SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Configuring SNMP traps on edge devices whose management IPs are public.

  • 1.  Configuring SNMP traps on edge devices whose management IPs are public.

    Posted 02-26-2020 04:59

    Hi Team,

    We are trying to configure SNMP traps on all devices. Traps are working fine when the devices are behind the SRX 240 firewall (trust zone or same network).

    But the issue comes when edge devices send a trap from the untrust zone to the trust zone.

    SNMP configuration on edge devices:

    *consider the following example

    trap-options {
        source-address 14.x.x.1;
    }
    trap-group Zabbix-trap {
        version v2;
        destination-port 162;
        categories {
            authentication;
            remote-operations;
            configuration;
        }
        targets {
            14.x.x.2;
        }
    }

    Configuration on the core firewall:


    set security nat destination pool Zabbix_Trap address 192.168.10.2/32
    set security nat destination pool Zabbix_Trap address port 162

     

    set security nat destination rule-set untrust_vips rule TATA_Zabbix_Trap match destination-address 14.x.x.2/32
    set security nat destination rule-set untrust_vips rule TATA_Zabbix_Trap match destination-port 162
    set security nat destination rule-set untrust_vips rule TATA_Zabbix_Trap then destination-nat pool Zabbix_Trap

     

    set security policies from-zone untrust to-zone trust policy Zabbix_Trap match source-address 14.x.x.1
    set security policies from-zone untrust to-zone trust policy Zabbix_Trap match destination-address Zabbix
    set security policies from-zone untrust to-zone trust policy Zabbix_Trap match application SNMP
    set security policies from-zone untrust to-zone trust policy Zabbix_Trap then permit
    set security policies from-zone untrust to-zone trust policy Zabbix_Trap then log session-init
    set security policies from-zone untrust to-zone trust policy Zabbix_Trap then count

    When we try to configure traps on the edge devices, we configure a destination NAT pool on the core firewall (SRX 240) and give it the same target IP that we used in the SNMP configuration on the edge devices.

    We have even configured a policy from the untrust zone to the trust zone, with the source as the public IP (ex: 14.x.x.x) and the destination as the private IP of our Zabbix server, and allowed the application on port 162 for the trap.

    Please find the attached network architecture.

    Can anyone kindly assist in proceeding further.

    Thanks,

    Gautam

    [attachment: Trap.PNG]



  • 2.  RE: Configuring SNMP traps on edge devices whose management IPs are public.
    Best Answer

    Posted 02-26-2020 07:02

    Gautam,

    The NAT configuration is correct on the core SRX, and the security policy should look like this:

     

    set security policies from-zone untrust to-zone trust policy Zabbix_Trap match source-address [Address-book representing 14.x.x.1/32]
    set security policies from-zone untrust to-zone trust policy Zabbix_Trap match destination-address [Address-book representing 192.168.10.2/32]
    set security policies from-zone untrust to-zone trust policy Zabbix_Trap match application SNMP
    set security policies from-zone untrust to-zone trust policy Zabbix_Trap then permit
    set security policies from-zone untrust to-zone trust policy Zabbix_Trap then log session-init
    set security policies from-zone untrust to-zone trust policy Zabbix_Trap then count
    
    set applications application SNMP protocol udp
    set applications application SNMP destination-port 162

    Running flow traces will help you understand how the core firewall is processing these packets:

     

    set security flow traceoptions file FLOW_TRACE
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter TEST source-prefix 14.X.X.1
    set security flow traceoptions packet-filter TEST destination-prefix 14.X.X.2
    set security flow traceoptions packet-filter TEST destination-port 162

    After committing the configuration, check the generated file with:

     

    > show log FLOW_TRACE

     



  • 3.  RE: Configuring SNMP traps on edge devices whose management IPs are public.

    Posted 02-27-2020 00:33

    Hi,

    Awesome..

    After doing the flow trace, we were able to identify the rule position issue. We are doing destination NAT on the same IP (14.x.x.2) for various protocols with specific port numbers, but for TATA_OWA we did not define a port number, and TATA_Zabbix_Trap was configured in the last position.

    [attachments: Junos.PNG, NAT.PNG]

    Thanks,

    Yusuf 
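The root cause Yusuf found is worth seeing as a rule-ordering check. The following is an added example, not code from the thread or from Junos: a minimal model of SRX destination-NAT rule-set evaluation (first match in configured order) that reproduces the shadowing the flow trace exposed and flags it before commit. Rule names and the 14.x.x.2 / Zabbix_Trap values come from the thread; the OWA pool name and port 443 are placeholders.

```python
# Added example: first-match destination-NAT rule evaluation and a shadowing check.
# Addresses are the thread's masked literals, used here only as labels.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class DnatRule:
    name: str
    dst_addr: str            # match destination-address
    dst_port: Optional[int]  # match destination-port; None = no port match (any port)
    pool: str                # then destination-nat pool

    def matches(self, dst_addr: str, dst_port: int) -> bool:
        return dst_addr == self.dst_addr and (self.dst_port is None or dst_port == self.dst_port)

def first_match(rules: List[DnatRule], dst_addr: str, dst_port: int) -> Optional[str]:
    """Name of the first rule hit, which is the one the SRX applies (as a flow trace would show)."""
    for rule in rules:
        if rule.matches(dst_addr, dst_port):
            return rule.name
    return None

def shadowed_rules(rules: List[DnatRule]) -> List[Tuple[str, str]]:
    """(rule, shadowing_rule) pairs: a later rule whose every packet an earlier rule already catches."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            same_addr = earlier.dst_addr == rule.dst_addr
            covers_port = earlier.dst_port is None or earlier.dst_port == rule.dst_port
            if same_addr and covers_port:
                found.append((rule.name, earlier.name))
                break
    return found

# Order as committed on the core SRX: OWA rule without a port, trap rule last.
BROKEN = [
    DnatRule("TATA_OWA", "14.x.x.2", None, "OWA_pool"),  # placeholder pool name
    DnatRule("TATA_Zabbix_Trap", "14.x.x.2", 162, "Zabbix_Trap"),
]
# Fixed: give the OWA rule its port (moving the trap rule above it also works).
FIXED = [
    DnatRule("TATA_OWA", "14.x.x.2", 443, "OWA_pool"),  # placeholder port
    DnatRule("TATA_Zabbix_Trap", "14.x.x.2", 162, "Zabbix_Trap"),
]

if __name__ == "__main__":
    print("UDP/162 hits:", first_match(BROKEN, "14.x.x.2", 162))   # TATA_OWA, wrong pool
    print("shadowed:", shadowed_rules(BROKEN))                     # trap rule never reached
    print("UDP/162 hits after fix:", first_match(FIXED, "14.x.x.2", 162))
```

The same check applies to any destination-NAT rule-set that reuses one public address for several services: a port-less rule must come after every port-specific rule for that address.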



  • 4.  RE: Configuring SNMP traps on edge devices whose management IPs are public.

    Posted 02-27-2020 19:09

    Nice, glad it was useful.

     



  • 5.  RE: Configuring SNMP traps on edge devices whose management IPs are public.

    Posted 02-28-2020 00:03

    Thank you mrojas