Sophos Switch - SNMP v3

I can't find a single how-to or example for setting up SNMPv3. Does someone have a working example?

I am trying to get SNMP V3 on Sophos CS110-48FP to communicate with a Domotz agent.  (SNMP Polling).

Does the switch have any logs which show relevant SNMP logs, why it won't "talk"?  I don't see any on syslog or local.

SOPHOS, Where is SNMP V3 how to?  -- Features pertaining to security should be completely documented to show BEST PRACTICE.

It seems that Sophos created a switch and integrated it into Central, which is a good thing for the Sophos ecosystem, but has put MINIMAL EFFORT into creating documentation which should provide clear examples of features.

Previously, I called into support for help, and Sophos Switch is NOT on the support menu.  Sophos customer support said that it is not on the menu because there are not many engineers trained to support the product.  I was put through to a FW tech.  - This must be fixed, if Sophos expects customers to purchase additional!

I think the hardware is solid for the price point, and central management is coming along, showing potential.  I appreciate the GUI and realize that this should make it easier for those unfamiliar with Sophos CLI.  No good examples for CLI.  IE: CLI manual shows command syntax, but does nothing to put the pieces together.  FRUSTRATING.



Added TAGs
[edited by: Erick Jan at 6:00 AM (GMT -8) on 11 Jan 2024]
  • I'm using SolarWinds Real Time Bandwidth Monitor (free) as a tool for getting V3 figured out.  V2, works with this tool, with default community NETMAN.

    For V3, a User must be created with credentials for Privilege mode, Auth, and Encryption.

    Do we need a Community name specified for V3?  I don't think so, not sure?

    How does Group List, Access, View work / function with V3?  Can Sophos please explain?

    So far, No luck with V3 auth, and I can't find any logging coming from switch?  Is there a CLI command so that it will provide verbose output, like:

    "SNMP V3, auth fail 10.254.6.2 ........"

  • YES.

    So I've discovered that many SNMP monitoring tools leave MUCH to be desired, and I believe this is related to how they implement or fail to implement encryption protocols.  No matter what I have tried Domotz has been a royal PIA, and doesn't want to read SNMP data from this switch.  Time to ditch it and move on.  Solarwinds Real Time bandwidth monitor will not play nice with V3 either.  (Deprecated).

    Good news: This tool is the Bomb-digity if you need to test SNMP: https://www.paessler.com/tools/snmptester (free)

    After trying a few iterations, I came to the realization that the BUILT-IN account noAuthUser works with SNMP V3, however there is no Authentication or Encryption working out of the box.

    SOPHOS should by default provide working examples using best-practice examples (Auth / Encryption).

    I used the noAuthUser as an example and created a new user IE:TestUser. 

    Note:  Occasionally I tried deleting entries that I created with GUI.  Sometimes I would get an error and the entry would not be removed.  I resorted to the CLI, Conf T, and inserted NO in front of the offending line of configuration, (Like Cisco IOS).

    I created corresponding entries in Group List, Access List and View List and successfully tested Auth and Encryption with SHA / AES.

    I didn't know I had to create entries in Group, Access, View, I am not an SNMP V3 guru.

    I will work on creating a Sophos SNMP V3 How-To with Paessler.

    Finding a reliable / affordable monitoring agent which works with Auth / Encryption is a whole different monkey......

  • My replies / posts keep getting blocked due to pesky SPAM robot which believes relevant information is junk... ARGH>

    This article for a Cisco product was very helpful in understanding V3, and I was able to see CLI with examples and relate that to how to proceed with Sophos.  networkverge.com/configure-snmpv3-on-cisco-switch

    The Paessler SNMP tester (free) is an invaluable tool for getting real time troubleshooting data.

  • Use this for v2c, I'll work on one for v3 shortly. Please don't enter the comment lines I put there.

    #(config) snmp user usernamehere
    #(config) snmp group groupnamehere user usernamefromabovehere security-model v2c
    //**this command ensures your group/user will have view access to the full OID list
    #(config) snmp view aviewnamehere 1 mask 1 include
    //**this command gives access to the group using v2c with read and notify permissions, and you can specify write as well
    #(config) snmp access groupnamehere v2c read aviewnamehere notify aviewnamehere (optionally write aviewnamehere)
    #(config) snmp community name NAME security usernamefromabovehere

  • From CLI, this will get you v3 up and running, the same process works from GUI. Will work on something GUI-based for you! You can run this directly from Central as well on the relevant switches all at once to configure them quickly.  Just remove my comments if you copy/paste after updating the settings. That goes for the v2c also.

    #(config) conf t 

    #(config)snmp user v3usernamehere auth md5 12345678 priv AES_CFB128 12345678  <<you can modify your auth and enc requirements
    //**remember the minimum characters are 8, so I just typed out 1-8, but you should set a proper value
    #(config)snmp group v3groupnamehere user v3usernamefromabove security-model v3
    //**this command ensures your group/user will have view access to the full OID list
    #(config)snmp view viewnamehere 1 mask 1 include
    //**this command gives access to the group using v3 with read and notify permissions, and you can specify write as well
    #(config)snmp access v3groupnamehere v3 read viewnamehere notify viewnamehere
    #(config)snmp community name SNMPNAME security v3usernamefromabove
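
The posts above found that an SNMPv3 user only works once matching group, access and view entries exist, and the posted template uses placeholder credentials. As an added example (not part of the thread and not Sophos tooling), this Python linter reads commands in the form posted above and reports missing links and weak credentials; the sample config and the names in it are constructed, and only the command shapes shown on this page are parsed.

```python
# Added example. SAMPLE is constructed from the v3 post above (prompts/comments removed).
SAMPLE = """\
snmp user v3user auth md5 12345678 priv AES_CFB128 12345678
snmp group v3group user v3user security-model v3
snmp view fullview 1 mask 1 include
snmp access v3group v3 read fullview notify fullview
"""

def _pair(tok, key):
    """Return the two tokens after `key` (algorithm, passphrase), else (None, None)."""
    i = tok.index(key) if key in tok else len(tok)
    return tuple(tok[i + 1:i + 3]) if i + 2 < len(tok) else (None, None)

def lint(config):
    """Return findings: weak v3 credentials and missing group/access/view links."""
    users, group_of, views, access, out = {}, {}, set(), {}, []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 3 or t[0] != "snmp":
            continue
        if t[1] == "user":
            users[t[2]] = t[3:]                      # options after the user name
        elif t[1] == "group" and "user" in t and t[-2:] == ["security-model", "v3"]:
            group_of[t[t.index("user") + 1]] = t[2]  # user -> v3 group
        elif t[1] == "view":
            views.add(t[2])
        elif t[1] == "access" and t[3:4] == ["v3"]:
            access[t[2]] = t[4:]                     # keyword/view pairs
    for user, opts in users.items():
        (a_alg, a_pw), (p_alg, p_pw) = _pair(opts, "auth"), _pair(opts, "priv")
        if a_alg is None or p_alg is None:
            out += [f"{user}: v3 user without both auth and priv"] if user in group_of else []
            continue  # a plain v2c user has nothing further to check
        if a_alg.lower() == "md5":
            out.append(f"{user}: MD5 authentication")
        if a_pw == p_pw:
            out.append(f"{user}: auth and priv passphrase are identical")
        if min(len(a_pw), len(p_pw)) < 8 or a_pw.isdigit() or p_pw.isdigit():
            out.append(f"{user}: short or digits-only passphrase")
        group = group_of.get(user)
        if group is None:
            out.append(f"{user}: not mapped to a v3 group")
        elif group not in access:
            out.append(f"{group}: no v3 access entry")
        else:
            out += [f"{group}: view {v} is not defined"
                    for v in sorted(set(access[group][1::2]) - views)]
    return out
```

Calling `lint(SAMPLE)` on the posted template returns the three credential findings; deleting the `snmp access` or `snmp view` line adds the corresponding structural finding.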

  • Matthew, I would like to say Thank you for your contributions here.  I should have done so a while back !!

  • This one works fine.  Enter into CLI, then check out GUI, that will help figuring out how to use GUI (What / Where).