We have seen it... It doesn't help us. We configured an SNMP user and name, but in the name section we don't understand how to write the mask. We are also unsure what MIB to enter. I put in 184.108.40.206 and left the mask blank. That MIB was readable when we were using V2. I also tried putting in a mask of 0xf0 and 0xffffffff... I have also tried changing the option from include to exclude. None of it has helped. We have not been able to figure out from the Palo Alto side where the problem is because we see nothing in the logs. We also don't see a way to troubleshoot it from the Solarwinds side. I know it isn't working, but we have no indication why... May try a network capture, but since it should be encrypted, I will only be able to see if the session connects.
You can decipher it using WireShark. You can go into the settings and into the SNMP area and enter the user, authentication, privacy, and the passwords to see the packets. As far as what MIB to unlock, I'd recommend mib-2. It opens things up a bit, but will make sure Orion can see the RFC MIBs it needs. There shouldn't be a mask needed as Orion NPM doesn't require one. It should all depend on the view that's set up, the user, the authentication, and privacy that's set up.
So I have opened a case with PaloAlto and Solarwinds. Neither was helpful. PaloAlto doesn't seem to know anything about SNMPv3 and Solarwinds didn't have any more information on it. We have established that the problem is a PaloAlto issue, but you can't really troubleshoot the issue with WireShark since most of the communication is encrypted (PaloAlto does not do unencrypted SNMPv3). We are pretty sure we authenticate OK, but we can't make the OIDs accessible. The way PaloAlto does the filters for the MIBs is unlike anything anyone else does. Since they can't explain what they want, we remain stuck on SNMPv2 (which works flawlessly, but makes my security people unhappy).
Just thought I would update the post in case anyone had new ideas.
I'm having the same problems with Solarwinds not being able to accept SNMP v3 traps for my Cisco devices. They claim the issue will be fixed in the next release, which they also told me before the current release, so I'll believe it when I see it.
What's going on with your Cisco gear? NPM v10 should be able to work with it.
All I get is an error message. I don't have a current example of it, but I was told it has to do with SW not being able to support devices that use a key for the password. Not sure what that means, since SNMP v3 is supposed to use passwords.
Unless you set up a key, then SW will support the device as long as you have the user, group, and view set up with supported authentication and privilege.
For the 2050, here is what I had to do:
Under Device->Setup-Operations, click on SNMP setup
Enter the physical location field, contact, change from v2 to v3
Add a new View; name=Solarwinds View=EnginID OID=220.127.116.11.6, option=Include mask=0x80 (per PAN tech support)
Add new user; use the SNMP v3 username, passphrase and Priv, view should be the one created in the previous step
Run the following from a Linux box to get the firewall's engine ID: snmpget -v 3 -u [username] -l authPriv -a SHA -A [auth password] -x AES -X [priv password] [IP address] 18.104.22.168.22.214.171.124.1.1.0
Copy the engine ID
On the firewall, add a new snmp trap
User= snmpv3 username
Engine ID = 0x80 (hex string with no spaces from the snmpget output)
Auth= snmpv3 auth
Priv= snmpv3 priv
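Added example, not part of any post in this thread and not Palo Alto or SolarWinds code: how a view's OID, hex mask and include/exclude option combine under RFC 3415 (VACM), on the assumption that the firewall's View fields follow that RFC. The sample view and OIDs are constructed, and `in_family` / `is_visible` are illustrative names.

```python
# Added example: SNMPv3 view matching per RFC 3415 (VACM). Assumes the
# firewall's View fields (OID, mask, include/exclude) follow that RFC.

def parse_oid(text):
    return [int(part) for part in text.strip(".").split(".")]

def mask_bits(mask_hex, length):
    """One bit per sub-identifier, most significant bit first.
    1 = must match exactly, 0 = wildcard; missing bits count as 1."""
    digits = mask_hex[2:] if mask_hex.lower().startswith("0x") else mask_hex
    bits = [(byte >> (7 - i)) & 1 for byte in bytes.fromhex(digits) for i in range(8)]
    return (bits + [1] * length)[:length]

def in_family(oid, subtree, mask_hex=""):
    oid, subtree = parse_oid(oid), parse_oid(subtree)
    if len(oid) < len(subtree):
        return False
    bits = mask_bits(mask_hex, len(subtree))
    return all(bit == 0 or o == s for o, s, bit in zip(oid, subtree, bits))

def is_visible(oid, view):
    """view: list of (subtree, mask_hex, option). The matching entry with the
    longest subtree decides; an OID that matches nothing is not in the view."""
    matches = [e for e in view if in_family(oid, e[0], e[1])]
    if not matches:
        return False
    best = max(matches, key=lambda e: (len(parse_oid(e[0])), parse_oid(e[0])))
    return best[2] == "include"

# Constructed sample view: all of 1.3.6.1 except the enterprise 25461 subtree.
SAMPLE_VIEW = [
    ("1.3.6.1", "0xf0", "include"),
    ("1.3.6.1.4.1.25461", "", "exclude"),
]

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.3.0", "1.3.6.1.4.1.25461.2.1.2.1.1.0", "1.0.8802.1.1"):
        print(oid, is_visible(oid, SAMPLE_VIEW))
    # 0x80 pins only the first sub-identifier; the rest of the subtree is wildcarded.
    print(in_family("1.0.8802.1.1", "1.3.6.1", "0x80"))
    print(in_family("1.0.8802.1.1", "1.3.6.1", "0xf0"))
```

Under these semantics a blank mask means every sub-identifier of the OID must match, while 0x80 on a multi-part OID constrains only its first number, so the view is far wider than the OID suggests.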
Will try your suggestions for PA-500. Unfortunately we are in an environment where one cannot connect other devices such as a Linux/Unix laptop.
For PA-500, changed OID to 126.96.36.199.4.1.254188.8.131.52, per Palo Alto Networks latest MIBs.
I see this is several years ago if dates are correct. Was this ever resolved? I am having issues with Solarwinds and PA-500, PAN-OS 6.1.4, SNMPv3. I believe the mask should be 0x80.
Unsure what Palo Alto means by "View".
I have been successful with establishing:
A) SSH2 session between Solarwinds and PA-500;
B) ICMP between Solarwinds and PA-500.
It doesn't appear to have been answered, and I'd like someone to explain how to set up v3 period.
We've been using v2c and now we have devices that won't do anything but v3 and I have yet to find any documentation that explains what you need to do and why.
There are plenty of pages of paragraphs and diagrams and flow charts on authentication that I really don't care about. I just want to know what to put where and why and if that comes from somewhere else. For instance, the checklist below is extremely helpful (I stole it from linevty.com Cisco IOS, SNMPv3 and SolarWinds NPM - The correct way!), but it doesn't explain WHERE these usernames and passwords come from. Are they ones you just make up for SolarWinds Orion and consistently use? Or is there some configuration that has to happen on the SolarWinds Orion server to set this up? I've posted quite a few things to the community and have yet to get any response on them. I don't know if I'm being considered a noob and therefore my questions are stupid, or if no one really knows how to help. If it's the noob thing, **** it up and give me some information that's not condescending. If it's because you genuinely don't know how to explain it... I'm not even going to complete that sentence.
So tell me where I get the bold items from:
When configuring Solarwinds NPM to add your SNMPv3 credential, follow these steps;
- Add your node’s IP address
- Select SNMP and ICMP Monitoring
- Choose SNMPv3 from the ‘SNMP Version’ drop down menu
- Enter your SNMPv3 Username in the ‘SNMPv3 Credentials’ section
- Select ‘SHA1’ as the ‘Method’ from the ‘SNMPv3 Authentication’ section
- Select ‘AES256’ as the ‘Method’ from the ‘SNMPv3 Privacy / Encryption’ section
- Enter your ‘auth’ password in the ‘SNMPv3 Authentication’ section
- Enter your SNMPv3 Username again in the ‘Read / Write SNMPv3 Credentials’ section
- Again, Select ‘SHA1’ as the ‘Method’ from the ‘SNMPv3 Authentication’ section
- Again, Select ‘AES256’ as the ‘Method’ from the ‘SNMPv3 Privacy / Encryption’ section
And now you can press ‘Test’, and this should come up with ‘Test Successful’.
We were recently able to get SNMPv3 working on a Palo firewall. Ran into a lot of issues, most of which being me not knowing about SNMP.
Step 1 absolutely has to be getting SNMPv3 working with SNMPWalk. It is a waste of time to configure it in Solarwinds without it actually working in SNMPWalk. Everything I was doing on the server side looked right, and probably was, but without the SNMP connection, it kept failing. I worked with my network engineer to get SNMPWalk working.
SnmpWalk is located in C:\Program Files (x86)\SolarWinds\Orion\SnmpWalk.exe
1. Open SnmpWalk and fill in the following information:
Agent Address or DNS name: 10.0.0.123 (Your Palo IP)
Port: 161 (default setting)
SNMP Timeout [ms]: 2500 (I started changing this to 500 so I didn't have to wait so long)
Select 'Version 3' from the dropdown
Root OID: 184.108.40.206.4.1.25461.2.3.XX (replace the XX with the correct OID of whatever model you have)
Username: create a user on the Palo and use the username here (case sensitive).
Context: (leave this blank)
Select Authentication and Privacy
Authentication Algorithm: SHA
Authentication Password: from the account created on your Palo
Privacy Algorithm: AES128
Privacy Password: from the account created on your Palo. I used the same password to make things easier during setup. You can always change this after you get it working. Keep things simple.
Do NOT check Password is a key box on either.
Hit the Scan button
Mine found 11 OIDs at this level and deleting the numbers back to the Palo identifier (25461) raised the found OIDs to 2-300 and going to 220.127.116.11 produced about 3000 OIDs. If you can't find anything or it says it is timing out, your Palo settings are off. Leave SnmpWalk as is so you can hit Scan when you want to test.
As for the Palo configuration, I am not the NA so I will try to do what I can to explain what I can remember. It started by printing off the pages mentioned above from the admin guide. I gave that to my NA and had him put that information in there. The important take away from that was the different locations that have to be changed for SNMP. Follow along with the tab selections and values.
What we had done prior to this:
- installed WireShark on the SolarWinds server
- created an allow Any/Any to the entire network device subnet (unnecessary)
- monitored traffic between the Palo and SW server, added rules for everything being blocked and the list of ports that are listed in the SolarWinds Administrator manual
What we saw that had us scratching our heads:
- 161 was hitting the Palo, with a good sized payload. Sent traffic back on 162, but it never made it to the server. This must have been a setting on the Palo because the NA resolved it after some time.
- 162 finally started hitting the server, but was not delivering traps. This was resolved when SnmpWalk was successful. Spent lots of time on troubleshooting it. No clue why that happened.
- DB would blow up. Logging on the Palo. It was set to send traps of the network traffic, including informational and lows. I think it blew up my SQL instance within three hours. Kept having to truncate the trapsvarbinds table. To get it back to normal levels, I had to open the Orion DB Manager and execute a query: truncate table TrapVarbinds. This would allow me to shrink my SolarWinds db instance, which I did from SQL Server Manager (Right-click SolarWinds db instance, Tasks, Shrink, Database).
After SnmpWalk is successful, add a node in SolarWinds with the same settings as used by SnmpWalk.
I'm still not 100% on my installation/configuration. I will try to add some more information and details on the Palo side when I get some free time.
Good luck, this kicked my **** and I still don't have everything configured. Hope this helps someone at least a little bit.
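Added example, not from any post in this thread and not SolarWinds or Palo Alto code: the RFC 3414 derivation that turns an SNMPv3 passphrase into a key bound to one agent's engine ID. It illustrates the passphrase/key distinction behind the "key for the password" reply and the "Password is a key" box, assuming both products follow the RFC; the second engine ID below is constructed, and the function names are illustrative.

```python
import hashlib

def password_to_key(password, algo="sha1"):
    """RFC 3414 A.2: digest of the password repeated out to 1,048,576 bytes."""
    pw = password.encode()
    if not pw:
        raise ValueError("password must not be empty")
    reps, rem = divmod(1048576, len(pw))
    return hashlib.new(algo, pw * reps + pw[:rem]).digest()

def localize_key(ku, engine_id, algo="sha1"):
    """RFC 3414 2.6: bind the key to one agent: H(Ku || engineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def parse_engine_id(text):
    """Accept '0x8000...' or '80 00 ...' / '80:00:...' as printed by tools."""
    cleaned = text.strip().replace(" ", "").replace(":", "")
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    return bytes.fromhex(cleaned)

def localized_key_hex(password, engine_id_text, algo="sha1"):
    engine_id = parse_engine_id(engine_id_text)
    return localize_key(password_to_key(password, algo), engine_id, algo).hex()

def aes128_priv_key(priv_password, engine_id_text, algo="sha1"):
    """RFC 3826: AES-128 privacy uses the first 16 bytes of the localized key."""
    return bytes.fromhex(localized_key_hex(priv_password, engine_id_text, algo))[:16]

if __name__ == "__main__":
    # Password and engine ID from the RFC 3414 A.3 worked example.
    print(localized_key_hex("maplesyrup", "0x000000000000000000000002"))
    # Constructed second engine ID: same password, different key.
    print(localized_key_hex("maplesyrup", "0x8000000001020304"))
```

The same passphrase yields a different key for every engine ID, so a value entered as a key is valid for one device only, while a passphrase can be reused and is localized by the manager after it learns the agent's engine ID.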