
SNMP on WAN not working

I'm coming from a Sophos UTM9 home setup, where externally monitoring it from the WAN via SNMP worked fine. I'm having difficulty getting it to work on Sophos XG Home.  Here is what I have done:

  • System > Administration > Device Access: SNMP is checked for both LAN and WAN
  • System > Administration > SNMP > Agent Configuration:  Enable SNMP Agent is checked, with Name, Location, Contact and normal ports 161 & 162 set.
  • System > Administration > SNMP > Community:   Community added with the correct community name and the public IP of our Monitoring Server set, Protocol v2c checked.

No additional firewall rules have been written or attempted, since the docs clearly state that you do not need them.  It should just "work".

From the external Monitoring Server, I am testing this by issuing an snmpwalk command (snmpwalk -v2c -c redacted 1.2.3.4) , and I just get "Timeout: No Response from 1.2.3.4"

As a test, I edited the Community and changed the allowed IP address to be my local machine, and I issued the same snmpwalk command against the LAN IP, and it worked perfectly. So, the Sophos XG definitely has SNMP working and I have the right command, but it just does not work from the WAN side.

Open to any ideas you may have.  Thank you, in advance, for the help!

- Scott



  • Hi  

    I too am not able to SNMP walk on the WAN zone.

    Please could you open up a support case with us so that this can be rectified.

    Thanks.

    KingChris
    Community Support | Sophos Support


  • Thanks   Support Case 9629167 has been opened.

    - Scott

  • Even though I told them you asked me to open the ticket, they rejected the ticket because I am an XG Home Free user.  Now what?

    - Scott

    Hello Scott,

    My apologies for the late response. As I further checked on this, we found a designated support for Sophos Home and Sophos Home Premium users. For Sophos Home users, their support would be provided in the Sophos community, and we have a public KB article to follow. For Sophos Home Premium there is a chat support found in the dashboard. https://support.home.sophos.com/hc/en-us/articles/115005585566-Contacting-Sophos-Home-Support

    Since there is a designated support and this would be considered a misrouted case, we suggest to touch base with them for further support assistance.
  • Are you sure you want to send SNMP through WAN?


  • Hi  

    My apologies for that but I should have asked you if you were a home user or commercial licensed user.

    To let you know that I was eventually able to get SNMP monitoring through the WAN working fine.  The actual issue was due to misconfiguration in my lab that I had forgotten about.  Once that was configured correctly, SNMP monitoring through WAN zone worked fine.

    What I would suggest you do is open SSH to the XG.  Go to "Advance Console" and run a packet capture to see if the traffic is even making it to the XG.  What I think you are doing is you are coming from the LAN side and trying to hit SNMP services on the WAN side of the XG.  This will require what is called a "hairpin" rule.  This is messy and shouldn't be done.

    Thanks!

    KingChris
    Community Support | Sophos Support


  • KingChris said:
    My apologies for that but I should have asked you if you were a home user or commercial licensed user.

    Hi Chris. Sorry for the confusion, although I did start the post by saying "I'm having difficulty getting it to work on Sophos XG Home." :-)

    KingChris said:
    What I think you are doing is you are coming from the LAN side and trying to hit SNMP services on the WAN side of the XG.  This will require what is called a "hairpin" rule.  This is messy and shouldn't be done.

    No, I am coming from the Public IP of a Linux server out in the cloud, connecting to the public WAN IP of the Sophos XG.

    KingChris said:
    What I would suggest you do is open SSH to the XG.  Go to "Advance Console" and run a packet capture to see if the traffic is even making it to the XG.

    Packet capture was a great idea!  I've done some captures, both from the XG and also from the external server. Interestingly, it does look like the packets are getting to the XG and it's trying to respond, but the responses are not being received by the external server. I'm checking now to see if there is a firewall issue between the two servers that might cause the responses to be blocked.  So, this was a very good idea!  FYI, for anyone else that may see this discussion in the future... when you SSH into the XG, you would choose "Device Console" (not 'Advanced Console') and then choose tcpdump. There is an excellent article on using tcpdump here: https://community.sophos.com/kb/en-us/123567

    UPDATE: I found out the data center, where I am doing my snmpwalk from, is blocking UDP 161.

    SOLUTION: The Sophos XG has the SNMP Agent port hard-coded to 161 (unlike the SNMP Manager port, which defaults to 162, but can be changed).  However, I found a workaround, by creating a firewall rule on the Sophos XG to allow SNMP on an alternate port (for example 1616), and then mapping that port 1616 to the LAN port of the XG, on the standard port of 161. For anyone that wants to try this, it looks like this:

    SNMP on WAN via Alternate SNMP Port:

    First, make sure you have SNMP enabled on the LAN port, under System > Administration > Device Access (WAN port not needed)

    Next, make the following Firewall Rule (Protect > Firewall > Add Firewall Rule)

    Rule Name, Description and Rule Group are whatever you want to use.
    Source Zone: WAN
    Allowed Client Networks: I used the Public IP of the server in the cloud that will be connecting to the XG
    Blocked Client Networks:  (empty)
    Destination Host/Network: I selected the already created host of "#Port3-1.2.3.4" (where 1.2.3.4 is your public IP on WAN port)
    Services:  I created a new Service, called SNMP-1616, with Protocol UDP, Source Port 1:65535, Destination Port 1616
    Protected Server(s): I created a new entry, called "LAN Port 10.1.1.1" with the IP address being the LAN Port of my Sophos XG
    Protected Zone: LAN
    Mapped Port: 161

    After enabling this rule, I was able to issue an snmpwalk command from the cloud server, although it needed the alternate port designation -- adding :1616 after the IP address in the snmpwalk command (i.e.: snmpwalk -v2c -c redacted 1.2.3.4:1616)

    Hope this helps someone in the future that needs to be able to use SNMP on a port other than the standard UDP 161!

    - Scott
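    As an added example (not code from this thread, from Sophos, or from the Net-SNMP tools): a small Python probe that builds the same SNMPv2c GetRequest for sysDescr.0 that an snmpwalk starts with, sends it to an arbitrary UDP port such as the 1616 used in the workaround above, and turns "Timeout: No Response" into a True/False result. It only accepts a GetResponse that echoes our request-id, so a stray datagram on the port is not mistaken for a working agent; host, port and community string are assumed to be supplied by the caller.

```python
import socket
SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # sysDescr.0, the first object an snmpwalk returns

def ber_len(n):  # BER definite length: short form below 128, long form otherwise
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body
def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload
def encode_int(v):  # minimal two's-complement INTEGER (tag 0x02)
    body = v.to_bytes(4, "big", signed=True).lstrip(b"\x00") or b"\x00"
    return tlv(0x02, b"\x00" + body if body[0] & 0x80 else body)
def encode_oid(oid):  # first two arcs packed as 40*a+b, the rest base-128 with continuation bits
    out = bytearray([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        chunk = [arc & 0x7F]
        while (arc := arc >> 7):
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def get_request(community, oid=SYS_DESCR_0, request_id=1):
    # SNMP message = version INTEGER (1 means v2c) + community OCTET STRING + GetRequest PDU (0xA0)
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))   # value is NULL in a request
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, varbind))
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode()) + pdu)

def parse_tlv(buf, pos=0):  # returns (tag, value, next_pos); IndexError on a truncated datagram
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def is_response_for(data, request_id):  # accept only a GetResponse (0xA2) echoing our request-id
    try:
        _, msg, _ = parse_tlv(data)
        _, _, p = parse_tlv(msg)          # skip version
        _, _, p = parse_tlv(msg, p)       # skip community
        tag, pdu, _ = parse_tlv(msg, p)
        return tag == 0xA2 and int.from_bytes(parse_tlv(pdu)[1], "big", signed=True) == request_id
    except IndexError:
        return False

def probe(host, port, community, timeout=2.0):  # True if a matching response arrives, else False
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(get_request(community, request_id=42), (host, port))
        try:
            return is_response_for(sock.recvfrom(4096)[0], 42)
        except socket.timeout:            # the same condition snmpwalk reports as "No Response"
            return False
```

    Running probe(ip, 161, community) and probe(ip, 1616, community) from the monitoring host separates "port 161 filtered upstream" from "agent not answering at all", which is exactly the distinction the tcpdump captures above had to make by hand.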

