  • 1.  Simply cannot get SNMP working on SRX240

    Posted 10-04-2016 22:41

    Hi guys,

    Hope you can help me, after many attempts to get SNMP working I am turning to you for some help.

    My config looks like this:

    security-zone Trust {
        description "Trusted Zone ";
        host-inbound-traffic {
            system-services {
                all;
                snmp;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/4.0 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
        }
    }

     

    forwarding-options {
        sampling {
            input {
                rate 100;
            }
            family inet {
                output {
                    flow-server 192.168.1.71 {
                        port 2055;
                        version 5;
                    }
                }
            }
        }
    }



    snmp {
        name SRX;
        description "FIREWALL";
        location unk;
        contact "test@test.com";
        community public {
            authorization read-only;
        }
        community "password" {
            authorization read-write;
        }
        trap-group missingsmth-trap {
            version all;
            categories {
                authentication;
                chassis;
                startup;
                configuration;
                services;
            }
            targets {
                192.168.1.71;
            }
        }
        traceoptions {
            file snmp.tr size 5m files 5 world-readable;
            flag all;
        }
    }





    Hope you guys can help

     

    Thanks

     

    Barend



  • 2.  RE: Simply cannot get SNMP working on SRX240

    Posted 10-05-2016 00:11

    We might need more of your configuration output to try to help you.

     

    If you've got the lo0 interface configured and have some deny terms in firewall section, you should allow there your monitoring host for traffic to snmp port.

    And you might need the security policy for the trust zone allowing snmp traffic to it. AFAIK the default policy is deny.

    So you might need something like

     

    set security policies from-zone trust to-zone trust policy permit-adm-and-routing match source-address mon-host
    set security policies from-zone trust to-zone trust policy permit-adm-and-routing match destination-address any
    set security policies from-zone trust to-zone trust policy permit-adm-and-routing match application any
    set security policies from-zone trust to-zone trust policy permit-adm-and-routing then permit

    and add the address in address book for mon-host.

     

    Also you might have the junos-host zone (or smth similar), so the policy could look the same but to-zone should be junos-host.



  • 3.  RE: Simply cannot get SNMP working on SRX240

    Posted 10-05-2016 01:32

    Hi Romeo

     

    Thanks for the reply.

     

    I already have the policies in place

     

    from-zone Trust to-zone Trust {
        policy test {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
                log {
                    session-close;
                }
                count;
            }
        }
    }
    from-zone Trust to-zone junos-host {
        policy test {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }

    Still no dice. Can't seem to find a good reason as to why it's not working.

     



  • 4.  RE: Simply cannot get SNMP working on SRX240

     
    Posted 10-05-2016 05:52

    Hi, 

     

    If you are trying to poll SNMP from a client you may need to add it in the snmp clients:

    set snmp community xxx authorization read-only clients x.x.x.x

    Cheers,

    Ashvin



  • 5.  RE: Simply cannot get SNMP working on SRX240

    Posted 10-06-2016 04:29

    from-zone Trust to-zone Trust {

     

    The zone for traffic going to the SRX itself is junos-host for the security policy not the zone of the interface.

     

    You will also need to permit the traffic under the security zone of the interface with host-inbound-traffic

     

    http://www.juniper.net/techpubs/en_US/junos15.1x49/topics/reference/configuration-statement/security-edit-system-service-zone-host-inbound-traffic.html



  • 6.  RE: Simply cannot get SNMP working on SRX240
    Best Answer

    Posted 10-06-2016 04:53

    Hey spuluka,

     

    I did that but I finally found the solution to my problem.

     

    I had to enable routing instance access and had to define my routing instances in my snmp communities.

     

    community public {
        authorization read-write;
        clients {
            192.168.1.71/32;
        }
        routing-instance TRUST-VRF {
            clients {
                192.168.1.71/32;
            }
        }
    }
    routing-instance-access;
    

    On the client side you define your community as TRUST-VRF@public and then it works.
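
A small audit of the snmp stanzas posted in this thread, as an added example that is not part of any post and not Juniper tooling: it parses the curly-brace configuration and flags the settings that widen SNMP exposure. The sample text is constructed from the thread's snippets, and the rule set is this example's own assumption about what is worth flagging.

```python
import re

# Constructed sample, condensed from the snmp stanzas posted in this thread.
SAMPLE = """
snmp {
    community public {
        authorization read-write; clients { 192.168.1.71/32; }
        routing-instance TRUST-VRF { clients { 192.168.1.71/32; } }
    }
    community "password" { authorization read-write; }
    routing-instance-access;
    traceoptions { file snmp.tr size 5m files 5 world-readable; flag all; }
}
"""

def parse(text):
    """Junos curly-brace config -> nested dicts; leaf statements map to None."""
    stack, words = [{}], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == "{":
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        else:
            words.append(tok.strip('"'))
    return stack[0]

def audit(text):
    """Return (scope, finding) pairs; the rules are this example's own policy."""
    snmp, out = parse(text).get("snmp", {}), []
    for key, body in snmp.items():
        if not key.startswith("community ") or body is None:
            continue
        name = key.split(" ", 1)[1]
        if name in ("public", "private"):
            out.append((name, "well-known community string"))
        if "authorization read-write" in body:
            out.append((name, "read-write access"))
        if not body.get("clients"):
            out.append((name, "no clients restriction"))
    if "routing-instance-access" in snmp and not snmp["routing-instance-access"]:
        out.append(("snmp", "routing-instance-access without access-list"))
    if any("world-readable" in k for k in snmp.get("traceoptions") or {}):
        out.append(("snmp", "world-readable trace file"))
    return out
```

Calling `audit(SAMPLE)` returns six findings for the thread's configuration; a stanza with a non-default read-only community, a `clients` list and an `access-list` under `routing-instance-access` returns none.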