
I use those OID in http://www.oidview.com/mibs/25461/PAN-COMMON-MIB.html before.
Change to OID = .1, and Mask = 0x80 works
12-26-2022 05:10 AM
GP authentication issue on MAC devices.
Mac environment we are sending a SCEP certificate to authenticate "Pandora Wifi", what we are seeing Global Protect is automatically taking that certificate details to authenticate and failing. As a workaround, we are removing the scep certificate from user device for some time, So that user can sign in Global Protect. is there a way in Global Protect so that we can configure not to automatically use that Scep cert as login preference.Mac environment we are sending a SCEP certificate to authenticate "Pandora Wifi", what we are seeing Global Protect is automatically taking that certificate details to authenticate and failing. As a workaround, we are removing the scep certificate from user device for some time, So that user can sign in Global Protect. is there a way in Global Protect so that we can configure not to automatically use that Scep cert as login preference.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!