Configure SNMP
Enable SNMP on the appliance to monitor the appliance from your existing Network Management System. You can configure an SNMP agent on the appliance so that the SNMP manager can poll the appliance to get the status of the supported OIDs using v2c or v3 queries. For more information on the supported OIDs, see Standard OIDs and Custom OIDs.
The appliance can also send trap notifications to the trap receiver in your network when SNMP traps are configured on the appliance.
Prerequisites
The following settings need to be configured before an appliance can start responding to SNMP queries.
- Access the appliance console using ssh.
- Log in using the nsadmin/nsappliance credentials. An nsshell opens.
- Enter configure to enter the nsshell configure mode.
- Configure the SNMP agent. See Configuring SNMP Agent.
- Configure the SNMP traps. See Configuring SNMP Traps.
Configuring SNMP Agent
Configure the SNMP agent so that the appliance responds to SNMP queries from the SNMP manager. Run these commands:
    set snmp agent enable true
    set snmp agent syscontact <email address>
    set snmp agent syslocation <location>
To poll the appliance using v2c queries, run:
    set snmp agent v2c rocommunity-string <string value>
    add snmp agent v2c allowed-network-list
    set snmp agent v2c allowed-network-list 0 network <IP address of the SNMP agent>
    save
To poll the appliance using v3 queries, run:
    set snmp agent v3 engine-id <engine-id>
    set snmp agent v3 usm auth username <username> key <passphrase> protocol [MD5|SHA]
    set snmp agent v3 usm privacy protocol [AES|DES] key <passphrase>
    save
The command descriptions are:
CLI Command | Description |
---|---|
set snmp agent enable | Enable/Disable SNMP agent on the appliance. When set to true, the appliance must be configured as v2c or v3 agent. |
set snmp agent syscontact | Set the system contact information (admin email etc). For example, admin@localskope.local. |
set snmp agent syslocation | Set the system location. For example, "Los Altos HQ". |
set snmp agent v2c rocommunity-string | Provide a string value. The string configured here will be used in snmpwalk/snmpget commands from the SNMP manager to access the information exposed. If the value does not match the one configured, the relevant information will not be returned. It is used as access control in SNMPv2. |
set snmp agent v2c allowed-network-list | (Optional) Provide the list of hosts/subnets. |
set snmp agent v3 engine-id | (Optional) Set the engine identifier of the SNMP agent in hex format. For example, 0x0102030405. |
set snmp agent v3 usm auth username | Set the username to authenticate a user with the SNMP agent. |
set snmp agent v3 usm auth key | Set the password required to connect with the SNMP agent. |
set snmp agent v3 usm auth protocol | Choose a hash function, "MD5" or "SHA" to store the data exchanged between the SNMP agent on the appliance and the SNMP manager. |
set snmp agent v3 usm privacy protocol | (Optional) Choose an encryption type, "AES" or "DES" to encrypt the traffic between the SNMP agent on the appliance and the SNMP manager. |
set snmp agent v3 usm privacy key | (Optional) Set the password required to access the encrypted data on the SNMP agent. |
Configuring SNMP Traps
Configure SNMP traps on the appliance to send trap notifications to the SNMP trap receiver. Run these commands:
    set snmp traps server <hostname or IP address>
To send SNMP v2c traps to the trap receiver, run:
    set snmp traps v2c enable true
    save
To send SNMP v3 traps to the trap receiver, run:
    set snmp traps v3 enable true
    set snmp traps v3 use-agent-settings [true|false]
    set snmp traps v3 engine-id <engine-id>
    set snmp traps v3 usm auth username <username> key <passphrase> protocol [MD5|SHA]
    set snmp traps v3 usm privacy protocol [AES|DES] key <passphrase>
    save
The command descriptions are:
CLI Command | Description |
---|---|
set snmp traps server | Provide the hostname or IP address of the SNMP trap receiver so that the appliance can send v2c or v3 traps. |
set snmp traps v2c enable | When set to true, the appliance sends v2c trap notifications to the trap receiver. |
set snmp traps v3 enable | When set to true, the appliance sends v3 trap notifications to the trap receiver. |
set snmp traps v3 use-agent-settings | Set to true if you want to use the same v3 usm authentication and privacy configurations as the SNMP agent. Otherwise, configure v3 usm authentication and privacy for the trap client on the appliance. |
set snmp traps v3 engine-id | Set the engine identifier of the trap client. This is required if use-agent-settings is not set. |
set snmp traps v3 usm auth username | Set the username to authenticate a user with the trap client. |
set snmp traps v3 usm auth key | (Optional) Set the password required to connect with the trap client. |
set snmp traps v3 usm auth protocol | Choose a hash function, "MD5" or "SHA" to store the data exchanged between the trap client on the appliance and the trap receiver. |
set snmp traps v3 usm privacy protocol | (Optional) Choose an encryption type, "AES" or "DES" to encrypt the traffic between the trap client on the appliance and the trap receiver. |
set snmp traps v3 usm privacy key | (Optional) Set the password required to access the encrypted data on the appliance. |
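The agent and trap commands above leave several security-relevant choices open: v2c or v3, MD5 or SHA, DES or AES, and optional privacy and allowed-network-list settings. The following added example (not part of the appliance or its documentation) reviews a saved command list for the weaker choices; the function name audit, the sample values, and the reading of a missing allowed-network-list as "no source filtering" are assumptions.

```python
import re

# Constructed sample in the command syntax shown on this page; all values are made up.
SAMPLE = """\
set snmp agent enable true
set snmp agent v2c rocommunity-string public
set snmp agent v3 usm auth username monitor key <passphrase> protocol MD5
set snmp agent v3 usm privacy protocol DES key <passphrase>
set snmp traps v3 enable true
set snmp traps v3 use-agent-settings false
set snmp traps v3 usm auth username trapuser key <passphrase> protocol SHA
save
"""

def audit(config_text):
    """Return (scope, finding) pairs for weak agent or trap settings."""
    state = {"agent": {}, "traps": {}}
    for line in config_text.splitlines():
        m = re.match(r"\s*(?:set|add) snmp (agent|traps) (.+)", line)
        if not m:
            continue
        s, rest = state[m.group(1)], m.group(2).split()
        if rest[:2] == ["v2c", "rocommunity-string"] or rest[:3] == ["v2c", "enable", "true"]:
            s["v2c"] = True
        elif rest[:2] == ["v2c", "allowed-network-list"] and "network" in rest:
            s["acl"] = True
        elif rest[:3] == ["v3", "use-agent-settings", "true"]:
            s["inherit"] = True
        elif rest[:3] in (["v3", "usm", "auth"], ["v3", "usm", "privacy"]):
            opts = dict(zip(rest[3::2], rest[4::2]))  # keyword/value pairs
            if "protocol" in opts:
                s[rest[2]] = opts["protocol"].upper()
    agent, traps = state["agent"], state["traps"]
    if traps.get("inherit"):  # trap client reuses the agent's USM settings
        traps = {**traps, "auth": agent.get("auth"), "privacy": agent.get("privacy")}
    findings = []
    for scope, s in (("agent", agent), ("traps", traps)):
        if s.get("v2c"):
            findings.append((scope, "v2c: community string is sent in cleartext"))
            # Assumption: with no allowed-network-list, queries are not filtered by source.
            if scope == "agent" and not s.get("acl"):
                findings.append((scope, "v2c: no allowed-network-list"))
        if s.get("auth") == "MD5":
            findings.append((scope, "v3 auth: MD5 chosen, SHA available"))
        if s.get("auth") and not s.get("privacy"):
            findings.append((scope, "v3: no privacy protocol, traffic is not encrypted"))
        elif s.get("privacy") == "DES":
            findings.append((scope, "v3 privacy: DES chosen, AES available"))
    return findings
```

A configuration that uses v3 only, with SHA and AES, and sets use-agent-settings to true for traps returns an empty list.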
Standard OIDs
These are the standard OIDs.
OID | Description | Values |
---|---|---|
SNMPv2-MIB::sysDescr | Standard system description. | STRING: Linux lcsnmp 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 |
DISMAN-EVENT-MIB::sysUpTimeInstance | Ticks since snmp agent has been up. | Timeticks: (2515) 0:00:25.15 |
SNMPv2-MIB::sysName | Hostname can be used for this. By default SNMP agent picks up the hostname. | Hostname set by CLI (set system hostname). |
SNMPv2-MIB::sysContact | Standard SNMP configuration parameter. | Set by CLI: set snmp agent syscontact |
SNMPv2-MIB::sysLocation | Standard SNMP configuration parameter. | Set by CLI: set snmp agent syslocation |
SNMPv2-MIB::sysObjectID | Standard SNMP configuration parameter. | OID: NET-SNMP-MIB::netSnmpAgentOIDs.10 |
HOST-RESOURCES-MIB::hrSystemUptime | Actual system up time. | Timeticks: (381446115) 44 days, 3:34:21.15 |
UCD-SNMP-MIB::systemStats | System wide statistics. | CLI command: snmpwalk -v 2c -c appliancecom 172.18.78.228 UCD-SNMP-MIB::systemStats |
UCD-SNMP-MIB::memory | Memory usage statistics. | CLI command: snmpwalk -v 2c -c appliancecom 172.18.78.228 UCD-SNMP-MIB::memory |
UCD-SNMP-MIB::laTable | CPU load average information. | CLI command: snmpwalk -v 2c -c appliancecom 10.136.127.239 UCD-SNMP-MIB::laTable |
UCD-SNMP-MIB::dskTable | Disk watching information. | CLI command: snmpwalk -v 2c -c appliancecom 10.136.127.239 UCD-SNMP-MIB::dskTable |
IF-MIB::interfaces | Interface information. | CLI command: snmpwalk -v 2c -c appliancecom 10.136.127.239 IF-MIB::interfaces |
Custom OIDs
The official Private Enterprise Number (PEN) assigned to Netskope by IANA (http://www.iana.org/assignments/enterprise-numbers) is 48007.
OID | Description | Values |
---|---|---|
enabledServices | Different services that are enabled on the box. For example: Management Plane, OPLP, Forwarder, and so on. | Possible values are: Management-Plane, Tap, Forwarder, Forward-Proxy, DNS-Proxy, PAC-Server, Log-Processing, OPLP, and Database. Sample output: [DNS-Proxy,PAC-Server,OPLP] |
dataplaneStatus | Mirroring DP health check (configure> set dataplane healthcheck enable true). | Integer values are: 1 = Up, 2 = Down, and 3 = Unknown |
managementplaneStatus | Whether the appliance is connected to the Management Plane. If connected, detailed monitoring status is available through the Management Plane. | Integer values are: 1 = Up, 2 = Down, and 3 = Unknown |
lastConnectedToMP | The last time when there was a successful connection to the MP. | String as date-time. For example: "Thu, 02 Jun 2016 21:28:27" |
deviceStatus | Represents the health of the appliance (as reported by the monitoring framework). If the device is a management plane appliance, the status represents the health of services like Zookeeper, Kafka and Mongo. If the device is not a management plane appliance, it represents the status of log management or any other relevant service for that mode. | Integer values are: 1 = Good, 2 = Bad, and 3 = Unknown |
oplpStatus | The status for the On-Premises Log Parser (OPLP). | Integer values are: 1 = Up, 2 = Down |
dpopStatus | The status for the Dataplane On-Premises Appliance (DPoP). | Integer values are: 1 = Up, 2 = Down |
haState | The state for high availability (HA). The result is the same as CLI (show dataplane ha environment). | Integer values are: 1 = Master, 2 = Backup, 3 = Fault, 4 = Unknown |
SNMP Traps
Set up an SNMP traps receiver on your SNMP server to receive SNMP trap notifications from the appliance. The appliance uses the following SNMP trap notification OIDs.
OID | Description | Values |
---|---|---|
mpConnectionNotif | Whenever the management plane connection status changes, a notification will be sent to the trap server. | N/A |
deviceStatusNotif | Whenever the device status changes, a notification will be sent to the trap server. | N/A |
cpuUsageNotif | Whenever CPU usage is higher than 90%, a notification will be sent to the trap server. | Integer values are: 1 = Normal, 2 = High |
Make sure the daemon that receives the SNMP traps (snmptrapd) is running.
To set up the traps receiver:
- On your SNMP server, go to the directory you want to use as your working directory. For example, cd /Users/snmpuser/.
- Create a config file for snmptrapd (snmptrapd.conf), which just has one line.

    cat snmptrapd.conf
    disableAuthorization yes

- Start the snmptrapd.

    sudo snmptrapd -f -Lo -c snmptrapd.conf

- Note this system’s IP address, which should be reachable from the appliance you want to send the traps from.
- On the appliance, configure that IP address as snmp traps server and make sure SNMP is enabled.

    set snmp traps server <hostname or IP address>

- When the management plane connection state changes, you should see a notification on the SNMP server similar to:

    2016-09-29 18:19:24 <UNKNOWN> [UDP: [192.168.64.36]:55034->[0.0.0.0]:0]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (28067711) 3 days, 5:57:57.11 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.48007.5 SNMPv2-SMI::enterprises.48007.5.1 = INTEGER: 0

Note the value after INTEGER: is 0, which reflects the current state of the management plane connection. Refer to managementplaneStatus in the Custom OIDs table for more value descriptions.
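With disableAuthorization yes, snmptrapd accepts notifications from any sender, so whatever consumes its log should check the source address itself. The following added example (not part of the appliance or of Net-SNMP) parses a record like the one above, checks the sender against an allowlist, and decodes the status value. The names parse_trap and known_appliances are hypothetical, and treating enterprises.48007.5 as the management plane notification is an assumption taken from the sample.

```python
import re

# Status values from the managementplaneStatus row of the Custom OIDs table.
MP_STATUS = {1: "Up", 2: "Down", 3: "Unknown"}
PEN = "SNMPv2-SMI::enterprises.48007"   # enterprise subtree as printed by snmptrapd
MP_TRAP = PEN + ".5"                    # assumption: the trap OID seen in the page's sample

# The sample notification from this page, as one snmptrapd log record.
SAMPLE = ("2016-09-29 18:19:24 <UNKNOWN> [UDP: [192.168.64.36]:55034->[0.0.0.0]:0]: "
          "DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (28067711) 3 days, 5:57:57.11 "
          "SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.48007.5 "
          "SNMPv2-SMI::enterprises.48007.5.1 = INTEGER: 0")

# name = TYPE: value, where the value runs up to the next "name = " or end of record
VARBIND = re.compile(r"(\S+::\S+) = (\w+): (.*?)(?=\s+\S+::\S+ = |$)")

def parse_trap(record, known_appliances):
    """Parse one snmptrapd record; known_appliances is a set of expected sender IPs."""
    src = re.search(r"\[UDP: \[([^\]]+)\]:\d+->", record)
    source = src.group(1) if src else None
    varbinds = {n: (t, v.strip()) for n, t, v in VARBIND.findall(record)}
    trap_oid = varbinds.get("SNMPv2-MIB::snmpTrapOID.0", (None, None))[1]
    result = {"source": source, "trap_oid": trap_oid,
              "trusted_source": source in known_appliances, "status": {}}
    for name, (typ, val) in varbinds.items():
        if name.startswith(PEN + ".") and typ == "INTEGER":
            code = int(re.search(r"-?\d+", val).group())
            if trap_oid == MP_TRAP:
                # Values outside the documented table (0 in the sample) stay visible.
                label = MP_STATUS.get(code, f"undocumented ({code})")
            else:
                label = str(code)  # other notifications: keep the raw integer
            result["status"][name] = label
    return result
```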