Configuring SNMPv3 Engine IDs in SonicOSX.
Description
SNMP (Simple Network Management Protocol) is a network protocol used over User Datagram Protocol (UDP) that allows network administrators to monitor the status of the SonicWall Security Appliance and receive notification of critical events as they occur on the network.
This KB describes features of SNMPV3 Engine IDs.
Packet security is provided through:
- Message Integrity: ensures a packet has not been tampered with in transit
- Authentication: verifies a message comes from a valid source
- Encryption: encodes packet contents to prevent it from being viewed by an unauthorized source.
SNMPv3 provides for both security models and security levels. A security model is an authentication strategy set up between a user and the group in which the user resides. The security level is the permitted level of security within a given security model. The security model and associated security level determine how an SNMP packet is handled. SNMPv3 provides extra levels of authentication and privacy, as well as additional authorization and access control.
Security Level, Authentication, and Encryption Based on SNMP Version show how security levels, authentication, and encryption are handled by the different versions of SNMP.
VERSION | LEVEL | AUTHENTICATION TYPE | ENCRYPTION | MEANS OF AUTHENTICATION |
v1 | noAuthNoPriv | Community String | No | Community string match |
| NoAuthNoPriv | Community String | No | Community string match |
V2C | noAuthNoPriv | Username | No | Username match |
authNoPriv | MD5 or SHA | No | Authentication is based on the HMAC-MD5 or HMSC-SRA algorithms. | |
v3 | authPriv | MD5 or SHA | DES or AES | Provides authentication is based on the HMAC-MD5 or HMSC-SRA algorithms. Provides DES 56-bit encryption in addition to authentication based on the CBC-DES (DES-56) standard, or AES 128-bit encryption, as well. |
SNMPv3 settings for the SNMPv3 Engine ID are configurable under the General menu of the Configure SNMP view dialog. The Engine ID is used to authorize a received SNMP packet. Only matching packet EngineIDs are processed.
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
Configuring SNMPv3 Engine IDs
If SNMPv3 is used, you can configure the SNMPv3 Engine ID and SNMP priority. Configuring the SNMPv3 Engine ID provides maximum security for SNMP management.
To configure SNMPv3 engine IDs
- Navigate to DEVICE | Settings | SNMP.
- If you have not configured SNMP for your system, follow the link Configuring SNMP in SonicOS.
- Click Advanced.
- Select Mandatory Require SNMPv3. This disables SNMPv1/v2 and allows only SNMPv3 access, which provides maximum security for SNMP management. If you select this option, you must specify an asset number on the General page before clicking OK.
- Enter the hexadecimal Engine ID number in the Engine ID
- SonicOSX automatically populates this field, but you can change it. This number is matched against received SNMP packets to authorize their processing; only packets whose Engine ID matches this number are processed.
- Optionally, enable Increase SNMP subsystem priority. Enabling this option causes the SNMP subsystem to always respond and operate at a higher system priority, also this option might affect the performance of the overall system.
- Click OK. The SNMPv3 security options are now used in processing packets.
Configuring Object IDs for SNMPv3 Views
The SNMPv3 View shows access settings for Users and Groups. You create settings for users and groups, and these security settings are not user-modifiable. The SNMPv3 View defines the Object IDs (OID) and Object ID Groups and is sometimes known as the SNMPv3 Access Object.
The SNMP View defines a collection of OIDs and OID groups. The initial set of default views cannot be changed or deleted. The default views reflect the most often used views, such as the root view, system view, IP, interfaces. The OIDs for these views are pre-assigned.
Additionally, you can create a custom view for specific users and groups.You can modify any views that you create. You cannot modify the ones the system creates.
To configure OIDs for SNMPv3 views
- Navigate to DEVICE| Settings | SNMP.
- Click View.
- On the View page, click + Add. The View Name dialog box is displayed.
- Enter a meaningful name in the View Name.
- Click Add OID to the View being created. The Add SNMP OID dialog is displayed.
- Enter a name in the OID Namefield and click OK.
The OIDs associated with the View Name are listed in the OID table. To delete an OID from the OID List, hover over the OID and click Delete.
- Add any more OIDs to associate with the View.
- Click OK. The new view is displayed on the View page.
