ASG/ProxySG/SGVA SNMPv3 configuration with localized key

Article ID: 175019

Products

Advanced Secure Gateway Software - ASG, ProxySG Software - SGOS, Secure Web Gateway Virtual Appliance

Issue/Introduction

You may want to use SNMPv3 with a localized key in either of the following situations:

  1. The ASG/ProxySG/SGVA is running in FIPS mode, where the only SNMP configuration allowed is SNMPv3 with a localized key.
  2. The ASG/ProxySG/SGVA is running in non-FIPS mode, but SNMPv3 with a localized key is preferred over a passphrase.

Resolution

To generate the localized key for SNMPv3, an external script or tool is required. Many tools and scripts (for example in Python or Perl) are available for SNMP key generation. Linux/Ubuntu also offers a utility called "snmpkey" that can be used. The following example uses 'snmpkey'.

1. First, collect the following information from the ASG/ProxySG/SGVA device.

  • SNMPv3 engine ID (available under Maintenance --> SNMP --> SNMP General)
  • SNMPv3 authentication protocol (md5|sha) and privacy protocol (des|aes) (available under Maintenance --> SNMPv3 Users --> upon user account creation)

Below is an example of an SNMPv3 user configuration on the SG.

 

2. Open a CLI prompt on a Linux/Ubuntu system and type 'snmpkey'. This confirms whether the utility is present and shows the command format for 'snmpkey'.

$ snmpkey

Usage: snmpkey <authProto> <password> <authEngineID> [<privProto> [<password>]]
       <authProto> = md5|sha
       <privProto> = des|3des|aes

An actual command with all the parameters generates output like the following:

$ snmpkey md5 asdf1234 80000D590430303131333133323737 des 1234asdf
authKey: 0xd3f0196261d1a6e4360a7746578a5037
privKey: 0x88be50740eff8aad1329eff711f212ec

In this example the auth password was asdf1234 and the privacy password was 1234asdf. The output is the pair of localized keys that can be used on the SG.

3. Copy the authKey and privKey from the previous step, without the leading '0x'. Navigate to ProxySG --> Maintenance --> SNMP --> SNMPv3 users and edit the user account that was created in step 1. Then set the authKey and privKey from step 2 under Set Localized Keys --> engine ID 'self' --> edit.

 

4. SNMPv3 is now ready to test with the localized key. Many SNMP tools and utilities are available online. The following is an example of testing SNMPv3 using 'snmpwalk':

$ SnmpWalk -r:10.169.102.82 -v:3 -sn:bcoat -aw:asdf1234 -ap:MD5 -pp:DES -pw:1234asdf -os:.1.3.6.1.4.1.3417.2.4.1.1.1.4.1 -op:.1.3.6.1.4.1.3417.2.4.1.1.1.4.2

OID=.1.3.6.1.4.1.3417.2.4.1.1.1.4.2, Type=Integer, Value=11

Total: 1

Here -aw and -pw are the auth and privacy passwords that were defined in step 2 while generating the localized key. If the configuration is successful, this test returns CPU utilization via OID .1.3.6.1.4.1.3417.2.4.1.1.1.4.2 over SNMPv3 using the localized key.
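The key derivation behind step 2 follows the RFC 3414 password-to-key algorithm, which binds each password to one engine ID. The Python script below is an added example, not part of the original article or of any vendor tooling; its function names are hypothetical, and truncating privKey to 16 octets assumes DES or AES-128 privacy.

```python
import hashlib

# Added example: RFC 3414 (Appendix A.2) password-to-key and key localization.
# Function names are hypothetical; they are not part of any vendor tool.
HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}


def password_to_key(proto: str, password: str) -> bytes:
    """Return Ku: the digest of the password repeated to exactly 1 MiB."""
    pw = password.encode()
    if len(pw) < 8:
        # Policy chosen for this example: refuse short, guessable passwords.
        raise ValueError("password must be at least 8 characters")
    reps, rem = divmod(1048576, len(pw))
    return HASHES[proto](pw * reps + pw[:rem]).digest()


def localize_key(proto: str, password: str, engine_id_hex: str) -> str:
    """Return Kul = H(Ku || engineID || Ku) as lowercase hex without '0x'."""
    eid = engine_id_hex.strip()
    if eid.lower().startswith("0x"):
        eid = eid[2:]
    engine_id = bytes.fromhex(eid)  # raises ValueError on malformed hex
    # snmpEngineID is 5..32 octets (RFC 3411); a truncated copy/paste would
    # otherwise produce a valid-looking key that never authenticates.
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("engine ID must be 5 to 32 octets")
    ku = password_to_key(proto, password)
    return HASHES[proto](ku + engine_id + ku).hexdigest()


def snmpv3_keys(auth_proto, auth_pw, engine_id_hex, priv_pw):
    """Both keys for one user; privKey is localized with the auth hash."""
    return {
        "authKey": localize_key(auth_proto, auth_pw, engine_id_hex),
        # DES (RFC 3414) and AES-128 (RFC 3826) use the first 16 octets.
        "privKey": localize_key(auth_proto, priv_pw, engine_id_hex)[:32],
    }


if __name__ == "__main__":
    # Parameters from step 2 of the article; compare with the snmpkey output.
    keys = snmpv3_keys("md5", "asdf1234",
                       "80000D590430303131333133323737", "1234asdf")
    for name, key in keys.items():
        print(f"{name}: {key}")
```

The RFC 3414 Appendix A.3 test vectors (password "maplesyrup") are a quick way to validate any key generator before its output is entered on the appliance. A localized key authenticates to that one engine just as the password does, so store it with the same care.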
