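Our O&M management platform needs to read data from the firewall via SNMP, but it simply will not connect. Any pointers would be appreciated.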



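I've posted the configuration. Note: besides configuring the SNMP community name and the allowed hosts, you also need to allow snmp under host inbound.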



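Quote:
Originally posted by 小侠唐在飞 at 2017-12-16 00:34
I've posted the configuration. Note: besides configuring the SNMP community name and the allowed hosts, you also need to allow snmp under host inbound.
Expert, where did you post the configuration?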



J-Web Configuration

The following example configures an SRX Series device as an SNMP agent, which allows the device to be managed using SNMP:
  • Select Configure>Services>SNMP.
  • In the System Location box, type lab.
  • In the Contact Information box, type labguy@juniper.net.
  • Under Communities, click Add. The Add an SNMP community window appears.
  • In the Community Name box, type public.
  • In the Authorization list, select read-write.
  • Click OK.
  • Click Apply.
  • Select Configure>Security>Zones.
  • Select the security zone named trust. The Edit Security Zone: trust window appears.
  • In the Interfaces Configuration list, click the ge-0/0/0.0 interface, and click Edit.
  • For Host Inbound Traffic, under System Services, click Allow All or Allow Selected Services.
  • If you selected Allow Selected Services, select snmp, and click Add.
    • Select http, and click Add.
    • Select https, and click Add.
    Important: Make sure you added http and/or https; otherwise, you will lose J-Web connectivity to the SRX Series device.
  • Click OK.
  • Click Apply.
  • Make sure that you have added http or https in step 13, and then select Commit.

CLI Configuration

The following example configures an SRX Series device as an SNMP agent, which allows the device to be managed using SNMP:
  • Set the system identification and community.
    Note: This example does not use every option available for SNMP configuration. For information about additional SNMP configuration options, see Technical Documentation.

    user@host# set snmp location lab
    user@host# set snmp contact "labguy@juniper.net"

  • One or more communities must be configured to authorize network management system access to the SRX Series device. Each community has a community name, an authorization, which determines the kind of access the network management system has to the device, and, when applicable, a list of valid clients that can access the device.
    user@host# set snmp community public authorization read-write

  • Enable SNMP access on an interface.
    user@host# set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services snmp

  • (Optional) Restrict SNMP access to certain sources.
    user@host# set snmp community public clients 172.26.0.0/16
    user@host# set snmp community public clients 0.0.0.0/0 restrict

For SNMPv3 configuration, refer to KB22048 - How to configure SNMPv3 on SRX.


SNMP Monitoring

The following are examples of querying an SRX Series device using SNMP.

Example 1

This example shows how to walk the jnxMibs MIB on the SRX Series device from a remote host using snmpwalk:
  • MIB walk on the SRX (OID for the jnxMibs is 1.3.6.4.1.2636.3):                 

    root@srx3600> show snmp mib walk jnxMibs
    or
    root@SRX240> show snmp mib walk 1.3.6.1.4.1.2636.3

    jnxBoxClass.0 = jnxProductLineSRX240.0
    jnxBoxDescr.0 = Juniper SRX240-poe Internet Router
    jnxBoxSerialNo.0 = AH2709AA0096
    jnxBoxRevision.0
    jnxBoxInstalled.0 = 14339200
    jnxContainersIndex.1 = 1
    jnxContainersIndex.4 = 4
    jnxContainersIndex.7 = 7
    jnxContainersIndex.8 = 8
    jnxContainersIndex.9 = 9
    jnxContainersView.1 = 1
    jnxContainersView.4 = 2
    jnxContainersView.7 = 1
    jnxContainersView.8 = 1
    jnxContainersView.9 = 1
    jnxContainersLevel.1 = 0
    jnxContainersLevel.4 = 1
    jnxContainersLevel.7 = 1
    jnxContainersLevel.8 = 2
    jnxContainersLevel.9 = 1
    jnxContainersWithin.1 = 0
    jnxContainersWithin.4 = 1
    jnxContainersWithin.7 = 1
    jnxContainersWithin.8 = 7
    jnxContainersWithin.9 = 1
    <snip>
  • snmpwalk of the SRX Series device from remote host: (srx240hostname resolves to the interface IP address used for snmp polling in the following example)
    [root@Svr3]# snmpwalk -v 2c -Ob -c public srx240hostname 1.3.6.1.4.1.2636.3

    SNMPv2-SMI::enterprises.2636.3.1.1.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.1.39.0
    SNMPv2-SMI::enterprises.2636.3.1.2.0 = STRING: "Juniper SRX240-poe Internet Router"
    SNMPv2-SMI::enterprises.2636.3.1.3.0 = STRING: "AH2709AA0096"
    SNMPv2-SMI::enterprises.2636.3.1.4.0 = ""
    SNMPv2-SMI::enterprises.2636.3.1.5.0 = Timeticks: (14329200) 1 day, 15:48:12.00
    SNMPv2-SMI::enterprises.2636.3.1.6.1.1.1 = INTEGER: 1
    SNMPv2-SMI::enterprises.2636.3.1.6.1.1.4 = INTEGER: 4
    SNMPv2-SMI::enterprises.2636.3.1.6.1.1.7 = INTEGER: 7
    SNMPv2-SMI::enterprises.2636.3.1.6.1.1.8 = INTEGER: 8
    SNMPv2-SMI::enterprises.2636.3.1.6.1.1.9 = INTEGER: 9
    SNMPv2-SMI::enterprises.2636.3.1.6.1.2.1 = INTEGER: 1
    SNMPv2-SMI::enterprises.2636.3.1.6.1.2.4 = INTEGER: 2
    SNMPv2-SMI::enterprises.2636.3.1.6.1.2.7 = INTEGER: 1
    SNMPv2-SMI::enterprises.2636.3.1.6.1.2.8 = INTEGER: 1
    SNMPv2-SMI::enterprises.2636.3.1.6.1.2.9 = INTEGER: 1
    SNMPv2-SMI::enterprises.2636.3.1.6.1.3.1 = INTEGER: 0
    SNMPv2-SMI::enterprises.2636.3.1.6.1.3.4 = INTEGER: 1
    SNMPv2-SMI::enterprises.2636.3.1.6.1.3.7 = INTEGER: 1
    SNMPv2-SMI::enterprises.2636.3.1.6.1.3.8 = INTEGER: 2
    SNMPv2-SMI::enterprises.2636.3.1.6.1.3.9 = INTEGER: 1
    SNMPv2-SMI::enterprises.2636.3.1.6.1.4.1 = INTEGER: 0
    SNMPv2-SMI::enterprises.2636.3.1.6.1.4.4 = INTEGER: 1
    SNMPv2-SMI::enterprises.2636.3.1.6.1.4.7 = INTEGER: 1
    SNMPv2-SMI::enterprises.2636.3.1.6.1.4.8 = INTEGER: 7
    SNMPv2-SMI::enterprises.2636.3.1.6.1.4.9 = INTEGER: 1
    <snip>
Example 2
This example shows how to walk the jnxMibs MIB from the SRX Series device.
root@SRX240> show snmp mib walk jnxOperatingDescr
jnxOperatingDescr.1.1.0.0 = midplane
jnxOperatingDescr.4.1.0.0 = SRX240 PowerSupply fan 1
jnxOperatingDescr.4.2.0.0 = SRX240 PowerSupply fan 2
jnxOperatingDescr.4.3.0.0 = SRX240 CPU fan 1
jnxOperatingDescr.4.4.0.0 = SRX240 CPU fan 2
jnxOperatingDescr.7.1.0.0 = FPC: FPC @ 0/*/*
jnxOperatingDescr.8.1.1.0 = PIC: 16x GE Base PIC @ 0/0/*
jnxOperatingDescr.9.1.0.0 = Routing Engine
jnxOperatingDescr.9.1.1.0 = USB Hub



A common SNMPv2 configuration on Junos:

set snmp community "china88" authorization read-only
set snmp community "china88" clients 100.238.28.1/32
set snmp community "china88" clients 0.0.0.0/0 restrict
set snmp trap-options source-address 100.238.15.33
set snmp trap-group "china88" version v2
set snmp trap-group "china88" categories authentication
set snmp trap-group "china88" categories link
set snmp trap-group "china88" categories remote-operations
set snmp trap-group "china88" categories routing
set snmp trap-group "china88" categories startup
set snmp trap-group "china88" categories configuration
set snmp trap-group "china88" targets 100.238.75.19




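This post was last edited by 小侠唐在飞 on 2017-12-19 20:55
[Network teaching video courses produced by 大侠唐在飞]
The heroes of the age come from our generation, yet once you enter the jianghu the years rush by. The "小侠唐在飞" of those days has now become "大侠唐在飞". ♫ Gold and silver cups are no match for the word of mouth of netizens; gold and silver awards are no match for the praise of netizens; bear paws and duck feet are no match for the applause of netizens~
☺ You are welcome to join the "唐志强技术教学交流群" group, group number: 67182271. ♥ [Voting for the most popular 51CTO instructor is now open. Find 大侠唐在飞 and cast a vote. You can vote once a day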
On an SRX firewall, besides enabling the relevant service, you also have to allow host-inbound-traffic on the zone.


set security zones security-zone inside host-inbound-traffic system-services ping
set security zones security-zone inside host-inbound-traffic system-services ssh
set security zones security-zone inside host-inbound-traffic system-services https
set security zones security-zone inside host-inbound-traffic system-services traceroute
set security zones security-zone inside host-inbound-traffic system-services http
set security zones security-zone inside host-inbound-traffic system-services snmp
set security zones security-zone inside host-inbound-traffic system-services ftp



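The two points raised in the replies above (the SNMP community with its clients list, and snmp under the zone's host-inbound-traffic) can be checked offline against a saved `set`-format configuration. The script below is an added example, not part of the original posts or of any Juniper tooling; the function name `audit`, the sample configuration and the finding texts are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample (not from a real device), built from the statements quoted in the thread.
SAMPLE = """\
set snmp community public authorization read-write
set snmp community public clients 172.26.0.0/16
set snmp community "china88" authorization read-only
set snmp community "china88" clients 100.238.28.1/32
set snmp community "china88" clients 0.0.0.0/0 restrict
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services snmp
set security zones security-zone inside host-inbound-traffic system-services ssh
"""

COMM = re.compile(r'^set snmp community "?([^"\s]+)"? (authorization|clients) (\S+)( restrict)?$')
ZONE = re.compile(r'^set security zones security-zone (\S+) (?:interfaces \S+ )?host-inbound-traffic system-services (\S+)$')


def audit(config, nms_ip):
    """Return sorted findings on SNMP exposure and on reachability from nms_ip (hypothetical helper)."""
    comms, zones, findings = {}, {}, []
    for line in map(str.strip, config.splitlines()):
        if m := COMM.match(line):
            c = comms.setdefault(m[1], {"auth": None, "allow": [], "catch_all": False})
            if m[2] == "authorization":
                c["auth"] = m[3]
            elif m[4]:  # "clients <prefix> restrict" denies that prefix
                c["catch_all"] |= m[3] == "0.0.0.0/0"
            else:
                c["allow"].append(ipaddress.ip_network(m[3]))
        elif m := ZONE.match(line):
            # Simplification: interface-level and zone-level services are pooled per zone.
            zones.setdefault(m[1], set()).add(m[2])
    nms = ipaddress.ip_address(nms_ip)
    for name, c in comms.items():
        if c["auth"] == "read-write":
            findings.append(f"{name}: read-write community")
        if name in ("public", "private"):
            findings.append(f"{name}: well-known community name")
        if not c["allow"]:
            findings.append(f"{name}: no clients list, any source accepted")
        elif not any(nms in net for net in c["allow"]):
            findings.append(f"{name}: NMS {nms_ip} not in clients list")
        if c["allow"] and not c["catch_all"]:
            findings.append(f"{name}: no 0.0.0.0/0 restrict entry")
    for zone, svcs in zones.items():
        if not svcs & {"snmp", "all", "any-service"}:
            findings.append(f"zone {zone}: snmp not allowed in host-inbound-traffic")
    return sorted(findings)
```

Calling `audit(SAMPLE, "100.238.28.1")` reports the read-write `public` community, the polling host missing from its clients list, and the `inside` zone that would drop SNMP polls, while the read-only, client-restricted `china88` community produces no findings.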
Copyright©2005-2017 51CTO.COM