Cisco Secure Firewall SNMP using Firepower Device Manager (FDM)

In this article we will take a look at how to configure SNMP on the Cisco Secure Firewall (formally FTD) using the local manager; Firepower Device Manager (FDM).

This article assumes that the Cisco Secure Firewall is configured with the base settings and the administrator has access to FDM.

In order to configure the Cisco Secure Firewall with SNMP, FlexConfig must be used.

Note: This demonstration uses Cisco Secure Firewall software version 6.6.3 and SNMP v2

Create Objects for SNMP

Two objects are required before SNMP is configured using FlexConfig:

  • Secret Key for the v2 Community
  • Object for the SNMP server host/s

Perform the following steps to complete the object creation:

  • Login to the FDM and select Objects
  • Select Secret Keys
  • Create a new secret key by selecting one of the highlighted options

  • Populate the fields with the relevant values and click OK when complete

  • Select Networks and add a new host for the target SNMP server

  • Populate the relevant fields ensuring that the host IP information for the target SNMP server is populated and press OK when complete

Create FlexConfig

  • Click on the FTD device at the top of the GUI and once on the main page, select Advanced Configuration

  • Select FlexConfig Objects and create a new FlexConfig Object. This will be used to add the SNMP community configuration

  • Add two variables and give them a name along with the correct value. Each name will be referenced in the next steps. The first variable type should be Network and the next variable type should be Secret. Each value should reflect the objects created in the previous steps.

  • Once the variables have been created, they need to be referenced in both templates. The negate template shouldn’t be left empty and can cause issues if not populated. This is because the Firewall will first wipe the configuration from the device before redeploying the original template. Furthermore, should you wish to remove the SNMP FlexConfig in the future, the negate template configuration will be used.
    • Modify the configuration below to match your environment

Note: The values within {{ }} must match the names that were created for the variables. {{.value}} and {{.password}} are both required within the {{ }} as shown below.

Template Configuration

snmp-server host inside {{SNMP-Server.value}} community {{SNMP-Community-RO.password}} version 2c
snmp-server location FTD
snmp-server contact kelvin@networkwizkid.com
snmp-server community {{SNMP-Community-RO.password}}

Negate Template Configuration

no snmp-server host inside {{SNMP-Server.value}} community {{SNMP-Community-RO.password}} version 2c
no snmp-server location FTD
no snmp-server contact kelvin@networkwizkid.com
no snmp-server community {{SNMP-Community-RO.password}}

  • When complete, your configuration should look something similar to the output below

  • Navigate to FlexConfig Policy and add the newly created FlexConfig for SNMP. Once added a preview of the configuration will be shown in the preview section. If you are happy with the output, save and deploy the configuration.

If your SNMP Server is configured, once the Firewall changes are deployed, the device can be polled.

Video Demonstration

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: