
Unable to get SNMP data from XG firewall

Hi,

 

I have been trying and failing to get SNMP monitoring working for my Sophos XG firewall using PRTG.  I have done the following to try and get this working:

  • Enabled the SNMP agent in the firewall config
  • Added the SNMP manager address and community string
  • Created a firewall rule to allow port 161 from LAN to LAN (although technically this is not needed)
  • Confirmed that SNMP is enabled for the LAN zone
  • Added the MIB referenced in https://community.sophos.com/kb/en-us/125597 to PRTG

However, PRTG is unable to gather any SNMP data from the firewall, and an SNMP walk from the same system running PRTG times out. It is almost like SNMP is not enabled, or is being blocked. I have checked the firewall logs on the firewall and I see no traffic when I try to connect. It is not the firewall on the PRTG server, as this is disabled while I try to get this working.

What am I doing wrong?!

Thanks



  • Would recommend to dump the traffic and take a look. 

    Port 161 and port 162 should show some kind of traffic. 

  • Thanks.

    The packet capture shows the traffic definitely hitting the firewall, but it is not responding.  See the attached.

    The SNMP tester log shows the following:

     

    ----------------------- New Test -----------------------
    Paessler SNMP Tester 5.2.3 Computername: PAS-ALD-SRV-01 Interface: (192.168.1.xxx, 169.254.0.2)
    11/11/2018 12:24:53 (2 ms) : Device: 192.168.1.xxx
    11/11/2018 12:24:53 (2 ms) : SNMP V2c
    11/11/2018 12:24:53 (3 ms) : Walk 1.3.6.1.4.1.21067.2
    11/11/2018 12:24:59 (6017 ms) : Error: -2003

     

  • Could you perform a drop packet capture on CLI? 

    XG125_XN03_SFOS 17.5.0 Beta-2# drppkt | grep port 161

     

    This should give you some output. Would like to see it. 

    Also try:

    tcpdump -ni any port 161 

  • Tried this but the commands do not work:

    console> drppkt | grep port 161
    % Error: Unknown Parameter 'drppkt'

    Also, tried various variations of the tcpdump commands that I know and none of them work except for a simple "tcpdump" which obviously produces a lot of output!

    console> tcpdump -nnXX port 161
    % Error: Unknown Parameter 'port'

    console> tcpdump port 161
    % Error: Unknown Parameter '161'

    Is there a syntax reference anywhere for the expressions that can be used on the XG implementation of this?

  • Ok, it seems as if the commands are a little different to how you describe (see https://community.sophos.com/kb/en-us/123567 and https://community.sophos.com/kb/en-us/127111)

    The 'drop-packet-capture' does not produce results for port 161, and the output from tcpdump is as below, but a bit unremarkable.  Unfortunately attempts to add switches to extend the output to something more interesting fail.

    console> tcpdump "port 161"
    tcpdump: Starting Packet Dump
    17:46:56.591386 Port1, IN: IP 192.168.1.xxx.49868 > 192.168.1.x.161: GetRequest(26) .1.3.6.1.2.1.1.3.0
    17:46:56.591386 br0, IN: IP 192.168.1.xxx.49868 > 192.168.1.x.161: GetRequest(26) .1.3.6.1.2.1.1.3.0
    17:47:02.731284 Port1, IN: IP 192.168.1.xxx.49873 > 192.168.1.x.161: GetRequest(26) .1.3.6.1.2.1.1.3.0
    17:47:02.731284 br0, IN: IP 192.168.1.xxx.49873 > 192.168.1.x.161: GetRequest(26) .1.3.6.1.2.1.1.3.0
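
Added example, not part of the original thread: a small Python check that reads XG console `tcpdump "port 161"` output in the line layout shown in the last post and lists SNMP requests that never received a GetResponse. The sample capture uses constructed documentation addresses, and the layout of the OUT/GetResponse line is an assumption modelled on the IN lines above.

```python
import re

# Line layout taken from the tcpdump output in the thread:
#   <time> <iface>, <IN|OUT>: IP <src>.<sport> > <dst>.<dport>: <PDU>(<len>) <oid>
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<ifc>\S+), (?P<dir>IN|OUT): IP "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<pdu>\w+)\(\d+\)"
)

def unanswered(lines):
    """Return (first_ts, manager, manager_port, agent, interfaces) for each
    request to UDP/161 that has no matching GetResponse in the capture."""
    pending = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # banner lines such as "tcpdump: Starting Packet Dump"
        if m["dport"] == "161":
            # The same packet is logged once per interface (Port1 and br0),
            # so key on the flow and only collect the interface names.
            key = (m["src"], m["sport"], m["dst"])
            entry = pending.setdefault(key, {"ts": m["ts"], "ifcs": []})
            if m["ifc"] not in entry["ifcs"]:
                entry["ifcs"].append(m["ifc"])
        elif m["sport"] == "161" and m["pdu"] == "GetResponse":
            # A reply clears the request it answers (addresses reversed).
            pending.pop((m["dst"], m["dport"], m["src"]), None)
    return [(v["ts"], *k, v["ifcs"]) for k, v in pending.items()]

# Constructed sample: two polls arrive, only the second one is answered.
SAMPLE = """\
tcpdump: Starting Packet Dump
17:46:56.591386 Port1, IN: IP 192.0.2.50.49868 > 192.0.2.1.161: GetRequest(26) .1.3.6.1.2.1.1.3.0
17:46:56.591386 br0, IN: IP 192.0.2.50.49868 > 192.0.2.1.161: GetRequest(26) .1.3.6.1.2.1.1.3.0
17:47:02.731284 Port1, IN: IP 192.0.2.50.49873 > 192.0.2.1.161: GetRequest(26) .1.3.6.1.2.1.1.3.0
17:47:02.731284 br0, IN: IP 192.0.2.50.49873 > 192.0.2.1.161: GetRequest(26) .1.3.6.1.2.1.1.3.0
17:47:02.731990 br0, OUT: IP 192.0.2.1.161 > 192.0.2.50.49873: GetResponse(30) .1.3.6.1.2.1.1.3.0=8412
"""

if __name__ == "__main__":
    for ts, mgr, port, agent, ifcs in unanswered(SAMPLE.splitlines()):
        print(f"{ts} {mgr}:{port} -> {agent}:161 seen on {', '.join(ifcs)}, no GetResponse")
```

Requests listed here reached the firewall's interfaces but were never answered, which is the pattern in the capture posted above.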