Cisco Secure Firewall SNMP using Firepower Device Manager (FDM)

In this article, we will take a look at how to configure SNMP on the Cisco Secure Firewall (formerly FTD) using the local manager, Firepower Device Manager (FDM).

This article assumes that the Cisco Secure Firewall is configured with the base settings and that the administrator has access to FDM.

In order to configure the Cisco Secure Firewall with SNMP, FlexConfig must be used.

Note: This demonstration uses Cisco Secure Firewall software version 6.6.3 and SNMP v2. This article is NOT applicable for version 6.7+.

Create Objects for SNMP

Two objects are required before SNMP is configured using FlexConfig:

  • Secret Key for the v2 Community
  • Network object for the SNMP server host(s)

Perform the following steps to complete the object creation:

  • Log in to FDM and select Objects
  • Select Secret Keys
  • Create a new secret key by selecting one of the highlighted options

  • Populate the fields with the relevant values and click OK when complete

  • Select Networks and add a new host for the target SNMP server

  • Populate the relevant fields ensuring that the host IP information for the target SNMP server is populated and press OK when complete

Create FlexConfig

  • Click on the FTD device at the top of the GUI and, once on the main page, select Advanced Configuration

  • Select FlexConfig Objects and create a new FlexConfig Object. This will be used to add the SNMP community configuration

  • Add two variables and give them a name along with the correct value. Each name will be referenced in the next steps. The first variable type should be Network and the next variable type should be Secret. Each value should reflect the objects created in the previous steps.

  • Once the variables have been created, they need to be referenced in both templates. The negate template should not be left empty; an unpopulated negate template can cause deployment issues, because the firewall first uses it to remove the configuration from the device before redeploying the original template. Furthermore, should you wish to remove the SNMP FlexConfig in the future, the negate template configuration will be used.
    • Modify the configuration below to match your environment

Note: The values within {{ }} must match the names that were created for the variables. {{.value}} and {{.password}} are both required within the {{ }} as shown below.

Template Configuration

snmp-server host inside {{SNMP-Server.value}} community {{SNMP-Community-RO.password}} version 2c
snmp-server location FTD
snmp-server contact kelvin@networkwizkid.com
snmp-server community {{SNMP-Community-RO.password}}

Negate Template Configuration

no snmp-server host inside {{SNMP-Server.value}} community {{SNMP-Community-RO.password}} version 2c
no snmp-server location FTD
no snmp-server contact kelvin@networkwizkid.com
no snmp-server community {{SNMP-Community-RO.password}}

  • When complete, your configuration should look similar to the output below

  • Navigate to FlexConfig Policy and add the newly created FlexConfig for SNMP. Once added, a preview of the configuration will be shown in the preview section. If you are happy with the output, save and deploy the configuration.

Once the firewall changes are deployed, the device can be polled from the SNMP server configured in the network object, provided that server is itself set up with the matching community string.
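Because FDM only substitutes variables at deploy time, a reference that is misspelled or uses the wrong attribute (.value for a Secret, .password for a Network object) surfaces only as a deployment error. The following Python is an added example, not code from the article or from Cisco: it checks the template references against the variable definitions, renders the result the way FDM would, and derives the negate template so that no line is left behind. The variable names match those used above; the host address and community string are constructed sample values.

```python
import re

# FlexConfig variables as created in FDM: name -> (type, value).
# The names follow the article; the values are constructed sample data.
FLEX_VARS = {
    "SNMP-Server": ("Network", "192.0.2.10"),
    "SNMP-Community-RO": ("Secret", "example-community"),
}

# A Network variable is referenced as {{Name.value}}, a Secret as {{Name.password}}.
ATTR_FOR_TYPE = {"Network": "value", "Secret": "password"}

TEMPLATE = """snmp-server host inside {{SNMP-Server.value}} community {{SNMP-Community-RO.password}} version 2c
snmp-server location FTD
snmp-server contact kelvin@networkwizkid.com
snmp-server community {{SNMP-Community-RO.password}}"""

# Strict form: no whitespace inside the braces, a name, a dot and an attribute.
VAR_REF = re.compile(r"\{\{([A-Za-z0-9_-]+)\.([a-z]+)\}\}")


def check_references(template, variables):
    """Return a list of problems: malformed references, unknown variable names,
    or an attribute that does not match the variable's type."""
    problems = []
    refs = VAR_REF.findall(template)
    if template.count("{{") != len(refs):
        problems.append("a {{ }} reference is malformed; expected {{Name.value}} or {{Name.password}}")
    for name, attr in refs:
        if name not in variables:
            problems.append(f"{name}: not defined as a FlexConfig variable")
            continue
        expected = ATTR_FOR_TYPE[variables[name][0]]
        if attr != expected:
            problems.append(f"{name}: a {variables[name][0]} variable is referenced as .{expected}, not .{attr}")
    return problems


def render(template, variables):
    """Substitute every {{Name.attr}} with the object's value, as FDM does on deployment."""
    problems = check_references(template, variables)
    if problems:
        raise ValueError("; ".join(problems))
    return VAR_REF.sub(lambda m: variables[m.group(1)][1], template)


def negate(template):
    """Derive the negate template: each configuration line is prefixed with 'no '."""
    return "\n".join("no " + line for line in template.splitlines() if line.strip())
```

Run `check_references(TEMPLATE, FLEX_VARS)` before pasting a template into FDM; an empty list means every reference resolves to a defined variable with the right attribute.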

Video Demonstration

5 comments

  1. If you have errors then please check your syntax to ensure everything is spaced correctly and the actual syntax is correct, matching any variables that you’ve created.


  2. These instructions need to be updated to include a note that this only works on version 6.6 and older.

    From 6.7 onward you will need to use the API Explorer or a Python script to configure this. The “Block list CLI error:” message as seen in 6.7 and newer is because the FlexConfig for SNMP has been removed.

    Below is Cisco’s overly complicated documentation for using the API Explorer to configure SNMP for versions 6.7 and newer.

    https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/216551-configure-and-troubleshoot-snmp-on-firep.html

    A Python script is found below. The Python install they mentioned is overly simplified. There are other modules and things to set up to get it working.

    https://community.cisco.com/t5/security-knowledge-base/firepower-device-manager-fdm-6-7-snmp-using-python-script/ta-p/4283247/page/2

