Publication Date: 2020-07-24 | Views: 643 | Downloads: 0 | Author: r80044525 | Document ID: EKB1100052840
On eSight, no alarm is observed for the USG6620, even though SNMP communication is working (the SNMP protocol test from eSight succeeds) and the configuration is correct.
1. Check whether the alarms are recorded in the trap buffer. In the trap buffer we can see the traps for the alarms:
2. Capture packets on the eSight side. The eSight server runs Windows, so we can capture with Wireshark. No trap is observed arriving at the eSight server.
3. Check the snmp-agent statistics to confirm whether traps are processed correctly.
4. Confirm that communication between the Local zone and the zone where eSight is connected is allowed in both directions.
First confirm the Zone to which the interface connected to eSight belongs. According to the SNMP trap source configured on the device, the outgoing interface that communicates with the eSight server is Vlanif43.
Note: The real vlanif name is edited to protect customer data.
Then we check which Zone Vlanif43 has been added to. It is found that Vlanif43 is added to the zone named PRIV (name also edited to protect customer data).
Check whether there are Security Policy rules that allow PRIV Zone to Local Zone and Local Zone to PRIV Zone.
Rule for PRIV ZONE to Local communication
Rule for Local to PRIV ZONE communication,
We can focus on this rule, since the traps will go from Local to PRIV ZONE. Several service sets are found to be allowed. One of them is named “SNMP saliente” (translated as SNMP Outgoing), so we check that service set.
The above service set allows the SNMP management messages exchanged between the NMS and the device, such as GET-Request, GET-NEXT-Request, GET-Response and SET-Request, because for those messages the source port on the device is 161 and the destination port on the NMS side is a random (ephemeral) port.
However, for trap messages the source port on the device is random and the destination port on the NMS must be 162. The above rule does not match this traffic, so the firewall does not allow the outgoing trap messages.
Here we can define a new service set that allows SNMP traps to be sent from the Local Zone to the PRIV Zone. After this, the traps can be sent from the USG to eSight and the alarms are displayed correctly in eSight.
The service set defined in the Security Policy rule for Local Zone to the Zone where eSight is located does not allow trap messages to be sent from the USG to eSight (destination port UDP 162).
Configure a service set to allow the SNMP trap messages to be sent from the USG to eSight and add the service set to the correspondent Security Policy Rule:
1. Create the service-set to allow sending the traps from any port of the USG to the port 162 of the NMS.
2. Add the service set to the Security Policy Rule that allows communication from Local Zone to the Zone where the eSight is located, in this case PRIV Zone.
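The two steps above, written out as an added configuration example (not taken from the original case, which shows them as screenshots). It assumes USG6000-series CLI syntax; the zone name PRIV and the interface Vlanif43 come from the case, while the service-set name snmp-trap and the rule name local-to-priv are placeholders for the customer's real names. The first block reconstructs what the case says about the existing "SNMP saliente" service set, for contrast with the corrected one.

```text
# Existing service set as described in the case (reconstructed): matches only
# traffic whose source port on the device is 161, i.e. GET/SET/RESPONSE PDUs.
# A trap leaves the device from a random source port towards UDP 162, so it
# never matches this set and the firewall drops it.
ip service-set "SNMP saliente" type object
 service 0 protocol udp source-port 161 destination-port 0 to 65535

# Step 1: new service set for traps: any source port on the USG, destination
# port 162 on the NMS (eSight).
ip service-set snmp-trap type object
 service 0 protocol udp source-port 0 to 65535 destination-port 162

# Step 2: add the new service set to the Local -> PRIV rule, keeping the
# existing management service set so GET/SET traffic keeps working.
security-policy
 rule name local-to-priv
  source-zone local
  destination-zone PRIV
  service "SNMP saliente"
  service snmp-trap
  action permit

# Verification (same checks as troubleshooting steps 1 and 3):
#   display trapbuffer             - traps are still generated locally
#   display snmp-agent statistics  - trap send counter increases
# and a Wireshark capture on the eSight server should now show UDP/162 from
# the Vlanif43 address of the USG.
```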