Measuring Network Throughput on ProxySG and Implementing and testing SNMP from CLI

Article ID: 240985

Products

ProxySG Software - SGOS

Issue/Introduction

A customer reports connectivity issues with their device and urgently needs to know whether there is a way to determine the actual throughput of the whole device and of each interface.

Resolution

Yes. With SNMP, the throughput of the network interfaces can be measured.

Simple Network Management Protocol (SNMP) is used in network management systems to monitor network devices for health or status conditions that require administrative attention.

There are a few key resource dimensions that establish the health and performance characteristics of the ProxySG appliance. Symantec recommends that the following metrics be monitored on the ProxySG appliance:

• CPU Utilization
• Connection Counts (client worker count)
• Memory Pressure
• Network Throughput

Network Throughput 

Monitoring how closely the traffic rate (number of input and output bytes) on a particular interface approaches the maximum bandwidth supported by that interface allows the administrator to determine when the bandwidth capacity of the interface will be exceeded.

Example
snmpwalk -c public -v2c 10.169.3.20 SNMPv2-SMI::enterprises.3417.2.11.3.1.1
SNMPv2-SMI::enterprises.3417.2.11.3.1.1.1.0 = Counter64: 0
SNMPv2-SMI::enterprises.3417.2.11.3.1.1.2.0 = Counter64: 0
SNMPv2-SMI::enterprises.3417.2.11.3.1.1.3.0 = Counter64: 0
SNMPv2-SMI::enterprises.3417.2.11.3.1.1.4.0 = Counter64: 0
SNMPv2-SMI::enterprises.3417.2.11.3.1.1.5.0 = Counter64: 0
SNMPv2-SMI::enterprises.3417.2.11.3.1.1.6.0 = Gauge32: 0
SNMPv2-SMI::enterprises.3417.2.11.3.1.1.7.0 = Gauge32: 0
SNMPv2-SMI::enterprises.3417.2.11.3.1.1.8.0 = Gauge32: 0
SNMPv2-SMI::enterprises.3417.2.11.3.1.1.9.0 = Counter64: 0
SNMPv2-SMI::enterprises.3417.2.11.3.1.1.10.0 = Counter64: 0
snmpwalk -c public -v2c 10.169.3.20 SNMPv2-SMI::enterprises.3417.2.11.3.1.2
SNMPv2-SMI::enterprises.3417.2.11.3.1.2.1.0 = Counter64: 0
SNMPv2-SMI::enterprises.3417.2.11.3.1.2.2.0 = Counter64: 0
SNMPv2-SMI::enterprises.3417.2.11.3.1.2.3.0 = Counter64: 0
SNMPv2-SMI::enterprises.3417.2.11.3.1.2.4.0 = Counter64: 0
snmpwalk -c public -v2c 10.169.3.20 SNMPv2-SMI::enterprises.3417.2.11.3.1.3
SNMPv2-SMI::enterprises.3417.2.11.3.1.3.1.0 = Gauge32: 0
SNMPv2-SMI::enterprises.3417.2.11.3.1.3.2.0 = Gauge32: 0
SNMPv2-SMI::enterprises.3417.2.11.3.1.3.3.0 = Gauge32: 0
SNMPv2-SMI::enterprises.3417.2.11.3.1.3.4.0 = Gauge32: 0
SNMPv2-SMI::enterprises.3417.2.11.3.1.3.5.0 = Gauge32: 0
SNMPv2-SMI::enterprises.3417.2.11.3.1.3.6.0 = Gauge32: 0

In this example, the first snmpwalk command has sgProxyHttpClient (OID .1.3.6.1.4.1.3417.2.11.3.1.1) of the sgProxyHttp group as an argument, and the output lists all the leaf nodes beneath that OID.

The second snmpwalk command has sgProxyHttpServer (OID .1.3.6.1.4.1.3417.2.11.3.1.2) of the same sgProxyHttp group as an argument, and the output lists all the leaf nodes beneath that OID.

Finally, the last snmpwalk command has sgProxyHttpConnections (OID .1.3.6.1.4.1.3417.2.11.3.1.3) of the same group as an argument, and the output lists all the leaf nodes beneath that OID.

Refer to BLUECOAT-SG-PROXY-MIB.txt for details.
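
The throughput measurement described under Network Throughput above, as an added example that is not part of the original article: it parses two constructed net-snmp polls of the standard IF-MIB objects ifHCInOctets, ifHCOutOctets and ifHighSpeed and converts the counter deltas into bits per second and percent of link speed, including the case where a counter wraps between polls. The use of IF-MIB on the appliance, the ifIndex of 1, the 60-second interval and all sample values are assumptions, not taken from the article.

```python
import re

# Constructed net-snmp output for two polls 60 s apart (not from a real appliance).
# Assumption: the agent answers the standard IF-MIB objects below for ifIndex 1.
POLL_T0 = """\
IF-MIB::ifHCInOctets.1 = Counter64: 18446744073709000000
IF-MIB::ifHCOutOctets.1 = Counter64: 5000000000
IF-MIB::ifHighSpeed.1 = Gauge32: 1000
"""
POLL_T1 = """\
IF-MIB::ifHCInOctets.1 = Counter64: 6299448384
IF-MIB::ifHCOutOctets.1 = Counter64: 5600000000
IF-MIB::ifHighSpeed.1 = Gauge32: 1000
"""

LINE = re.compile(r"^\S+::(\w+)\.(\d+) = (Counter32|Counter64|Gauge32): (\d+)\s*$")
MODULUS = {"Counter32": 2**32, "Counter64": 2**64}


def parse_poll(text):
    """Return {(object_name, if_index): (snmp_type, value)} from snmpget/snmpwalk output."""
    result = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            name, index, snmp_type, value = m.groups()
            result[(name, int(index))] = (snmp_type, int(value))
    return result


def interface_throughput(before, after, interval_s, if_index=1):
    """Bits per second and percent utilization per direction between two polls."""
    t0, t1 = parse_poll(before), parse_poll(after)
    speed_bps = t1[("ifHighSpeed", if_index)][1] * 1_000_000  # ifHighSpeed is in Mbit/s
    report = {}
    for direction, name in (("in", "ifHCInOctets"), ("out", "ifHCOutOctets")):
        snmp_type, old = t0[(name, if_index)]
        _, new = t1[(name, if_index)]
        # Counters wrap to zero at their maximum, so take the difference modulo 2^32 / 2^64.
        octets = (new - old) % MODULUS[snmp_type]
        bps = octets * 8 / interval_s
        # An agent that reports no link speed (0) yields no utilization figure.
        report[direction] = {"bps": bps, "percent": bps * 100 / speed_bps if speed_bps else None}
    return report


if __name__ == "__main__":
    for direction, stats in interface_throughput(POLL_T0, POLL_T1, 60).items():
        print(f"{direction}: {stats['bps'] / 1e6:.1f} Mbit/s ({stats['percent']:.1f}% of link)")
```

A restart of the SNMP agent between polls also makes a counter go down, so a poller should discard the sample when sysUpTime has decreased rather than treat it as a wrap.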

For more details on Critical Resource Monitoring of the ProxySG using SNMP, refer to the technical document at the URL below.

https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/web-and-network-security/proxysg/common/SNMP.pdf

Additional doc.: https://knowledge.broadcom.com/external/article/167676/download-snmp-management-information-bas.html

For detailed guidance on configuring SNMP on ProxySG, please refer to the solution steps below.

There are several ways to proactively monitor a ProxySG appliance. One of the best ways is to use an RRD tool like Cacti which uses the Simple Network Management Protocol (SNMP) to periodically poll the Object IDentifiers (OID) found in the ProxySG Management Information Base (MIB) to create historical graphs. The ProxySG enterprise MIB can be downloaded from the appliance GUI or from the BlueTouch Online (BTO) website.

Note: The ProxySG appliance supports all SNMP versions: SNMPv1, SNMPv2 and SNMPv3.

To download the SNMP Management Information Base (MIB) files for ProxySG/Advanced Secure Gateway, refer to the technical article at the URL below.

https://knowledge.broadcom.com/external/article/167676/download-snmp-management-information-bas.html

Log in to BTO and click the "Downloads" tab at the top of the page. Under the appropriate SGOS/CacheOS version, select "ProxySG MIBs". Follow the prompts to download and save the file so it can be used or viewed as required.


This article will walk through the steps required to create and test an SNMPv2 Community with an Access Control List (ACL), an SNMPv3 User with Authentication and Privacy, and finally a destination host to send Syslog messages to. It will not cover any setup or configuration of remote systems.    


1. Creating a Read-Only SNMPv2 Community with an ACL

     #conf t

     #(config)snmp

     #(config snmp)create community test

     #(config snmp)edit community test

     #(config snmp community test)authorization mode read-only

     #(config snmp community test)authorization access-list

     #(config snmp community access test)add 10.10.11.1                    -----> Adding a single host

     #(config snmp community access test)add 10.10.10.0/24              -----> Adding a subnet

     #(config snmp community access test)enable

     #(config snmp community access test)exit

     #(config snmp community test)


At this point, an SNMP utility should be able to perform an SNMPGET/WALK/NEXT, etc., provided it is within the ACL subnet and is configured with the right community. This can be tested using the net-snmp utility found in many different operating systems.
See the example below for Linux:


     <command> <version> <community> <host> <oid>
     snmpget -v2c -c test 10.10.10.10 .1.3.6.1.4.1.14501.3.2.1.2.1.0  


Additionally, a trap receiver can be added so the ProxySG/CacheFlow will be able to send a trap to a remote host any time a health state changes.

     #(config snmp community test)add trap snmpv2c udp 10.10.12.2:162

     #(config snmp community test)view
     test:
         Read-only access:
             10.10.10.0/24
             10.10.11.1
         Trap: SNMPv2c UDP 10.10.12.2, port 162

     #(config snmp community test)exit



A trap receiver should now be able to receive traps from the ProxySG. This can be tested by using the built-in command below:

     #(config snmp)test-trap ColdStart


2. Creating a Read-Only SNMPv3 user with Authentication and Privacy

     #conf t

     #(config)snmp

     #(config snmp)create user test

     #(config snmp)edit user test

     #(config snmp user test)authorization mode read-only

     #(config snmp user test)authentication mode sha

     #(config snmp user test)authentication passphrase 12345678             -----> Must be a minimum of 8 characters

     #(config snmp user test)privacy mode aes

     #(config snmp user test)privacy passphrase 87654321                         -----> Must be a minimum of 8 characters


At this point, an SNMPv3 utility should be able to perform an SNMPGET/WALK/NEXT, etc., if it is configured with the proper security settings. This can be tested using the net-snmp utility found in many different operating systems.
See the example below for Linux:

     <command> <version> <user> <authentication-mode> <authentication-passphrase> <privacy-mode> <privacy-passphrase> <security-level> <host> <oid> 
     snmpget -v3 -u test -a sha -A 12345678 -x aes -X 87654321 -l authPriv 10.169.3.166 .1.3.6.1.4.1.14501.3.2.1.2.1.0


Additionally, a trap receiver can be added so the ProxySG will be able to send a trap to a remote host any time a health state changes.

     #(config snmp user test)add trap udp 10.10.12.2:162

     #(config snmp user test)view
     test:
         Authentication: SHA, passphrase is set.
         Privacy: AES, passphrase is set.
         Read-only access.
         Trap: UDP 10.10.12.2, port 162

     #(config snmp user test)exit


A trap receiver should now be able to receive traps from the ProxySG if configured with the proper security settings. This can be tested by using the built-in command below:


     #(config snmp)test-trap ColdStart

     #(config snmp)exit


3. Creating a Syslog destination

     #(config)syslog add 10.10.12.2

     #(config)syslog facility daemon

     #(config)syslog view
     Settings:
       Event level: severe + configuration + policy + informational
       Event log size: 10 megabytes
       If log reaches maximum size, overwrite earlier events
       Syslog LogHosts:
         10.10.12.2
       Syslog notification: enabled
       Syslog facility: daemon


To verify syslog messages are being received use the built-in command below:

     #(config)syslog test-message hello-world