Configure SNMP Settings for a Cloud-Managed Firebox
Applies To: Cloud-managed Fireboxes
SNMP (Simple Network Management Protocol) is used to monitor devices on your network. SNMP uses management information bases (MIBs) to define what information and events are monitored. You must set up a separate software application to collect and manage SNMP data.
You can configure your Firebox to accept SNMP polls from an SNMP management station. Your device reports information to the SNMP management station such as the traffic count from each interface, device uptime, the number of TCP packets received and sent, and when each network interface was last modified.
- For more information about SNMP, go to About SNMP.
- For more information about SNMP MIBS, go to About Management Information Bases (MIBs) and Enterprise MIB File Details.
- To download the WatchGuard Enterprise MIB files and import the MIB files to your SNMP management station, go to WatchGuard Enterprise MIB files.
An SNMP trap is an event notification your Firebox sends to an SNMP management station. The trap identifies when a specific condition occurs, such as a value that is more than its predefined threshold.
An SNMP inform request is similar to a trap, but the receiver sends a response. If your Firebox does not get a response, it sends the inform request again until the SNMP management station sends a response.
Your Firebox can send an SNMP trap when traffic is filtered by a policy. For more information, go to Send an SNMP Trap for a Policy.
To configure the SNMP settings for a cloud-managed Firebox:
- In WatchGuard Cloud, select Configure > Devices.
- Select a cloud-managed Firebox.
- Click Device Configuration.
- Click the Device Settings widget.
The Device Settings page opens.
- Select the SNMP tab.
The SNMP settings page opens.
- Enable SNMP.
When you enable SNMP, the Firebox automatically creates a WatchGuard SNMP system policy to enable your device to receive SNMP polls from an SNMP management station located on your internal network.
You can disable this system policy and create a new policy based on your specific network requirements and the location of your SNMP management station. You should limit the source for the policy to the address of your SNMP management station.
- From the Version drop-down list, select the SNMP version number.
- v1/v2c — SNMP v1 is the original version that provides low security because the community strings are communicated in plain text. SNMP v2c is similar to v1 with improvements to device management and network interface polling.
- v3 — SNMP v3 is the latest and most secure SNMP protocol version that enables you to use authentication and encryption to protect SNMP data.
Make sure your Firebox SNMP configuration matches the configuration on your SNMP management station.
- If you select SNMP v1/v2c, type the Read-Only Community String your device uses when it connects to the SNMP management station. This community string is transmitted in plain text and is not encrypted.
- If you select SNMP v3, configure these settings if your SNMP management station uses authentication:
- User Name — Type a user name to authenticate with the SNMP management station.
- Authentication Protocol — Select the authentication protocol for communication to the SNMP management station (SHA1, MD5, or None). The default is MD5.
- Authentication Password — If you enable the SHA1 or MD5 authentication protocol, type an authentication password. The password must be 8 to 255 characters in length.
- Privacy Protocol — SNMP v3 enables you to optionally encrypt messages for privacy. Select DES (Data Encryption Standard) to encrypt traffic or None to not encrypt SNMP traffic.
- Privacy Password — Type a password to encrypt outgoing messages and decrypt incoming messages. The password must be 8 to 255 characters in length.
- To send trap messages for Firebox events to an SNMP trap management station, select the SNMP trap version to use (v2Inform, v3Inform, v1Trap, v2Trap, v3Trap, or Disabled). SNMP v1/v2c does not support v3Trap or v3Inform.
- To enable NAT for all SNMP connections through your Firebox, select the Use NAT for connections through the SNMP application layer gateway check box.
- In the Management Stations section, add the IP address of your SNMP management stations that receive SNMP traps.
- Select the types of Notification Traps to send to the SNMP management station:
- Firebox feature key — Send an SNMP trap when a feature key is expired or expires soon.
- Blocked Sites and Blocked Ports — Send an SNMP trap for blocked site and blocked port events.
- Intrusion Prevention — Send an SNMP trap when IPS generates an alarm.
- BOVPN — Send an SNMP trap for BOVPN events.
- Multi-WAN — Send an SNMP trap for multi-WAN events.
- FireCluster — Send an SNMP trap for FireCluster events.
- Click Save.
Send an SNMP Trap for a Policy
Your Firebox can send an SNMP trap when traffic is filtered by a policy. You must have at least one SNMP management station configured to enable SNMP traps.
To configure a policy to send an SNMP trap:
- In WatchGuard Cloud, select Configure > Devices.
- Select a Firebox.
- Select Device Configuration > Firewall Policies.
- Select an existing policy or add a new policy.
The Policy Configuration page appears. - Select the Advanced tab.
- In the Notification section, select the SNMP check box.
- Click Save.
Add a Cloud-Managed Firebox to WatchGuard Cloud
Add a Cloud-Managed FireCluster