SNMP is a protocol for monitoring and managing devices or components within a network. SNMP supports three primary monitoring methods: getting, walking, and trapping. An SNMPGET allows a remote monitor or manager to fetch a particular monitored element. An SNMPWALK allows a remote monitor or manager to fetch a range of values within a class. An SNMP trap allows a monitored entity to generate a notification that is sent to a remote monitor based on certain conditions. This article will focus on configuring the Gateway appliance to allow remote monitors to be queried via getting and walking.
By default the gateway has SNMP installed AND enabled but it only listens on 127.0.01 (lo0) so to poll it you need to open up SNMP to the outside world.
In order to validate this you simply need to run,
# snmpwalk -v 1 -Ou 127.0.0.1 -c layer7 1
Version Gateway 10.x and Gateway 11
Leveraging SNMP requires the following changes:
1) Configuring the Firewall
# cd /etc/sysconfig/
# vi iptables
** In VI search for 161
** You will see 2 rules you need to uncomment as below remove the #
[0:0] -A INPUT -i ssg_eth0 -p tcp -m tcp --dport 161 -j ACCEPT
[0:0] -A INPUT -i ssg_eth0 -p udp -m udp --dport 161 -j ACCEPT
** Save the file
2) Setting the initialization parameters
A configuration file prevents the SNMP daemon from listening on any interface besides the loopback interface via UDP. Execute the following procedure to bind the daemon to all interfaces over UDP:
An example configuration file is illustrated as follows:
# snmpd command line options
OPTIONS="-LS0-6d -Lf /dev/null -p /var/run/snmpd.pid"
3) Setting the hosts allow
Allowing external requestors to access the SNMP daemon
Access to the SNMP daemon is restricted by an access control list. This list must be modified to allow external hosts access to this daemon.
An abridged configuration file is illustrated as follows:
4) a/b Setting desired configuration options
NOTE: Only 4a OR 4b is required and its strongly suggested just to use method 4a.
4a) Simple setup
# vi /etc/snmp/snmpd.conf
** search for ro
*** Remove 127.0.0.1 from the rocommunity as below as its an acl which only allows localhost to authenticate.
*** Note this community as its the password in the snmp walk command.
**** Reboot for all changes to take affect.
# reboot -n
**** After reboot validate you can snmpwalk using eth0
# snmpwalk -v 1 -Ou <YourHostnameHere> -c layer7 1
4b) Complex setup with Privlieged separation
There are several configuration options that should be set in order to secure the SNMP implementation on the Gateway appliance. It consists of the following goals:
To make these changes, open up the SNMP daemon configuration file (located at /etc/snmp/snmpd.conf) in a text editor. The applicable portions of an example configuration file is displayed below with the applicable changes in bold face.
Specifying an acceptable IP address or range
SNMP requires specifying an IP address or IP range (in CIDR notation) and assign it to a community. The values of sec.name, source, and community can be modified. An example is as follows:
# First, map the community name "public" into a "security name"
# sec.name source community
#com2sec notConfigUser default public
com2sec myNetwork 172.16/12 ca
Attaching the address or range to a security group
A named security group must be created that specifies the SNMP security version to use and assign a named IP address or range to the group. The values of groupName and securityModel can be modified. The value of securityName should reflect the value of sec.name set previously. An example is as follows:
# Second, map the security name into a group name:
# groupName securityModel securityName
#group notConfigGroup v1 notConfigUser
#group notConfigGroup v2c notConfigUser
group myGroup v1 myNetwork
group myGroup v2c myNetwork
Allowing the security group to access a particular view
A view specifies a container restricting what system information can be accessed. This section permits a group to access a specific view. The values of name, and subtree mask can be modified but should be set as follows. An example is as follows:
# Third, create a view for us to let the group have rights to:
# Open up the whole tree for ro, make the RFC 1213 required ones rw.
# name incl/excl subtree mask(optional)
#view roview included .1
#view rwview included system.sysContact
#view rwview included system.sysName
#view rwview included system.sysLocation
view systemview included system
view systemview included .18.104.22.168.4.1.17304
Note that in this step you should add to the view the root nodes for the MIBs you want to be able to view. In the above example, the CA APIM MIB is added to the view in the second uncommented line. If you also want to see the subtree containing system information (CPU, Memory, disk usage) add the following subtree mask to the view: .22.214.171.124.4.1.2021.
Permitting read-only access to that view
A relationship must be configured between a security group and a view. This relationship controls what information is accessible by which entities. The value of group should reflect the value of groupName set previously. The value of read should reflect the value of name set in the previous step. An example is as follows:
# Finally, grant the group read-only access to the systemview view.
# group context sec.model sec.level prefix read write notif
#access notConfigGroup "" any noauth exact roview rwview none
access myGroup "" any noauth exact systemview none none
Completing the configuration
All configuration files that have been modified should be saved after they are edited. The Gateway appliance should be restarted after saving. The changes will manifest after the restart completes and the SNMP daemon initializes.
Debian additional info/steps
Debian based gateway 11 appliance there is a change in the following step the following file does not exist /etc/sysconfig/snmpd
Need to change the file below file:
and replace -Lsd with -LS0-6d
Regarding Memory usage this is not part of our MIB this is 3rd party agent for UCD-SNMP-MIB
Link to addiction OID related to third party MIB
Example of all available memory regarding memory
# snmpwalk -v 2c -c layer7 <gatewayHostName.DomainName> .126.96.36.199.4.1.2021.4
UCD-SNMP-MIB::memIndex.0 = INTEGER: 0
UCD-SNMP-MIB::memErrorName.0 = STRING: swap
UCD-SNMP-MIB::memTotalSwap.0 = INTEGER: 2097148 kB
UCD-SNMP-MIB::memAvailSwap.0 = INTEGER: 1525544 kB
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 6109244 kB
UCD-SNMP-MIB::memAvailReal.0 = INTEGER: 405276 kB
UCD-SNMP-MIB::memTotalFree.0 = INTEGER: 1930820 kB
UCD-SNMP-MIB::memMinimumSwap.0 = INTEGER: 16000 kB
UCD-SNMP-MIB::memShared.0 = INTEGER: 7448 kB
UCD-SNMP-MIB::memBuffer.0 = INTEGER: 192968 kB
UCD-SNMP-MIB::memCached.0 = INTEGER: 755160 kB
UCD-SNMP-MIB::memTotalSwapX.0 = Counter64: 2097148 kB
UCD-SNMP-MIB::memAvailSwapX.0 = Counter64: 1525544 kB
UCD-SNMP-MIB::memTotalRealX.0 = Counter64: 6109244 kB
UCD-SNMP-MIB::memAvailRealX.0 = Counter64: 405276 kB
UCD-SNMP-MIB::memTotalFreeX.0 = Counter64: 1930820 kB
UCD-SNMP-MIB::memMinimumSwapX.0 = Counter64: 16000 kB
UCD-SNMP-MIB::memSharedX.0 = Counter64: 7448 kB
UCD-SNMP-MIB::memBufferX.0 = Counter64: 192968 kB
UCD-SNMP-MIB::memCachedX.0 = Counter64: 755160 kB
UCD-SNMP-MIB::memSwapError.0 = INTEGER: noError(0)
UCD-SNMP-MIB::memSwapErrorMsg.0 = STRING: