HOW TO: Configure SNMPv2c on Juniper SRX Firewall

September 13, 2016October 22, 2016 Ashutosh Patel 2605 Views 0 Comments Juniper, SNMP, SRX

https://netfixpro.com/snmpv2c-configuration-on-juniper-srx-firewall/

This article details the process for setting up SNMP for monitoring of the Juniper SRX firewalls.

SNMP versions 1, 2c, and 3 are supported by Juniper SRX Firewalls. For simplicity, I’ll just demonstrate using SNMP v2c, which only leverages the community string for authentication.

NOTE: SNMP v2 is not encrypted so it is not the most secure solution, but it is fast to deploy. SNMP v3 is recommended for security, but SNMPv3 is much more extensive and requires a bunch of different concepts.

Configuring SNMP Management

First, let’s configure SNMP so the server can poll SRX using SNMP GET messages.

To configure SNMP v2c, we will require SNMP-server IP (which will poll the SRX firewall using community), Community strings and authorization type (read-only or read-write).

In this example, we’ll restrict SNMP access from the snmp-server IP 192.168.50.171 using read-only Community SNMP-COMM-2c.

set snmp community SNMP-COMM-2c clients 192.168.50.171/32
set snmp community SNMP-COMM-2c authorization read-only

Configuring SNMP Traps

SNMP traps provide an efficient way to signal to the snmp-server when certain conditions are reached on the SRX. Note that SRX traps are always sent from SRX to the snmp server.

To configure an SNMP trap, you need to define both, what to trigger the trap on and where to send it with the appropriate community string.

To understand, what to trigger the trap? Junos has certain trap categories as follows.

Categories	Meaning
authentication chassis chassis-cluster configuration link otn-alarms remote-operations rmon-alarm routing services sonet-alarms startup vrrp-events	Authentication failures Chassis or environment notifications Clustering notifications Configuration notifications Link up-down transitions OTN alarm trap subcategories Remote operations RMON rising and falling alarms Routing protocol notifications Services notifications SONET alarm trap subcategories System warm and cold starts VRRP notifications

Categories

Meaning

authentication

chassis

chassis-cluster

configuration

link

otn-alarms

remote-operations

rmon-alarm

routing

services

sonet-alarms

startup

vrrp-events

Authentication failures

Chassis or environment notifications

Clustering notifications

Configuration notifications

Link up-down transitions

OTN alarm trap subcategories

Remote operations

RMON rising and falling alarms

Routing protocol notifications

Services notifications

SONET alarm trap subcategories

System warm and cold starts

VRRP notifications

For this example, we’ll limit the type of traps that are sent to just Chassis, Chassis-Cluster, link, and Startup rather than sending all SNMP traps. Send the traps using trap-groups named Desired-Traps to server 192.168.50.171.

set snmp trap-group Desired-Traps categories chassis
set snmp trap-group Desired-Traps categories chassis-cluster
set snmp trap-group Desired-Traps categories link
set snmp trap-group Desired-Traps categories startup
!
set snmp trap-group Desired-Traps version v2 targets 192.168.50.171

Note that we grouped some required snmp trap categories as part of trap-groups (named Desired-Traps, in this example) and then apply that trap-group to snmp-server IP where traps will be sent.

I hope you enjoy this article. Please feel free leave a comment or feedback.

https://netfixpro.com/snmpv2c-configuration-on-juniper-srx-firewall/

Ashutosh Patel

Ashutosh Patel is the Author and editor of netfixpro.com. He currently works as a Network Security Architect. Follow him on following social media to know more about him.