Add SNMPv3 Users

Note

You create users for SNMPv3 only. These steps are not applicable for SNMPv1 or SNMPv2c.

Note that SNMPv3 only supports read-only users.

SNMP users have a specified username, an authentication password, an encryption password, and authentication and encryption algorithms to use.

Note

When using SNMPv3 with clustering or High Availability, if you add a new cluster unit after the initial cluster formation or you replace a High Availability unit, then SNMPv3 users are not replicated to the new unit. You must remove the users, re-add them, and then redeploy your configuration to force the users to replicate to the new unit.

The authentication algorithm options are MD5 (deprecated, pre-6.5 only), SHA, SHA224, SHA256, and SHA384.

Note

The MD5 option has been deprecated. If your deployment includes SNMP v3 users using the MD5 authentication algorithm that were created using a version previous to 6.5, you can continue to use those users for FTDs running versions 6.7 and previous. However, you cannot edit those users and retain the MD5 authentication algorithm, or create new users with the MD5 authentication algorithm. If your management center manages any threat defenses running Versions 7.0+, deploying a platform settings policy that uses the MD5 authentication algorithm to those threat defenses will fail.

The encryption algorithm options are DES (deprecated, pre-6.5 only), 3DES, AES256, AES192, and AES128.

Note

The DES option has been deprecated. If your deployment includes SNMP v3 users using DES encryption that were created using a version previous to 6.5, you can continue to use those users for threat defenses running versions 6.7 and previous. However, you cannot edit those users and retain DES encryption, or create new users with DES encryption. If your management center manages any threat defenses running Versions 7.0+, deploying a platform settings policy that uses DES encryption to those threat defenses will fail.

Procedure


Step 1

Choose Devices > Platform Settings and create or edit the threat defense policy.

Step 2

Click SNMP > Users.

Step 3

Click Add.

Step 4

Select the security level for the user from the Security Level drop-down list.

  • Auth—Authentication but No Privacy, which means that messages are authenticated.

  • No Auth—No Authentication and No Privacy, which means that no security is applied to messages.

  • Priv—Authentication and Privacy, which means that messages are authenticated and encrypted.

Step 5

Enter the name of the SNMP user in the Username field. Usernames must be 32 characters or fewer.

Step 6

Select the type of password you want to use in the Encryption Password Type drop-down list.

  • Clear text—The threat defense device will still encrypt the password when deploying to the device.
  • Encrypted—The threat defense device will directly deploy the encrypted password.

Step 7

In the Auth Algorithm Type drop-down list, select the type of authentication you want to use: SHA, SHA224, SHA256, or SHA384.

Note

The MD5 option has been deprecated. If your deployment includes SNMP v3 users using the MD5 authentication algorithm that were created using a version previous to 6.5, you can continue to use those users for FTDs running versions 6.7 and previous. However, you cannot edit those users and retain the MD5 authentication algorithm, or create new users with the MD5 authentication algorithm. If your management center manages any threat defenses running Versions 7.0+, deploying a platform settings policy that uses the MD5 authentication algorithm to those threat defenses will fail.

Step 8

In the Authentication Password field, enter the password to use for authentication. If you selected Encrypted as the Encrypt Password Type, the password must be formatted as xx:xx:xx..., where xx are hexadecimal values.

Note

The length of the password will depend on the authentication algorithm selected. For all passwords, the length must be 256 characters or less.

If you selected Clear Text as the Encrypt Password Type, repeat the password in the Confirm field.

Step 9

In the Encryption Type drop-down list, select the type of encryption you want to use: AES128, AES192, AES256, or 3DES.

Note

To use AES or 3DES encryption, you must have the appropriate license installed on the device.

Note

The DES option has been deprecated. If your deployment includes SNMP v3 users using DES encryption that were created using a version previous to 6.5, you can continue to use those users for threat defenses running versions 6.7 and previous. However, you cannot edit those users and retain DES encryption, or create new users with DES encryption. If your management center manages any threat defenses running Versions 7.0+, deploying a platform settings policy that uses DES encryption to those threat defenses will fail.

Step 10

Enter the password to use for encryption in the Encryption Password field. If you selected Encrypted as the Encrypt Password Type, the password must be formatted as xx:xx:xx..., where xx are hexadecimal values. For encrypted passwords, the length of the password depends on the encryption type selected. The password sizes are as follows (where each xx is one octet):

  • AES 128 requires 16 octets

  • AES 192 requires 24 octets

  • AES 256 requires 32 octets

  • 3DES requires 32 octets

  • DES can be any size

Note

For all passwords, the length must be 256 characters or less.

If you selected Clear Text as the Encrypt Password Type, repeat the password in the Confirm field.

Step 11

Click OK.

Step 12

Click Save.

You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.
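
The following pre-deployment check is an added example, not Cisco code: it applies the rules from the steps above (username length, the 256-character limit, the xx:xx:xx format, the per-algorithm octet counts, and the deprecated MD5 and DES options) to a user definition before you enter it. The dictionary keys and function names are assumptions made for this example, as is the rule that a username cannot be empty.

```python
import re

# Option lists and sizes come from the procedure; the dict keys are this example's own.
AUTH_ALGOS = {"SHA", "SHA224", "SHA256", "SHA384"}
PRIV_OCTETS = {"AES128": 16, "AES192": 24, "AES256": 32, "3DES": 32}
DEPRECATED = {"MD5", "DES"}  # policies using these fail to deploy to 7.0+
HEX_COLON = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})*")

def check_algo(label, algo, allowed):
    if algo in DEPRECATED:
        return [f"{label}: {algo} is deprecated"]
    return [] if algo in allowed else [f"{label}: {algo!r} is not selectable"]

def check_secret(label, value, encrypted, octets=None):
    """Apply the 256-character limit and, for Encrypted, the xx:xx:xx rules."""
    if not value:
        return [f"{label}: missing"]
    problems = []
    if len(value) > 256:
        problems.append(f"{label}: longer than 256 characters")
    if encrypted and not HEX_COLON.fullmatch(value):
        problems.append(f"{label}: not in xx:xx:xx hexadecimal format")
    elif encrypted and octets and value.count(":") + 1 != octets:
        problems.append(f"{label}: needs {octets} octets, has {value.count(':') + 1}")
    return problems

def validate_user(user):
    """Return the list of problems found in one SNMPv3 user definition."""
    problems = []
    if not 1 <= len(user.get("username", "")) <= 32:
        problems.append("username: must be 1 to 32 characters")
    level = user.get("level")
    if level == "No Auth":
        return problems + ["level: No Auth applies no security to messages"]
    if level not in ("Auth", "Priv"):
        return problems + [f"level: {level!r} is not a security level"]
    encrypted = user.get("password_type") == "Encrypted"
    problems += check_algo("auth_algo", user.get("auth_algo"), AUTH_ALGOS)
    problems += check_secret("auth_password", user.get("auth_password"), encrypted)
    if level == "Priv":
        priv = user.get("priv_algo")
        problems += check_algo("priv_algo", priv, PRIV_OCTETS)
        problems += check_secret("priv_password", user.get("priv_password"),
                                 encrypted, PRIV_OCTETS.get(priv))
    return problems

# Constructed sample: AES256 selected but only a 16-octet key supplied.
SAMPLE = {"username": "nms-poller", "level": "Priv", "password_type": "Encrypted",
          "auth_algo": "SHA256", "auth_password": ":".join(["ab"] * 32),
          "priv_algo": "AES256", "priv_password": ":".join(["0f"] * 16)}
```

The page gives octet counts only for the encryption password, so the authentication password is checked for format and overall length only.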