ScreenOS Firewalls (NOT SRX)
Highlighted
ScreenOS Firewalls (NOT SRX)

SNMP NETSCREEN-POLICY-MIB for ipv6 rules

‎01-14-2009 05:46 PM
I'm running ScreenOS 6.2.0r1.0 and am trying to pull Counter32 values from snmp oid NETSCREEN-POLICY-MIB::nsPlyMonTotalByte (.1.3.6.1.4.1.3224.10.2.1.8).  This provides the TotalByte count for each rule in the policy.  The problem I'm having is I'm only getting data for IPv4 rules.  All my IPv6 rules are reporting 0 even though they are being utilized.  Anyone know why this data is not available via snmp?
7 REPLIES 7
Highlighted
ScreenOS Firewalls (NOT SRX)

Re: SNMP NETSCREEN-POLICY-MIB for ipv6 rules

‎01-14-2009 07:56 PM

Hi there...

Yes, I think there is some issue, can you open TAC case for that.

****pls click the button " Accept as Solution" if my post helped to solve your problem****
Highlighted
ScreenOS Firewalls (NOT SRX)

Re: SNMP NETSCREEN-POLICY-MIB for ipv6 rules

‎01-15-2009 08:04 AM
Problem is this observation was discovered in our lab ns5gt which does not have a support contract. Currently IPv6 is only in our lab environment as we try to overcome hurdles like this.
Highlighted
ScreenOS Firewalls (NOT SRX)

Re: SNMP NETSCREEN-POLICY-MIB for ipv6 rules

‎04-21-2009 06:32 PM
Now I've upraded to 6.2.0r2 and now the counters are visible doing a 'get counter policy <id#> day' for example.  However, the data is still not available when doing an snmp read.  Yet I notice there are not MIBS for 6.2 only 6.1.  Ideas?
Highlighted
ScreenOS Firewalls (NOT SRX)

Re: SNMP NETSCREEN-POLICY-MIB for ipv6 rules

‎04-22-2009 12:02 PM

Hi

 

If you check the page, there are MIBs for 6.2, it juse says 6.1 still 😛

http://www.juniper.net/techpubs/software/screenos/mibs.html#61

****pls click the button " Accept as Solution" if my post helped to solve your problem****
Highlighted
ScreenOS Firewalls (NOT SRX)

Re: SNMP NETSCREEN-POLICY-MIB for ipv6 rules

‎04-28-2009 10:17 AM

Thanks for the clarification.  Unfortunately even with those mibs the SNMP data still comes back empty.  Here's an example from our lab:

 

ns5gt-> get address Trust name trust_v6_net
Name                 Address/Mask                    Flag  Comments

trust_v6_net         2001:470:e0bb::/64              0080

 

ns5gt-> get policy id 31
name:"LAN-PING6-EXT" (id 31), zone Untrust -> Trust,action Permit, status "enabled"
src "Any-IPv6", dst "trust_v6_net", serv "PINGv6"
Rules on this VPN policy: 0
nat off, Web filtering : disabled
vpn unknown vpn, policy flag 00010000, session backup: on, idle reset: on
traffic shaping off, scheduler n/a, serv flag 00
log close, log count 79, alert no, counter yes(23) byte rate(sec/min) 0/0
total octets 0, counter(session/packet/octet) 0/0/23

 

*Note: I assume the "counter yes(23)" would correalate to what's in 'get counter' and would expect to get from the snmp data?

 

ns5gt-> get counter policy 31 min
PID: 31, Interval: Minute, Unit: Kb/Min, End Time: 28Apr2009:13:04:50
000-002: 00000000000000000000 00000000000000000000 00000000000000000000
003-005: 00000000000000000001 00000000000000000001 00000000000000000000

 

$ snmpwalk -v2c -c <string> <ns5gt ip> .1.3.6.1.4.1.3224.10.2.1.8.31.0
NETSCREEN-POLICY-MIB::nsPlyMonTotalByte.31.0 = Counter32: 0

 

 

4744 RICHLANDS HWY - JACKSONVILLE, N.C. - 28541

Highlighted
ScreenOS Firewalls (NOT SRX)

Re: SNMP NETSCREEN-POLICY-MIB for ipv6 rules

[ Edited ]
‎04-28-2009 10:23 AM

After more investigation I've discovered that I'm not getting IPv6 policy counter snmp data for *packet* and *byte* counters, but I am getting the data for the *session* counters.  However, I would expect that once the counter for an IPv6 policy ID were turned on I should get all.  Let me know if my resoning is off.

 

 $ snmpwalk -v2c -c <string> <ns5gt ip> .1.3.6.1.4.1.3224.10.2.1.11.31.0
NETSCREEN-POLICY-MIB::nsPlyMonTotalSession.31.0 = Counter32: 109

Message Edited by techniq on 04-28-2009 10:35 AM
Highlighted
ScreenOS Firewalls (NOT SRX)

Re: SNMP NETSCREEN-POLICY-MIB for ipv6 rules

‎04-28-2009 12:39 PM
hmm I think that is an issue you need to open a ticket for though
****pls click the button " Accept as Solution" if my post helped to solve your problem****
Feedback