Configure SNMP traps

Use SNMP traps to configure event notifications for the Firewall Threat Defense device. Traps are unsolicited notifications sent from the device to the management station for certain events, such as linkup, linkdown, and syslog event generation. Each SNMP trap includes an object ID (OID) for your device.

Some traps are not applicable to certain hardware models. These traps will be ignored if you apply the policy to one of these models. For example, not all models have field-replaceable units, so the Field Replaceable Unit Insert/Delete trap will not be configured on those models.

SNMP traps are defined in standard MIBs or in enterprise-specific MIBs. Standard traps are created by the IETF and documented in various RFCs. The Firewall Threat Defense software includes SNMP traps.

If needed, you can download RFCs, standard MIBs, and standard traps from this location:

http://www.IETF.org/

Browse the complete list of CISCO MIBs, traps, and OIDs using the SNMP Object Navigator on the Cisco website:

SNMP Object Navigator

In addition, download CISCO OIDs by FTP from this location:

ftp://ftp.cisco.com/pub/mibs/oid/oid.tar.gz

Procedure

Step 1

Choose Devices > Platform Settings and create or edit the Firewall Threat Defense policy.

Step 2

Click SNMP > SNMP Traps to configure SNMP traps (event notifications) for the Firewall Threat Defense device.

Step 3

Select the appropriate Enable Traps options. You can select either or both options.

  1. Check Enable All SNMP Traps to select all traps in the subsequent four sections.

  2. Check Enable All Syslog Traps to enable transmission of trap-related syslog messages.

Note
SNMP traps are of higher priority than other notification messages from the Firewall Threat Defense as they are expected to be near real-time. When you enable all SNMP or syslog traps, it is possible for the SNMP process to consume excess resources in the agent and in the network, causing the system to hang. If you notice system delays, unfinished requests, or timeouts, you can selectively enable SNMP and syslog traps. You can also limit the rate at which syslog messages are generated by severity level or message ID. For example, all syslog message IDs that begin with the digits 212 are associated with the SNMP class; see Configure syslog rate limits.

Step 4

The event-notification traps in the Standard section are enabled by default for an existing policy:

  • Authentication – Unauthorized SNMP access. This authentication failure occurs for packets with an incorrect community string.

  • Link Up – One of the device’s communication links has become available (it has “come up”), as indicated in the notification.

  • Link Down – One of the device’s communication links has failed, as indicated in the notification.

  • Cold Start – The device is reinitializing itself such that its configuration or the protocol entity implementation may be altered.

  • Warm Start – The device is reinitializing itself such that its configuration and the protocol entity implementation is unaltered.

Step 5

Select the desired event-notification traps in the Entity MIB section:

  • Field Replaceable Unit Insert – A Field Replaceable Unit (FRU) has been inserted, as indicated. (FRUs include assemblies such as power supplies, fans, processor modules, interface modules, etc.)

  • Field Replaceable Unit Delete – A Field Replaceable Unit (FRU) has been removed, as indicated in the notification

  • Configuration Change – There has been a hardware change, as indicated in the notification

Step 6

Select the desired event-notification traps in the Resource section:

  • Connection Limit Reached – This trap indicates that a connection attempt was rejected because the configured connections limit has been reached.

Step 7

Select the desired event-notification traps in the Other section:

  • NAT Packet Discard – This notification is generated when IP packets are discarded by the NAT function. Available Network Address Translation addresses or ports have fallen below configured threshold.

  • CPU Rising Threshold – This notification is generated when rising CPU utilization exceeds a predefined threshold for a configured period of time. Check this option to enable CPU rising threshold notifications:

    • Percentage – The default value is 70% for the high threshold notification; the range is 10 to 94%. The critical threshold is 95%.

    • Period – The default monitoring period is 1 minute; the range is 1 to 60 minutes.

  • Memory Rising Threshold – This notification is generated when rising memory utilization exceeds a predefined threshold, thus reducing available memory. Check this option to enable memory rising threshold notifications:

    • Percentage – The default value is 70% for the high threshold notification; the range is 50 to 95%.

  • Failover – This notification is generated when there is a change in the failover state as reported by the CISCO-UNIFIED-FIREWALL-MIB.

  • Cluster – This notification is generated when there is a change in the cluster health as reported by the CISCO-UNIFIED-FIREWALL-MIB.

  • Peer Flap – This notification is generated when there is BGP route flapping, a situation in which BGP systems send an excessive number of update messages to advertise network reachability information.

Step 8

Click Save.

You can now go to Deploy > Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.

After completing this task, SNMP traps are configured on the Firewall Threat Defense device, and event notifications will be sent to the management station for the selected events. This enables proactive monitoring and timely response to device events.