[mrtg] Sonicwall MIBs are here :)
Andrew Davis
andrew at socallinuxsolutions.com
Fri Oct 11 23:47:31 MEST 2002
Okay... the legal counsel of one of my contracts threatened good 'ole
Sonicwall with a false advertising lawsuit after they refused to provide
me MIBs for my firewall (yet their documentation says they 'fully
support SNMP'). An hour later, I was emailed MIBs by an engineer.
Thankfully they didn't say that I couldn't distribute them, however they
did mention that they don't normally provide them (my guess is that they
want to make money on licenses for their custom monitoring software
called ViewPoint).
Nonetheless, the MIBs are below. I've added them to my config file
(sonicfw.cfg) with the lines:
LoadMibs: /usr/local/mrtg/mibs/sw-smi.mib
LoadMibs: /usr/local/mrtg/mibs/sw-firewall-trap.mib
I don't get any errors with my mrtg cron job(s) or when running mrtg
manually, but I also don't seem to be trending any data yet. :( Maybe
the MIBs they gave me are no good. If someone gets them working and
would care to share how, I would be eternally grateful.
Here're the MIBs for ya':
<<<sw-smi.mib>>>
-- *****************************************************************
-- SONICWALL-SMI.MIB
--
-- February 2001, Susan Yan
--
-- Copyright (c) 2001 by SonicWall, Inc.
-- All rights reserved.
-- *****************************************************************
SONICWALL-SMI
--FORCE-INCLUDE <asn1conf.h>
--FORCE-INCLUDE <mib.h>
--FORCE-INCLUDE <snmpdefs.h>
--FORCE-INCLUDE "swMibhand.h"
DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY,
OBJECT-IDENTITY,
enterprises
FROM SNMPv2-SMI;
sonicwall MODULE-IDENTITY
LAST-UPDATED "200102230000Z"
ORGANIZATION "SonicWall, Inc."
CONTACT-INFO
" SonicWall Inc.
Postal: 1160 Bordeaux Dr.
Sunnyvale, CA 94089
USA
Tel: +1 408 745 9600
Fax: +1 408 745 9300
E-mail: product at sonicwall.com"
DESCRIPTION
"The MIB Module for Sonicwall enterprise."
REVISION "200102230000Z"
DESCRIPTION
"Initial version."
::= { enterprises 8714 }
sonicwallFw OBJECT-IDENTITY
STATUS current
DESCRIPTION
"sonicwallFw is the subtree for the sonicwall firewall
production."
::= { sonicwall 1 }
END
<<<sw-firewall-trap.mib>>>
-- *****************************************************************
-- SONICWALL-FIREWALL-TRAP
--
-- February 2001, Susan Yan
--
-- Copyright (c) 2001 by SonicWall, Inc.
-- All rights reserved.
-- *****************************************************************
SONICWALL-FIREWALL-TRAP-MIB DEFINITIONS ::= BEGIN
IMPORTS
DisplayString,
TEXTUAL-CONVENTION FROM SNMPv2-TC
IpAddress,
snmpModules,
OBJECT-TYPE,
NOTIFICATION-TYPE,
MODULE-IDENTITY FROM SNMPv2-SMI
sonicwallFw FROM SONICWALL-SMI;
sonicwallFwTrapModule MODULE-IDENTITY
LAST-UPDATED "200102230000Z"
ORGANIZATION "SonicWall, Inc."
CONTACT-INFO
" SonicWall Inc.
Postal: 1160 Bordeaux Dr.
Sunnyvale, CA 94089
USA
Tel: +1 408 745 9600
Fax: +1 408 745 9300
E-mail: product at sonicwall.com"
DESCRIPTION
"The MIB Module for SonicWALL Firewall Trap."
REVISION "200102230000Z"
DESCRIPTION
"Initial version."
::= { sonicwallFw 1 }
-- *********************************************************************
-- Standard Traps
-- *********************************************************************
snmpTraps OBJECT IDENTIFIER ::= {snmpModules 1 1 5 }
coldStart NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"This trap signifies that the SonicWALL appliance is
re-initializing itself
such that the agent's configuration or the appliance
itself
implementation may be altered. "
::= { snmpTraps 1 }
warmStart NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"This trap signifies that the SonicWALL appliance is
re-initializing itself
such that neither the agent configuration nor the
appliance
implementation is altered. "
::= { snmpTraps 2 }
authenticationFailure NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"This trap signifies that the SonicWALL appliance is the
addressee of
a protocol message that is not properly authenticated. "
::= { snmpTraps 5 }
-- *********************************************************************
-- Type define
-- *********************************************************************
MacAddress ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"ethernet address."
SYNTAX OCTET STRING (SIZE (6))
FwTrapType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Trap type of firewall. The type have 4 digitals, ABCD.
AB represent trap catalog, CD represent trap type in the
catalog."
SYNTAX INTEGER {
-- =========== Attack =================================================
trapTypePingOfDeathBlocked (501), -- Ping
of death blocked
trapTypeIPSpoofDetected (502), -- IP
spoof detected
trapTypePossibleSynFlood (503), --
Possible SYN flood attack
trapTypeProbableSynFlood (504), --
Probable SYN flood attack
trapTypeLandAttack (505),
-- Land Attack Dropped
trapTypeAttemptedAdminLoginFromWAN (506), -- Attempted
administrator login from WAN
trapTypeLogUnknownSpi (507), --
Unknown IPSec SPI
trapTypeLogIpsecAuthFailure (508), -- IPSec
Authentication Failed
trapTypeLogIpsecDecryptFailure (509), -- IPSec
Decryption Failed
trapTypeLogIllegalIpsecPeer (510), -- IPSec
packet from or to an illegal host
trapTypeNetBusDropped (511), --
NetBus Attack Dropped
trapTypeBackOrificeDropped (512), -- Back
Orifice Attack Dropped
trapTypeNetSpyDropped (513), -- Net
Spy Attack Dropped
trapTypeSub7Dropped (514),
-- Sub Seven Attack Dropped
trapTypeRipperDropped (515), --
Ripper Attack Dropped
trapTypeStrikerDropped (516), --
Striker Attack Dropped
trapTypeSennaSpyDropped (517), -- Senna
Spy Attack Dropped
trapTypePriorityDropped (518), --
Priority Attack Dropped
trapTypeIniKillerDropped (519), -- Ini
Killer Attack Dropped
trapTypeSmurfDropped (520), -- Smurf
Amplification Attack Dropped
trapTypePortScanPossible (521), --
Possible Port Scan
trapTypePortScanProbable (522), --
Probable Port Scan
trapTypeLogIkeProposalReject (523), -- IKE
Responder: IPSec proposal not acceptable
trapTypeAVReceivedAlert (524), --
Received AV Alert
trapTypeLogAddTest (525),
-- Add an attack message
trapTypeAVExpiredMsg (526), --
Received AV Alert: Your SonicWALL Network Anti-Virus subscription has
expired.
trapTypeForbiddenAttachment (527), --
Forbidden E-mail attachment altered
trapTypeTcpFinScanDropped (528), --
Probable TCP FIN scan
trapTypeTcpXmasScanDropped (529), --
Probable TCP XMAS scan
trapTypeTcpNullScanDropped (530), --
Probable TCP NULL scan
trapTypeReplayDetected (531), -- IPSEC
Replay Detected
-- =========== System Errors
=================================================
trapTypeLogFull
(601), -- Log full; deactivating SonicWALL
trapTypeLogProblemLoadingCheckSettings (602), -- Problem
loading the Filter list; check Filter settings
trapTypeLogProblemLoadingCheckDNS (603), --
Problem loading the Filter list; check your DNS server
trapTypeLogProblemEmailingCheckSettings (604), -- Problem
sending log email; check log settings
trapTypeIllegalLanAddressInUse (605), --
Illegal LAN address in use
trapTypeNATCouldntRemap (606),
-- NAT could not remap incoming packet
trapTypeCacheFull
(607), -- The cache is full; %d open connections; some will be dropped
trapTypeConnDroppedTooManyIP (608), --
License exceeded: Connection dropped because too many IP addresses are
in use on your LAN
trapTypeLogOutOfMemory (609),
-- Diagnostic Code E
trapTypeInternalErr
(610), -- Diagnostic Code D
trapTypeLogSuspendReboot (611),
-- Diagnostic Code A
trapTypeLogDeadlockReboot (612),
-- Diagnostic Code B
trapTypeLogLowMemReboot (613),
-- Diagnostic Code C
trapTypeHaIdlePrimary (614),
-- Primary firewall has transitioned to Idle
trapTypeHaMissedHeartbeatPrimary (615), --
Primary missed heartbeats from Active Backup: Primary going Active
trapTypeHaMissedHeartbeatBackup (616), -- Backup
missed heartbeats from Active Primary: Backup going Active
trapTypeHaErrorReceivedPrimary (617), --
Primary received error signal from Active Backup: Primary going Active
trapTypeHaErrorReceivedBackup (618), -- Backup
received error signal from Active Primary: Backup going Active
trapTypeHaBackupPreempt (619),
-- Backup firewall being preempted by Primary
trapTypeHaPrimaryPreempt (620),
-- Primary firewall preempting Backup
trapTypeLogHttpServerReboot (621),
-- Diagnostic Code F
trapTypeBackupActivePreempt (622),
-- Backup going Active in preempt mode after reboot
trapTypeCflUpdateApplianceNotRegistered (623), -- Problem
loading the Filter list; Appliance not registered.
trapTypeCflUpdateSubscriptionExpired (624), -- Problem
loading the Filter list; Subscription expired.
trapTypeCflUpdateErrorTransient (625), --
Problem loading the Filter list; Try loading it again.
trapTypeCflUpdateErrorTransientAuto (626), --
Problem loading the Filter list; Retrying later.
trapTypeCflUpdateErrorInternal (627), --
Problem loading the Filter list; Flash write failure.
trapTypeCflApplianceCflExpired (628), -- The
loaded content filter list has expired.
trapTypeHaSetError
(629), -- Error setting the IP address of the backup, please manually
set to backup LAN IP
trapTypeHaSyncError
(630), -- Error updating HA peer configuration
-- =========== Blocked Web Sites
=================================================
trapTypeWebSiteBlocked (701),
-- Web site blocked
trapTypeNewsgroupBlocked (702),
-- Newsgroup blocked
trapTypeWebSiteAccessed (703),
-- Web site accessed
trapTypeNewsgroupAccessed (704),
-- Newsgroup accessed
trapTypeProxyAccessBlocked (705) --
Access to Proxy Server Blocked
}
-- **************************** Enterprise Specific Traps Information
*******************************
sonicwallFwTrapInfo OBJECT IDENTIFIER ::= {sonicwallFwTrapModule 1}
--
******************************************************************************************
--
-- The swTrapInfoTable
--
-- This table contains information that is
-- for the basic event on the firewall.
--
******************************************************************************************
swTrapInfoTable OBJECT IDENTIFIER ::= { sonicwallFwTrapInfo 1 }
swTrapInfoTrapType OBJECT-TYPE
SYNTAX FwTrapType
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"trap type ."
::= { swTrapInfoTable 1 }
swTrapInfoTrapDescription OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"The description of the trap. "
::= { swTrapInfoTable 2 }
swTrapInfoSrcIpAddress OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"The source ip address. "
::= { swTrapInfoTable 3 }
swTrapInfoDstIpAddress OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"The destination ip address. "
::= { swTrapInfoTable 4 }
swTrapInfoSrcPort OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"The destination port. "
::= { swTrapInfoTable 5 }
swTrapInfoDstPort OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"The destination port. "
::= { swTrapInfoTable 6 }
swTrapInfoSrcMacAddress OBJECT-TYPE
SYNTAX MacAddress
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"The source MAC address. "
::= { swTrapInfoTable 7 }
swTrapInfoDstMacAddress OBJECT-TYPE
SYNTAX MacAddress
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"The destination MAC address. "
::= { swTrapInfoTable 8 }
swTrapInfoIpType OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"The ip type. "
::= { swTrapInfoTable 9 }
swTrapInfoPrivMsg OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"The additional message. "
::= { swTrapInfoTable 10 }
swTrapInfoIpAddress OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"The ip address. "
::= { swTrapInfoTable 11 }
--
******************************************************************************************
--
-- sonicwall firewall trap group
--
-- This group defines the trap which sonicwall firewall generated
--
******************************************************************************************
sonicwallFwTrapRoot OBJECT IDENTIFIER ::= {sonicwallFwTrapModule 2}
swFwTrapAttack NOTIFICATION-TYPE
OBJECTS {
swTrapInfoTrapType,
swTrapInfoTrapDescription
}
STATUS current
DESCRIPTION
"This trap indicates that the firewall have detected a
attack.
The bound objects provide more detailed information about
this problem."
::= { sonicwallFwTrapRoot 0 1 }
swFwTrapSysError NOTIFICATION-TYPE
OBJECTS {
swTrapInfoTrapType,
swTrapInfoTrapDescription
}
STATUS current
DESCRIPTION
"This trap indicates that there is a system problem with the
SonicWALL appliance.
The bound objects provide more detailed information about
this problem."
::= { sonicwallFwTrapRoot 0 2 }
swFwTrapBlkWebSite NOTIFICATION-TYPE
OBJECTS {
swTrapInfoTrapType,
swTrapInfoTrapDescription
}
STATUS current
DESCRIPTION
"This trap indicates that there is a web site was blocked by
the firewall.
The bound objects provide more detailed information about
this problem."
::= { sonicwallFwTrapRoot 0 3}
END
--
Andrew Davis, Founder
SoCalLinuxSolutions
andrew at socallinuxsolutions.com
760-525-4689
SoCalLinuxSolutions.com
Linux Consultation & Integration Services
--
Unsubscribe mailto:mrtg-request at list.ee.ethz.ch?subject=unsubscribe
Archive http://www.ee.ethz.ch/~slist/mrtg
FAQ http://faq.mrtg.org Homepage http://www.mrtg.org
WebAdmin http://www.ee.ethz.ch/~slist/lsg2.cgi
More information about the mrtg
mailing list