[mrtg] Sonicwall MIBs are here :)

Andrew Davis andrew at socallinuxsolutions.com
Fri Oct 11 23:47:31 MEST 2002


Okay... the legal counsel of one of my contracts threatened good 'ole
Sonicwall with a false advertising lawsuit after they refused to provide
me MIBs for my firewall (yet their documentation says they 'fully
support SNMP'). An hour later, I was emailed MIBs by an engineer.
Thankfully they didn't say that I couldn't distribute them, however they
did mention that they don't normally provide them (my guess is that they
want to make money on licenses for their custom monitoring software
called ViewPoint).

Nonetheless, the MIBs are below. I've added them to my config file
(sonicfw.cfg) with the lines:
LoadMibs: /usr/local/mrtg/mibs/sw-smi.mib
LoadMibs: /usr/local/mrtg/mibs/sw-firewall-trap.mib

I don't get any errors with my mrtg cron job(s) or when running mrtg
manually, but I also don't seem to be trending any data yet. :( Maybe
the MIBs they gave me are no good. If someone gets them working and
would care to share how, I would be eternally grateful.

Here're the MIBs for ya':

<<<sw-smi.mib>>>
-- *****************************************************************
-- SONICWALL-SMI.MIB
--
-- February 2001, Susan Yan
--
-- Copyright (c) 2001 by SonicWall, Inc.
-- All rights reserved.
-- *****************************************************************


SONICWALL-SMI

--FORCE-INCLUDE <asn1conf.h>
--FORCE-INCLUDE <mib.h>
--FORCE-INCLUDE <snmpdefs.h>
--FORCE-INCLUDE "swMibhand.h"


DEFINITIONS ::= BEGIN

IMPORTS
        MODULE-IDENTITY,
        OBJECT-IDENTITY,
        enterprises
                FROM SNMPv2-SMI;

-- Root of the SonicWall private enterprise subtree: { enterprises 8714 },
-- i.e. 1.3.6.1.4.1.8714. The sonicwallFw node below, and through it the
-- SONICWALL-FIREWALL-TRAP-MIB module, are registered beneath this OID.
sonicwall MODULE-IDENTITY
        LAST-UPDATED "200102230000Z"
        ORGANIZATION "SonicWall, Inc."
        CONTACT-INFO
                "       SonicWall Inc.

                Postal: 1160 Bordeaux Dr.
                        Sunnyvale, CA 94089
                        USA

                   Tel: +1 408 745 9600
                   Fax: +1 408 745 9300

                E-mail: product at sonicwall.com"
        DESCRIPTION
                "The MIB Module for Sonicwall enterprise."
        REVISION      "200102230000Z"
        DESCRIPTION
                "Initial version."
        ::= { enterprises 8714 }


-- Firewall product subtree, { sonicwall 1 } (1.3.6.1.4.1.8714.1).
-- SONICWALL-FIREWALL-TRAP-MIB imports this name and registers its own
-- MODULE-IDENTITY at { sonicwallFw 1 }.
sonicwallFw OBJECT-IDENTITY
        STATUS  current
        DESCRIPTION
                "sonicwallFw is the subtree for the sonicwall firewall
production."
        ::= { sonicwall 1 }

END




<<<sw-firewall-trap.mib>>>
-- *****************************************************************
-- SONICWALL-FIREWALL-TRAP
--
-- February 2001, Susan Yan
--
-- Copyright (c) 2001 by SonicWall, Inc.
-- All rights reserved.
-- *****************************************************************

SONICWALL-FIREWALL-TRAP-MIB DEFINITIONS ::= BEGIN

IMPORTS
    DisplayString,
    TEXTUAL-CONVENTION                  FROM SNMPv2-TC

    IpAddress,
        snmpModules,
    OBJECT-TYPE,
    NOTIFICATION-TYPE,
        MODULE-IDENTITY             FROM SNMPv2-SMI

    sonicwallFw                         FROM SONICWALL-SMI;

-- Identity of the trap module, registered at { sonicwallFw 1 }
-- (1.3.6.1.4.1.8714.1.1).
-- Everything this module defines is trap-related: its only OBJECT-TYPEs are
-- MAX-ACCESS accessible-for-notify and the rest are NOTIFICATION-TYPEs,
-- textual conventions and OID assignments. Nothing here can be read with
-- SNMP GET or GETNEXT, so loading the module into a poller adds names for
-- decoding traps but no counters or gauges to graph.
sonicwallFwTrapModule MODULE-IDENTITY
        LAST-UPDATED "200102230000Z"
        ORGANIZATION "SonicWall, Inc."
        CONTACT-INFO
                "       SonicWall Inc.

                Postal: 1160 Bordeaux Dr.
                        Sunnyvale, CA 94089
                        USA

                   Tel: +1 408 745 9600
                   Fax: +1 408 745 9300

                E-mail: product at sonicwall.com"
        DESCRIPTION
                "The MIB Module for SonicWALL Firewall Trap."
        REVISION      "200102230000Z"
        DESCRIPTION
                "Initial version."
    ::= { sonicwallFw 1 }



-- *********************************************************************

--    Standard Traps

-- *********************************************************************

-- Local re-declaration of the standard trap subtree. With snmpModules at
-- 1.3.6.1.6.3, { snmpModules 1 1 5 } resolves to 1.3.6.1.6.3.1.1.5.
-- NOTE(review): SNMPv2-MIB declares snmpTraps, coldStart, warmStart and
-- authenticationFailure under the same names and OIDs; a tool that loads
-- both modules may report duplicate definitions. Confirm with the MIB
-- loader in use.
snmpTraps      OBJECT IDENTIFIER ::= {snmpModules 1 1 5 }

-- Sent when the appliance re-initializes and, per the description, its
-- configuration or implementation may have changed.
coldStart NOTIFICATION-TYPE
         STATUS current
         DESCRIPTION
                "This trap signifies that the SonicWALL appliance is
re-initializing itself
                 such that the agent's configuration or the appliance
itself
                 implementation may be altered. "
         ::= { snmpTraps 1 }

-- Sent when the appliance re-initializes without a change to the agent
-- configuration or the implementation.
warmStart NOTIFICATION-TYPE
         STATUS current
         DESCRIPTION
                "This trap signifies that the SonicWALL appliance is
re-initializing itself
                 such that neither the agent configuration nor the
appliance
                 implementation is altered. "
         ::= { snmpTraps 2 }

-- Sent when the agent receives a protocol message it cannot authenticate.
-- For monitoring this is the trap that reports failed SNMP access to the
-- firewall itself (with SNMPv1/v2c that normally means a wrong community
-- string), so it is worth routing to alerting rather than only logging.
authenticationFailure NOTIFICATION-TYPE
         STATUS current
         DESCRIPTION
                "This trap signifies that the SonicWALL appliance is the
addressee of
                a protocol message that is not properly authenticated. "
         ::= { snmpTraps 5 }



-- *********************************************************************

-- Type define


-- *********************************************************************
-- Six-octet Ethernet address, used as the SYNTAX of swTrapInfoSrcMacAddress
-- and swTrapInfoDstMacAddress.
-- NOTE(review): SNMPv2-TC, which this module already imports from, defines
-- a textual convention with the same name; a local definition may shadow
-- or clash with it depending on the MIB compiler. Confirm.
MacAddress ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "ethernet address."
    SYNTAX OCTET STRING (SIZE (6))


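-- FwTrapType enumerates the event codes carried in swTrapInfoTrapType.
-- Codes are grouped by hundreds: 5xx attack events, 6xx system errors,
-- 7xx web and newsgroup filtering events.
--
-- Every enumeration comment sits on the same line as its label, or on a
-- continuation line that starts with its own comment marker. An ASN.1
-- comment ends at the end of the line, so comment text that spills onto a
-- following line is read as tokens inside the INTEGER { } list and the
-- module no longer compiles.
--
-- For alerting, the 5xx group holds the events a trap receiver would
-- normally treat as security-relevant, for example 506 (administrator
-- login attempted from the WAN side) and 507 to 510 plus 531 (IPSec SPI,
-- authentication, decryption, peer and replay failures).
FwTrapType ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "Trap type of firewall. The type have 4 digitals, ABCD.
         AB represent trap catalog, CD represent trap type in the catalog."
    SYNTAX INTEGER {

-- =========== Attack =================================================

        trapTypePingOfDeathBlocked              (501),  -- Ping of death blocked
        trapTypeIPSpoofDetected                 (502),  -- IP spoof detected
        trapTypePossibleSynFlood                (503),  -- Possible SYN flood attack
        trapTypeProbableSynFlood                (504),  -- Probable SYN flood attack
        trapTypeLandAttack                      (505),  -- Land Attack Dropped
        trapTypeAttemptedAdminLoginFromWAN      (506),  -- Attempted administrator login from WAN
        trapTypeLogUnknownSpi                   (507),  -- Unknown IPSec SPI
        trapTypeLogIpsecAuthFailure             (508),  -- IPSec Authentication Failed
        trapTypeLogIpsecDecryptFailure          (509),  -- IPSec Decryption Failed
        trapTypeLogIllegalIpsecPeer             (510),  -- IPSec packet from or to an illegal host
        trapTypeNetBusDropped                   (511),  -- NetBus Attack Dropped
        trapTypeBackOrificeDropped              (512),  -- Back Orifice Attack Dropped
        trapTypeNetSpyDropped                   (513),  -- Net Spy Attack Dropped
        trapTypeSub7Dropped                     (514),  -- Sub Seven Attack Dropped
        trapTypeRipperDropped                   (515),  -- Ripper Attack Dropped
        trapTypeStrikerDropped                  (516),  -- Striker Attack Dropped
        trapTypeSennaSpyDropped                 (517),  -- Senna Spy Attack Dropped
        trapTypePriorityDropped                 (518),  -- Priority Attack Dropped
        trapTypeIniKillerDropped                (519),  -- Ini Killer Attack Dropped
        trapTypeSmurfDropped                    (520),  -- Smurf Amplification Attack Dropped
        trapTypePortScanPossible                (521),  -- Possible Port Scan
        trapTypePortScanProbable                (522),  -- Probable Port Scan
        trapTypeLogIkeProposalReject            (523),  -- IKE Responder: IPSec proposal not acceptable
        trapTypeAVReceivedAlert                 (524),  -- Received AV Alert
        trapTypeLogAddTest                      (525),  -- Add an attack message
        trapTypeAVExpiredMsg                    (526),  -- Received AV Alert: Your SonicWALL Network
                                                        -- Anti-Virus subscription has expired.
        trapTypeForbiddenAttachment             (527),  -- Forbidden E-mail attachment altered
        trapTypeTcpFinScanDropped               (528),  -- Probable TCP FIN scan
        trapTypeTcpXmasScanDropped              (529),  -- Probable TCP XMAS scan
        trapTypeTcpNullScanDropped              (530),  -- Probable TCP NULL scan
        trapTypeReplayDetected                  (531),  -- IPSEC Replay Detected


-- =========== System Errors =================================================
        trapTypeLogFull                         (601),  -- Log full; deactivating SonicWALL
        trapTypeLogProblemLoadingCheckSettings  (602),  -- Problem loading the Filter list; check Filter settings
        trapTypeLogProblemLoadingCheckDNS       (603),  -- Problem loading the Filter list; check your DNS server
        trapTypeLogProblemEmailingCheckSettings (604),  -- Problem sending log email; check log settings
        trapTypeIllegalLanAddressInUse          (605),  -- Illegal LAN address in use
        trapTypeNATCouldntRemap                 (606),  -- NAT could not remap incoming packet
        trapTypeCacheFull                       (607),  -- The cache is full; %d open connections; some will be dropped
        trapTypeConnDroppedTooManyIP            (608),  -- License exceeded: Connection dropped because too many
                                                        -- IP addresses are in use on your LAN
        trapTypeLogOutOfMemory                  (609),  -- Diagnostic Code E
        trapTypeInternalErr                     (610),  -- Diagnostic Code D
        trapTypeLogSuspendReboot                (611),  -- Diagnostic Code A
        trapTypeLogDeadlockReboot               (612),  -- Diagnostic Code B
        trapTypeLogLowMemReboot                 (613),  -- Diagnostic Code C
        trapTypeHaIdlePrimary                   (614),  -- Primary firewall has transitioned to Idle
        trapTypeHaMissedHeartbeatPrimary        (615),  -- Primary missed heartbeats from Active Backup:
                                                        -- Primary going Active
        trapTypeHaMissedHeartbeatBackup         (616),  -- Backup missed heartbeats from Active Primary:
                                                        -- Backup going Active
        trapTypeHaErrorReceivedPrimary          (617),  -- Primary received error signal from Active Backup:
                                                        -- Primary going Active
        trapTypeHaErrorReceivedBackup           (618),  -- Backup received error signal from Active Primary:
                                                        -- Backup going Active
        trapTypeHaBackupPreempt                 (619),  -- Backup firewall being preempted by Primary
        trapTypeHaPrimaryPreempt                (620),  -- Primary firewall preempting Backup
        trapTypeLogHttpServerReboot             (621),  -- Diagnostic Code F
        trapTypeBackupActivePreempt             (622),  -- Backup going Active in preempt mode after reboot
        trapTypeCflUpdateApplianceNotRegistered (623),  -- Problem loading the Filter list; Appliance not registered.
        trapTypeCflUpdateSubscriptionExpired    (624),  -- Problem loading the Filter list; Subscription expired.
        trapTypeCflUpdateErrorTransient         (625),  -- Problem loading the Filter list; Try loading it again.
        trapTypeCflUpdateErrorTransientAuto     (626),  -- Problem loading the Filter list; Retrying later.
        trapTypeCflUpdateErrorInternal          (627),  -- Problem loading the Filter list; Flash write failure.
        trapTypeCflApplianceCflExpired          (628),  -- The loaded content filter list has expired.
        trapTypeHaSetError                      (629),  -- Error setting the IP address of the backup,
                                                        -- please manually set to backup LAN IP
        trapTypeHaSyncError                     (630),  -- Error updating HA peer configuration

-- =========== Blocked Web Sites =================================================
        trapTypeWebSiteBlocked                  (701),  -- Web site blocked
        trapTypeNewsgroupBlocked                (702),  -- Newsgroup blocked
        trapTypeWebSiteAccessed                 (703),  -- Web site accessed
        trapTypeNewsgroupAccessed               (704),  -- Newsgroup accessed
        trapTypeProxyAccessBlocked              (705)   -- Access to Proxy Server Blocked
        }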

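-- ****************************  Enterprise Specific Traps Information  *******************************
-- (The banner is kept on a single comment line: a row of asterisks on a
-- line of its own, without the comment marker, is not valid ASN.1.)

-- Parent node of the objects that the enterprise traps carry as variable
-- bindings: { sonicwallFwTrapModule 1 }, i.e. 1.3.6.1.4.1.8714.1.1.1.
sonicwallFwTrapInfo OBJECT IDENTIFIER ::= {sonicwallFwTrapModule 1}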


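-- ******************************************************************************************
--
-- The swTrapInfoTable
--
-- This table contains information that is
-- for the basic event on the firewall.
--
-- ******************************************************************************************
--
-- Despite its name, swTrapInfoTable is a plain OBJECT IDENTIFIER subtree
-- and not an SMI table: it has no SEQUENCE OF, no entry row and no INDEX.
-- Every object beneath it is MAX-ACCESS accessible-for-notify, which means
-- it can appear only as a variable binding inside a notification and can
-- not be read with GET or GETNEXT. A poller therefore has nothing to graph
-- from these objects; the values reach a trap receiver only.

swTrapInfoTable OBJECT IDENTIFIER ::= { sonicwallFwTrapInfo 1 }

-- Event code; one of the FwTrapType enumeration values.
swTrapInfoTrapType OBJECT-TYPE
        SYNTAX     FwTrapType
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
            "trap type ."
    ::= { swTrapInfoTable 1 }


-- Free-text description generated by the appliance. A receiver that logs
-- or displays this string should handle it as untrusted input.
swTrapInfoTrapDescription OBJECT-TYPE
        SYNTAX     DisplayString
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
            "The description of the trap. "
    ::= { swTrapInfoTable 2 }

swTrapInfoSrcIpAddress OBJECT-TYPE
        SYNTAX     IpAddress
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
            "The source ip address. "
    ::= { swTrapInfoTable 3 }

swTrapInfoDstIpAddress OBJECT-TYPE
        SYNTAX     IpAddress
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
            "The destination ip address. "
    ::= { swTrapInfoTable 4 }

-- The description as distributed read "The destination port.", the same
-- text as swTrapInfoDstPort; it is corrected here to match the object
-- name so that a MIB browser does not label both ports identically.
swTrapInfoSrcPort OBJECT-TYPE
        SYNTAX     INTEGER
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
            "The source port. "
    ::= { swTrapInfoTable 5 }

swTrapInfoDstPort OBJECT-TYPE
        SYNTAX     INTEGER
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
            "The destination port. "
    ::= { swTrapInfoTable 6 }

swTrapInfoSrcMacAddress OBJECT-TYPE
        SYNTAX     MacAddress
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
            "The source MAC address. "
    ::= { swTrapInfoTable 7 }

swTrapInfoDstMacAddress OBJECT-TYPE
        SYNTAX     MacAddress
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
            "The destination MAC address. "
    ::= { swTrapInfoTable 8 }

-- NOTE(review): the module does not say what "ip type" encodes; presumably
-- the IP protocol number. Confirm against the appliance before relying on it.
swTrapInfoIpType OBJECT-TYPE
        SYNTAX     INTEGER
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
            "The ip type. "
    ::= { swTrapInfoTable 9 }

-- Second free-text field; same untrusted-input handling as
-- swTrapInfoTrapDescription.
swTrapInfoPrivMsg OBJECT-TYPE
        SYNTAX     DisplayString
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
            "The additional message. "
    ::= { swTrapInfoTable 10 }

swTrapInfoIpAddress OBJECT-TYPE
        SYNTAX     IpAddress
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
            "The ip address. "
    ::= { swTrapInfoTable 11 }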



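-- ******************************************************************************************
--
-- sonicwall firewall trap group
--
-- This group defines the trap which sonicwall firewall generated
--
-- ******************************************************************************************
-- (Each banner row carries its own comment marker; a bare row of asterisks
-- is not valid ASN.1.)

-- Parent of the enterprise notifications: { sonicwallFwTrapModule 2 },
-- i.e. 1.3.6.1.4.1.8714.1.1.2. The notifications are registered below it
-- as { sonicwallFwTrapRoot 0 n }.
sonicwallFwTrapRoot OBJECT IDENTIFIER ::= {sonicwallFwTrapModule 2}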


-- Attack notification, { sonicwallFwTrapRoot 0 1 }, which resolves to
-- 1.3.6.1.4.1.8714.1.1.2.0.1.
-- The OBJECTS clause binds only swTrapInfoTrapType and
-- swTrapInfoTrapDescription; the source/destination address, port and MAC
-- objects defined in this module are not listed, so a receiver should not
-- assume they are present as varbinds.
-- NOTE(review): presumably the trap type carried here is one of the 5xx
-- FwTrapType values; confirm against traps captured from the appliance.
swFwTrapAttack NOTIFICATION-TYPE
        OBJECTS {
            swTrapInfoTrapType,
            swTrapInfoTrapDescription
        }
        STATUS current
        DESCRIPTION
            "This trap indicates that the firewall have detected a
attack.
             The bound objects provide more detailed information about
this problem."
    ::= { sonicwallFwTrapRoot 0 1 }

-- System-error notification, { sonicwallFwTrapRoot 0 2 }, which resolves
-- to 1.3.6.1.4.1.8714.1.1.2.0.2. It binds swTrapInfoTrapType and
-- swTrapInfoTrapDescription only.
-- NOTE(review): presumably the trap type carried here is one of the 6xx
-- FwTrapType values (log, filter-list, memory and high-availability
-- events); confirm against traps captured from the appliance.
swFwTrapSysError NOTIFICATION-TYPE
        OBJECTS {
            swTrapInfoTrapType,
            swTrapInfoTrapDescription
        }
        STATUS current
        DESCRIPTION
            "This trap indicates that there is a system problem with the
SonicWALL appliance.
             The bound objects provide more detailed information about
this problem."
    ::= { sonicwallFwTrapRoot 0 2 }

-- Content-filter notification, { sonicwallFwTrapRoot 0 3 }, which resolves
-- to 1.3.6.1.4.1.8714.1.1.2.0.3. It binds swTrapInfoTrapType and
-- swTrapInfoTrapDescription only.
-- NOTE(review): presumably the trap type carried here is one of the 7xx
-- FwTrapType values, which include "accessed" as well as "blocked" events;
-- confirm against traps captured from the appliance.
swFwTrapBlkWebSite NOTIFICATION-TYPE
        OBJECTS {
            swTrapInfoTrapType,
            swTrapInfoTrapDescription
        }
        STATUS current
        DESCRIPTION
            "This trap indicates that there is a web site was blocked by
the firewall.
             The bound objects provide more detailed information about
this problem."
    ::= { sonicwallFwTrapRoot 0 3}

END

-- 
Andrew Davis, Founder
SoCalLinuxSolutions
andrew at socallinuxsolutions.com
760-525-4689

SoCalLinuxSolutions.com
Linux Consultation & Integration Services
