Re: Cisco 151e PIX & MRTG

From: Spack (news_at_worldofspack.co.uk)
Date: 03/10/05


Date: Thu, 10 Mar 2005 11:06:27 -0000

William wrote on Wed, 9 Mar 2005 23:40:06 -0800:

> Enabling SNMP is not a recommended practice in general. You can have your
> firewall send SNMP traps to your monitor station.

PIX SNMP traps are only capable of sending what can be sent via syslog,
which are sent in response to changes (links going up/down, rules being hit,
connections being made, etc). The OP is asking how to get MRTG to request
data to generate usage charts - these tend to be current state requests for
traffic and connection counts at intervals from the machine running MRTG,
and therefore need to request the data via SNMP as this cannot be done using
traps AFAIK.

By restricting SNMP requests to a single host on the inside interface the
risk is significantly reduced, especially in a known LAN environment. And as
I understand it polling hosts can only read data, not write back.

Dan
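The restriction Dan describes, as an added configuration example that is not from the thread: a PIX 6.x-style SNMP setup that accepts polls only from a single MRTG station on the inside interface (PIX SNMP is read-only, so the community cannot be used to change configuration). The addresses, community string and interface index are constructed placeholders.

```text
! Added example, not from the original post. PIX 6.x syntax assumed.
! Community string used by the poller; the PIX only answers read requests.
snmp-server community MRTG-RO-STRING
snmp-server location Example-Site
snmp-server contact noc@example.invalid
! Only this host, reached via the inside interface, may send SNMP requests
! (poll) or receive traps. Requests from any other address are dropped.
snmp-server host inside 192.0.2.10
! Traps carry the same syslog-derived events William refers to; they do not
! replace polling for the counters MRTG graphs.
snmp-server enable traps
! Corresponding MRTG target (goes in mrtg.cfg on 192.0.2.10, shown here as a
! comment): interface index 2 is a placeholder for the interface to graph.
!   Target[pix-inside]: 2:MRTG-RO-STRING@192.0.2.1:
```

Pair this with a logging destination for the SNMP denials so unexpected polling attempts from other hosts are visible, and pick a community string that is not the default.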