Sophos Switch - SNMP v3

I can't find a single how-to or example for setting up SNMPv3.  Does someone have a working example?

I am trying to get SNMP V3 on a Sophos CS110-48FP to communicate with a Domotz agent (SNMP polling).

Does the switch have any logs which show relevant SNMP events, i.e. why it won't "talk"?  I don't see any in syslog or locally.

SOPHOS, Where is SNMP V3 how to?  -- Features pertaining to security should be completely documented to show BEST PRACTICE.

It seems that Sophos created a switch and integrated it into Central, which is a good thing for the Sophos ecosystem, but has put MINIMAL EFFORT into creating documentation which should provide clear examples of features.

Previously, I called into support for help, and Sophos Switch is NOT on the support menu.  Sophos customer support said that it is not on the menu because there are not many engineers trained to support the product.  I was put through to a FW tech.  - This must be fixed, if Sophos expects customers to purchase additional!

I think the hardware is solid for the price point, and central management is coming along, showing potential.  I appreciate the GUI and realize that this should make it easier for those unfamiliar with the Sophos CLI.  No good examples for the CLI, i.e. the CLI manual shows command syntax, but does nothing to put the pieces together.  FRUSTRATING.



Added TAGs
[edited by: Erick Jan at 6:00 AM (GMT -8) on 11 Jan 2024]
  • I'm using SolarWinds Real Time Bandwidth Monitor (free) as a tool for getting V3 figured out.  V2, works with this tool, with default community NETMAN.

    For V3, a user must be created with credentials for privilege mode, auth, and encryption.

    Do we need a Community name specified for V3?  I don't think so, not sure?

    How does Group List, Access, View work / function with V3?  Can Sophos please explain?

    So far, no luck with V3 auth, and I can't find any logging coming from the switch.  Is there a CLI command so that it will provide verbose output, like:

    "SNMP V3, auth fail 10.254.6.2 ........"

  • From CLI, this will get you v3 up and running, the same process works from GUI. Will work on something GUI-based for you! You can run this directly from Central as well on the relevant switches all at once to configure them quickly.  Just remove my comments if you copy/paste after updating the settings. That goes for the v2c also.

    # conf t

    //** you can modify your auth and enc requirements; md5 and AES_CFB128 are the values shown here,
    //** and if the switch offers sha as an auth option, that is the stronger choice
    //** remember the minimum characters are 8, so i just typed out 1-8, but you should set a proper value
    (config)# snmp user v3usernamehere auth md5 12345678 priv AES_CFB128 12345678

    //** this command binds the user created above to a group under security model v3
    (config)# snmp group v3groupnamehere user v3usernamehere security-model v3

    //** this command ensures your group/user will have view access to the full OID list
    (config)# snmp view viewnamehere 1 mask 1 include

    //** this command gives access to the group using v3 with read and notify permissions, and you can specify write as well
    (config)# snmp access v3groupnamehere v3 read viewnamehere notify viewnamehere

    //** the community entry is tied to the same v3 user name created above
    (config)# snmp community name SNMPNAME security v3usernamehere


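Added example, not posted by anyone in this thread and not Sophos code: what an SNMPv3 agent does with the auth and priv passphrases from the `snmp user ... auth md5 ... priv AES_CFB128 ...` command, and why a failed poll shows up as an in-band USM report rather than a syslog line. It assumes only that the switch implements the standard User-based Security Model (RFC 3414 key localization, RFC 3826 AES-128 key truncation), which any interoperable SNMPv3 agent must. The "maplesyrup" passphrase and the 12-byte engine ID are the RFC 3414 appendix test vector; the second engine ID is a constructed value standing in for a second switch, and the function and constant names are this example's own.

```python
import hashlib

# RFC 3414 (USM) constants
USM_MIN_PASSPHRASE_LEN = 8      # the standard rejects shorter passphrases; hence the "minimum 8" in the CLI
USM_EXPAND_LEN = 1_048_576      # passphrase is hashed after expansion to 1 MiB

# Constructed inputs for the demonstration: the RFC 3414 appendix test vector,
# plus a made-up engine ID representing a second switch with the same passphrase.
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
OTHER_ENGINE_ID = bytes.fromhex("800007e5804089071c00000001")  # hypothetical


def password_to_ku(password: str, algo: str) -> bytes:
    """Step 1 of RFC 3414 A.2: Ku = hash(passphrase repeated cyclically to 1 MiB).

    algo is a hashlib name: "md5" for auth md5, "sha1" for auth sha.
    """
    if len(password) < USM_MIN_PASSPHRASE_LEN:
        raise ValueError("USM passphrase must be at least 8 characters")
    pw = password.encode()
    reps, rem = divmod(USM_EXPAND_LEN, len(pw))
    return hashlib.new(algo, pw * reps + pw[:rem]).digest()


def localize_key(password: str, engine_id: bytes, algo: str = "md5") -> bytes:
    """Step 2: Kul = hash(Ku || snmpEngineID || Ku).

    This is the key the agent stores and the poller must derive, which is why
    the poller has to learn the switch's engine ID first (engine discovery).
    """
    ku = password_to_ku(password, algo)
    return hashlib.new(algo, ku + engine_id + ku).digest()


def aes128_priv_key(password: str, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3826: AES-CFB128 uses the first 16 octets of the localized priv key."""
    return localize_key(password, engine_id, algo)[:16]


# USM report counters (RFC 3414 section 5). An agent that rejects a v3 request
# does not have to log it; it answers with a Report PDU carrying one of these OIDs,
# and SNMP tools decode the OID into a human-readable error on the poller side.
USM_REPORT_COUNTERS = {
    "1.3.6.1.6.3.15.1.1.1.0": "usmStatsUnsupportedSecLevels: user not configured for the requested auth/priv level",
    "1.3.6.1.6.3.15.1.1.2.0": "usmStatsNotInTimeWindows: engine boots/time out of sync (clock or replay check)",
    "1.3.6.1.6.3.15.1.1.3.0": "usmStatsUnknownUserNames: no such USM user on this engine",
    "1.3.6.1.6.3.15.1.1.4.0": "usmStatsUnknownEngineIDs: poller used the wrong snmpEngineID, rediscover it",
    "1.3.6.1.6.3.15.1.1.5.0": "usmStatsWrongDigests: HMAC check failed, wrong auth passphrase or auth protocol",
    "1.3.6.1.6.3.15.1.1.6.0": "usmStatsDecryptionErrors: wrong priv passphrase or priv protocol",
}


def explain_usm_report(oid: str) -> str:
    """Map the varbind OID of a USM Report PDU to the misconfiguration it indicates."""
    return USM_REPORT_COUNTERS.get(oid, "not a USM report counter")


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(f"{algo}: Ku ={password_to_ku(RFC_PASSWORD, algo).hex()}")
        print(f"{algo}: Kul={localize_key(RFC_PASSWORD, RFC_ENGINE_ID, algo).hex()}")
    # Same passphrase on two switches yields two different stored keys.
    print("other switch Kul =", localize_key(RFC_PASSWORD, OTHER_ENGINE_ID).hex())
    print("AES-128 priv key =", aes128_priv_key(RFC_PASSWORD, RFC_ENGINE_ID, "sha1").hex())
    print(explain_usm_report("1.3.6.1.6.3.15.1.1.5.0"))
```

The practical consequence for the question above: the auth-fail evidence lives on the poller, not in the switch's syslog. A net-snmp check against the CLI configuration shown earlier is `snmpget -v3 -l authPriv -u v3usernamehere -a MD5 -A <authpass> -x AES -X <privpass> <switch-ip> sysDescr.0`; a wrong auth passphrase comes back as a usmStatsWrongDigests report (net-snmp prints it as an authentication failure), a wrong priv passphrase as usmStatsDecryptionErrors, and a user created at a lower security level than `-l` requests as usmStatsUnsupportedSecLevels.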