Configure SNMP 

Configure SNMP 

Enable SNMP on the appliance to monitor the appliance from your existing Network Management System. You can configure an SNMP agent on the appliance so that the SNMP manager can poll the appliance to get the status of the supported OIDs using v2c or v3 queries. For more information on the supported OIDs, see Standard OIDs and Custom OIDs.

The appliance can also send trap notifications to the trap receiver in your network when SNMP traps are configured on the appliance.

Prerequisites

The following settings need to be configured before an appliance can start responding to SNMP queries.

  1. Access the appliance console using ssh.
  2. Log in using the nsadmin/nsappliance credentials. An nsshell opens.
  3. Enter configure to enter the nsshell configure mode.
  4. Configure the SNMP agent. See Configuring SNMP Agent.
  5. Configure the SNMP traps. See Configuring SNMP Traps.

Configuring SNMP Agent

Configure the SNMP agent so that the appliance responds to SNMP queries from the SNMP manager. Run these commands:

set snmp agent enable true
set snmp agent syscontact <email address>
set snmp agent syslocation <location>

To poll the appliance using v2c queries, run:

set snmp agent v2c rocommunity-string <string value>
add snmp agent v2c allowed-network-list
set snmp agent v2c allowed-network-list 0 network <IP address of the SNMP agent>
save

To poll the appliance using v3 queries, run:

set snmp agent v3 engine-id <engine-id>
set snmp agent v3 usm auth username <username> key <passphrase> protocol [MD5|SHA]
set snmp agent v3 usm privacy protocol [AES|DES] key <passphrase>
save

The command descriptions are: 

CLI CommandDescription
set snmp agentenableEnable/Disable SNMP agent on the appliance. When set to true, the appliance must be configured as v2c or v3 agent.
syscontactSet the system contact information (admin email etc). For example, admin@localskope.local.
syslocationSet the system location. For example, "Los Altos HQ".
v2c rocommunity-stringProvide a string value. The string configured here will be used in snmpwalk/snmpget commands from the SNMP manager to access the information exposed. If the value does not match the one configured, the relevant information will not be returned. It is used as access control in SNMPv2.
v2c allowed-network-list(Optional) Provide the list of hosts/subnets.
v3 engine-id(Optional) Set the engine identifier of the SNMP agent in hex format. For example, 0x0102030405.
v3 usm authusernameSet the username to authenticate a user with the SNMP agent.
keySet the password required to connect with the SNMP agent.
protocolChoose a hash function, "MD5" or "SHA" to store the data exchanged between the SNMP agent on the appliance and the SNMP manager.
v3 usm privacyprotocol(Optional) Choose an encryption type, "AES" or "DES" to encrypt the traffic between the SNMP agent on the appliance and the SNMP manager.
key(Optional) Set the password required to access the encrypted data on the SNMP agent.

Configuring SNMP Traps

Configure SNMP traps on the appliance to send trap notifications to the SNMP trap receiver. Run these commands:

set snmp traps server <hostname or IP address>

To send SNMP v2c traps to the trap receiver, run:

set snmp traps v2c enable true
save

To send SNMP v3 traps to the trap receiver, run:

set snmp traps v3 enable true 
set snmp traps v3 use-agent-settings [true|false]
set snmp traps v3 engine-id <engine-id>
set snmp traps v3 usm auth username <username> key <passphrase> protocol [MD5|SHA]
set snmp traps v3 usm privacy protocol [AES|DES] key <passphrase>
save

The command descriptions are:

CLI CommandDescription
set snmp trapsserverProvide the hostname or IP address of the SNMP trap receiver so that the appliance can send v2c or v3 traps.
v2c enableWhen set to true, the appliance sends v2c trap notifications to the trap receiver.
v3enableWhen set to true, the appliance sends v3 trap notifications to the trap receiver.
use-agent-settingsSet to true if you want to use the same v3 usm authentication and privacy configurations as the SNMP agent. Else, configure v3 usm authentication and privacy for the trap client on appliance.
engine-idSet the engine identifier of the trap client. This is required if use-agent-settings is not set.
v3 usm authusernameSet the username to authenticate a user with the trap client.
key(Optional) Set the password required to connect with the trap client.
protocolChoose a hash function, "MD5" or "SHA" to store the data exchanged between the trap client on the appliance and the trap receiver.
v3 usm privacyprotocol(Optional) Choose an encryption type, "AES" or "DES" to encrypt the traffic between the trap client on the appliance and the trap receiver.
key(Optional) Set the password required to access the encrypted data on the appliance.

Standard OIDs

These are the standard OIDs.

OIDDescriptionValues
SNMPv2-MIB::sysDescrStandard system description.STRING: Linux lcsnmp 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64
DISMAN-EVENT-MIB::sysUpTimeInstanceTicks since snmp agent has been up.Timeticks: (2515) 0:00:25.15
SNMPv2-MIB::sysNameHostname can be used for this. By default SNMP agent picks up the hostname.Hostname set by CLI (set system hostname).
SNMPv2-MIB::sysContactStandard SNMP configuration parameter.Set by CLI: set snmp agent syscontact
SNMPv2-MIB::sysLocationStandard SNMP configuration parameter.Set by CLI: set snmp agent syslocation
SNMPv2-MIB::sysObjectIDStandard SNMP configuration parameter.OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
HOST-RESOURCES-MIB::hrSystemUptimeActual system up time.Timeticks: (381446115) 44 days, 3:34:21.15
UCD-SNMP-MIB::systemStatsSystem wide statistics.CLI command: snmpwalk -v 2c -c appliancecom172.18.78.228UCD-SNMP- MIB::systemStats
UCD-SNMP-MIB::memoryMemory usage statistics.CLI command: snmpwalk -v 2c -c appliancecom172.18.78.228UCD-SNMP- MIB::memory
UCD-SNMP-MIB::laTableCPU load average information.CLI command: snmpwalk -v 2c -c appliancecom 10.136.127.239 UCD-SNMP-MIB::laTable
UCD-SNMP-MIB::dskTableDisk watching information.CLI command: snmpwalk -v 2c -c appliancecom 10.136.127.239 UCD-SNMP-MIB::dskTable
IF-MIB::interfacesInterface information.CLI command: snmpwalk -v 2c -c appliancecom 10.136.127.239 IF-MIB::interfaces

Custom OIDs

The official Private Enterprise Number (PEN) assigned to Netskope from IANA (http://www.iana.org/ assignments/enterprise-numbers) is 48007.

OIDDescriptionValues
enabledServicesDifferent services that are enabled on the box. For example: Management Plane, OPLP, Forwarder, and so on.Possible values are: Management-Plane, Tap, Forwarder, Forward-Proxy, DNS-Proxy, PAC-Server, Log-Processing, OPLP, and Database. Sample output: [DNS-Proxy,PAC-Server,OPLP]
dataplaneStatusMirroring DP health check. configure> set dataplane healthcheck enable true.Integer values are: 1 = Up, 2 = Down, and 3 = Unknown
managementplaneStatusIf the appliance is connected to Management Plane or not. If connected, detailed monitoring status is available through the Management Plane.Integer values are: 1 = Up, 2 = Down, and 3 = Unknown
lastConnectedToMPThe last time when there was a successful connection to the MP.String as date-time. For example: "Thu, 02 Jun 2016 21:28:27"
deviceStatusRepresents the health of the appliance (as reported by the monitoring framework).

If the device is a management plane appliance, the status represents the health of the services like Zookeeper, Kafka and Mongo.

If the device is not management plane appliance, it represents the status of log management or any other relevant service for that mode.

Integer values are: 1 = Good, 2 = Bad 3 = Unknown
oplpStatusThe status for the On-Premises Log Parser (OPLP).Integer values are: 1 = Up, 2 = Down
dpopStatusThe status for the Dataplane On-Premises Appliance (DPoP).Integer values are: 1 = Up, 2 = Down
haStateThe state for high availability (HA).
The result is the same as CLI (show dataplane ha environment).
Integer values are: 1 = Master, 2 = Backup, 3 = Fault, 4 = Unknown

SNMP Traps

Setup an SNMP traps receiver on your SNMP server to receive SNMP traps notifications from the appliance. The appliance uses the following SNMP traps notification OIDs.

OIDDescriptionValues
mpConnectionNotifWhenever the management plane connection status changes, a notification will be sent to the trap server.N/A
deviceStatusNotifWhenever the device status changes, a notification will be sent to the trap server.N/A
cpuUsageNotifWhenever CPU usage is higher than 90%, a notification will be sent to the trap server.Integer values are: 1 = Normal, 2 = High

Make sure the daemon that receives the SNMP traps (snmptrapd) is running.

To set up the traps receiver,

  1. On your SNMP server, go to the directory you want to use as your working directory. For example, cd /Users/snmpuser/.
  2. Create a config file for snmptrapd (snmptrapd.conf), which just has one line.
    cat snmptrapd.conf 
    disableAuthorization yes
  3. Start the snmptrapd.
    sudo snmptrapd -f -Lo -c snmptrapd.conf
  4. Note this system’s IP address, which should be reachable from the appliance you want to send the traps from.
  5. On the appliance, configure that IP address as snmp traps server and make sure SNMP is enabled.
    set snmp traps server <hostname or IP address>
  6. When the management plane connection state changes, you should see a notification on the SNMP server similar to:
    2016-09-29 18:19:24 <UNKNOWN> [UDP: [192.168.64.36]:55034->[0.0.0.0]:0]:
    DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (28067711) 3 days, 5:57:57.11  
    SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.48007.5    
    SNMPv2-SMI::enterprises.48007.5.1 = INTEGER: 0
    

    Note the value after INTEGER: is 0, which reflects the current state of the management plane connection. Refer to managementplaneStatus in the Custom OIDs table for more value descriptions.

Share this Doc

Configure SNMP 

Or copy link

In this topic ...