SNMP

This chapter describes common SNMP counters and traps that are commonly used to monitor the Cisco Firepower Threat Defense.

About SNMP

SNMP is an application-layer protocol that facilitates the exchange of management information between network devices and is part of the TCP/IP protocol suite. The Firepower Threat Defense provides support for network monitoring using SNMP Versions 1, 2c, and 3, and support the use of all three versions simultaneously. The SNMP agent running on the Firepower Threat Defense interface lets you monitor the network devices through network management systems (NMSes), such as HP OpenView. The Firepower Threat Defense supports SNMP read-only access through issuance of a GET request. SNMP write access is not allowed, so you cannot make changes with SNMP. In addition, the SNMP SET request is not supported.

You can configure the Firepower Threat Defense to send traps, which are unsolicited messages from the managed device to the management station for certain events (event notifications) to an NMS, or you can use the NMS to browse the Management Information Bases (MIBs) on the security devices. MIBs are a collection of definitions, and the Firepower Threat Defense maintain a database of values for each definition. Browsing a MIB means issuing a series of GET-NEXT or GET-BULK requests of the MIB tree from the NMS to determine values.

An SNMP agent notifies the designated management stations if events occur that are predefined to require a notification, for example, when a link in the network goes up or down. The notification it sends includes an SNMP OID, which identifies itself to the management stations. The agent also replies when a management station asks for information.

SNMP Terminology

The following table lists the terms that are commonly used when working with SNMP.

Table 1. SNMP Terminology

Term

Description

Agent

The SNMP server running on the Firepower Threat Defense. The SNMP agent has the following features:

  • Responds to requests for information and actions from the network management station.

  • Controls access to its Management Information Base, the collection of objects that the SNMP manager can view or change.

  • Does not allow SET operations.

Browsing

Monitoring the health of a device from the network management station by polling required information from the SNMP agent on the device. This activity may include issuing a series of GET-NEXT or GET-BULK requests of the MIB tree from the network management station to determine values.

Management Information Bases (MIBs)

Standardized data structures for collecting information about packets, connections, buffers, failovers, and so on. MIBs are defined by the product, protocols, and hardware standards used by most network devices. SNMP network management stations can browse MIBs and request specific data or events be sent as they occur.

Network management stations (NMSs)

The PCs or workstations set up to monitor SNMP events and manage devices.

Object identifier (OID)

The system that identifies a device to its NMS and indicates to users the source of information monitored and displayed.

Trap

Predefined events that generate a message from the SNMP agent to the NMS. Events include alarm conditions such as linkup, linkdown, coldstart, warmstart, authentication, or syslog messages.

MIBs and Traps

MIBs are either standard or enterprise-specific. Standard MIBs are created by the IETF and documented in various RFCs. A trap reports significant events occurring on a network device, most often errors or failures. SNMP traps are defined in either standard or enterprise-specific MIBs. Standard traps are created by the IETF and documented in various RFCs. SNMP traps are compiled into the ASA software.

If needed, you can also download RFCs, standard MIBs, and standard traps from the following locations:

http://www.ietf.org/

Browse the SNMP Object Navigator to look up Cisco MIBs, traps, and OIDs from the following location:

https://snmp.cloudapps.cisco.com/Support/SNMP/do/BrowseOID.do?local=en

In addition, download Cisco OIDs by FTP from the following location:

ftp://ftp.cisco.com/pub/mibs/oid/oid.tar.gz

Supported Tables and Objects in MIBs

The following sections list the supported tables and objects for the specified MIBs.

Remote Access VPN Polling

Table 2. CISCO-REMOTE-ACCESS-MONITOR-MIB

Counter

OID

Description

Active Sessions

crasNumSessions

(1.3.6.1.4.1.9.9.392.1.3.1)

The number of currently active sessions.

Users

crasNumUsers

(1.3.6.1.4.1.9.9.392.1.3.3)

The number of users who have active sessions.

Peak Sessions

crasNumPeakSessions

(1.3.6.1.4.1.9.9.392.1.3.41)

The number of peak RA sessions since system up.

Site-to-Site VPN Tunnel Polling

Table 3. CISCO-REMOTE-ACCESS-MONITOR-MIB

Counter

OID

Description

LAN to LAN Sessions

crasL2LNumSessions

(1.3.6.1.4.1.9.9.392.1.3.29)

The number of currently active LAN to LAN sessions.

Peak LAN to LAN Sessions

crasL2LPeakConcurrentSessions

(1.3.6.1.4.1.9.9.392.1.3.31)

The number of peak concurrent LAN to LAN sessions since the system is up.

Connection Polling

Table 4. CISCO-FIREWALL-MIB

Counter

OID

Description

Active Connections

cfwConnectionActive

(1.3.6.1.4.1.9.9.147.1.2.2.2.1.3.40.6)

The number of connections currently in use by the entire firewall.

Peak Connections

cfwConnectionPeak

(1.3.6.1.4.1.9.9.147.1.2.2.2.1.3.40.7)

The highest number of connections in use at any one time since system startup.

Connections Per Second

cfwConnectionPerSecond

(1.3.6.1.4.1.9.9.147.1.2.2.3)

The current connections per second rate on the firewall.

Peak Connections Per Second

cfwConnectionPerSecondPeak

(1.3.6.1.4.1.9.9.147.1.2.2.4)

The highest number of connections per second on the firewall since system startup.

NAT Translation Polling

Table 5. CISCO-NAT-EXT-MIB

Counter

OID

Description

Active Translations

cneAddrTranslationNumActive

(1.3.6.1.4.1.9.9.532.1.1.1.1)

The total number of address translation entries that are currently available in the NAT device. This indicates the aggregate of the translation entries created from both the static and dynamic address translation mechanisms.

Peak Active Translations

cneAddrTranslationNumPeak

(1.3.6.1.4.1.9.9.532.1.1.1.2)

The maximum number of address translation entries that are active at any one time since the system startup. This indicates the high watermark of address translation entries that are active at any one time since the system startup.

This object includes the translation entries created from both the static and dynamic address translation mechanisms.

Routing Table Entries Polling

Table 6. IP-FORWARD-MIB

Counter

OID

Description

Active Translations

inetCidrRouteNumber

(1.3.6.1.2.1.4.24.6)

The total number of current inetCidrRouteTable entries that valid.

Interface Duplex Status Polling

Table 7. CISCO-IF-EXTENSION-MIB

Counter

OID

Description

Duplex Status

cieIfDuplexCfgStatus

(1.3.6.1.4.1.9.9.276.1.1.2.1.20)

This object specifies the configured duplex status on the given interface.

Detected Duplex Status

cieIfDuplexDetectStatus

(1.3.6.1.4.1.9.9.276.1.1.2.1.21)

This object specifies the detected duplex status on the given interface.

Snort 3 Intrusion Event Rate Polling

Table 8. CISCO-UNIFIED-FIREWALL-MIB

Counter

OID

Description

Snort 3 Intrusion Event Rate

cufwAaicIntrusionEvtRate

(1.3.6.1.4.1.9.9.491.1.5.3.2.1)

The rate at which intrusion events were recorded by Snort on this firewall averaged over the last 300 seconds.

BGP Peer-Flap Trap Notification

Table 9. BGP4-MIB

Counter

OID

Description

BGP Peer-flap

bgpBackwardTransition

(1.3.6.1.4.1.9.9.491.1.5.3.2.1)

The BGPBackwardTransition Event is generatedwhen the BGP FSM moves from a higher numbered state to a lower numbered state.