Customers and Partners can log in to view:
While it's possible to set up email notifications directly from an appliance, many admins prefer to use a monitoring tool. There are two options for monitoring system events using SNMP:
- Poll--the SNMP queries or pulls information from an appliance
- Trap--the appliance pushes event information to the SNMP server
Both options are described in detail in each appliance's administration guide. This article provides a brief summary for reference.
In SNMPv2, the "snmp community" is similar to a password. Make sure you change the <community> string with the correct SNMP community used for both snmp polling and SNMP traps.
In SNMPv3, the "snmp community" is replaced with a username, auth hash algorithm, auth password and an optional priv password.
|MNS||Network Management System|
Network Management System IP:
The IP address of the monitoring server getting the traps; it is not required if you are only polling the info off the device.
|Polling||The SNMP tool queries appliance the appliance on UDP Port 161 for statistics..|
|Traps||The appliance pushes alerts to the SNMP tool when specified thresholds are met or events occur.|
|OID||Object Identifier: A unique identifier representing a specific attribute, condition, or information about the appliance.|
|MIB||Management Information Base: Contains all the OIDs for traps and polling attributes available on the appliance. Common FireEye MIBs are:|
OIDs and MIBs may vary between appliance types and operating system versions. You can download the MIB from each appliance by going to Notifications > SNMP > Download our MIB file.
Example using an OID in Polling and Traps:
- Polling: The .126.96.36.199.4.1.168188.8.131.52 OID will return the appliance OS version
- Trapping: The appliance can use the .184.108.40.206.4.1.255220.127.116.11.1 OID in a trap to send the FireEye appliance OS version when it has exceeded its own temperature threshold
To enable SNMP on an appliance:
hostname # enable
hostname # configure terminal
hostname (Config) # snmp-server enable
hostname (Config) # snmp-server enable communities
hostname (Config) # snmp-server listen enable
hostname (Config) # snmp-server enable notify
hostname (Config) # snmp-server host <$NMS_IP> traps <community>
<$NMS_IP> = the IP address of the monitoring server receiving traps; not required for polling
hostname (Config) # snmp-server community <community> ro
In SNMPv2, the "snmp community" is like a password. Ensure the <community> string is correct for both SNMP polling and SNMP traps
hostname(Config) # snmp-server user <$username> v3 auth <$hash_algorithm> <$password>
hostname(Config) # snmp-server user <$username> v3 enable
In SNMPv3, the "snmp community" is replaced with a username, auth hash algorithm, auth password, and an optional priv password.
SNMP Polls (Query/ Request)
To configure polling, download the FE-FIREEYE-MIB from the appliance (Notifications > SNMP > Download our MIB file) and load it into the SNMP tool. Most SNMP browsers can retrieve the values the appliance supports, and then display them in a hierarchy so you can find the value you need to include in the request.
SNMP polling uses UDP port 161 to pull information from the appliance. You can set a threshold on the NMS (Network Management System) for the polled data, but that threshold is on the NMS only--the appliance has no record of it.
For more details, see “Retrieving SNMP Data” in your appliance's System Administration Guide.
SNMP Traps (Event Push)
Event notifications (known as traps) are sent by the appliance to the SNMP manager. Traps typically report alarm conditions such as a disk failure or excessive temperature.
SNMP traps use UDP port 162 to push alerts from an appliance to the SNMP server. For alerts based on thresholds, the threshold is configured on the appliance itself. In some cases, an additional trap may be sent when a value that exceeded a threshold returns to acceptable limits (Rising and Falling).
For more details, see “Sending Traps” in your appliance's System Administration Guide.
To enable the appliance to send notifications to the SNMP server for specific events, use the following CLI command:
hostname (config)# snmp-server notify event <$event>
hostname (config)# write memory
The events available for notification may vary between appliance types and operating system versions. The table below shows examples of events and event descriptions. For a list of events actually available on each appliance, use the following CLI command:
hostname (config)# snmp-server notify event ?
- Note: as of 09 February 2017, event thresholds cannot be adjusted.
|deployment-check-failure||Deployment check has failed.|
|deployment-check-recover||Deployment check has recovered.|
|disk-space-low||File system free space has fallen too low.|
|excessive-temperature||Excessive temperature has been reached.|
|fan-failure||A fan has failed.|
|fan-recover||A fan has recovered.|
|hardware-bypass-entered||Permanent hardware bypass mode entered.|
|http-throughput||HTTP throughput has not increased for a specified time.|
|if-link-change||An interface link has changed.|
|interface-down||An interface's link state has changed to down.|
|interface-up||An interface's link state has changed to up.|
|license-state-changed||A license state has changed.|
|normal-temperature||Temperature is normal.|
|physical-disk-failure||A physical disk has failed.|
|physical-disk-recover||A physical disk has recovered.|
|power-supply-failure||A power supply has failed.|
|power-supply-recover||A power supply has recovered.|
|aid-status-failure||A RAID error has occurred.|
|raid-status-recover||A RAID has recovered.|
|security-update-failure||Security update has failed.|
|sizing-threshold-exceeded||One of the sizing measurement has exceeded threshold.|
|sizing-threshold-normal||All sizing measurements have returned to normal.|
|snmp-authtrap||An SNMP v3 request has failed authentication.|