Configure SNMP Traps

Use the SNMP Traps page to configure SNMP traps (event notifications) for the threat defense device. Traps differ from browsing: they are unsolicited “comments” that the threat defense device sends to the management station when certain events occur, such as linkup, linkdown, and a generated syslog event. An SNMP object ID (OID) for the device appears in the SNMP event traps that the device sends.

Some traps are not applicable to certain hardware models. These traps will be ignored if you apply the policy to one of these models. For example, not all models have field-replaceable units, so the Field Replaceable Unit Insert/Delete trap will not be configured on those models.

SNMP traps are defined in either standard or enterprise-specific MIBs. Standard traps are created by the IETF and documented in various RFCs. SNMP traps are compiled into the threat defense software.

If needed, you can download RFCs, standard MIBs, and standard traps from the following location:

http://www.ietf.org/

Browse the complete list of Cisco MIBs, traps, and OIDs from the following location:

SNMP Object Navigator

In addition, download Cisco OIDs by FTP from the following location:

ftp://ftp.cisco.com/pub/mibs/oid/oid.tar.gz

Procedure


Step 1

Choose Devices > Platform Settings and create or edit the threat defense policy.

Step 2

Click SNMP > SNMP Traps to configure SNMP traps (event notifications) for the threat defense device.

Step 3

Select the appropriate Enable Traps options. You can select either or both options.

  1. Check Enable All SNMP Traps to quickly select all traps in the subsequent four sections.

  2. Check Enable All Syslog Traps to enable transmission of trap-related syslog messages.

Note
SNMP traps are of higher priority than other notification messages from the threat defense as they are expected to be near real-time. When you enable all SNMP or syslog traps, it is possible for the SNMP process to consume excess resources in the agent and in the network, causing the system to hang. If you notice system delays, unfinished requests, or timeouts, you can selectively enable SNMP and syslog traps. You can also limit the rate at which syslog messages are generated by severity level or message ID. For example, all syslog message IDs that begin with the digits 212 are associated with the SNMP class; see Limit the Rate of Syslog Message Generation.

Step 4

The event-notification traps in the Standard section are enabled by default for an existing policy:

  • Authentication – Unauthorized SNMP access. This authentication failure occurs for packets with an incorrect community string.

  • Link Up – One of the device’s communication links has become available (it has “come up”), as indicated in the notification.

  • Link Down – One of the device’s communication links has failed, as indicated in the notification.

  • Cold Start – The device is reinitializing itself such that its configuration or the protocol entity implementation may be altered.

  • Warm Start – The device is reinitializing itself such that its configuration and the protocol entity implementation are unaltered.

Step 5

Select the desired event-notification traps in the Entity MIB section:

  • Field Replaceable Unit Insert – A Field Replaceable Unit (FRU) has been inserted, as indicated. (FRUs include assemblies such as power supplies, fans, processor modules, interface modules, etc.)

  • Field Replaceable Unit Delete – A Field Replaceable Unit (FRU) has been removed, as indicated in the notification.

  • Configuration Change – There has been a hardware change, as indicated in the notification.

Step 6

Select the desired event-notification traps in the Resource section:

  • Connection Limit Reached – This trap indicates that a connection attempt was rejected because the configured connections limit has been reached.

Step 7

Select the desired event-notification traps in the Other section:

  • NAT Packet Discard – This notification is generated when IP packets are discarded by the NAT function. Available Network Address Translation addresses or ports have fallen below the configured threshold.

  • CPU Rising Threshold – This notification is generated when rising CPU utilization exceeds a predefined threshold for a configured period of time. Check this option to enable CPU rising threshold notifications:

    • Percentage – The default value is 70 percent for the high threshold notification; the range is between 10 and 94 percent. The critical threshold is hardcoded at 95 percent.

    • Period – The default monitoring period is 1 minute; the range is between 1 and 60 minutes.

  • Memory Rising Threshold – This notification is generated when rising memory utilization exceeds a predefined threshold, thus reducing available memory. Check this option to enable memory rising threshold notifications:

    • Percentage – The default value is 70 percent for the high threshold notification; the range is between 50 and 95 percent.

  • Failover – This notification is generated when there is a change in the failover state as reported by the CISCO-UNIFIED-FIREWALL-MIB.

  • Cluster – This notification is generated when there is a change in the cluster health as reported by the CISCO-UNIFIED-FIREWALL-MIB.

  • Peer Flap – This notification is generated when there is BGP route flapping, a situation in which BGP systems send an excessive number of update messages to advertise network reachability information.

Step 8

Click Save.

You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.
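
On the management station that receives the Standard-section traps from Step 4, the traps can be triaged by their snmpTrapOID value. The following is an added example, not Cisco code: it assumes a trap receiver has already decoded each trap into a tuple, and the sample records, thresholds and the triage function name are constructed for illustration. The OIDs are the standard values from SNMPv2-MIB and IF-MIB.

```python
from collections import defaultdict, deque

# snmpTrapOID values of the five Standard-section traps (SNMPv2-MIB, IF-MIB).
STANDARD_TRAPS = {
    "1.3.6.1.6.3.1.1.5.1": "coldStart",
    "1.3.6.1.6.3.1.1.5.2": "warmStart",
    "1.3.6.1.6.3.1.1.5.3": "linkDown",
    "1.3.6.1.6.3.1.1.5.4": "linkUp",
    "1.3.6.1.6.3.1.1.5.5": "authenticationFailure",
}

# Constructed sample: (epoch seconds, sending device, snmpTrapOID, ifIndex or None).
SAMPLE_TRAPS = [
    (1000, "192.0.2.10", "1.3.6.1.6.3.1.1.5.5", None),
    (1010, "192.0.2.10", "1.3.6.1.6.3.1.1.5.5", None),
    (1015, "192.0.2.10", "1.3.6.1.6.3.1.1.5.3", 4),
    (1020, "192.0.2.10", "1.3.6.1.6.3.1.1.5.5", None),
    (1025, "192.0.2.10", "1.3.6.1.6.3.1.1.5.4", 4),
    (1300, "192.0.2.11", "1.3.6.1.6.3.1.1.5.1", None),
    (1400, "192.0.2.10", "1.3.6.1.6.3.1.1.5.5", None),
]

def triage(traps, auth_burst=3, auth_window=60, flap_window=30):
    """Return (time, device, finding) tuples for traps that deserve attention."""
    findings = []
    auth_times = defaultdict(deque)  # device -> recent authenticationFailure times
    last_down = {}                   # (device, ifIndex) -> time of last linkDown
    for ts, device, oid, if_index in sorted(traps, key=lambda t: t[0]):
        name = STANDARD_TRAPS.get(oid)
        if name is None:
            findings.append((ts, device, f"unmapped trap OID {oid}"))
        elif name == "authenticationFailure":
            recent = auth_times[device]
            recent.append(ts)
            while ts - recent[0] > auth_window:   # drop failures outside the window
                recent.popleft()
            if len(recent) >= auth_burst:         # repeated wrong community strings
                findings.append((ts, device, "authenticationFailure burst"))
                recent.clear()                    # one finding per burst
        elif name == "linkDown":
            last_down[(device, if_index)] = ts
        elif name == "linkUp":
            down = last_down.pop((device, if_index), None)
            if down is not None and ts - down <= flap_window:
                findings.append((ts, device, f"link flap on ifIndex {if_index}"))
        else:  # coldStart or warmStart
            findings.append((ts, device, f"{name}: device reinitialized"))
    return findings
```
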