Add SNMPv3 users

Add SNMPv3 users to provide secure, authenticated, and encrypted SNMP management access to your device. This task ensures that only authorized users can access SNMPv3 features using specified authentication and encryption algorithms.

You create users for SNMPv3 only. These steps are not applicable for SNMPv1 or SNMPv2c.

Note

SNMPv3 only supports read-only users.

SNMP users have a specified username, an authentication password, an encryption password, and authentication and encryption algorithms to use.

Note

If you add a new cluster unit or replace a High Availability unit when using SNMPv3 with clustering or High Availability, SNMPv3 users are not replicated to the new unit. Remove the users, add them again, and redeploy your configuration to replicate users to the new unit.

For a successful SNMPv3 user authentication, the authentication key size should be equal to or larger than the encryption key size. For example, a user authentication using SHA-1 with AES256 fails, whereas authentication using SHA256 with AES256 succeeds.

The authentication algorithm options are MD5 (deprecated, pre-6.5 only), SHA, SHA224, SHA256, and SHA384.

Note

The MD5 option has been deprecated. If your deployment includes SNMP v3 users using the MD5 authentication algorithm that were created using a version previous to 6.5, you can continue to use those users for FTD devices running versions 6.7 and previous. However, you cannot edit those users and retain the MD5 authentication algorithm, or create new users with the MD5 authentication algorithm. If your management center manages any threat defenses running Versions 7.0+, deploying a platform settings policy that uses the MD5 authentication algorithm to those threat defenses will fail.

The encryption algorithm options are DES (deprecated, pre-6.5 only), 3DES, AES256, AES192, and AES128.

Note

The DES option has been deprecated. If your deployment includes SNMP v3 users using DES encryption that were created using a version previous to 6.5, you can continue to use those users for threat defenses running versions 6.7 and previous. However, you cannot edit those users and retain DES encryption, or create new users with DES encryption. If your management center manages any threat defenses running Versions 7.0+, deploying a platform settings policy that uses DES encryption to those threat defenses will fail.

Procedure


Step 1

Choose Devices > Platform Settings and create or edit the Firewall Threat Defense policy.

Step 2

Choose the SNMP > Users tab.

Step 3

Click Add and complete the following:

  1. Select the security level for the user from the Security Level drop-down list.

    • Auth—Authentication but No Privacy, which means that messages are authenticated.

    • No Auth—No Authentication and No Privacy, which means that no security is applied to messages.

    • Priv—Authentication and Privacy, which means that messages are authenticated and encrypted.

  2. Enter the name of the SNMP user in the Username field. Usernames must be 32 characters or fewer.

  3. Select the type of password you want to use in the Encryption Password Type drop-down list. Choose from:

    • Clear text—The Firewall Threat Defense device will still encrypt the password when deploying to the device.

    • Encrypted—The Firewall Threat Defense device will directly deploy the encrypted password.

  4. In the Auth Algorithm Type drop-down list, select the type of authentication you want to use: SHA, SHA224, SHA256, or SHA384.

    Note

    The MD5 option has been deprecated. If your deployment includes SNMP v3 users using the MD5 authentication algorithm that were created using a version previous to 6.5, you can continue to use those users for FTD devices running versions 6.7 and previous. However, you cannot edit those users and retain the MD5 authentication algorithm, or create new users with the MD5 authentication algorithm. If your Cloud-Delivered Firewall Management Center manages any Firewall Threat Defenses running Versions 7.0+, deploying a platform settings policy that uses the MD5 authentication algorithm to those Firewall Threat Defenses will fail.

  5. In the Authentication Password field, enter the password to use for authentication. If you selected Encrypted as the Encrypt Password Type, the password must be formatted as xx:xx:xx..., where xx are hexadecimal values.

    Note

    The length of the password will depend on the authentication algorithm selected. For all passwords, the length must be 256 characters or fewer.

    If you selected Clear Text as the Encrypt Password Type, repeat the password in the Confirm field.

  6. In the Encryption Type drop-down list, select the type of encryption you want to use: AES128, AES192, AES256, or 3DES.

    Note

    To use AES or 3DES encryption, you must have the appropriate license installed on the device.

    Note

    The DES option has been deprecated. If your deployment includes SNMP v3 users using DES encryption that were created using a version previous to 6.5, you can continue to use those users for Firewall Threat Defenses running versions 6.7 and previous. However, you cannot edit those users and retain DES encryption, or create new users with DES encryption. If your Cloud-Delivered Firewall Management Center manages any Firewall Threat Defenses running Versions 7.0+, deploying a platform settings policy that uses DES encryption to those Firewall Threat Defenses will fail.

  7. Enter the password to use for encryption in the Encryption Password field. If you selected Encrypted as the Encrypt Password Type, the password must be formatted as xx:xx:xx..., where xx are hexadecimal values. For encrypted passwords, the length of the password depends on the encryption type selected. The password sizes are as follows, where each xx is one octet:

    • AES 128 requires 16 octets

    • AES 192 requires 24 octets

    • AES 256 requires 32 octets

    • 3DES requires 32 octets

    • DES can be any size

    Note

    For all passwords, the length must be 256 characters or fewer.

    If you selected Clear Text as the Encrypt Password Type, repeat the password in the Confirm field.

Step 4

Click OK.

Step 5

Click Save.

You can now go to Deploy > Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.


After completing these steps, SNMPv3 users are added with the specified authentication and encryption settings. The device is now configured for secure SNMPv3 management access.
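
The constraints above (username length, password length and xx:xx:xx format, per-algorithm encrypted-password sizes, and the rule that the authentication key must be at least as large as the encryption key) can be checked before a user is entered in the policy. The following Python sketch is an added example, not Cisco code: the dictionary field names are hypothetical, the sample users are constructed, and it assumes the encryption key size equals the encrypted-password octet count listed in step 3.

```python
import re

# Digest length in octets for each authentication algorithm (hash output sizes).
AUTH_OCTETS = {"SHA": 20, "SHA224": 28, "SHA256": 32, "SHA384": 48}
# Encrypted-password octets per encryption type (page list); assumed equal to key size.
PRIV_OCTETS = {"AES128": 16, "AES192": 24, "AES256": 32, "3DES": 32}
HEX_PAIRS = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*")


def check_password(label, value, pw_type, octets=None):
    """Check one password field; octets is the required length when encrypted."""
    if not value or len(value) > 256:
        return [f"{label} password must be 1 to 256 characters"]
    if pw_type != "Encrypted":
        return []
    if not HEX_PAIRS.fullmatch(value):
        return [f"{label} password must be formatted as xx:xx:xx... in hex"]
    if octets is not None and len(value.split(":")) != octets:
        return [f"{label} password must be {octets} octets"]
    return []


def check_user(user):
    """Return the problems found in one SNMPv3 user definition (a dict)."""
    problems = []
    if not 1 <= len(user["name"]) <= 32:
        problems.append("username must be 32 characters or fewer")
    if user["level"] == "No Auth":
        return problems + ["No Auth applies no security to messages"]
    auth, pw_type = user["auth_alg"], user["pw_type"]
    if auth not in AUTH_OCTETS:  # MD5 is deprecated and cannot be used for new users
        problems.append(f"auth algorithm {auth} cannot be used for new users")
    problems += check_password("authentication", user["auth_pw"], pw_type)
    if user["level"] == "Priv":
        priv = user["priv_alg"]
        if priv not in PRIV_OCTETS:  # DES is deprecated as well
            problems.append(f"encryption type {priv} cannot be used for new users")
        else:
            problems += check_password("encryption", user["priv_pw"], pw_type,
                                       PRIV_OCTETS[priv])
            if auth in AUTH_OCTETS and AUTH_OCTETS[auth] < PRIV_OCTETS[priv]:
                problems.append(f"{auth} key is shorter than the {priv} key")
    return problems

# Constructed sample users; names and passwords are placeholders.
WEAK = {"name": "nms-ro", "level": "Priv", "pw_type": "Clear text",
        "auth_alg": "SHA", "auth_pw": "example-auth-pw",
        "priv_alg": "AES256", "priv_pw": "example-priv-pw"}
GOOD = dict(WEAK, auth_alg="SHA256")
```

`check_user(WEAK)` reports the SHA with AES256 mismatch described earlier on this page, while `check_user(GOOD)` returns an empty list.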