Best Practice for SNMP Traps

itelio
Posts: 129
Joined: Thu Nov 06, 2014 11:37 am

Best Practice for SNMP Traps

Post by itelio »

Hello,

what is the best way to set up the SNMP traps?
I have followed the instructions so far with a Sophos XG Firewall. So far the test is OK and the test swings back and forth to "bad" but the "reply" value is always empty.
Can you configure here if an alert occurs that you can see what triggers it?
The IP in the filter has to be the IP of the firewall itself and not that of the server running the Active RMA, right?

This is currently the notification by email:

Test : Sophos XG SNMP Trap
Comments:
Method: SNMP trap
State : Bad
Date : 06/28/2023 09:11:00
reply :

Recurrences: 1
Last status: OK
Total tests: 4911
Alive ratio : 99.67%
Dead ratio: 0.33%

Folder: firewall


Regards
KS-Soft
Posts: 12869
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

I think it's better to contact the Sophos XG Firewall support team. We have no idea how exactly it works and what problems may arise.

I assume you have a manual that comes with this device? Any useful monitoring tips in the manual?
Do you have MIB file(s) provided by manufacturer?

I found some MIB file, probably the correct one; there are some useful trap messages listed:
1.3.6.1.4.1.21067.2.1.4.1 - high Cpu Usage
1.3.6.1.4.1.21067.2.1.4.2.1 - high Conf DiskUsage
1.3.6.1.4.1.21067.2.1.4.2.2 - high Sig DiskUsage
1.3.6.1.4.1.21067.2.1.4.2.3 - high Report DiskUsage
1.3.6.1.4.1.21067.2.1.4.3.1 - high Phys Mem Usage
1.3.6.1.4.1.21067.2.1.4.3.2 - high Swap Mem Usage

1.3.6.1.4.1.21067.2.1.4.4.1 - http virus
1.3.6.1.4.1.21067.2.1.4.4.2 - smtp virus
1.3.6.1.4.1.21067.2.1.4.4.3 - pop3 virus
1.3.6.1.4.1.21067.2.1.4.4.4 - imap4 virus
1.3.6.1.4.1.21067.2.1.4.4.5 - ftp virus

1.3.6.1.4.1.21067.2.1.4.7.1 - syn flood
1.3.6.1.4.1.21067.2.1.4.7.2 - tcp flood
1.3.6.1.4.1.21067.2.1.4.7.3 - udp flood
1.3.6.1.4.1.21067.2.1.4.7.4 - icmp flood


Also you may use the SNMP Get test to check some parameters:
1.3.6.1.4.1.21067.2.1.2.2.1.0 - cpu load (%)
1.3.6.1.4.1.21067.2.1.2.3.2.0 - disk usage (%)
1.3.6.1.4.1.21067.2.1.2.4.2.0 - memory usage
1.3.6.1.4.1.21067.2.1.2.4.4.0 - swap usage
The IP in the filter has to be the IP of the firewall itself and not that of the server running the Active RMA, right?
Correct.

So far the test is OK and the test swings back and forth to "bad" but the "reply" value is always empty.
First you should decide what messages are important and what messages should be ignored, and set up a filter.
Also you should decide what to do. Set Bad status, trigger some alerts, then
- switch to Ok status if no new "bad" messages are received
- or keep Bad status until manual acknowledgement

Can you configure here if an alert occurs that you can see what triggers it?
If the device provides such information.
HostMonitor offers various options

Display
This option defines what information will be displayed in the Reply field of the test item. Choose one of the following options:
- Agent address
. . Represents the IP address of the host that has sent the message
- Trap type
Represents type of the trap. It provides information about generic type and enterprise specific number. Generic type could be one of the following:
...
- Enterprise
. . Enterprise field contains an OBJECT IDENTIFIER which names the device that has sent the trap
- OID
. . Variable name (OID)
- Counter
. . Variable value
- Relative value
. . Relative value of the variable. This could be useful when you check incoming trap messages for some specific variable and compare the current value of the variable with its previous value (see "Message contains OID" option in the Trap Filter dialog). Depending on the test settings HostMonitor may display:
simple difference between current and previous value (if you use "increases by", "decreases by" or "changes by" compare option)
relative difference as a percentage of previous value (if you use "increases by (%)", "decreases by (%)" or "changes by (%)" compare option)
average increase/decrease of the counter per second since previous message (if you use "increases /sec", "decreases /sec" or "changes /sec" compare option)
- OID & Value
. . Display variable name (OID) and variable value

Also you may use the Tune up Reply test option and an expression with variables like
%EnterpriseName%
%EnterpriseNameShort%
%EnterpriseDescription%
%MibName%
%MibNameShort%
%MibDescription%
Using the database of compiled MIB files HostMonitor may translate such OIDs from their numeric form to a MIB name. If you need to extend the database by including information about MIBs supported by some specific SNMP enabled device, use MIB Browser:
https://www.ks-soft.net/hostmon.eng/mib ... /index.htm

The same variables can be used by actions, so HostMonitor may resolve variables, check the MIB database, find the event description and send you an e-mail with details.

Regards
Alex
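To illustrate the two filter decisions Alex describes (accept only the firewall's own agent address, then decide which trap OIDs count as Bad and what text the Reply field should carry), here is an added example that is not HostMonitor code: a minimal BER decoder for an SNMPv2c trap message plus the filter logic, using trap OIDs from the Sophos MIB listed above. The firewall IP 192.0.2.1, the function names and the sample packet are constructed for the example.

```python
SOPHOS_TRAPS = {"1.3.6.1.4.1.21067.2.1.4.1": "high Cpu Usage",    # trap OIDs from the Sophos
                "1.3.6.1.4.1.21067.2.1.4.7.1": "syn flood"}       # MIB quoted above -> reply text
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"  # snmpTrapOID.0: the varbind that names the trap
FIREWALL_IP = "192.0.2.1"                # constructed: agent address the filter accepts

def _tlv(buf, pos):  # (tag, value, next_pos) of the BER TLV at pos; long-form lengths handled
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                            # low 7 bits = number of length bytes that follow
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _oid(b):  # BER OBJECT IDENTIFIER value -> dotted string (base-128 sub-identifiers)
    parts, val = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        val = (val << 7) | (x & 0x7F)
        if not x & 0x80: parts, val = parts + [val], 0
    return ".".join(map(str, parts))

def parse_v2c_trap(packet):  # -> {name_oid: value}; OID values dotted, numeric types as int
    _, msg, _ = _tlv(packet, 0)              # SEQUENCE { version, community, PDU }
    _, _, p = _tlv(msg, _tlv(msg, 0)[2])     # skip version and community
    tag, pdu, _ = _tlv(msg, p)
    assert tag == 0xA7, "not an SNMPv2-Trap PDU"
    p = 0
    for _ in range(3):                       # skip request-id, error-status, error-index
        _, _, p = _tlv(pdu, p)
    _, vbl, _ = _tlv(pdu, p)
    varbinds, p = {}, 0
    while p < len(vbl):                      # varbind = SEQUENCE { OID name, value }
        _, vb, p = _tlv(vbl, p)
        _, name, q = _tlv(vb, 0)
        vtag, val, _ = _tlv(vb, q)
        if vtag == 0x06: val = _oid(val)                                 # OBJECT IDENTIFIER
        elif vtag in (0x02, 0x41, 0x42, 0x43): val = int.from_bytes(val, "big")  # INTEGER/Counter/Gauge/TimeTicks
        varbinds[_oid(name)] = val
    return varbinds

def evaluate_trap(src_ip, packet):  # wrong sender or unlisted trap -> ignored; listed trap -> Bad
    if src_ip != FIREWALL_IP:
        return "ignored", f"agent address {src_ip} is not the firewall"
    trap_oid = parse_v2c_trap(packet).get(SNMP_TRAP_OID)
    if trap_oid in SOPHOS_TRAPS:
        return "Bad", f"{trap_oid} - {SOPHOS_TRAPS[trap_oid]}"
    return "ignored", f"trap {trap_oid} not in filter list"

SAMPLE_TRAP = bytes.fromhex(  # constructed v2c trap: community "public", sysUpTime.0=300, syn flood
    "30 45 02 01 01 04 06 70 75 62 6c 69 63 a7 38 02 01 01 02 01 00 02 01 00 30 2d "
    "30 0e 06 08 2b 06 01 02 01 01 03 00 43 02 01 2c "
    "30 1b 06 0a 2b 06 01 06 03 01 01 04 01 00 06 0d 2b 06 01 04 01 81 a4 4b 02 01 04 07 01")
```

Feeding the sample packet from the firewall address yields ("Bad", "1.3.6.1.4.1.21067.2.1.4.7.1 - syn flood"), which is the kind of text you would want to see in the reply field instead of an empty value; the same packet from any other source is ignored by the agent-address filter.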
itelio
Posts: 129
Joined: Thu Nov 06, 2014 11:37 am

re

Post by itelio »

Hi Alex,

thanks for the great answer. I'll try that :)

Have a nice day!