SNMP is not working on UTM 9

We utilize a Cacti server for network bandwidth monitoring and packet loss so we can have historical information for our clients. Please hella good when dealing with ISPs and packet loss. :)

We come from a Mikrotik world but one of our clients uses an SG135 box. We want to set up the same SNMP monitoring but I for the life of me cannot get it to work. I have enabled the SNMP Query under Management > SNMP. I have tried both v2c and v3, set my allowed networks, and so on. From the Cacti side, all I get is "SNMP error". I have done a tcpdump on the Sophos box and do not see anything coming from my public IP on 161 or anything for that matter. I have gone as far as creating a firewall entry that has source as cacti, service SNMP, and the destination: External (WAN).

I also see that nmap shows 161 as "filtered" from my office as well as from the cacti server.

Has anyone heard of or seen this before and can help me out? 

  • Hi Joshua and welcome to the UTM Community!

    Please show pics of your UTM SNMP configuration.  Also, does doing #1 in Rulz provide any insight?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you, Bob, for the welcome! I have looked at the suggested logs while querying SNMP looking for my IP but no joy.

    From the Cacti side, I'm showing UDP 161 packets being transmitted to the Sophos box when I click verbose query but nothing when looking at the tcpdump on the Sophos. 

    Any assistance you and the community can provide, I would be incredibly grateful! 

  • It sounds like the configuration of SNMP in the UTM is incomplete, hence my suggestion that you show us pictures of what you have.

    Cheers - Bob

     
  • My bad, Bob, meant to include that and got distracted. :)

     

    Again, I'm new to the Sophos world so if I left it out or you want to see something else let me know.

     

    SNMP Screenshot of the Sophos Box:

    Cacti SNMP query log:

  • Are you connecting from WAN side or is your monitoring in internal network?

    P.S. Answer edited.

    -

  • I am connecting from the WAN side. 

  • OK, I haven't done this myself. I'm not sure if you could open a security risk if you open SNMP to WAN.

    But technically it should be possible. Is the result of the test with PortQry changing if you add your WAN network to the allowed networks under SNMP? If not, maybe adding a firewall rule is necessary. 

    Best 

    Alex

    P.S. No IPSEC VPN Tunnel for that?

    -

  • You are accessing from which of the Hosts/Networks in 'Allowed Networks'?

    Cheers - Bob

     
  • I have tried to add the External WAN to the allowed networks field with no result or change in behavior. The current allowed network I have listed in the allowed networks is the public IP address of our network monitor. 

    The hosts/networks in the previous screenshots were for testing. Ideally, we will only have the one labeled Skyhawk Netman as an allowed network.

    To define what each is:

    Skyhawk Netman - External to network, bandwidth monitoring server

    Skyhawk - Dude - External to network, PING monitor (Used for up/down alerts for non-Mikrotik devices.)

    Skyhawk Office - External to network, ONLY for testing from my physical location.

    FPCBR01 - Internal to network, internal server. Used to do some testing for our RMM tool. 

     

    To address the lack of VPN concern:

    Our thought process on why an IPSEC tunnel is not necessary at this time is that we are trying to only allow the IP from our network monitor, also using a non-typical community string, and we are not interested in writing to the box, just querying interface statistics. It would be a completely different story if any one of those three reasons changes. As our needs evolve (or if it is required to expose the box to more than just our monitoring IP) we will certainly look at something.

  • I'm having to work too hard to review the entire thread, Joshua.  Please copy snips of your 'Query' and 'Traps' tabs into a single post (not Imgur) and tell us from which Network/Host you're querying.  Rather than trying to give us the whole picture, let's just focus on one proof point.

    Also, it doesn't make sense that you can see the packets leaving your querying device but not arriving at the UTM.  Are you sure you were listening on the correct NIC?  Is there anything in between the two devices that might block your traffic?

    Cheers - Bob

     
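The question the thread keeps returning to is whether the query reaches the UTM at all. As an added example (not part of the original thread and not Sophos or Cacti code), this sends one hand-built SNMPv2c GetRequest from the monitoring host and separates "reply", "ICMP port unreachable" and "silence", so the result can be compared against a tcpdump running on the UTM's WAN interface at the same time. The function names, the TEST-NET address and the community string are placeholders.

```python
import socket

def tlv(tag, payload):
    """BER tag-length-value with short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + payload

def encode_oid(dotted):
    """Encode a dotted OID; sub-identifiers above 127 use base-128 bytes."""
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def build_get(community, oid="1.3.6.1.2.1.1.1.0", request_id=1):
    """SNMPv2c GetRequest for one OID (default sysDescr.0); request_id 0..127."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))
    pdu = tlv(0xA0, tlv(0x02, bytes([request_id]))   # request-id
              + tlv(0x02, b"\x00") * 2                # error-status, error-index
              + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, community.encode()) + pdu)

def probe(host, community, port=161, timeout=3.0):
    """Return 'response', 'closed' or 'no-reply' for a single GetRequest."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))      # connected UDP socket reports ICMP errors
        s.send(build_get(community))
        return "response" if s.recv(4096)[:1] == b"\x30" else "unexpected"
    except ConnectionRefusedError:
        return "closed"              # ICMP port unreachable: nothing listening
    except socket.timeout:
        # Silence is ambiguous: dropped on the path, filtered at the device,
        # or the agent ignored an unlisted source or wrong community string.
        return "no-reply"
    finally:
        s.close()

if __name__ == "__main__":
    # Placeholder address (TEST-NET-3) and community; substitute your own.
    print(probe("203.0.113.10", "example-community"))
```

A "no-reply" result with nothing in the capture on the UTM points at the path between the two hosts; "no-reply" with the request visible in the capture points at the allowed networks, community string or SNMP version configured on the device.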