SNMP community settings do not match across cluster members-paloaltonetworks-panos


Vendor: paloaltonetworks

OS: panos

Description:
Indeni will identify when two devices are part of a cluster and alert if the SNMP settings do not match.

Remediation Steps:
Ensure all of the SNMP settings are configured correctly on all cluster members.

How does this work?
This alert uses the Palo Alto Networks API to parse the SNMP Trap profiles and alerts the admin if the community name is set to “PUBLIC” or “PRIVATE”.

Why is this important?
If default SNMP communities such as “public” or “private” are configured, unauthorized clients could poll the device.

Without Indeni how would you find this?
Log in to the device’s web interface and click on “Device” -> “Server Profiles” -> “SNMP Trap”.

panos-snmp-trap-default-community

name: panos-snmp-trap-default-community
description: Make sure the Community names are not set with the default ones so that
    we can maintain unique community strings and have no conflicts in the network
    with multiple SNMP services being used.
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: paloaltonetworks
    os.name: panos
    product: firewall
comments:
    snmp-communities:
        why: |
            If default SNMP communities such as "public" or "private" are configured, unauthorized clients could poll the device.
        how: |
            This alert uses the Palo Alto Networks API to parse the SNMP Trap profiles and alerts the admin if the community name is set to "PUBLIC" or "PRIVATE".
        without-indeni: |
            Log in to the device's web interface and click on "Device" -> "Server Profiles" -> "SNMP Trap".
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: Can be done through Management GUI.
steps:
-   run:
        type: HTTP
        command: /api/?type=config&action=get&xpath=/config/shared/log-settings/snmptrap&key=${api-key}
    parse:
        type: XML
        file: panos-snmp-trap-default-community.parser.1.xml.yaml

cross_vendor_snmp_communities_comparison

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.SnapshotComparisonTemplateRule
import com.indeni.server.rules.RemediationStepCondition

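/**
  * Compares the "snmp-communities" metric across the members of a cluster and
  * alerts when the values differ.
  */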
case class cross_vendor_snmp_communities_comparison() extends SnapshotComparisonTemplateRule(
  ruleName = "cross_vendor_snmp_communities_comparison",
  ruleFriendlyName = "Clustered Devices: SNMP community settings do not match across cluster members",
  ruleDescription = "Indeni will identify when two devices are part of a cluster and alert if the SNMP settings do not match.",
  metricName = "snmp-communities",
  isArray = true,
  alertDescription = "Devices that are part of a cluster should have the same SNMP configuration. Review the differences below.",
  baseRemediationText = "Ensure all of the SNMP settings are configured correctly on all cluster members.")(
  RemediationStepCondition.VENDOR_CISCO ->
    """|
      |1. Ensure all of the SNMPv2 communities are configured correctly on all cluster members by using the "show snmp" NX-OS command.
      |2. Configure the same SNMPv2c communities by using the following command "snmp-server community name group { ro | rw }" across the peer switches.
      |3. For more information, review the following Cisco configuration guide:
      |https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/configuration/guide/sm_nx_os_cg/sm_9snmp.html
    """.stripMargin
)
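
The two checks described above (default trap communities, and community mismatches between cluster members), as an added Python example; it is not Indeni's parser or rule code. The XML responses are constructed, the `version/v2c/server/entry/community` layout under `snmptrap` is an assumption about the response to the API call in the YAML rule, and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample responses for two cluster members (not captured from a device).
# Assumed layout: snmptrap/entry[@name]/version/v2c/server/entry/community
MEMBER_A = """<response status="success"><result><snmptrap>
  <entry name="trap-noc"><version><v2c><server>
    <entry name="nms1"><manager>192.0.2.10</manager><community>PUBLIC</community></entry>
  </server></v2c></version></entry>
  <entry name="trap-soc"><version><v2c><server>
    <entry name="nms2"><manager>192.0.2.20</manager><community>s0c-Tr4ps</community></entry>
  </server></v2c></version></entry>
</snmptrap></result></response>"""

MEMBER_B = MEMBER_A.replace("s0c-Tr4ps", "soc-traps-old")


def trap_communities(xml_text):
    """Return {profile name: sorted community strings} from one API response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call failed: status=%r" % root.get("status"))
    profiles = {}
    for profile in root.findall("./result/snmptrap/entry"):
        found = {c.text.strip() for c in profile.iter("community") if c.text}
        profiles[profile.get("name")] = sorted(found)
    return profiles


def default_community_profiles(profiles):
    """Profiles that use "public" or "private" in any letter case."""
    return sorted(name for name, comms in profiles.items()
                  if any(c.lower() in DEFAULT_COMMUNITIES for c in comms))


def cluster_mismatches(a, b):
    """Profiles whose communities differ between two members or exist on only one."""
    return sorted(name for name in set(a) | set(b) if a.get(name) != b.get(name))


if __name__ == "__main__":
    a, b = trap_communities(MEMBER_A), trap_communities(MEMBER_B)
    # Report profile names only, so community strings do not end up in logs.
    print("default communities:", default_community_profiles(a))
    print("cluster mismatches:", cluster_mismatches(a, b))
```

The default-community match is case-insensitive, so it catches both the "PUBLIC" and the "public" spellings used in the rule text.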

This is very cool. I would like to see similar posts regarding this. Thanks.
