1. Check whether the alarms are recorded in the trap buffer. The trap buffer shows the traps for the alarms:
2. Capture packets on the eSight side. The eSight server runs Windows, so we can capture with Wireshark. No trap is observed arriving at the eSight server.
3. Validate the snmp-agent statistics to confirm whether traps are processed correctly
4. Confirm that communication between the Local zone and the zone where the eSight is connected is allowed in both directions.
First confirm the zone to which the interface connected to eSight belongs. According to the SNMP trap source of the device, the outgoing interface that communicates with the eSight server is Vlanif43.
Note: The real vlanif name is edited to protect customer data.
Then we check which zone Vlanif43 has been added to. It is found that Vlanif43 is added to the zone named PRIV (name also edited to protect customer data).
Check whether there are security policy rules that allow PRIV Zone to Local Zone and Local Zone to PRIV Zone.
Rule for PRIV ZONE to Local communication
Rule for Local to PRIV ZONE communication
We can focus on this rule, since the traps go from Local to PRIV ZONE. Several service sets are allowed by it. One of them is named “SNMP saliente” (translated as SNMP Outgoing), so we check that service set.
The above service set allows SNMP messages exchanged with the NMS, such as GET-Request, GET-NEXT-REQUEST, GET-RESPONSE, SET-REQUEST and so on, because the source port on the device is 161 and the destination port on the NMS side is random.
However, for trap messages, the source port at the device end is random and the destination port at the NMS should be 162. The above rule does not meet this requirement, so the firewall won’t allow the outgoing trap messages.
Here we can define a new service set that allows SNMP traps to be sent from Local Zone to PRIV Zone. After this, the traps can be sent from the USG to eSight and the alarms are displayed correctly in eSight.
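
The port-matching reasoning above can be checked offline before and after the change. The following is an added example, not taken from the device or from eSight: it parses service-set entries and tests whether a GET-RESPONSE and a trap leaving the firewall would match. The entry syntax is modeled on USG `ip service-set` entries, and the contents of both service sets, the name `SNMP_TRAP` and the sample port 50123 are assumptions.

```python
import re

# Entry syntax modeled on USG "ip service-set" entries (assumption), e.g.
#   service 0 protocol udp source-port 161 destination-port 0 to 65535
ENTRY = re.compile(
    r"service\s+\d+\s+protocol\s+(?P<proto>\w+)"
    r"(?:\s+source-port\s+(?P<s_lo>\d+)(?:\s+to\s+(?P<s_hi>\d+))?)?"
    r"(?:\s+destination-port\s+(?P<d_lo>\d+)(?:\s+to\s+(?P<d_hi>\d+))?)?\s*$")

def _range(lo, hi):
    # An omitted port keyword is treated as "any port".
    if lo is None:
        return (0, 65535)
    return (int(lo), int(hi or lo))

def parse_service_set(text):
    """Return a list of (proto, src_range, dst_range) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m["proto"].lower(),
                            _range(m["s_lo"], m["s_hi"]),
                            _range(m["d_lo"], m["d_hi"])))
    return entries

def permits(entries, proto, sport, dport):
    """True if any entry matches the protocol and both ports."""
    return any(p == proto and s[0] <= sport <= s[1] and d[0] <= dport <= d[1]
               for p, s, d in entries)

# Constructed service sets: the existing one as described in the text,
# and a new one for traps (names and contents are assumptions).
SNMP_OUT = "service 0 protocol udp source-port 161 destination-port 0 to 65535"
SNMP_TRAP = "service 0 protocol udp source-port 0 to 65535 destination-port 162"

# Constructed flows from Local to PRIV; 50123 stands in for a random port.
FLOWS = {
    "get-response": ("udp", 161, 50123),
    "trap": ("udp", 50123, 162),
}

def audit(*service_sets):
    """Map each sample flow to whether the given service sets permit it."""
    entries = [e for s in service_sets for e in parse_service_set(s)]
    return {name: permits(entries, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    print("before:", audit(SNMP_OUT))
    print("after: ", audit(SNMP_OUT, SNMP_TRAP))
```

With only the existing service set the trap flow is not matched; adding the trap service set makes both flows match.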