SNMP
The SNMP page lets you configure Simple Network Management Protocol (SNMP) settings on Sophos switches, including configuring users and groups, community strings, view lists and access lists, and notification settings for secure network monitoring and management.
Go to Switches, select a switch, stack, or site, and click SNMP to configure SNMP.
Global settings
The Global settings tab lets you turn SNMP on or off and configure the Engine ID for SNMPv3.
You can configure the following settings:
- SNMP status: Select On or Off to turn SNMP on or off. Select Not set to use the local switch configuration.
- Engine ID: Set a hexadecimal value of 10 to 64 characters (5 to 32 octets). This value uniquely identifies the switch's SNMP engine. SNMPv3 derives each user's localized authentication and encryption keys from it and, together with the engine's boot and time counters, uses it to detect replayed, delayed, or redirected messages. We recommend selecting Default to use the default value.
Warning
Deleting or changing the Engine ID clears all local SNMP users, because their SNMPv3 keys are localized to the Engine ID and no longer match. You must reconfigure them.
Configuration source shows the origin of the SNMP settings.
Click Update to save your changes.
Click Clear to reset the values.
Users and groups
SNMP users add security to your network by adding authentication, authorization, and encryption to SNMP monitoring and management. Users & Communities lets you manage access to SNMP devices by creating SNMP users to associate with the Groups you create. You must create at least one group if you want to use access lists.
The Users & Communities list shows the Name, Protocols, and Authentication settings for all SNMP users on the switch. Configuration source shows the origin of the user's settings.
To add users and communities, do as follows:
- Under Users and Communities, click Add.
- Enter the following information:
  - Name: The name for the user. It must be from 4 to 20 characters and can't include ", \, %, &, ?, ', !, ;, |, +, or spaces.
  - Privilege mode: Select one of the following options. They correspond to the SNMPv3 security levels noAuthNoPriv, authNoPriv, and authPriv.
    - No authentication: Doesn't authenticate users or encrypt messages.
    - Authentication: Authenticates users before they can interact with devices, but sends messages unencrypted.
    - Privilege: Authenticates users and encrypts SNMP messages.
  - Authentication protocol: Select one of the following options:
    - MD5: Use HMAC-MD5-96.
    - SHA: Use HMAC-SHA-96.
  - Authentication password: Enter the password you want to use. It must be from 8 to 32 characters and can't include ", \, %, &, ?, ', !, ;, |, +, or spaces.
  - Encryption protocol: Select the privacy protocol used to encrypt SNMP messages.
    - DES_CBC: Data Encryption Standard in Cipher Block Chaining mode (56-bit key, 64-bit block).
    - AES_CFB128: 128-bit Advanced Encryption Standard in Cipher Feedback mode.
  - Encryption password: Enter the password you want to use. It must be from 8 to 40 characters and can't include ", \, %, &, ?, ', !, ;, |, +, or spaces.
  Choose SHA and AES_CFB128 unless a manager only supports the older algorithms. MD5 and DES are both deprecated, and DES offers only a 56-bit key.
- (Optional) Select Enable SNMP v1/v2c for this user.
  SNMPv1 and SNMPv2c control access using a community string as the password. Selecting this option creates a community using the Name entered and associates the user with it. The community string is transmitted in plain text, so it's less secure than SNMPv3 authentication and encryption and should only be used for legacy managers that don't support SNMPv3.
  SNMPv1 and SNMPv2c send information to SNMP managers based on transport tags. You can enter a Transport tag to restrict the community to specific SNMP managers. Transport tags ensure that SNMP messages are only sent to and accepted from those devices: if a request arrives from an address that isn't associated with the community's tag, the switch doesn't respond. You must define these values as the Tag identifier at Notifications > Target address. See Notifications.
- Click Add.
To delete users, select the ones you want to remove and click Delete.
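The Engine ID warning under Global settings and the Privilege mode choices above follow from how SNMPv3 (RFC 3414) turns a user's password into a key. The following added example, which is not part of this page or of Sophos's code, reproduces that derivation with the Python standard library: the password is hashed into a key Ku, then localized to the Engine ID, and the localized key is what the switch stores. The Engine ID format check mirrors the 10 to 64 hex character limit stated above; the requirement that the length be even is this example's own, since it converts the string to bytes. The test values are the published RFC 3414 appendix A.3 vectors (password "maplesyrup", Engine ID 000000000000000000000002).

```python
import hashlib
import hmac
import re

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def is_valid_engine_id(engine_id_hex: str) -> bool:
    """Engine ID check matching the switch UI limits: hex, 10 to 64 characters,
    which is the 5 to 32 octets RFC 3411 allows for snmpEngineID. Requiring an
    even length is this example's own addition so the string converts to bytes."""
    return (bool(HEX_RE.match(engine_id_hex))
            and len(engine_id_hex) % 2 == 0
            and 10 <= len(engine_id_hex) <= 64)


def password_to_key(password: str, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated until 1,048,576 bytes have
    been consumed. The result Ku does not depend on any engine."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    expanded = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku).
    Because snmpEngineID is hashed in, changing the Engine ID changes every
    user's stored key, which is why the switch clears its local users."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id_hex: str, hash_name: str = "sha1") -> bytes:
    """Full derivation from an Authentication or Encryption password to the key
    localized for one switch. hash_name is 'md5' or 'sha1' (the MD5/SHA options)."""
    if not is_valid_engine_id(engine_id_hex):
        raise ValueError("engine ID must be 10 to 64 hex characters")
    engine_id = bytes.fromhex(engine_id_hex)
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def auth_parameters(kul: bytes, whole_msg: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: msgAuthenticationParameters is the first
    12 bytes of an HMAC over the whole message, keyed with the localized key."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:12]


if __name__ == "__main__":
    # RFC 3414 A.3 test vector: password "maplesyrup", 12-octet Engine ID ending in 02.
    eid = "000000000000000000000002"
    for name in ("md5", "sha1"):
        print(name, "localized key:", localized_key("maplesyrup", eid, name).hex())
    # Same password, different Engine ID: a different key, so the old user entry is useless.
    print("after Engine ID change:", localized_key("maplesyrup", "000000000000000000000003").hex())
```

The same localization applies to the Encryption password, so both keys of every user change when the Engine ID does. The `auth_parameters` helper shows the 12-byte truncation behind the "-96" in HMAC-SHA-96: the authenticator sent on the wire is not the full digest.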
SNMP groups help you control network access by organizing your SNMP users and assigning them different management rights depending on their access needs. You can then add these groups to access lists to control access to SNMP devices in your network.
The Groups list shows the Group name, Security mode, and Security name for all SNMP groups on the switch.
To add groups, do as follows:
- Under Groups, click Add.
- Enter a Group name. It must be from 1 to 30 characters and can't include ", \, %, &, ?, ', !, ;, |, +, or spaces.
- Use the checkboxes to select the users and SNMP versions you want to add to the group.
  Tip
  Selecting the checkbox at the top of the v1, v2c, or v3 columns selects that security mode for all available users.
- Click Add.
Note
You'll see an error if you select users without the necessary privilege for the selected Security mode or who are already in another group with the same settings. However, Sophos Central still creates the group without those users.
Click on a group's name to edit its settings.
To delete groups, select the checkbox next to the groups you want to remove and click Delete.
Views and access list
Views and access lists give you granular control over which Management Information Base (MIB) Object Identifiers (OIDs) your SNMP users can read, write, or receive notifications about.
Note
We recommend familiarizing yourself with MIBs and OIDs before configuring Views and Access lists. See MIBs and OIDs.
SNMP uses information defined in the MIB files to manage and monitor your network devices. Within the MIB file, a hierarchical namespace containing OIDs organizes the information about a device. Creating views to add to your access lists lets you specify exactly which OIDs SNMP users can interact with.
Views shows the name and OID mappings for all views on the switch.
To configure a new view, do as follows:
- Under Views, click Add.
- Enter a View name. It must be from 1 to 20 characters and can't include ", \, %, &, ?, ', !, ;, |, +, or spaces.
- Click Add new mapping.
  A new line is created in the OID mappings table.
- Enter the Subtree OID. This is the dotted-decimal OID of the MIB subtree (for example, 1.3.6.1.2.1 for mib-2) that the view includes or excludes. Every object below that subtree is covered by the entry.
- Enter the Subtree mask. This is an integer between 1 and 20 that identifies groups of related objects within the MIB. The number identifies the level at which the SNMP manager applies the mask. For example, a Subtree mask of 5 only applies to objects at the fifth level of the MIB tree.
- Select the View type. Select whether the OID subtree will be Included in or Excluded from the view. If you mark an entry as Excluded, we recommend also creating an Included entry whose subtree contains the Excluded subtree: the Included entry grants the broader branch and the Excluded entry carves out the part you want to hide. When an OID matches more than one entry, the entry with the most specific (longest) subtree decides, which is the standard VACM rule.
- (Optional) Click Add new mapping to add more OID mappings. You can repeat this multiple times.
- Click Save.
Click on a view's name to edit its settings.
To delete views, select the checkbox next to the ones you want to remove and click Delete.
SNMP access lists let you control which SNMP groups can interact with specific devices on your network and the levels of interaction they're allowed. You can use access lists to specify read, write, and notify privileges for specific groups and view lists. You must create at least one group to create an access list.
Access list shows the name, security and privilege modes, and read, write, and notify views for all access lists on the switch.
To create an access list, do as follows:
- Under Access lists, click Add.
- Select the group to which you want the access list to apply from the drop-down list.
  The group's Security mode and Privilege mode details are shown in the table. You can adjust the Privilege mode settings.
- Select a Read view for each version of SNMP turned on for the group. This is the view whose OIDs the group is allowed to read.
- Select a Write view for each version of SNMP turned on for the group. This is the view whose OIDs the group is allowed to set.
- Select a Notify view for each version of SNMP turned on for the group. This is the view whose OIDs may appear in the SNMP trap and inform messages the switch's SNMP agent sends to the group.
- Click Save.
Click on an access list's name to edit its settings.
To delete access lists, select the checkbox next to the lists you want to remove and click Delete.
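The Views and Access lists tabs together form a VACM (RFC 3415) policy: an access list maps a group and security level to read, write, and notify views, and each view is a set of included and excluded subtrees. The following added example is not part of this page or of Sophos's code; it evaluates such a policy in Python so you can check, before applying it, what a given group could do with a given OID. The configuration in it is constructed for illustration (group names, view names, and the choice to carve the ip subtree out of mib-2 are all assumptions), and it treats every subtree mask as "all sub-identifiers must match", which is the default when no mask is set.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SNMPv3 security levels in increasing order of protection (the three Privilege modes).
LEVEL_RANK = {"noauth": 0, "auth": 1, "priv": 2}


def parse_oid(oid: str) -> Tuple[int, ...]:
    """'1.3.6.1.2.1.1.1.0' -> (1, 3, 6, 1, 2, 1, 1, 1, 0); a leading dot is tolerated."""
    return tuple(int(part) for part in oid.strip(".").split("."))


@dataclass(frozen=True)
class ViewEntry:
    subtree: Tuple[int, ...]   # Subtree OID
    included: bool             # View type: Included (True) or Excluded (False)


@dataclass(frozen=True)
class AccessEntry:
    group: str
    model: str                 # SNMP version the entry applies to: v1, v2c or v3
    min_level: str             # lowest security level the entry accepts
    read: Optional[str]        # view names; None means no access for that operation
    write: Optional[str]
    notify: Optional[str]


def oid_in_view(view: List[ViewEntry], oid: str) -> bool:
    """RFC 3415 view check: among entries whose subtree is a prefix of the OID,
    the longest (most specific) one decides. No matching entry means not in view.
    Subtree masks are treated as all-ones, so every sub-identifier must match."""
    target = parse_oid(oid)
    best: Optional[ViewEntry] = None
    for entry in view:
        n = len(entry.subtree)
        if target[:n] == entry.subtree and (best is None or n > len(best.subtree)):
            best = entry
    return best is not None and best.included


def select_access(access: List[AccessEntry], group: str, model: str,
                  level: str) -> Optional[AccessEntry]:
    """Pick the access entry for this group and version whose minimum security
    level the request meets; among several, the strictest qualifying entry wins."""
    candidates = [a for a in access
                  if a.group == group and a.model == model
                  and LEVEL_RANK[a.min_level] <= LEVEL_RANK[level]]
    if not candidates:
        return None
    return max(candidates, key=lambda a: LEVEL_RANK[a.min_level])


def is_allowed(views: Dict[str, List[ViewEntry]], access: List[AccessEntry],
               group: str, model: str, level: str, op: str, oid: str) -> bool:
    """op is 'read', 'write' or 'notify'. Fails closed whenever a piece is missing."""
    entry = select_access(access, group, model, level)
    if entry is None:
        return False
    view_name = getattr(entry, op)
    if view_name is None or view_name not in views:
        return False
    return oid_in_view(views[view_name], oid)


# Constructed sample policy (assumed names, not from any real switch).
VIEWS: Dict[str, List[ViewEntry]] = {
    # mib-2 with the ip group (1.3.6.1.2.1.4) carved out: an Included entry
    # that contains the Excluded one, as the Views tab recommends.
    "mib2-no-ip": [ViewEntry(parse_oid("1.3.6.1.2.1"), True),
                   ViewEntry(parse_oid("1.3.6.1.2.1.4"), False)],
    "everything": [ViewEntry(parse_oid("1"), True)],
}
ACCESS: List[AccessEntry] = [
    AccessEntry("monitoring", "v3", "auth", read="mib2-no-ip", write=None, notify="mib2-no-ip"),
    AccessEntry("admins", "v3", "priv", read="everything", write="everything", notify="everything"),
]

if __name__ == "__main__":
    checks = [
        ("monitoring", "v3", "auth", "read", "1.3.6.1.2.1.1.1.0"),     # sysDescr: allowed
        ("monitoring", "v3", "auth", "read", "1.3.6.1.2.1.4.20.1.1"),  # ipAdEntAddr: excluded
        ("monitoring", "v3", "auth", "write", "1.3.6.1.2.1.1.5.0"),    # no write view
        ("monitoring", "v3", "noauth", "read", "1.3.6.1.2.1.1.1.0"),   # below minimum level
        ("admins", "v3", "auth", "write", "1.3.6.1.2.1.1.5.0"),        # admins need authPriv
        ("admins", "v3", "priv", "write", "1.3.6.1.2.1.1.5.0"),        # sysName: allowed
    ]
    for check in checks:
        print(check, "->", is_allowed(VIEWS, ACCESS, *check))
```

Two behaviours are worth noticing: a request at a higher security level than the access entry's Privilege mode still qualifies (authPriv satisfies an authNoPriv entry), and an excluded subtree wins over an enclosing included one only because it is longer, so an Excluded entry with no enclosing Included entry hides nothing that was not already hidden.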
MIBs and OIDs
MIBs are a reference for SNMP managers and are essentially databases of organized information about SNMP devices. The Sophos Switch MIB files are available from Sophos Central. To download the Sophos Switch MIB files, do as follows:
- Go to Devices > Installers.
- Under Switches, click Download SNMP MIB files to download an archive containing MIB files for all Sophos Switch models.
- Save the archive to a location of your choice.
- Extract the MIB files from the archive.
Every OID identifies a variable that can be read or set via SNMP. There is a large set of standard OIDs, and vendors often define their own OIDs for their hardware under their enterprise branch. See OID or check your vendor documentation.
Notifications
You can control how SNMP devices communicate with each other by configuring notifications, target parameters, and target addresses.
All SNMP notifications require Target parameters. They define the SNMP versions, security level, and privilege when sending notifications. This information is separate from target addresses, meaning you can associate multiple target addresses with a single target parameter.
Target parameters shows the name, security settings, privilege mode, and user associated with all Target parameters on the switch.
To add target parameters, do as follows:
- Under Target parameters, click Add.
- Enter a Name. It must be from 1 to 30 characters and can't include ", \, %, &, ?, ', !, ;, |, +, or spaces.
- Choose the Message processing model from the drop-down list. Select v1, v2c, or v3.
- Choose the Security mode from the drop-down list. Select v1, v2c, or v3.
  If you select v3 you must also select the Privilege mode.
- Select a User from the drop-down list.
- Click Save.
Click on a target parameter's name to edit its settings.
To delete target parameters, select the checkbox next to the ones you want to remove and click Delete.
SNMP notifications are messages sent between SNMP devices. You can choose the type of notifications the switch sends to an SNMP manager when an event occurs and tag them for easy categorization.
Notifications shows the name, tag, and type of message for all notifications on the switch.
To add notifications, do as follows:
- Under Notifications, click Add.
- Enter the following information:
  - Notify name: Enter a name. It must be from 1 to 32 characters and can't include ", \, %, &, ?, ', !, ;, |, +, or spaces.
  - Tag identifier: Enter the tag identifier string. The notification is sent to every target address that carries the same tag. It must be from 1 to 20 characters and can't include ", \, %, &, ?, ', !, ;, |, +, or spaces.
  - Notify type: Select one of the following options:
    - Traps: Traps are one-way messages. The manager doesn't acknowledge them, so delivery is neither confirmed nor guaranteed.
    - Informs: SNMPv2c and SNMPv3 only. Inform messages are more reliable because the manager acknowledges receipt and the switch resends them if no acknowledgment arrives. However, they consume more system and network resources.
- Click Save.
Click on a notification's name to edit its settings.
To delete notifications, select the checkbox next to the notifications you want to remove and click Delete.
Sending SNMP notifications requires target addresses. They tell SNMP agents the domain and address information of the recipient, the port to use, and how often to send or retry notifications. You must have at least one target parameter configured before you can configure a target address.
Target address shows the name, IP address, and communication settings for all target addresses on the switch.
To configure a target address, do as follows:
- Under Target address, click Add.
- Configure the following settings:
  - Target address name: Enter a name. It must be from 1 to 32 characters and can't include ", \, %, &, ?, ', !, ;, |, +, or spaces.
  - IP address: Enter the target IP address.
  - UDP port: Enter the UDP port used to send notifications. SNMP managers conventionally listen for notifications on UDP port 162.
  - Timeout: Enter the time the device waits for an acknowledgment before resending an inform. The default is 15 seconds.
  - Retry: Enter the number of times the device resends an inform that isn't acknowledged. The default is 3.
  Restriction
  Timeout and Retry only apply when you set a notification's Type to Informs.
  - Tag identifier: Enter the tag identifier string. It must be from 1 to 20 characters and can't include ", \, %, &, ?, ', !, ;, |, +, or spaces. This is used as transport tag information. See Users and groups.
  - Target parameter: Select a target parameter from the drop-down list.
- Click Save.
Click on a target address's name to edit its settings.
To delete target addresses, select the checkbox next to the ones you want to remove and click Delete.
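The three Notifications tabs are linked by name and tag: a notification's Tag identifier selects every target address carrying that tag, and each target address names the target parameter (version, security level, user) used to send to it. The following added example, which is not part of this page or of Sophos's code, models that linkage in Python and walks a notification through it, including the Timeout and Retry handling that only applies to informs. All names, addresses, and the scripted acknowledgments are constructed for the example; the `ScriptedTransport` class stands in for the UDP socket so the code runs offline.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class TargetParams:          # Notifications > Target parameters
    name: str
    model: str               # Message processing model: v1, v2c or v3
    level: str               # Privilege mode for v3: noauth, auth or priv
    user: str                # SNMPv3 user, or the community for v1/v2c


@dataclass(frozen=True)
class TargetAddress:         # Notifications > Target address
    name: str
    ip: str
    udp_port: int
    tags: tuple              # Tag identifiers this address listens for
    params: str              # Target parameter name
    timeout_s: float = 15.0  # how long to wait for an inform acknowledgment
    retries: int = 3         # resends after the first inform goes unanswered


@dataclass(frozen=True)
class Notification:          # Notifications > Notifications
    name: str
    tag: str                 # Tag identifier that selects target addresses
    kind: str                # "trap" or "inform"


# transport(address, params, attempt, timeout_s) -> True if an acknowledgment arrived in time
Transport = Callable[[TargetAddress, TargetParams, int, float], bool]


def resolve_targets(notify: Notification, addresses: List[TargetAddress]) -> List[TargetAddress]:
    """SNMP-NOTIFICATION-MIB semantics: a notification goes to every target
    address whose tag list contains the notification's tag identifier."""
    return [a for a in addresses if notify.tag in a.tags]


def send_notification(notify: Notification, addresses: List[TargetAddress],
                      params_by_name: Dict[str, TargetParams],
                      transport: Transport) -> Dict[str, str]:
    """Deliver one notification to all resolved targets and report the outcome per target."""
    report: Dict[str, str] = {}
    for addr in resolve_targets(notify, addresses):
        p = params_by_name[addr.params]
        if notify.kind == "trap":
            transport(addr, p, 1, 0.0)          # fire and forget: no wait, no retry
            report[addr.name] = "trap sent, delivery unconfirmed"
        elif p.model == "v1":
            report[addr.name] = "skipped: informs need v2c or v3"   # SNMPv1 has no InformRequest PDU
        else:
            attempts = addr.retries + 1         # first send plus Retry resends
            for attempt in range(1, attempts + 1):
                if transport(addr, p, attempt, addr.timeout_s):
                    report[addr.name] = f"inform acknowledged on attempt {attempt}"
                    break
            else:
                report[addr.name] = f"inform unacknowledged after {attempts} attempts"
    return report


class ScriptedTransport:
    """Constructed stand-in for the UDP socket. acks[name] lists, per attempt,
    whether the manager at that address answers; every send is also recorded."""
    def __init__(self, acks: Dict[str, List[bool]]):
        self.acks = acks
        self.sent: List[tuple] = []

    def __call__(self, addr: TargetAddress, p: TargetParams, attempt: int, timeout_s: float) -> bool:
        self.sent.append((addr.ip, addr.udp_port, p.model, p.user, attempt))
        script = self.acks.get(addr.name, [])
        return attempt <= len(script) and script[attempt - 1]


# Constructed configuration (assumed names and RFC 5737 documentation addresses).
PARAMS = {
    "v3-authpriv": TargetParams("v3-authpriv", "v3", "priv", "nms-user"),
    "v2c-legacy": TargetParams("v2c-legacy", "v2c", "noauth", "monitor-ro"),
}
ADDRESSES = [
    TargetAddress("nms1", "192.0.2.10", 162, ("all-events",), "v3-authpriv", retries=3),
    TargetAddress("nms2", "192.0.2.11", 162, ("all-events", "legacy"), "v2c-legacy", retries=1),
    TargetAddress("siem", "192.0.2.12", 1162, ("security",), "v3-authpriv"),
]
LINK_EVENTS = Notification("link-events", "all-events", "inform")


def run_demo() -> Dict[str, str]:
    """nms1 answers only on the third try; nms2 never answers; siem has no matching tag."""
    transport = ScriptedTransport({"nms1": [False, False, True], "nms2": [False, False]})
    return send_notification(LINK_EVENTS, ADDRESSES, PARAMS, transport)


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, "->", outcome)
```

With Retry set to 1, nms2 receives only two attempts before the switch gives up, while nms1 with the default of 3 gets up to four; a trap to the same targets would be sent exactly once each with no waiting. The `p.model == "v1"` branch reflects the Informs restriction noted on the Notifications tab.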