HOW TO: Configure SNMPv2c on Juniper SRX Firewall
This article details the process for setting up SNMP monitoring of Juniper SRX firewalls.
SNMP versions 1, 2c, and 3 are supported by Juniper SRX Firewalls. For simplicity, I’ll just demonstrate using SNMP v2c, which only leverages the community string for authentication.
NOTE: SNMPv2c is not encrypted, so it is not the most secure option, but it is fast to deploy. SNMPv3 is recommended for security, but it is considerably more extensive and involves a number of additional concepts.
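To make the note above concrete, here is an added example (not code from the original article) that builds an SNMPv2c GetRequest for sysDescr.0 by hand using BER encoding, then reads the version and community back out of the raw bytes the way a packet capture or IDS would, with no key involved. The community name SNMP-COMM-2c is the article's; the request id, the sysDescr.0 OID choice and the packet layout helpers are constructed for this illustration.

```python
"""Hand-built SNMPv2c GetRequest (BER) showing that the community string is sent in cleartext.

Added example, not from the article. Only the community name is taken from the text;
the request id and the encoding/decoding helpers are constructed here.
"""


def _ber_len(n):
    """BER length field: short form below 128, long form (0x80|count, then bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    """Tag, length, value."""
    return bytes([tag]) + _ber_len(len(body)) + body


def ber_integer(value):
    """Non-negative INTEGER, two's complement with a leading 0x00 when the top bit is set."""
    if value < 0:
        raise ValueError("only non-negative integers are needed here")
    n = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(n, "big", signed=True))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs base-128 big-endian."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def build_get_request(community, oid, request_id=1):
    """SNMPv2c message: SEQUENCE { version=1, community OCTET STRING, GetRequest-PDU [0] }."""
    varbind = _tlv(0x30, ber_oid(oid) + b"\x05\x00")  # OID name + NULL value
    pdu_body = ber_integer(request_id) + ber_integer(0) + ber_integer(0) + _tlv(0x30, varbind)
    pdu = _tlv(0xA0, pdu_body)  # context tag [0] = GetRequest
    return _tlv(0x30, ber_integer(1) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    """Decode one tag-length-value at pos; returns (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_header(packet):
    """What an on-path observer (or your own IDS) recovers from the wire: (version, community)."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag_v, ver, pos = _read_tlv(body, 0)
    tag_c, comm, _ = _read_tlv(body, pos)
    if tag_v != 0x02 or tag_c != 0x04:
        raise ValueError("unexpected header layout")
    return int.from_bytes(ver, "big"), comm.decode()


if __name__ == "__main__":
    # sysDescr.0 is a constructed choice of OID for the demonstration.
    pkt = build_get_request("SNMP-COMM-2c", "1.3.6.1.2.1.1.1.0")
    print(pkt.hex())
    print(parse_header(pkt))  # (1, 'SNMP-COMM-2c')
```

The decoder side is the part worth keeping: the same few lines of TLV walking are enough for a monitoring rule to alert on an unexpected community name or on SNMP reaching the SRX from a source other than the designated server.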
Configuring SNMP Management
First, let’s configure SNMP so the server can poll SRX using SNMP GET messages.
To configure SNMPv2c, we need the SNMP server IP (the host that will poll the SRX firewall using the community string), the community string itself, and the authorization type (read-only or read-write).
In this example, we’ll restrict SNMP access to the SNMP server IP 192.168.50.171 using the read-only community SNMP-COMM-2c.
set snmp community SNMP-COMM-2c clients 192.168.50.171/32
set snmp community SNMP-COMM-2c authorization read-only
Configuring SNMP Traps
SNMP traps provide an efficient way to notify the SNMP server when certain conditions occur on the SRX. Note that traps always flow from the SRX to the SNMP server.
To configure an SNMP trap, you need to define both what should trigger the trap and where to send it, with the appropriate community string.
So what should trigger a trap? Junos defines the following trap categories.
| Category | Meaning |
|---|---|
| authentication | Authentication failures |
| chassis | Chassis or environment notifications |
| chassis-cluster | Clustering notifications |
| configuration | Configuration notifications |
| link | Link up-down transitions |
| otn-alarms | OTN alarm trap subcategories |
| remote-operations | Remote operations |
| rmon-alarm | RMON rising and falling alarms |
| routing | Routing protocol notifications |
| services | Services notifications |
| sonet-alarms | SONET alarm trap subcategories |
| startup | System warm and cold starts |
| vrrp-events | VRRP notifications |
For this example, we’ll limit the traps that are sent to just the chassis, chassis-cluster, link, and startup categories rather than sending all SNMP traps, and send them via a trap group named Desired-Traps to the server 192.168.50.171.
set snmp trap-group Desired-Traps categories chassis
set snmp trap-group Desired-Traps categories chassis-cluster
set snmp trap-group Desired-Traps categories link
set snmp trap-group Desired-Traps categories startup
set snmp trap-group Desired-Traps version v2 targets 192.168.50.171
Note that we grouped the required trap categories into a trap group (named Desired-Traps in this example) and then pointed that trap group at the SNMP server IP to which the traps will be sent.
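The following Python audit is an added example, not code from the article or from Juniper. It applies the two hardening points of this walkthrough, a community restricted to a single /32 client with read-only authorization, and a trap group that actually has a target, to a constructed set of `set snmp` lines. The SNMP-COMM-2c lines and the Desired-Traps group are the article's; the `public` community and the `Orphaned` trap group are constructed weak entries so the checks have something to report.

```python
"""Offline audit of Junos 'set snmp' lines against the hardening points in the article.

Added example, not from the article or Juniper. SAMPLE_CONFIG is constructed: the
SNMP-COMM-2c and Desired-Traps lines are the article's, the 'public' community and the
'Orphaned' trap group are deliberately weak entries for the checks to find.
"""
import ipaddress
from collections import defaultdict

SAMPLE_CONFIG = """\
set snmp community SNMP-COMM-2c clients 192.168.50.171/32
set snmp community SNMP-COMM-2c authorization read-only
set snmp community public authorization read-write
set snmp trap-group Desired-Traps categories chassis
set snmp trap-group Desired-Traps categories chassis-cluster
set snmp trap-group Desired-Traps categories link
set snmp trap-group Desired-Traps categories startup
set snmp trap-group Desired-Traps version v2 targets 192.168.50.171
set snmp trap-group Orphaned categories authentication
"""

WELL_KNOWN_NAMES = {"public", "private"}


def parse_snmp_config(text):
    """Return (communities, trap_groups) built from 'set snmp ...' lines; other lines are ignored."""
    communities = defaultdict(lambda: {"clients": {}, "authorization": None})
    trap_groups = defaultdict(lambda: {"categories": set(), "targets": set(), "version": None})
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens[:2] != ["set", "snmp"] or len(tokens) < 4:
            continue
        kind, name, rest = tokens[2], tokens[3], tokens[4:]
        if kind == "community":
            entry = communities[name]
        elif kind == "trap-group":
            entry = trap_groups[name]
        else:
            continue
        i = 0
        while i < len(rest):
            key = rest[i]
            val = rest[i + 1] if i + 1 < len(rest) else None
            if key == "restrict":  # 'clients X restrict' excludes prefix X instead of allowing it
                last = list(entry["clients"])[-1]
                entry["clients"][last] = False
                i += 1
                continue
            if key == "clients" and val:
                entry["clients"][val] = True
            elif key == "authorization":
                entry["authorization"] = val
            elif key == "categories":
                entry["categories"].add(val)
            elif key == "targets":
                entry["targets"].add(val)
            elif key == "version":
                entry["version"] = val
            i += 2
    return dict(communities), dict(trap_groups)


def audit(text):
    """Return a sorted list of findings; an empty list means every check passed."""
    findings = []
    communities, trap_groups = parse_snmp_config(text)
    for name, c in communities.items():
        if name.lower() in WELL_KNOWN_NAMES:
            findings.append(f"community {name}: well-known default name")
        if c["authorization"] == "read-write":
            findings.append(f"community {name}: read-write authorization")
        allowed = [p for p, ok in c["clients"].items() if ok]
        if not allowed:
            findings.append(f"community {name}: no clients list, any source may poll")
        for prefix in allowed:
            net = ipaddress.ip_network(prefix, strict=False)
            if net.prefixlen < net.max_prefixlen:
                findings.append(f"community {name}: client prefix {prefix} wider than a single host")
    for name, g in trap_groups.items():
        if g["categories"] and not g["targets"]:
            findings.append(f"trap-group {name}: categories set but no targets, traps go nowhere")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On a live box the input is the output of `show configuration snmp | display set`; a clean run returns no findings, and each line reported names the community or trap group to fix.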
I hope you enjoy this article. Please feel free to leave a comment or feedback.