Unable to get SNMP data from XG firewall

Hello,

I have been trying and failing to get SNMP monitoring working for my Sophos XG firewall using PRTG.  I have done the following to try and get this working:

  • Enabled the SNMP agent in the firewall config
  • Added the SNMP manager address and community string
  • Created a firewall rule to allow port 161 from LAN to LAN (although technically this is not needed)
  • Confirmed that SNMP is enabled for the LAN zone

However, PRTG is unable to gather any SNMP data from the firewall, and an SNMP walk from the same system running PRTG times out.  It is almost like SNMP is not enabled, or is being blocked.  I have checked the firewall logs on the firewall and I see no traffic when I try and connect.  It is not the firewall on the PRTG server as this is disabled while I try and get this working.

A test in the SNMP Tester by PRTG reports SNMP error # -2003.

What am I doing wrong?!

Thanks



Added TAGs
[edited by: Raphael Alganes at 11:22 PM (GMT -7) on 24 Mar 2024]
  • Your configuration seems to be okay based on the details you've provided:

    • Activate the SNMP Manager.
    • Set up an SNMP Manager (also known as the PRTG Server) and assign it a community string.
    • Confirm or set up SNMP Access on the Device Access Page.

    It's important to double-check your SNMP settings on both the Sophos and PRTG systems, especially if you're using SNMPv3. Since you mentioned setting up a community, it seems you might be using SNMPv2. You could use tcpdump or the packet capture tool (with a BPF filter for udp and port 161) to check if the SNMP requests from your manager (the PRTG server) are reaching your firewall. If you observe traffic similar to the example below, then the requests are indeed reaching your firewall. Otherwise, there may be a connectivity issue on the path to the firewall.

    Example tcpdump output:

    tcpdump -ni any udp and port 161
    Listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes:
    
    21:38:35.027085 Port1, IN: ethertype IPv4, IP <PRTG-Server>.35647 > <SOPHOS>.161: C="<COMMUNITY>" GetNextRequest(26) .1.3.6.1.2.1.1
    21:38:36.028344 Port1, IN: ethertype IPv4, IP <PRTG-Server>.35647 > <SOPHOS>.161: C="<COMMUNITY>" GetNextRequest(26) .1.3.6.1.2.1.1



    To verify if the SNMP daemon is running, you can execute the following command in an advanced shell:

    ps | grep ^snmpd
    
    snmpd 1633 1539 root 26532 11484 S {snmpd} csc -L 3 -w -c /_conf/cscconf.bin
    snmpd 3492 1633 root 13452 6696 S snmpd -f -A -c /cfs/system/snmpd.conf --logTimestamp=true



    Additionally, you can use netstat to check if the daemon is listening on port 161 (netstat -anup | grep 161). For a final check, you could run a direct SNMP get request on the firewall using a small script. To do this, access the advanced console and create the following file:


    vi /tmp/snmptest.py


    Paste the script below into the file. In the last line (send_snmp_get_request), input the IP address of your Sophos Firewall (here: 172.20.20.20).

    import socket

    def send_snmp_get_request(target_ip):
        # SNMP GET-Request for OID .1.3.6.1.2.1.1.1.0 with Community 'sophos'
        snmp_get_request = bytes.fromhex(
            '30 29 02 01 00 04 06 73 6f 70 68 6f 73 a0 1c 02 04 01 02 03 04 02 01 00 02 01 00 30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00'
        )

        # UDP socket; the timeout keeps the script from hanging if no reply arrives
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(5)
        try:
            sock.sendto(snmp_get_request, (target_ip, 161))
            response, _ = sock.recvfrom(1024)
            print(response)
        except socket.timeout:
            print('No SNMP response within 5 seconds')
        finally:
            sock.close()

    send_snmp_get_request('172.20.20.20')


    This script requires an SNMP configuration on the firewall to allow a local manager to connect to the daemon. The community is set to 'sophos' in the script, which should match the 'Name' parameter in the SNMP configuration:

    Navigate to Administration -> SNMP -> SNMPv1 and v2 community and traps -> Add

    • Name: sophos
    • IP address: <your firewall IP, here 172.20.20.20>
    • Query: enabled
    • Trap: disabled

    Execute the script with:

    python /tmp/snmptest.py
    
    b'0l\x02\x01\x00\x04\x06sophos\xa2_\x02\x04\x01\x02\x03\x04\x02\x01\x00\x02\x01\x000Q0O\x06\x08+\x06\x01\x02\x01\x01\x01\x00\x04CLinux localhost 4.14.277 #2 SMP Wed Jul 5 21:40:44 CEST 2023 x86_64'

    Delete the script after execution with rm /tmp/snmptest.py
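
Added example, not part of the original reply: a standard-library BER decoder that turns the raw bytes printed by the test script into readable fields (version, community, PDU type, error status, OID, value), so a working reply can be told apart from an SNMP error reply. The function names are illustrative, and it only handles the single-varbind SNMPv1/v2c message shape used in this thread.

```python
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated SNMP message")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, value))
    return out

def decode_oid(raw):
    """Turn a BER OBJECT IDENTIFIER into dotted notation."""
    first = min(raw[0] // 40, 2)
    arcs, acc = [first, raw[0] - 40 * first], 0
    for byte in raw[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(acc)
            acc = 0
    return "." + ".".join(map(str, arcs))

def parse_snmp(datagram):
    """Decode the header and first varbind; unexpected layouts raise ValueError."""
    [(_, msg)] = children(datagram)  # outer SEQUENCE
    (_, version), (_, community), (pdu_tag, pdu) = children(msg)
    (_, _req_id), (_, error_status), _, (_, varbinds) = children(pdu)
    (_, oid), (value_tag, value) = children(children(varbinds)[0][1])
    return {
        "version": int.from_bytes(version, "big"),  # 0 = SNMPv1, 1 = SNMPv2c
        "community": community.decode("latin-1"),
        "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
        "error_status": int.from_bytes(error_status, "big"),  # 0 = noError
        "oid": decode_oid(oid),
        "value": value.decode("latin-1") if value_tag == 0x04 else value.hex(),
    }
# Response bytes exactly as printed by the test script in the reply above.
RESPONSE = b'0l\x02\x01\x00\x04\x06sophos\xa2_\x02\x04\x01\x02\x03\x04\x02\x01\x00\x02\x01\x000Q0O\x06\x08+\x06\x01\x02\x01\x01\x01\x00\x04CLinux localhost 4.14.277 #2 SMP Wed Jul 5 21:40:44 CEST 2023 x86_64'
```

Calling `parse_snmp(RESPONSE)` shows a GetResponse with error status 0 and the sysDescr string as the value; a non-zero `error_status` means the agent answered but rejected the request.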
