What are you using to implement SNMPv3?

Reply
Highlighted
L2 Linker

What are you using to implement SNMPv3?

I'm taking on the task of setting up SNMPv3 on a firewall but will be starting from scratch with no tools, programs, scripts, etc. in place so I have a lot of flexibility (and also a lot of work ahead). I won't be doing traps but mostly looking at CPU and interface traffic. I would like to know what programs, etc. others are using so I can get an idea of what works well with Palo and where to begin.  Thanks!

Tags (2)

Accepted Solutions
Highlighted
Cyber Elite

Re: What are you using to implement SNMPv3?

@TLineberry

Ok, that's a reason.

Back to what you were asking, as also other software will need more ressources with v3, I think you should give PRTG a try: this software is able to do really a lot more than simple snmp queries (in case you need it sometime), nice design, easy overview over all your sensors, good reporting features, Map feature that allows you to create custom views for an even better overview (for example with your existing network layouts as interactive Map that shows you statusvalies of your devices and it's cheap compared to others.

 

Of course there are also good opensource software out there that you can get for free, but here others can maybe tell you more ... theres just one software that I remember that really does a great job in this category but does not look as ugly as most of the others ... and I hope I can remeber the name again ...  --> https://github.com/netdata/netdata

View solution in original post

Highlighted
L2 Linker

Re: What are you using to implement SNMPv3?

Solarwinds Orion monitors with SNMPv3 just fine.  Depending on the PANOS version, the current versions use SHA-1 for Auth, and AES-128 for Privilege authentication.

 

 

root@Expedition:~# apt-get install snmp
After this operation, 4,792 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
root@Expedition:~# which snmpwalk
/usr/bin/snmpwalk
root@Expedition:~# exit
logout
expedition@Expedition:~$ snmpwalk -v 3 -u snmpuser -l authPriv -a SHA -A AuthPassword -x AES -X PrivPassword 10.10.10.100

 

 

SNMPv3.png

 

 

I haven't restricted much with OID/Mask views.  If anyone has good resources on what constitutes a good SNMPv3 View on a PA...I'd sure be interested in your recipe.

View solution in original post


All Replies
Cyber Elite

Re: What are you using to implement SNMPv3?

Hello,

I would say anything that can use SNMv3 woukd be compatible. That said I have used PRTG and Solarwinds with snmpv3.

 

Regards,

Highlighted
Cyber Elite

Re: What are you using to implement SNMPv3?

Question heading in this direction: What are reasons to use SNMPv3 instead of v2 to monitor a Paloalto firewall (read only access, strictly controlled sources that are allowed to send queries, controlled network that make spoofing attacks almost impossible,...)?

Specially PRTG consumes a lot more ressources with v3 instead of v2 when there are thousands of sensors...

Highlighted
L2 Linker

Re: What are you using to implement SNMPv3?

Thank you both for the input! I have to use v3 to follow a baseline so I don’t have the option of v2 (unfortunately).
Highlighted
Cyber Elite

Re: What are you using to implement SNMPv3?

@TLineberry

Ok, that's a reason.

Back to what you were asking, as also other software will need more ressources with v3, I think you should give PRTG a try: this software is able to do really a lot more than simple snmp queries (in case you need it sometime), nice design, easy overview over all your sensors, good reporting features, Map feature that allows you to create custom views for an even better overview (for example with your existing network layouts as interactive Map that shows you statusvalies of your devices and it's cheap compared to others.

 

Of course there are also good opensource software out there that you can get for free, but here others can maybe tell you more ... theres just one software that I remember that really does a great job in this category but does not look as ugly as most of the others ... and I hope I can remeber the name again ...  --> https://github.com/netdata/netdata

View solution in original post

Highlighted
L2 Linker

Re: What are you using to implement SNMPv3?

Solarwinds Orion monitors with SNMPv3 just fine.  Depending on the PANOS version, the current versions use SHA-1 for Auth, and AES-128 for Privilege authentication.

 

 

root@Expedition:~# apt-get install snmp
After this operation, 4,792 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
root@Expedition:~# which snmpwalk
/usr/bin/snmpwalk
root@Expedition:~# exit
logout
expedition@Expedition:~$ snmpwalk -v 3 -u snmpuser -l authPriv -a SHA -A AuthPassword -x AES -X PrivPassword 10.10.10.100

 

 

SNMPv3.png

 

 

I haven't restricted much with OID/Mask views.  If anyone has good resources on what constitutes a good SNMPv3 View on a PA...I'd sure be interested in your recipe.

View solution in original post

Highlighted
L2 Linker

Re: What are you using to implement SNMPv3?

Thank you both (I tried to accept them both as solutions). This has been very helpful! 

Highlighted
L3 Networker

Re: What are you using to implement SNMPv3?

Hi @JW6224

 

I'm trying to fix SNMPv3 between PA3020 PANOS 8.1.1 and solarwinds orion without success.

 

once I change the netflow defult route it works for 10 minutes and stops, when I change back to default it do the same, works for 10 minutes and stops.

 

also for the orion side I see limtied information can't drill to more details by clicking on the IP address.

 

which PANOS you are using? and can you share the configuration or articles you were using?

 

thank you.

Highlighted
Cyber Elite

Re: What are you using to implement SNMPv3?

Hello,

Sounds like you might have two issues going on maybe. 

 

SNMP v3: To provide access to all management information, use the top-level OID 1.3.6.1, set the Mask to 0xf0, and set the matching Option to include.

 

https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-setup-oper...

 

Then in Solarwinds, you need to 'List Resources' for the PAN node and do a 'Force Refresh'. This should list everything for the PAN.

 

NETFLOW: Make sure you have the correct destination IP and port. Then in the 'service route configuration' make sure its going out the correct interface (management port by default) allong with any security policies to allow the traffic.

 

Hope that helps.

Highlighted
L3 Networker

Re: What are you using to implement SNMPv3?

Hi @OtakarKlier

 

I changed according to your reply and there was a little chnage.

 

There are still time gaps in the netflow data and it’s still not showing me end node talker data.

 

do you familiar with it?

 

Thank you.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!