レザ
Jan 03, 2023
Solved

How to limit some snmp mib access

Hi, folks. How can I limit some SNMP (SNMPv2) MIBs from being accessed by a monitoring system (for example PRTG). I want the monitoring system to be able to monitor all items on F5-BIGIP-SYSTEM-MIB...
  • JRahm
    Jan 04, 2023

    If you translate the globals in each of those MIBs, you'll see where you can delineate in your OID string:

    [root@ltm3:Active:Standalone] mibs # snmptranslate -On F5-BIGIP-SYSTEM-MIB::sysGlobals
    .1.3.6.1.4.1.3375.2.1.1
    [root@ltm3:Active:Standalone] mibs # snmptranslate -On F5-BIGIP-LOCAL-MIB::ltmGlobals
    .1.3.6.1.4.1.3375.2.2.1
    [root@ltm3:Active:Standalone] mibs # snmptranslate -On F5-BIGIP-GLOBAL-MIB::gtmGlobals
    .1.3.6.1.4.1.3375.2.3.1

    So if you want to define a community string that will only be allowed to read from the F5-BIGIP-SYSTEM-MIB, but not the others, you can set the string to allow everything from:

    .1.3.6.1.4.1.3375.2.1

    which, once applied, would look something like this:

    sys snmp {
        agent-addresses { tcp6:161 udp6:161 }
        communities {
            if5devcentralrocks_1 {
                community-name f5devcentralrocks
                oid-subset .1.3.6.1.4.1.3375.2.1
                source 192.168.1.245
            }
        }
    ...
    }
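
An added example (not part of the original answer, and not F5 code): a Python check that reads a `sys snmp` stanza and reports which of the three MIB subtrees each community can read, comparing OIDs arc by arc so that `.2.10` is not mistaken for a child of `.2.1`. The `wideopen` community in the sample is constructed, and treating a missing `oid-subset` as the whole tree is an assumption.

```python
import re

# OIDs exactly as printed by snmptranslate in the answer above.
MIB_GLOBALS = {
    "F5-BIGIP-SYSTEM-MIB::sysGlobals": ".1.3.6.1.4.1.3375.2.1.1",
    "F5-BIGIP-LOCAL-MIB::ltmGlobals": ".1.3.6.1.4.1.3375.2.2.1",
    "F5-BIGIP-GLOBAL-MIB::gtmGlobals": ".1.3.6.1.4.1.3375.2.3.1",
}

# Constructed sample: the community from the answer plus a hypothetical wide-open one.
SAMPLE = """
sys snmp {
    communities {
        if5devcentralrocks_1 {
            community-name f5devcentralrocks
            oid-subset .1.3.6.1.4.1.3375.2.1
            source 192.168.1.245
        }
        iwideopen_1 {
            community-name wideopen
            oid-subset .1
        }
    }
}
"""

def arcs(oid):
    return tuple(int(a) for a in oid.strip(".").split("."))

def in_subtree(oid, root):
    """Compare arc by arc: .2.10 is not under .2.1, though it shares the text prefix."""
    return arcs(oid)[:len(arcs(root))] == arcs(root)

def parse_communities(text):
    # Innermost { ... } blocks only; keep those that define a community-name.
    found = {}
    for body in re.findall(r"\{([^{}]*)\}", text):
        pairs = (line.split(None, 1) for line in body.splitlines())
        fields = {p[0]: p[1].strip() for p in pairs if len(p) == 2}
        if "community-name" in fields:
            found[fields["community-name"]] = fields
    return found

def audit(text):
    report = {}
    for name, f in parse_communities(text).items():
        root = f.get("oid-subset", ".1")  # assumption: no oid-subset means the whole tree
        readable = [m for m, oid in MIB_GLOBALS.items() if in_subtree(oid, root)]
        report[name] = {"readable": readable, "source_restricted": "source" in f}
    return report
```

Calling `audit()` on the text of the `sys snmp` stanza returns, per community, the MIB globals it can reach and whether a `source` restriction is set.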