Netskope Help

Configure SNMP 

Enable SNMP on the appliance to monitor the appliance from your existing Network Management System. You can configure an SNMP agent on the appliance so that the SNMP manager can poll the appliance to get the status of the supported OIDs using v2c or v3 queries. For more information on the supported OIDs, see Standard OIDs and Custom OIDs.

The appliance can also send trap notifications to the trap receiver in your network when SNMP traps are configured on the appliance.

Prerequisites

The following settings need to be configured before an appliance can start responding to SNMP queries.

  1. Access the appliance console using ssh.

  2. Log in using the nsadmin/nsappliance credentials. An nsshell opens.

  3. Enter configure to enter the nsshell configure mode.

  4. Configure the SNMP agent. See Configuring SNMP Agent.

  5. Configure the SNMP traps. See Configuring SNMP Traps.

Configuring SNMP Agent

Configure the SNMP agent so that the appliance responds to SNMP queries from the SNMP manager. Run these commands:

set snmp agent enable true
set snmp agent syscontact <email address>
set snmp agent syslocation <location>

To poll the appliance using v2c queries, run:

set snmp agent v2c rocommunity-string <string value>
add snmp agent v2c allowed-network-list
set snmp agent v2c allowed-network-list 0 network <IP address of the SNMP agent>
save

To poll the appliance using v3 queries, run:

set snmp agent v3 engine-id <engine-id>
set snmp agent v3 usm auth username <username> key <passphrase> protocol [MD5|SHA]
set snmp agent v3 usm privacy protocol [AES|DES] key <passphrase>
save

The command descriptions are: 

CLI Command

Description

set snmp agent

enable

Enable/Disable SNMP agent on the appliance. When set to true, the appliance must be configured as v2c or v3 agent.

syscontact

Set the system contact information (admin email etc). For example, admin@localskope.local.

syslocation

Set the system location. For example, "Los Altos HQ".

v2c rocommunity-string

Provide a string value. The string configured here will be used in snmpwalk/snmpget commands from the SNMP manager to access the information exposed. If the value does not match the one configured, the relevant information will not be returned. It is used as access control in SNMPv2.

v2c allowed-network-list

(Optional) Provide the list of hosts/subnets.

v3 engine-id

(Optional) Set the engine identifier of the SNMP agent in hex format. For example, 0x0102030405.

v3 usm auth

username

Set the username to authenticate a user with the SNMP agent.

key

Set the password required to connect with the SNMP agent.

protocol

Choose a hash function, "MD5" or "SHA" to store the data exchanged between the SNMP agent on the appliance and the SNMP manager.

v3 usm privacy

protocol

(Optional) Choose an encryption type, "AES" or "DES" to encrypt the traffic between the SNMP agent on the appliance and the SNMP manager.

key

(Optional) Set the password required to access the encrypted data on the SNMP agent.

Configuring SNMP Traps

Configure SNMP traps on the appliance to send trap notifications to the SNMP trap receiver. Run these commands:

set snmp traps server <hostname or IP address>

To send SNMP v2c traps to the trap receiver, run:

set snmp traps v2c enable true
save

To send SNMP v3 traps to the trap receiver, run:

set snmp traps v3 enable true 
set snmp traps v3 use-agent-settings [true|false]
set snmp traps v3 engine-id <engine-id>
set snmp traps v3 usm auth username <username> key <passphrase> protocol [MD5|SHA]
set snmp traps v3 usm privacy protocol [AES|DES] key <passphrase>
save

The command descriptions are:

CLI Command

Description

set snmp traps

server

Provide the hostname or IP address of the SNMP trap receiver so that the appliance can send v2c or v3 traps.

v2c enable

When set to true, the appliance sends v2c trap notifications to the trap receiver.

v3

enable

When set to true, the appliance sends v3 trap notifications to the trap receiver.

use-agent-settings

Set to true if you want to use the same v3 usm authentication and privacy configurations as the SNMP agent. Else, configure v3 usm authentication and privacy for the trap client on appliance.

engine-id

Set the engine identifier of the trap client. This is required if use-agent-settings is not set.

v3 usm auth

username

Set the username to authenticate a user with the trap client.

key

(Optional) Set the password required to connect with the trap client.

protocol

Choose a hash function, "MD5" or "SHA" to store the data exchanged between the trap client on the appliance and the trap receiver.

v3 usm privacy

protocol

(Optional) Choose an encryption type, "AES" or "DES" to encrypt the traffic between the trap client on the appliance and the trap receiver.

key

(Optional) Set the password required to access the encrypted data on the appliance.

Standard OIDs

These are the standard OIDs.

OID

Description

Values

SNMPv2-MIB::sysDescr

Standard system description.

STRING: Linux lcsnmp 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64

DISMAN-EVENT-MIB::sysUpTimeInstance

Ticks since snmp agent has been up.

Timeticks: (2515) 0:00:25.15

SNMPv2-MIB::sysName

Hostname can be used for this. By default SNMP agent picks up the hostname.

Hostname set by CLI (set system hostname).

SNMPv2-MIB::sysContact

Standard SNMP configuration parameter.

Set by CLI: set snmp agent syscontact

SNMPv2-MIB::sysLocation

Standard SNMP configuration parameter.

Set by CLI: set snmp agent syslocation

SNMPv2-MIB::sysObjectID

Standard SNMP configuration parameter.

OID: NET-SNMP-MIB::netSnmpAgentOIDs.10

HOST-RESOURCES-MIB::hrSystemUptime

Actual system up time.

Timeticks: (381446115) 44 days, 3:34:21.15

UCD-SNMP-MIB::systemStats

System wide statistics.

CLI command: snmpwalk -v 2c -c appliancecom172.18.78.228UCD-SNMP- MIB::systemStats

UCD-SNMP-MIB::memory

Memory usage statistics.

CLI command: snmpwalk -v 2c -c appliancecom172.18.78.228UCD-SNMP- MIB::memory

Custom OIDs

The official Private Enterprise Number (PEN) assigned to Netskope from IANA (http://www.iana.org/ assignments/enterprise-numbers) is 48007.

OID

Description

Values

enabledServices

Different services that are enabled on the box. For example: Management Plane, OPLP, Forwarder, and so on.

Possible values are: Management-Plane, Tap, Forwarder, Forward-Proxy, DNS-Proxy, PAC-Server, Log-Processing, OPLP, and Database. Sample output: [DNS-Proxy,PAC-Server,OPLP]

dataplaneStatus

Mirroring DP health check. configure> set dataplane healthcheck enable true.

Integer values are: 1 = Down, 2 = Up, and 3 = Unknown

managementplaneStatus

If the appliance is connected to Management Plane or not. If connected, detailed monitoring status is available through the Management Plane.

Integer values are: 1 = Connected, 2 = Disconnected/Error condition, 3 = On Appliance, 4 = Unknown

lastConnectedToMP

The last time when there was a successful connection to the MP.

String as date-time. For example: "Thu, 02 Jun 2016 21:28:27"

deviceStatus

Represents the health of the appliance (as reported by the monitoring framework).

If the device is a management plane appliance, the status represents the health of the services like Zookeeper, Kafka and Mongo.

If the device is not management plane appliance, it represents the status of log management or any other relevant service for that mode.

Integer values are: 1 = Good, 2 = Bad 3 = Unknown

Here's the Netskope MIB file:

NETSKOPE-APPLIANCE-MIB DEFINITIONS ::= BEGIN
IMPORTS
    OBJECT-TYPE, NOTIFICATION-TYPE, enterprises, MODULE-IDENTITY
          FROM SNMPv2-SMI
    NOTIFICATION-GROUP, OBJECT-GROUP, MODULE-COMPLIANCE
          FROM SNMPv2-CONF
;
netskopeApplianceMIB MODULE-IDENTITY
  LAST-UPDATED "200006140000Z"
  ORGANIZATION "Netskope"
  CONTACT-INFO "nauman@netskope.com"
  DESCRIPTION "Netskope Custom OIDs"
  REVISION "200006140000Z"
  DESCRIPTION "MIB file to represent state of Netskope Appliance"
  ::= {netskopeAppliance 6}
netskopeAppliance  OBJECT IDENTIFIER ::= {enterprises 48007}
netskopeApplianceMIBNotifs OBJECT IDENTIFIER ::= {netskopeApplianceMIB 0}
netskopeApplianceMIBNotifsGroups OBJECT IDENTIFIER ::= {netskopeApplianceMIB 1}
netskopeApplianceMIBObjects OBJECT IDENTIFIER ::= {netskopeApplianceMIB 2}
netskopeApplianceMIBGroups OBJECT IDENTIFIER ::= {netskopeApplianceMIB 3}
-- [= = = Administrative/Conformance = = =]
netskopeApplianceMIBConformance OBJECT IDENTIFIER ::= {netskopeApplianceMIB 4}
-- [= = = OIDs section = = =]
enabledServices OBJECT-TYPE
  SYNTAX OCTET STRING (SIZE(0..1024))
  MAX-ACCESS read-only
  STATUS current
  DESCRIPTION "Description of the modes the appliance is running in.
         Example: [DNS-Proxy,OPLP]"
  ::= {netskopeApplianceMIBObjects 1}
dataplaneStatus OBJECT-TYPE
  SYNTAX INTEGER { up(1), down(2), unknown(3) }
  MAX-ACCESS read-only
  STATUS current
  DESCRIPTION "Status of dataplane if applicable"
  ::= {netskopeApplianceMIBObjects 2}
managementplaneStatus OBJECT-TYPE
  SYNTAX INTEGER { up(1), down(2), onbox(3), unknown(4) }
  MAX-ACCESS read-only
  STATUS current
  DESCRIPTION "Status of the appliance connection to MP.
         Returns 2 if the box itself is the Management Plane."
  ::= {netskopeApplianceMIBObjects 3}
lastConnectedToMP OBJECT-TYPE
  SYNTAX OCTET STRING (SIZE(0..256))
  MAX-ACCESS read-only
  STATUS current
  DESCRIPTION "Timestamp when connection was made to MP last time.
         Example: Sun, 26 Jun 2016 20:13:16"
  ::= {netskopeApplianceMIBObjects 4}
deviceStatus OBJECT-TYPE
  SYNTAX INTEGER { good(1), bad(2), unknown(3) }
  MAX-ACCESS read-only
  STATUS current
  DESCRIPTION "Status of the appliance as seen by the MP."
  ::= {netskopeApplianceMIBObjects 5}
-- [= = = Grouping OIDs = = =]
netskopeApplianceGroup OBJECT-GROUP
  OBJECTS {
        enabledServices,
        dataplaneStatus,
        managementplaneStatus,
        lastConnectedToMP,
        deviceStatus
      }
  STATUS current
  DESCRIPTION "Group of Netskope Appliance OIDs"
  ::= {netskopeApplianceMIBGroups 1}
-- [= = = Traps/Notifications section = = =]
mpConnectionNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "MP Connection State Notification
        1 = Connected
        2 = Disconnected
        3 = The device itself is MP
        4 = Unknown"
  ::= {netskopeApplianceMIBNotifs 1}
deviceStatusNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Device State Change Notification
        1 = Healthy
        2 = Unhealthy: one or more services/functionality may be affected
        3 = Unknown"
  ::= {netskopeApplianceMIBNotifs 2}
deviceRebootedNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Device Rebooted Notification
         1 = Device rebooted"
  ::= {netskopeApplianceMIBNotifs 3}
storageRootNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Root partition usage Notification.
         1 = Normal
         2 = Medium
         3 = High"
  ::= {netskopeApplianceMIBNotifs 4}
storageMysqlNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Mysql partition usage Notification.
        1 = Normal
        2 = Medium
        3 = High"
  ::= {netskopeApplianceMIBNotifs 5}
storageMongoInfraNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Mongo Infrastructure partition usage Notification.
        1 = Normal
        2 = Medium
        3 = High"
  ::= {netskopeApplianceMIBNotifs 6}
storageLogNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Log processor partition usage Notification.
        1 = Normal
        2 = Medium
        3 = High"
  ::= {netskopeApplianceMIBNotifs 7}
storageKafkaBrokerNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Kafka Broker partition usage Notification.
        1 = Normal
        2 = Medium
        3 = High"
  ::= {netskopeApplianceMIBNotifs 8}
storageMongoEventNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Mongo Event parition usage Notification.
        1 = Normal
        2 = Medium
        3 = High"
  ::= {netskopeApplianceMIBNotifs 9}
reportjobWorkerNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Report job worker status Notification.
        1 = Running
        2 = Not Running"
  ::= {netskopeApplianceMIBNotifs 10}
reportjobSchedulerNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Report job scheduler status Notification.
        1 = Running
        2 = Not Running"
  ::= {netskopeApplianceMIBNotifs 11}
cfgagentConnectionNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Config agent connection status Notification.
        1 = Connection restored"
  ::= {netskopeApplianceMIBNotifs 12}
mysqlNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Mysql status Notification.
        1 = Running
        2 = Not Running"
  ::= {netskopeApplianceMIBNotifs 13}
eventflowNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Event flow from device Notification.
        1 = Restored
        2 = Affected"
  ::= {netskopeApplianceMIBNotifs 14}
filesNotUploaded24hNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "File upload status Notification.
        1 = Success
        2 = At least 5 files not uploaded within last 24 hours"
  ::= {netskopeApplianceMIBNotifs 15}
filesNotUploaded48hNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "File upload status Notification.
        1 = Success
        2 = At least 5 files not uploaded within last 48 hours"
  ::= {netskopeApplianceMIBNotifs 16}
filesNotPicked24hNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "File picked status Notification.
        1 = Success
        2 = At least 1 file not uploaded within last 24 hours"
  ::= {netskopeApplianceMIBNotifs 17}
filesNotPicked48hNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "File picked status Notification.
        1 = Success
        2 = At least 1 files not uploaded within last 48 hours"
  ::= {netskopeApplianceMIBNotifs 18}
queryServiceStatusNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Query service status Notification.
        1 = Running
        2 = Not running"
  ::= {netskopeApplianceMIBNotifs 19}
eventServiceStatusNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Event service status Notification.
        1 = Running
        2 = Not running"
  ::= {netskopeApplianceMIBNotifs 20}
mongoSStatusNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "MongoS status Notification.
        1 = Running
        2 = Not running"
  ::= {netskopeApplianceMIBNotifs 21}
mongoDBStatusNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "MongoDB status Notification.
        1 = Running
        2 = Not running"
  ::= {netskopeApplianceMIBNotifs 22}
threatfeedAgeNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Threatfeed age status Notification.
        1 = Up to date
        2 = Outdated"
  ::= {netskopeApplianceMIBNotifs 23}
authProxyStatusNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Auth Proxy status Notification.
        1 = Running
        2 = Not running"
  ::= {netskopeApplianceMIBNotifs 24}
noEventsFromDeviceNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Event generation status Notification.
        1 = Events from device are being successfully sent
        2 = Events from device not received during last 24 hrs"
  ::= {netskopeApplianceMIBNotifs 25}
noMetricsFromDeviceNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Metrics generation status Notification.
        1 = Metrics from device are being successfully sent
        2 = Metrics from device are not received during last 6 hrs"
  ::= {netskopeApplianceMIBNotifs 26}
storageSecurestoreNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "SecureStore partition usage Notification.
        1 = Normal
        2 = Medium
        3 = High"
  ::= {netskopeApplianceMIBNotifs 27}
storageUpgradeNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Upgrade partition usage Notification.
        1 = Normal
        2 = Medium
        3 = High"
  ::= {netskopeApplianceMIBNotifs 28}
callhomeConnectivityNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Callhome service Connectivity Notification
         1 = Reachable
         2 = Not Reachable"
  ::= {netskopeApplianceMIBNotifs 29}
downloaderConnectivityNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Downloader Connectivity Notification
         1 = Reachable
         2 = Not Reachable"
  ::= {netskopeApplianceMIBNotifs 30}
configsvcConnectivityNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Config service Connectivity Notification
         1 = Reachable
         2 = Not Reachable"
  ::= {netskopeApplianceMIBNotifs 31}
uploadConnectivityNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Upload Connectivity Notification
         1 = Reachable
         2 = Not Reachable"
  ::= {netskopeApplianceMIBNotifs 32}
loguploadConnectivityNotif NOTIFICATION-TYPE
  STATUS current
  DESCRIPTION "Logupload Connectivity Notification
         1 = Reachable
         2 = Not Reachable"
  ::= {netskopeApplianceMIBNotifs 33}
-- [= = = Grouping Traps/Notifications = = =]
netskopeApplianceNotifGroup NOTIFICATION-GROUP
  NOTIFICATIONS {
        mpConnectionNotif,
        deviceStatusNotif,
        deviceRebootedNotif,
        storageRootNotif,
        storageMysqlNotif,
        storageMongoInfraNotif,
        storageLogNotif,
        storageKafkaBrokerNotif,
        storageMongoEventNotif,
        reportjobWorkerNotif,
        reportjobSchedulerNotif,
        cfgagentConnectionNotif,
        mysqlNotif,
        eventflowNotif,
        filesNotUploaded24hNotif,
        filesNotUploaded48hNotif,
        filesNotPicked24hNotif,
        filesNotPicked48hNotif,
        queryServiceStatusNotif,
        eventServiceStatusNotif,
        mongoSStatusNotif,
        mongoDBStatusNotif,
        threatfeedAgeNotif,
        authProxyStatusNotif,
        noEventsFromDeviceNotif,
        noMetricsFromDeviceNotif,
        storageSecurestoreNotif,
        storageUpgradeNotif,
        callhomeConnectivityNotif,
        downloaderConnectivityNotif,
        configsvcConnectivityNotif,
        uploadConnectivityNotif,
        loguploadConnectivityNotif
      }
  STATUS current
  DESCRIPTION "Group for Netskope Appliance Notifications"
  ::= {netskopeApplianceMIBNotifsGroups 1}
-- [= = = Conformance Information = = =]
netskopeApplianceMIBCompliances
  OBJECT IDENTIFIER ::= {netskopeApplianceMIBConformance 1}
netskopeApplianceMIBCompliance MODULE-COMPLIANCE
  STATUS current
  DESCRIPTION "The compliance statement for Netskope Appliance"
  MODULE -- this module
  MANDATORY-GROUPS {
        netskopeApplianceGroup,
        netskopeApplianceNotifGroup
       }
  ::= { netskopeApplianceMIBCompliances 1}
END
SNMP Traps

Setup an SNMP traps receiver on your SNMP server to receive SNMP traps notifications from the appliance. The appliance uses the following SNMP traps notification OIDs.

OID

Description

Values

mpConnectionNotif

Whenever the management plane connection status changes, a notification will be sent to the trap server.

N/A

deviceStatusNotif

Whenever the device status changes, a notification will be sent to the trap server.

N/A

Make sure the daemon that receives the SNMP traps (snmptrapd) is running.

To set up the traps receiver,

  1. On your SNMP server, go to the directory you want to use as your working directory. For example, cd /Users/snmpuser/.

  2. Create a config file for snmptrapd (snmptrapd.conf), which just has one line.

    cat snmptrapd.conf 
    disableAuthorization yes
  3. Start the snmptrapd.

    sudo snmptrapd -f -Lo -c snmptrapd.conf
  4. Note this system's IP address, which should be reachable from the appliance you want to send the traps from.

  5. On the appliance, configure that IP address as snmp traps server and make sure SNMP is enabled.

    set snmp traps server <hostname or IP address>
  6. When the management plane connection state changes, you should see a notification on the SNMP server similar to:

    2016-09-29 18:19:24 <UNKNOWN> [UDP: [192.168.64.36]:55034->[0.0.0.0]:0]:
    DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (28067711) 3 days, 5:57:57.11  
    SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.48007.5    
    SNMPv2-SMI::enterprises.48007.5.1 = INTEGER: 0
    

    Note the value after INTEGER: is 0, which reflects the current state of the management plane connection. Refer to managementplaneStatus in the Custom OIDs table for more value descriptions.