Internet Engineering Task Force C. Grall
INTERNET-DRAFT Trusted Information Systems
Expires 25 October 1998 20 April 1998
Firewall Management Information Base
<draft-grall-firewall-mib-01.txt>
Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet- Drafts as reference
material or to cite them other than as "work in progress."
To view the entire list of current Internet-Drafts, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe),
munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or
ftp.isi.edu (US West Coast).
Abstract
This document defines a portion of the Management Information Base
(MIB) for use with network management protocols in TCP/IP-based
internets. In particular, it defines objects for monitoring firewall
devices.
Table of Contents
Abstract
Table of Contents
The Network Management Framework
Overview
Textual Conventions
SnmpAdminString
EventTypeUnitTC
ProtocolUnitTC
Grall [Page 1]
Internet-Draft Firewall MIB 20 April 1998
Structure of MIB
The Service Identifiers Group
The Firewall Event Variables and Logs Group
The Status and Statistics Group
The Firewall Traps Group
Monitoring of Firewall Devices
Events
Event Logs and Traps
Details Table Use
Trap Flooding
Thresholds
Log Tables
Conventions
Definitions
Acknowledgments
Security Considerations
References
Author's Address
Appendix A: Sample Configurations and Scripts
1. The Network Management Framework
The Internet-standard Network Management Framework consists of three
components. They are:
RFC 1902 [4] which defines the SMI, the mechanisms used for
describing and naming objects for the purpose of management.
STD 17, RFC 1213 [5] defines MIB-II, the core set of managed
objects for the Internet suite of protocols.
RFC 1157 [6], RFC 1905 [7], and RFC 2261 [13] which define three
versions of the protocol used for network access to managed
objects.
The Framework permits new objects to be defined for the purpose of
experimentation and evaluation.
Managed objects are accessed via a virtual information store,
termed the Management Information Base or MIB. Within a given MIB
module, objects are defined using RFC 1902's OBJECT-TYPE macro. At
a minimum, each object has a name, a syntax, an access-level, and
Grall [Page 2]
Internet-Draft Firewall MIB 20 April 1998
an implementation-status.
The name is an object identifier, an administratively assigned
name, which specifies an object type. The object type together
with an object instance serves to uniquely identify a specific
instantiation of the object. For human convenience, we often use a
textual string, termed the object descriptor, to also refer to the
object type.
The syntax of an object type defines the abstract data structure
corresponding to that object type. The ASN.1[9] language is used
for this purpose. However, RFC 1155[3] purposely restricts the
ASN.1 constructs which may be used. These restrictions are expli-
citly made for simplicity.
2. Overview
This document specifies a working draft of a Management Information Base
(MIB) definition intended for use in monitoring firewall systems with
network management protocols in TCP/IP-based internets. All object
identifiers defined herein are under the private enterprises MIB tree.
This positioning would change if and when this MIB is adopted as stan-
dard.
2.1. Textual Conventions
Several new data types are introduced including EventTypeUnitTC, and
ProtocolUnitTC. The SnmpAdminString as proposed in the SNMPV3 documents
is also used.
2.1.1. SnmpAdminString
The SnmpAdminString textual convention is used for all string variables.
The definition from the current RFC [13] is included in this MIB (rather
than referenced) until the RFC becomes a standard.
2.1.2. EventTypeUnitTC
This textual convention enumerates many kinds of common events that may
happen on a firewall. The list represents error conditions, unusual
events, and normal activities.
Grall [Page 3]
Internet-Draft Firewall MIB 20 April 1998
2.1.3. ProtocolUnitTC
This textual convention is an enumeration of the most common protocols
used with TCP/IP-based network firewalls.
2.2. Structure of MIB
The objects are arranged into the following groups:
- service identifiers (service)
- firewall event variables and logs (fwevent)
- firewall status and statistics data (fwquery)
- firewall traps (fwtrap)
These groups are the basic units of conformance. If a firewall imple-
ments a group, then it should implement all objects in that group. The
fwevent, fwquery and fwtrap groups are optional. If the fwtrap group is
implemented, the fwevent group must also be implemented. The services
group must be supported if any of the other groups are implemented.
These groups are defined to provide a means of assigning object identif-
iers, and to provide a method for managed agents to know which objects
they must implement.
2.2.1. The Service Identifiers Group
The service group defines object identifiers (OIDs) for resource,
classes of services, and particular services handled by firewalls.
These OIDs are used as values in variables in other groups of the MIB to
designate a service.
In this document and the MIB definition, "resource" is defined as any
service, application, proxy, hardware unit, utility, operating system,
product, engine, etc. on the firewall. Resource can also refer to the
firewall as a whole. Also, the term "service" is used interchangeably
with "resource" throughout the document and MIB.
2.2.2. The Firewall Event Variables and Logs Group
The fwevent group defines tables for logging events that take place on
the firewall. Management stations are notified of the events via traps
from the fwtrap group.
Grall [Page 4]
Internet-Draft Firewall MIB 20 April 1998
2.2.3. The Status and Statistics Group
The fwquery group contains status and statistic information. It
includes version information for the firewall and its resouces and ser-
vices. It includes version information, staus details, and statistics
measured by firewall resources and services.
2.2.4. The Firewall Traps Group
The fwtrap group defines the traps that a firewall can send.
3. Monitoring of Firewall Devices
The scope of the MIB defined here is to provide information for the pur-
pose of monitoring firewall activity. The objects defined here provide
information about urgent events, security, health and status, and per-
formance of a firewall. This information is provided in two ways, via
traps and through objects that must be queried. The traps also have
associated information that can be queried.
It is worth noting areas this MIB is not meant to address. It is not
meant to replicate all firewall audit information or perform all of a
firewall's logging. The information provided by the MIB objects is not
necessarily all the information needed for a full audit capability. For
example, suspicious monitoring entities would probably require audit
information which would not be provided as part of this MIB.
The MIB is also not meant to be used for reporting about the configura-
tion of a firewall. Currently, most firewall's use unique and/or
proprietary protocols and representations for dealing with the confi-
guration and 'policy'. It was decided it would be too difficult to try
to create a generic set of MIB objects that could represent most
firewall configurations. This MIB does not have many variables related
to configuration items.
Write operations to MIB objects are not supported, i.e., SNMP SETs are
currently not supported by this MIB. One motivation for this is that
many SNMP implementations and network architectures do not support
secure communications. Once SNMPv3 is established this can be revisted
and the MIB can be expanded to include objects that can be written.
Another motivation for not addressing SETs is that values typically
"SET" on a firewall would deal with the firewall's configuration and
'policy'. Without a secure connection, the firewall's configuration
could be exposed.
This section provides details on the expected use of the objects defined
Grall [Page 5]
Internet-Draft Firewall MIB 20 April 1998
in section "Definitions" below. It also presents some implementation
issues.
3.1. Events
Many of the objects in the MIB are related to events on the firewall.
An event as far as this MIB is concerned is what a trap is created for,
and what is stored in the event logs. An event can represent the
activity of a single user on the firewall, the status of a program on
the firewall, or a collection of firewall activities. It is up to the
firewall vendor to decide what activities on the firewall are
represented as events in the MIB.
In order to provide a common set of events for MIB users and management
status, the MIB includes an enumeration of event types, EventTypeUnitTC.
The list includes the most common events that happen on a firewall. The
comments included in the list describe the firewall activities each
entry is meant to represent. It is understood that the list will prob-
ably not represent all possible events any particular firewall may
report on and there are generic entries that can be used for these
cases.
While the MIB's main purpose is to report about "unusual" events on a
firewall, it was felt that the MIB should not disallow reporting related
to "normal" events. Items are included in EventTypeUnitTC to represent
"normal", "okay", "good", and "up" activities and conditions. A
firewall vender can then choose to report any kind of activity through
MIB events. For example, a firewall could equate a MIB event with an
audited event and report on all firewall activity with the MIB.
3.1.1. Event Logs and Traps
The fwevent group defines a set of log tables for storing information
about events. The fwtrap group defines a set of traps for reporting
about the events that have been recorded in the logs. These two groups
are meant to work together. Although it is possible to implement the
fwevent group without any trap support, this is not the purpose of the
logs in the fwevent group.
The event logs are represented by a set of tables. There is a basic
table that holds information common to every event, and there are other
tables that contain different sets of detailed information. Figure 1
provides a conceptual view of the tables. The basic table points to one
of the MIB detail tables by table OID and row index. The basic table
also (optionally) points to a firewall vendor defined details table.
Grall [Page 6]
Internet-Draft Firewall MIB 20 April 1998
details table
basic table entries ------------------------
---------------------------| | |
|index | | |
|time | | |
|source | | |
|type | /| |
|description | / ------------------------
| | /
|details table row |--/
| |
|vendor details table row |-\ vendor details table
| | \ ------------------------
---------------------------- \ | |
\ | |
\| |
| |
------------------------
Figure 1: Conceptual view of event log tables.
When an event (see section "Events") occurs on the firewall, the basic
table information is collected and, based on the event, a details table
is chosen and its information is collected as well. This information is
stored on the firewall and a trap from the fwtrap group is sent. The
trap contains the same information contained in the basic table. The
management station then has the option to query the firewall and ask for
the rows from the tables specified in the trap.
Which trap is sent depends on the details table chosen. For the
netEventsLogTable details table use the networkEventTrap trap. For the
healthEventsLogTable details table use the healthEventTrap. For the
managementEventsLogTable details table use the managementEventTrap.
There is a one-to-one mapping between a detail table and a trap. Which
details table to query is chosen based on the trap that was sent.
Since the trap contains the EventTypeUnitTC and EventDescription values
for the event, a user or management station can use these values to make
decisions on whether the event details are useful or not. The retrieval
of the details can be automated for many management stations. Appendix
A contains some configuration and script examples for some of the more
popular management tools.
3.1.2. Details Table Use
The MIB defines three log tables to record details about an event. Each
Grall [Page 7]
Internet-Draft Firewall MIB 20 April 1998
table includes a different set of information. Multiple tables were
defined rather than have one large table to lower the likelihood that
queries (and traps) would have many unneeded or undefined values.
The MIB does not dictate which details table must be used for recording
a particular event. In order to ease management station configuration
this section lists the preferred details table for each of the sets of
event in EventTypeUnitTC.
The following lists each of the sets from the EventTypeUnitTC and the
preferred details table used:
EventTypeUnitTC set Details Table
------------------------------------------------
other [any]
hardware healthEventsLogTable
system healthEventsLogTable
fwmodule healthEventsLogTable
mgmt managementEventsLogTable
logging healthEventsLogTable
routing netEventsLogTable
packet netEventsLogTable
encryption netEventsLogTable
network netEventsLogTable
protocol healthEventsLogTable
service healthEventsLogTable
configuration healthEventsLogTable
access netEventsLogTable
authentication netEventsLogTable
attack netEventsLogTable
contentInspection netEventsLogTable
debug healthEventsLogTable
test healthEventsLogTable
3.1.3. Trap Flooding
Under normal network conditions, one should not see many traps sent by a
firewall to a management station. There is a potential for a large
number of traps to be sent by a firewall implementing this MIB. This
depends on how the firewall maps activities to events and how many of a
particular event can occur in a short time. The MIB has no variables
related to controlling which traps are sent or to limit the number of
traps sent. If this turns out to be a widespread problem after initial
reference implementation testing, it will be addressed in a later draft
of this MIB.
Grall [Page 8]
Internet-Draft Firewall MIB 20 April 1998
To provide firewall and SNMP management users some control it is sug-
gested that an agent implementation provide some on/off configuration
options for the events a firewall will report about. Whether and how to
implement this and the granularity of the configuration control is
beyond the scope of this document.
3.1.4. Thresholds
It was stated earlier that a particular firewall vendor defines what a
MIB event is on their firewall. It is expected that some MIB events
will actually represent a set of activities on the firewall. For exam-
ple, EventTypeUnitTC has an event called login attempts. What is not
specified by the MIB is how many attempts happened before the event was
handled by the SNMP agent.
Individual thresholds for controlling which firewall activities are
represented as events in the MIB or for controlling which events should
generate traps are not specified in this MIB. Some activities are unin-
teresting when they occur occasionally, but more interesting when they
are more frequent. Firewall vendors decide which activities have thres-
holds and what kind of thresholds are available.
3.1.5. Log Tables
All of the log tables defined in the fwevent group are used and indexed
in the same way. This section addresses some implementation issues to
consider. The MIB does not dictate how the tables are implemented, just
how the values of the variables in a table row are used.
3.1.5.1. Table Size and Index Value
Table size is an implementation specific matter. Each table has an
index variable to uniquely identify a row in the table. The index is
assigned beginning with 1 when the table is created and increases by one
with each new log entry. Table creation will generally happen at
firewall system reboot, but may happen at any time (eg., when the
firewall's SNMP agent is restarted).
An agent implementation may even preserve data in the tables between
periods of down time (e.g., between firewall reboots). Note that this
MIB does not require preservation of table information. An example of a
reason for maintaining the data is for management stations that would
like to try and find out (quickly) why a machine rebooted. Note thought
that this MIB is not trying to recreate a reliable logging function.
Grall [Page 9]
Internet-Draft Firewall MIB 20 April 1998
The agent may choose to delete the rows of a table as needed. This may
be due to lack of space for the entries or due to other reasons (eg.,
the entries are too old). A query to the table cannot assume anything
about the table's size or whether a particular index value in the table
is valid or not.
Deletion of rows in the table may be based on age (ie., the smallest
valid index is deleted) or based on some other scheme (eg., the priority
of the event is lower than other events in the log). The MIB does not
place any requirements on which rows may or may not be deleted.
Each log table has a corresponding '...LogTableLastValidRow' object.
This variable can be used to obtain the index value of the last (or
newest) valid row in the table. Since the index value starts at 1 and
monotonically increases with each new entry, one can see how many events
have been recorded since the creation of the table by obtaining this
variable.
3.1.5.2. Entry Order
The MIB places no requirements on the order of entries in the log
tables. The order of entries in a table might not necessarily be in the
same order as the traps that arrive at the management station. The
order of the entries in the basicEventsLogTable will not necessarily be
in order by the basicEventTime value.
3.1.5.3. MIB Walks
There is a concern that for implementations that choose to use a large
log table size (eg., thousands of entries), that a MIB walk into the log
table will take a long time and will not necessarily be what the MIB
walker had in mind. One way to address this concern is to allow the
administrator to be able to choose the maximum size of the log tables.
3.1.5.4. Table Status
Section left in for now for historical reference, will be deleted.
[@?@ Earlier discussions addressed issues related to the status of the
various tables. For example, a value for the time when old rows in a
table were deleted, a value for how many events are in the table, a
value for how "full" the table is, and a trap for when the table gets X%
full. The majority opinion at that time was that overall these values
would not be useful, would unnecessarily complicate the MIB and instru-
mentation at the firewall, and could potentially cause too many traps
Grall [Page 10]
Internet-Draft Firewall MIB 20 April 1998
(since these kinds of values would probably end up as traps). So most
of the table management information was left out of the MIB objects
until we get a better feel for how the MIB will be used. Of course a
vendor can implement values like these in their private table. Keep in
mind that event information should not be lost since these tables are
not meant to replace a robust logging mechanism.]
3.1.5.5. Examples
The following examples are included to illustrate the use of object
identifiers and additional trap variables in a TRAP to describe a
firewall event.
3.1.5.5.1. Network Event Example
Event: a telnet proxy running on a firewall system 199.94.211.1, is con-
figured to deny access to users not connecting from a network, say
199.94.200.0. When denying access to a connection coming from
199.94.222.2, the proxy service might generate the following trap.
The trap type is set to 6 (enterprise specific). A specific trap of
type 1 (networkEventTrap) is chosen to best describe this event. The
networkEventTrap includes variables to point to the basicEventLogTable
and the netEventDetailsTable.
For this specific event the details table describes the entity making
the connection attempt and why the attempt failed.
TRAP networkEventTrap:
trap type = 6 (enterprise specific)
enterprise specific type = 1 (networkEventTrap)
Values set in the basicEventLogTable, the networkEventTrap contains the
same values except that it does not include basicEventDetailsTableOID:
basicEventLogIndex = INTEGER (217)
basicEventTime = TimeStamp
basicEventSource = IpAddress (199.94.211.1)
basicEventType = accessDeniedSource(1404)
basicEventDescription = String ("XXX")
basicEventDetailsTableRow = OID (netEventsLogTable.16)
basicEventVendorDetailsTableRow = OID (0.0)
Grall [Page 11]
Internet-Draft Firewall MIB 20 April 1998
The netEventsLogTable would have a row containing the following:
netEventLogIndex = INTEGER (16)
netEventInterface = INTEGER (1)
netEventProtocol = TCP (1)
netEventICMPCommand =
netEventSrcIpAddress = IpAddress (199.94.222.2)
netEventMappedSrcIPAddress = IpAddress (NULL)
netEventDstIPAddress = IpAddress (NULL)
netEventMappedDstIPAddress = IpAddress (NULL)
netEventSrcIPPort = INTEGER (3333)
netEventMappedSrcIPPort = INTEGER (NULL)
netEventDstIPPort = INTEGER (23)
netEventMappedSrcIPort = INTEGER (NULL)
netEventGenericService = OID (fwmib.service.svcLogin.telnet)
netEventServiceInformation = String ("tn-gw")
netEventAuthdEntity = String ("unknown")
netEventRuleID = INTEGER (27, eg., the config. file line number)
netEventActionReason = String ("source IP address denied")
3.1.5.5.2. Health Event Example
A service on the firewall is misconfigured. The firewall has an http
service and the system administrator configured it to run on port 8000.
But there is already another service running on port 8000. The http
service cannot bind to the port.
The trap type is set to 6 (enterprise specific). A specific trap of
type 2 (healthEventTrap) is chosen to best describe the event.
Values set in the basicEventLogTable, the healthEventTrap contains the
same values except that it does not include basicEventDetailsTableOID:
basicEventLogIndex = INTEGER (12)
basicEventTime = TimeStamp
basicEventSource = IpAddress (201.217.12.1)
basicEventType = configurationPortInUse(1305)
basicEventDescription = String ("XXX")
basicEventDetailsTableRow = OID (healthEventsLogTable.70)
basicEventVendorDetailsTableRow = OID (0.0)
The healthEventsLogTable would have a row containing the following:
Grall [Page 12]
Internet-Draft Firewall MIB 20 April 1998
healthEventLogIndex = INTEGER (70)
healthEventResourceType = OID (fwmib.service.svcWeb.http)
healthEventResourceDetails = String ("http proxy")
healthEventProblemDetail = String ("cannot bind to port 8000")
3.1.5.5.3. Management Event Example
A new configuration effecting the whole firewall was loaded by a remote
configuration utility.
The trap type is set to 6 (enterprise specific). A specific trap of
type 3 (managementEventTrap) is chosen to best describe the event.
Values set in the basicEventLogTable, the managementEventTrap contains
the same values except that it does not include basicEventDetailsTa-
bleOID:
basicEventLogIndex = INTEGER (743)
basicEventTime = TimeStamp
basicEventSource = IpAddress (198.198.198.198)
basicEventType = mgmtLoadedConfigRemote(407)
basicEventDescription = String ("XXX")
basicEventDetailsTableRow = OID (managementEventsLogTable.66)
basicEventVendorDetailsTableRow = OID (0.0)
The managementEventsLogTable would have a row containing the following:
managementEventLogIndex = INTEGER(66)
managementEventSubjectName = String ("root")
managementEventSubjectAction = mgmtLoadedConfigRemote(407)
managementEventActionDetail = String ("new config. loaded")
managementEventObjectManaged = OID (fwmib.service.svcFirewall)
4. Conventions
The following conventions are used throughout the Firewall MIB.
Good Packets
Good packets are error-free packets that have a valid frame length.
For example, on Ethernet, good packets are error-free packets that
are between 64 octets long and 1518 octets long. They follow the
form defined in IEEE 802.3 section 3.2.all.
Grall [Page 13]
Internet-Draft Firewall MIB 20 April 1998
Bad Packets
Bad packets are packets that have proper framing and are therefore
recognized as packets, but contain errors within the packet or have
an invalid length. For example, on Ethernet, bad packets have a
valid preamble and SFD, but have a bad CRC, or are either shorter
than 64 octets or longer than 1518 octets.
5. Definitions
Grall [Page 14]
Internet-Draft Firewall MIB 20 April 1998
FireWallMIB DEFINITIONS ::= BEGIN
- -- SUBTREE: 1.3.6.1.4.1.14.3.9
- -- iso.org.dod.internet.private.enterprises.bbn.products.fwmib
IMPORTS
-- RFC 1904
OBJECT-GROUP,
MODULE-COMPLIANCE FROM SNMPv2-CONF
-- RFC 1902
MODULE-IDENTITY,
OBJECT-TYPE,
NOTIFICATION-TYPE,
IpAddress,
enterprises,
TimeTicks,
Counter32 FROM SNMPv2-SMI
-- RFC 1903
TEXTUAL-CONVENTION,
TimeStamp FROM SNMPv2-TC
-- RFC 2233
InterfaceIndex FROM IF-MIB;
fwMIB MODULE-IDENTITY
LAST-UPDATED "9803040000Z" --March 4, 1998
ORGANIZATION "GTE Corporation & Trusted Information Systems Inc."
CONTACT-INFO
"
Comments should be sent to fwmib@tis.com
Subscribe: majordomo@tis.com
In message body: subscribe fwmib
Herbert Lin
Tel: +1-617-873-5920
E-mail: hlin@bbn.com
Cindy Grall
Tel: +1-310-737-1744
E-mail: grall@tis.com
Ephraim Vider
Tel: +972-3-753-4592 (Israel)
E-mail: eff@checkpoint.com
Mike Wittig
Tel: +1-954-973-5059
E-mail: mwittig@mail.cybg.com
Grall [Page 15]
Internet-Draft Firewall MIB 20 April 1998
"
DESCRIPTION
"The MIB module for entities implementing
firewalls."
- --@?@ What's the correct value here? MIBs that are RFCs seem to
- -- be using OIDs out of other MIB trees, like RFC1759 (the printer
- -- MIB) uses { mib-2 43 }. The Internet Drafts appear to use
- -- { experimental 9999 } here, I will go with bbn for now so
- -- the ASN.1 will compile.
::= { bbn 9999 }
- -- textual conventions
SnmpAdminString ::= TEXTUAL-CONVENTION
DISPLAY-HINT "255a"
STATUS current
DESCRIPTION "An octet string containing administrative
information, preferably in human-readable form.
To facilitate internationalization, this
information is represented using the ISO/IEC
IS 10646-1 character set, encoded as an octet
string using the UTF-8 transformation format
described in [RFC2044].
Since additional code points are added by
amendments to the 10646 standard from time
to time, implementations must be prepared to
encounter any code point from 0x00000000 to
0x7fffffff.
The use of control codes should be avoided.
When it is necessary to represent a newline,
the control code sequence CR LF should be used.
The use of leading or trailing white space should
be avoided.
For code points not directly supported by user
interface hardware or software, an alternative
means of entry and display, such as hexadecimal,
may be provided.
For information encoded in 7-bit US-ASCII,
the UTF-8 encoding is identical to the
US-ASCII encoding.
Grall [Page 16]
Internet-Draft Firewall MIB 20 April 1998
Note that when this TC is used for an object that
is used or envisioned to be used as an index, then
a SIZE restriction must be specified so that the
number of sub-identifiers for any object instance
does not exceed the limit of 128, as defined by
[RFC1905].
"
SYNTAX OCTET STRING (SIZE (0..255))
- -- The following list of event types is meant to enumerate the most common
- -- events that happen on a firewall.
- --
- -- The list is organized into sets of common events. Each set has an
- -- initial entry to designate the set. The next two events in a set are
- -- meant to represent generic "okay"/"good"/"up" conditions and generic
- -- "error"/"failed"/"down" conditions. The rest of the events in a set
- -- represent more detailed events (either good or bad). The sets will
- -- probably not represent all the possible events on every firewall, but
- -- they are meant to be a good representation of events. If an event
- -- just does not fit any of the sets, then use the 'other' choices.
- --
EventTypeUnitTC ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Enumeration of types of events on the firewall"
SYNTAX INTEGER {
-- Undefined Events
other(0), -- the event type is not in this list
otherOkay(1), -- a normal event occurred
otherError(2), -- an error event occurred
unknown(3), -- could not determine the event type
-- Resource events, could be hardware problems, operating system
-- problems, or services problems
resource(100),
resourceOkay(101),
resourceError(102),
resourceUp(103),
resourceUse(104), --normal use of a resource
resourceDown(105),
resourceStarting(106),
resourceRestarting(107), -- the resource is going down and
-- coming back up
resourceHalting(108), -- eg., the firewall is going down
resourceExiting(109),
resourceOverTemperature(110),
Grall [Page 17]
Internet-Draft Firewall MIB 20 April 1998
resourceHighUse(111), -- eg., the CPU usage is high
resourceTestFailed(112),
resourceBusy(113),
resourceNoMedia(114), -- a device doesn't have its needed media
resourceBackup(116), -- processing has switched to the backup
resourceNoBackup(117), -- there is no backup to switch to
resourceNoMemory(118),
resourceNoBuffers(119),
resourceSyscallFailed(120),
resourceHighLoad(121),
-- Events about the basic health of the firewall or particular modules
fwmodule(300),
fwmoduleUp(301), -- the module is up
fwmoduleError(302),
fwmoduleDown(303), -- the module is down
fwmoduleStarting(304), -- the module is coming up
fwmoduleExiting(305),
fwmoduleRestarting(306),
fwmoduleLicenseExceeded(307),
-- Management events, these are events related to overall management
-- tasks on the firewall. For example, the configuration is being
-- changed or a patch has been applied. This is from the perspective
-- of the firewall, it is not a remote mgmt tool reporting on the
-- activities it is doing.
mgmt(400),
mgmtOkay(401), -- a normal management event
mgmtError(402), -- an error while performing firewall
-- management functions
mgmtNoResponse(403), -- the firewall expected and received no
-- response from a mgmt tool
mgmtReadConfigLocal(404), -- configuration information has been
-- read
mgmtReadConfigRemote(405), -- configuration information has been
-- uploaded to a remote mgmt tool
mgmtLoadedConfigLocal(406), -- a local mgmt tool loaded/applied a
-- new config
mgmtLoadedConfigRemote(407), -- a remote mgmt tool loaded/applied a
-- new config.
mgmtPatch(408), -- This event is used by the patching mechanism to
-- record what it patched. The genericService OID
-- would be the patching tool and the mgmtObjManaged
-- in the mgmtEventLogEntry would be the service
-- OID patched. This would not be used by the
-- service being patched. This alleviates the
-- confusion when the patching mechanism is patched.
Grall [Page 18]
Internet-Draft Firewall MIB 20 April 1998
-- Log file events
logging(500),
loggingUp(501), -- logging is functioning normally
loggingError(502), -- the logging facility had an error
loggingStarting(503), -- the log daemon was started
loggingExiting(504), -- the log daemon is exiting
loggingRestarting(505), -- the log daemon was restarted
loggingDown(506), -- the log daemon is not running
loggingRolloverStarted(507), -- logging is switching to another file
loggingFileFull(508), -- the log file/partition is full
loggingFileOverwrite(509), -- the log file is being overwritten
loggingFileMessagesLost(510), -- messages have been lost
loggingStopped(511), -- logging is stopped until other
-- problems are resolved (eg., space is
-- free'd)
loggingRolloverCompleted(512),
loggingRolloverFailed(513),
-- Routing events
routing(600),
routingOkay(601),
routingError(602),
routingNoRouteToHost(603),
routingICMPRedirect(604),
-- Packet handling
packet(700),
packetAccepted(701), -- accepted the packet
packetError(702), -- unknown error with packet
packetDropped(703), -- dropped packets (eg., internal buffer is full),
-- didn't even look at them, they could be
-- good or bad...
packetInvalid(704), -- these are "bad" packets, see section 4.0
packetIgnored(705), -- the packet was not meant for the firewall
packetRejected(706), -- rejected packets based on rule(s)
packetForwarded(707), -- forwarded packets based on rule(s)
packetEncrypted(708),
packetFragmented(709),
-- En(De)cryption events
encryption(800), -- generic/successful event
encryptionUp(801), --encryption is functioning
encryptionError(802), -- there was an encryption error
encryptionDown(803),
encryptionEncryptFailed(804),
encryptionDecryptFailed(805),
encryptionEncryptSucceeded(806),
encryptionDecryptSucceeded(807),
Grall [Page 19]
Internet-Draft Firewall MIB 20 April 1998
-- Network events
network(900),
networkUp(901),
networkError(902),
networkDown(903),
networkCollision(904),
networkDuplicateAddress(905),
networkMyAddressInUse(906),
networkNetUnreachable(907),
networkStarting(908),
networkRestarting(909),
networkHostUnreachable(910),
networkNoResponse(911),
-- protocol related events
protocol(1000), -- an event related to a protocol supported
protocolEnabled(1001),
protocolError(1002),
protocolDisabled(1003), -- the requested protocol is disabled
protocolNoDaemon(1004), -- there is no daemon for this protocol
-- Service connection/network connectivity events
connection(1100), -- a generic connection event
connectionAccepted(1101),
connectionError(1102),
connectionDropped(1103),
connectionClosed(1104),
connectionTimedout(1105),
connectionRefused(1106),
connectionReset(1107),
connectionNoResponse(1108),
-- Configuration events, represent errors or problems with the
-- configuration for the system or a service.
configuration(1300),
configurationOkay(1301),
configurationError(1302), -- an error in processing the configuration
configurationBadConfig(1303), -- the config provided is corrupt,
-- invalid, or incomplete
configurationArgumentError(1304), -- wrong arguments were provided
configurationPortInUse(1305),
configurationNoData(1306), -- the required data was not provided
-- Access
access(1400),
accessGranted(1401), -- a service allowed use based on all its checks
accessError(1402),
accessDenied(1403), -- a client was denied use of a service
Grall [Page 20]
Internet-Draft Firewall MIB 20 April 1998
accessDeniedSource(1404), -- client denied based on its source IP
accessDeniedPolicy(1405), -- client denied based on the sec. policy
accessDeniedUser(1406), -- client denied based on the userid
accessDeniedDest(1407), -- client denied based on the destination IP
accessDeniedDestPort(1408), -- client denied based on dest. port
accessDeniedFileRead(1409), -- the policy denied read access to a file
accessDeniedFileWrite(1410), -- the policy denied write access to
-- a file
accessDeniedNetworkInterface(1411), -- the policy denied access to a
-- particular net. int.
accessDeniedDevice(1412), -- the policy denied access to a device
-- Authentication and login events
authentication(1500),
authenticationSucceeded(1501), -- a user had a successful auth
authenticationError(1502), -- error while auth'ing
authenticationFailed(1503), -- a user failed an auth
authenticationSucceededPriv(1504), -- a user logged in with or
-- gained privilege
authenticationFailedPrivileged(1505), -- user failed to gain/login
-- with privilege
authenticationFailedMulti(1506), -- multiple failed auth attempts
-- by a user
-- Security attack events, these represent events that could
-- be or that indicate a security attack is taking place on the
-- firewall
attack(1600),
attackNone(1601),
attackDenialOfService(1602),
attackPing(1603), -- a ping of death attack
attackPacketForward(1604), --
attackSYNFlood(1605), -- a TCP SYN flood attack
attackIPSpoof(1606), -- an IP address is being spoofed
attackPortScan(1607), -- a port scan is/has taken place
attackNameSpoof(1608), -- a name service (eg., DNS) name is spoofed
attackSmurf(1609), -- see:
-- http://www.quadrunner.com/~chuegen/smurf.txt
attackTeardrop(1610),
-- Content inspection events, these events just report that
-- something was found. The details entry in for the event can
-- report on what was found (eg., virus, company private info.,
-- etc), what it was found in (eg., html, win32 executable, e-mail),
-- and what was done with it (eg., the quarantine location).
contentInspection(1700),
contentInspectionOkay(1701), -- the check of the content was okay,
-- nothing "bad" found
Grall [Page 21]
Internet-Draft Firewall MIB 20 April 1998
contentInspectionError(1702), -- there was an error while checking
-- content
contentInspectionFound(1703), -- found something
contentInspectionFoundCleaned(1704), -- found something and cleaned
-- the content of it
contentInspectionFoundRejected(1705), -- found something and threw
-- the content away
contentInspectionFoundSaved(1706), -- found something and saved the
-- content in quarantine
contentInspectionFoundNotified(1707), -- found something and
-- notified someone
-- Debugging event
debug(1800),
debugOkay(1801),
debugError(1802),
debugOn(1803), -- debugging mode is on/was turned on
debugOff(1804), -- debugging mode is off/was turned off
-- Testing events
test(1900),
testPassed(1901), -- a test passed
testFailed(1902), -- a test failed
testNoResponse(1903) -- there was no response for running a test
}
ProtocolUnitTC ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Enumeration of network protocols commonly used on firewalls."
SYNTAX INTEGER {
tcp(1),
udp(2),
icmp(3),
ip(4),
ipsec(5),
igmp(6),
arp(7),
ggp(8),
egp(9),
rip(10),
other(11) }
- -- This fwmib is divided into four main groups. The first, fwmib.service,
Grall [Page 22]
Internet-Draft Firewall MIB 20 April 1998
- -- Service identifiers, defines OIDs used by other areas of the MIB. The
- -- second, fwmib.fwevent, Event variables and logs, is described briefly
- -- above in the trap examples text. Third main group is fwmib.fwquery,
- -- the set of variables for queries. For a firewall this set is read only.
- -- The fourth group, fwmib.fwtrap, defines the traps for notification of
- -- extraordinary events on the firewall.
- --
- -- There is also a group for specifying MIB conformance as described in
- -- RFC1444, "Conformance Statements for version 2 of the Simple Network
- -- Management Protocol (SNMPv2)".
- -- @?@ bbn OIDs will change when this becomes an RFC...
bbn OBJECT IDENTIFIER ::= { enterprises 14 }
products OBJECT IDENTIFIER ::= { bbn 3 }
fwmib OBJECT IDENTIFIER ::= { products 9 }
- --
- -- service group
- --
- -- The service group defines OIDs that are used by other parts of the MIB.
- -- The OIDs are used by traps to designate the generic service type
- -- causing the trap. Expect this list to change occasionally as new service
- -- types emerge in the network/firewall community. Once a service type
- -- is in use by two or more firewall vendors it can be considered for
- -- inclusion in the services group. This change is treated as any other
- -- update to the MIB and will be included during a revision cycle.
- -- This list does not differentiate between a local service (eg., local
- -- login into the firewall via telnet) and a proxied service (eg., use of
- -- a telnet application gateway). This information can be provided in a
- -- string, since each use of these OIDs in a MIB variable (usually as
- -- part of a table entry) has a corresponding description or information
- -- variable.
- -- Use of these OIDs in the MIB variables:
- --
- -- If a new service emerges that is not in the MIB yet, but that has been
- -- assigned a port number or other identifying number, then it can be
- -- represented by choosing the appropriate service category and using the
- -- assigned number. For example, a new service called Foo Protocol (fp)
- -- is the latest rage on the Internet. It is a multi-media protocol and
- -- has been assigned port number XXX. The OID used to represent the
- -- service would be fwmib.service.svcMultimedia.XXX. The corresponding
- -- information variable can provide the protocol name.
- --
- -- If the firewall supports a service or protocol that is unique or
- -- specific to that firewall, then the OID used to represent the service
- -- will include that vendor's enterprise number. For example, the Foo
Grall [Page 23]
Internet-Draft Firewall MIB 20 April 1998
- -- firewall has a Bar service. The firewall company's enterprise number
- -- is ZZZ and they have chosen W to represent the Bar service. The
- -- OID used would be fwmib.service.svcOther.ZZZ.W It is the vendor's
- -- responsibility to publish definitions of the numbers used.
- --
- -- In any of the cases above where a service listed below cannot be used,
- -- the service can be further described with the serviceInformation object.
- --
- -- The numbers assigned in the list correspond, when possible, to the
- -- assigned port number for a protocol or other assigned number as
- -- appropriate (eg., the protocol number for IP protocols).
- --
- -- Alternatively a vendor can define an OID in their enterprise tree and
- -- use that value for genericService. It is the vendor's responsibility
- -- to publish these OIDs.
- --
service OBJECT IDENTIFIER ::= { fwmib 1 }
- -- represents the firewall as a whole, useful when statistics or events
- -- apply to the whole firewall
- --
svcFirewall OBJECT IDENTIFIER ::= { service 1 }
- --
svcOther OBJECT IDENTIFIER ::= { service 2 }
- --
svcFileTransfer OBJECT IDENTIFIER ::= { service 3 }
ftp OBJECT IDENTIFIER ::= { svcFileTransfer 21 }
tftp OBJECT IDENTIFIER ::= { svcFileTransfer 69 }
ftps OBJECT IDENTIFIER ::= { svcFileTransfer 990 } -- ftp over ssl
- --
svcLogin OBJECT IDENTIFIER ::= { service 4 }
login OBJECT IDENTIFIER ::= { svcLogin 1 } -- a login/su program
telnet OBJECT IDENTIFIER ::= { svcLogin 23 }
rlogin OBJECT IDENTIFIER ::= { svcLogin 513 }
telnets OBJECT IDENTIFIER ::= { svcLogin 992 } -- telnet over ssl
- --
svcRemoteExecution OBJECT IDENTIFIER ::= { service 5 }
sunRPC OBJECT IDENTIFIER ::= { svcRemoteExecution 111 }
rsh OBJECT IDENTIFIER ::= { svcRemoteExecution 514 }
xserver OBJECT IDENTIFIER ::= { svcRemoteExecution 6000 }
- --
svcWeb OBJECT IDENTIFIER ::= { service 6 }
Grall [Page 24]
Internet-Draft Firewall MIB 20 April 1998
gopher OBJECT IDENTIFIER ::= { svcWeb 70 }
http OBJECT IDENTIFIER ::= { svcWeb 80 }
pointcast OBJECT IDENTIFIER ::= { svcWeb 90 }
https OBJECT IDENTIFIER ::= { svcWeb 443 } -- also know as shttp
- --
svcMail OBJECT IDENTIFIER ::= { service 7 }
sendmail OBJECT IDENTIFIER ::= { svcMail 1 }
smtp OBJECT IDENTIFIER ::= { svcMail 25 }
pop2 OBJECT IDENTIFIER ::= { svcMail 109 }
pop3 OBJECT IDENTIFIER ::= { svcMail 110 }
smtps OBJECT IDENTIFIER ::= { svcMail 465 } -- smtp over ssl
pop3s OBJECT IDENTIFIER ::= { svcMail 995 } -- pop3 over ssl
- --
svcNews OBJECT IDENTIFIER ::= { service 8 }
nntp OBJECT IDENTIFIER ::= { svcNews 119 }
nntps OBJECT IDENTIFIER ::= { svcNews 563 } -- nntp over ssl
- --
svcMultimedia OBJECT IDENTIFIER ::= { service 9 }
irc OBJECT IDENTIFIER ::= { svcMultimedia 194 }
talk OBJECT IDENTIFIER ::= { svcMultimedia 517 }
ircs OBJECT IDENTIFIER ::= { svcMultimedia 994 } -- irc over ssl
streamworks OBJECT IDENTIFIER ::= { svcMultimedia 1558 }
h323 OBJECT IDENTIFIER ::= { svcMultimedia 1718 }
netShow OBJECT IDENTIFIER ::= { svcMultimedia 1755 }
vDOLive OBJECT IDENTIFIER ::= { svcMultimedia 7000 }
realAV OBJECT IDENTIFIER ::= { svcMultimedia 7070 }
- --
svcDatabase OBJECT IDENTIFIER ::= { service 10 }
dbSybas OBJECT IDENTIFIER ::= { svcDatabase 1 }
dbInformix OBJECT IDENTIFIER ::= { svcDatabase 3 }
-- for sql*net
dbOracle OBJECT IDENTIFIER ::= { svcDatabase 66 }
dbMSsql OBJECT IDENTIFIER ::= { svcDatabase 1433 }
- -- these are the current areas that are checked for today, eg., there
- -- are products or engines that scan in these areas
svcContentInspection OBJECT IDENTIFIER ::= { service 11 }
virus OBJECT IDENTIFIER ::= { svcContentInspection 1 }
certificate OBJECT IDENTIFIER ::= { svcContentInspection 2 }
-- eg., Java, Active-X
programLanguage OBJECT IDENTIFIER ::= { svcContentInspection 3 }
url OBJECT IDENTIFIER ::= { svcContentInspection 4 }
mailHeader OBJECT IDENTIFIER ::= { svcContentInspection 5 }
-- eg., company private
Grall [Page 25]
Internet-Draft Firewall MIB 20 April 1998
proprietaryData OBJECT IDENTIFIER ::= { svcContentInspection 6 }
prohibitedLanguage OBJECT IDENTIFIER ::= { svcContentInspection 7 }
- --
svcDirectory OBJECT IDENTIFIER ::= { service 12 }
nis OBJECT IDENTIFIER ::= { svcDirectory 1 }
dns OBJECT IDENTIFIER ::= { svcDirectory 53 }
netbiosns OBJECT IDENTIFIER ::= { svcDirectory 137 }
netbiosdgm OBJECT IDENTIFIER ::= { svcDirectory 138 }
netbiosssn OBJECT IDENTIFIER ::= { svcDirectory 139 }
ldap OBJECT IDENTIFIER ::= { svcDirectory 389 }
wins OBJECT IDENTIFIER ::= { svcDirectory 1512 }
- --
svcOperatingSystem OBJECT IDENTIFIER ::= { service 13 }
inetd OBJECT IDENTIFIER ::= { svcOperatingSystem 1 }
cron OBJECT IDENTIFIER ::= { svcOperatingSystem 2 }
kernel OBJECT IDENTIFIER ::= { svcOperatingSystem 3 }
fileSystem OBJECT IDENTIFIER ::= { svcOperatingSystem 4 }
printer OBJECT IDENTIFIER ::= { svcOperatingSystem 515 }
- --
svcManagement OBJECT IDENTIFIER ::= { service 14 }
mgmtTool OBJECT IDENTIFIER ::= { svcManagement 1 }
patchTool OBJECT IDENTIFIER ::= { svcManagement 2 }
snmp OBJECT IDENTIFIER ::= { svcManagement 161 }
- --
svcEncryption OBJECT IDENTIFIER ::= { service 15 }
ipsec OBJECT IDENTIFIER ::= { svcEncryption 1 }
vpn OBJECT IDENTIFIER ::= { svcEncryption 2 }
kerberos OBJECT IDENTIFIER ::= { svcEncryption 88 }
isakmp OBJECT IDENTIFIER ::= { svcEncryption 500 }
- --
svcPacketFilter OBJECT IDENTIFIER ::= { service 16 }
- -- network address translation
svcNAT OBJECT IDENTIFIER ::= { service 17 }
- --
svcAuthentication OBJECT IDENTIFIER ::= { service 18 }
password OBJECT IDENTIFIER ::= { svcAuthentication 1 }
skey OBJECT IDENTIFIER ::= { svcAuthentication 2 }
-- Digital Pathways
snk OBJECT IDENTIFIER ::= { svcAuthentication 3 }
-- Enigma Logics
silvercard OBJECT IDENTIFIER ::= { svcAuthentication 4 }
crytocard OBJECT IDENTIFIER ::= { svcAuthentication 5 }
Grall [Page 26]
Internet-Draft Firewall MIB 20 April 1998
-- Digital Pathways server
dss OBJECT IDENTIFIER ::= { svcAuthentication 6 }
-- Enigma Logics
safeword OBJECT IDENTIFIER ::= { svcAuthentication 7 }
vasco OBJECT IDENTIFIER ::= { svcAuthentication 8 }
apop OBJECT IDENTIFIER ::= { svcAuthentication 9 }
digipass OBJECT IDENTIFIER ::= { svcAuthentication 10 }
secureID OBJECT IDENTIFIER ::= { svcAuthentication 755 }
- --
svcLog OBJECT IDENTIFIER ::= { service 19 }
syslog OBJECT IDENTIFIER ::= { svcLog 514 }
- --
svcTime OBJECT IDENTIFIER ::= { service 20 }
time OBJECT IDENTIFIER ::= { svcTime 37 }
ntp OBJECT IDENTIFIER ::= { svcTime 123 }
timed OBJECT IDENTIFIER ::= { svcTime 525 }
- --
svcGroupware OBJECT IDENTIFIER ::= { service 21 }
exchange OBJECT IDENTIFIER ::= { svcGroupware 1 } -- Microsoft
lotusNotes OBJECT IDENTIFIER ::= { svcGroupware 1352 }
- --
svcHardware OBJECT IDENTIFIER ::= { service 22 }
memory OBJECT IDENTIFIER ::= { svcHardware 1 }
disk OBJECT IDENTIFIER ::= { svcHardware 2 }
power OBJECT IDENTIFIER ::= { svcHardware 3 }
netinterface OBJECT IDENTIFIER ::= { svcHardware 4 }
tape OBJECT IDENTIFIER ::= { svcHardware 5 }
controller OBJECT IDENTIFIER ::= { svcHardware 6 }
- --
svcQuery OBJECT IDENTIFIER ::= { service 23 }
whois OBJECT IDENTIFIER ::= { svcQuery 43 }
finger OBJECT IDENTIFIER ::= { svcQuery 79 }
ident OBJECT IDENTIFIER ::= { svcQuery 113 }
- --
svcFileShare OBJECT IDENTIFIER ::= { service 24 }
nfsStatus OBJECT IDENTIFIER ::= { svcFileShare 1110 }
nfs OBJECT IDENTIFIER ::= { svcFileShare 2049 }
- -- mainly used in the module and statistics tables to designate that
- -- information applies to the protocol class chosen
svcProtocol OBJECT IDENTIFIER ::= { service 25 }
icmp OBJECT IDENTIFIER ::= { svcProtocol 1 }
igmp OBJECT IDENTIFIER ::= { svcProtocol 2 }
Grall [Page 27]
Internet-Draft Firewall MIB 20 April 1998
tcp OBJECT IDENTIFIER ::= { svcProtocol 6 }
udp OBJECT IDENTIFIER ::= { svcProtocol 17 }
ip OBJECT IDENTIFIER ::= { svcProtocol 255 }
- --
- -- The firewall event group
- --
- -- The firewall event group defines a set of variables and tables used to
- -- log and track extraordinary firewall events. The tables are filled in
- -- when an event occurs and then a trap is sent referencing the filled in
- -- row.
- -- For any particular event up to three tables will be referenced. The
- -- general event information will go into one table and the details are
- -- placed in another. A third vendor defined table can also be used.
- -- There is only one table defined for general information.
- -- The table chosen for event details depends on the event type and the
- -- set of detailed information available at the time the event took place.
- -- The general table has a value to point to the table and row containing
- -- the event's details. A trap is sent once the relevant tables are
- -- filled in. The trap contains pointers to the tables used.
- -- A management station can wait for a trap to get details on an event.
- -- Alternatively the management station can query the objects in this
- -- group at any time to retrieve event information.
fwevent OBJECT IDENTIFIER ::= { fwmib 2 }
- --
- -- BASIC EVENTS LOG
- --
- -- This group defines the basic table containing information that is
- -- logged for every event on the firewall. The table is defined along
- -- with one variable to obtain the index value of the last valid row in
- -- the table. To obtain the first valid index value, query the table
- -- (via GETNEXT) for the first entry in the table.
- --
- -- The index of the last valid row also indicates the total number of
- -- events logged in the table since reboot.
- --
basicEventsLog OBJECT IDENTIFIER ::= { fwevent 1 }
basicEventsLogTableLastValidRow OBJECT-TYPE
SYNTAX INTEGER(1..2147483647)
MAX-ACCESS read-only
Grall [Page 28]
Internet-Draft Firewall MIB 20 April 1998
STATUS current
DESCRIPTION
"The index value of the last valid row in the basicEventsLogTable."
::= { basicEventsLog 1 }
basicEventsLogTableTrapIndex OBJECT-TYPE
SYNTAX INTEGER(1..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The index value of the row provided in the traps."
::= { basicEventsLog 2 }
basicEventsLogTable OBJECT-TYPE
SYNTAX SEQUENCE OF BasicEventsLogEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Table of basic data for firewall events."
::= { basicEventsLog 3 }
basicEventsLogEntry OBJECT-TYPE
SYNTAX BasicEventsLogEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in the table, containing general information
about an event."
INDEX { basicEventLogIndex }
::= { basicEventsLogTable 1 }
BasicEventsLogEntry ::= SEQUENCE {
basicEventLogIndex INTEGER(1..2147483647),
basicEventTime TimeStamp,
basicEventSource IpAddress,
basicEventType EventTypeUnitTC,
basicEventDescription SnmpAdminString,
basicEventDetailsTableRow OBJECT IDENTIFIER,
basicEventVendorDetailsTableRow OBJECT IDENTIFIER
}
Grall [Page 29]
Internet-Draft Firewall MIB 20 April 1998
basicEventLogIndex OBJECT-TYPE
SYNTAX INTEGER(1..2147483647)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An index that uniquely identifies an entry
in the log table. These indices are assigned
beginning with 1 and increase by one with each
new log entry. The agent may choose to delete the
instances of basicEventEntry as required
because of lack of memory. It is an implementation
specific matter as to when this deletion may occur and
as to which log entries are deleted."
::= { basicEventsLogEntry 1 }
basicEventTime OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The time that the Event occurred."
::= { basicEventsLogEntry 2 }
basicEventSource OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IP address of the firewall entity where the event
occurred, the IP address of the entity. If there are two
or more IP addresses there is no guarantee which IP
address will be used."
::= { basicEventsLogEntry 3 }
basicEventType OBJECT-TYPE
SYNTAX EventTypeUnitTC
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"What type of event this is."
Grall [Page 30]
Internet-Draft Firewall MIB 20 April 1998
::= { basicEventsLogEntry 4 }
basicEventDescription OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An (optional) description of the event."
::= { basicEventsLogEntry 5 }
basicEventDetailsTableRow OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A pointer to a row in the table containing details about this
event. It will be one of the tables defined in this
MIB. One of type1NetEventsLogTable, type2NetEventsLogTable,
type3NetEventsLogTable, healthEventsLogTable,
managementEventsLogTable. The last sub-identifier(s) of the OID
represents the specific row index values for the row in the table
that contains the data."
::= { basicEventsLogEntry 6 }
basicEventVendorDetailsTableRow OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This value is vendor defined. Generally this will be a
pointer to a table and row containing vendor specific details
about this event. It is up to firewall vendor to define how
this value should be interpreted and to publish this information.
If a vendor private table is not supported, then the NULL OID
value (0.0) should be provided."
::= { basicEventsLogEntry 7 }
- -- NETWORK EVENTS LOG
- --
- -- A details table with information related to network events
- -- or events involving "users" of the firewall resources and services
Grall [Page 31]
Internet-Draft Firewall MIB 20 April 1998
- -- (eg., traffic flows through the firewall or a user authenticating
- -- to use a firewall service).
netEventsLog OBJECT IDENTIFIER ::= { fwevent 4 }
netEventsLogTableLastValidRow OBJECT-TYPE
SYNTAX INTEGER(1..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The index value of the last valid row in the netEventsLogTable."
::= { netEventsLog 1 }
netEventsLogTable OBJECT-TYPE
SYNTAX SEQUENCE OF NetEventsLogEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Table of detailed data for transport events."
::= { netEventsLog 2}
netEventsLogEntry OBJECT-TYPE
SYNTAX NetEventsLogEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in the table, containing detailed information
about an event."
INDEX { netEventLogIndex }
::= { netEventsLogTable 1 }
NetEventsLogEntry ::= SEQUENCE {
netEventLogIndex INTEGER(1..2147483647),
netEventInterface InterfaceIndex,
netEventProtocol ProtocolUnitTC,
netEventICMPCommand INTEGER,
netEventSrcIpAddress IpAddress,
netEventMappedSrcIpAddress IpAddress,
netEventDstIpAddress IpAddress,
netEventMappedDstIpAddress IpAddress,
netEventSrcIpPort INTEGER(0..65535),
netEventMappedSrcIpPort INTEGER(0..65535),
Grall [Page 32]
Internet-Draft Firewall MIB 20 April 1998
netEventDstIpPort INTEGER(0..65535),
netEventMappedDstIpPort INTEGER(0..65535),
netEventService OBJECT IDENTIFIER,
netEventServiceInformation SnmpAdminString,
netEventAuthdEntity SnmpAdminString,
netEventRuleID INTEGER(0..65535),
netEventActionReason SnmpAdminString
}
netEventLogIndex OBJECT-TYPE
SYNTAX INTEGER(1..2147483647)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An index that uniquely identifies an entry
in the log table. These indices are assigned
beginning with 1 and increase by one with each
new log entry. The agent may choose to delete the
instances of basicEventEntry as required
because of lack of memory. It is an implementation
specific matter as to when this deletion may occur and
as to which log entries are deleted."
::= { netEventsLogEntry 1 }
netEventInterface OBJECT-TYPE
SYNTAX InterfaceIndex
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The interface number that any packets may have arrived on
or that activity may have taken place on. [Will be zero if
no interface was involved.]"
::= { netEventsLogEntry 2 }
netEventProtocol OBJECT-TYPE
SYNTAX ProtocolUnitTC
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Enumeration of possible network protocols."
::= { netEventsLogEntry 3 }
Grall [Page 33]
Internet-Draft Firewall MIB 20 April 1998
netEventICMPCommand OBJECT-TYPE
SYNTAX INTEGER {
echoreply(0),
destunreach(3),
sourcequench(4),
redirect(5),
echo(8),
timeexceeded(11),
paramprob(12),
timestamp(13),
timestampreply(14),
mask(17),
maskreply(18),
traceroute(30),
notICMP(41) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Enumeration of the most common types of ICMP packets, the
numbers used above represent the ICMP Type number currently
assigned by IANA."
::= { netEventsLogEntry 4 }
netEventSrcIpAddress OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Source IP address as provided in an IP packet."
::= { netEventsLogEntry 5 }
netEventMappedSrcIpAddress OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Source IP address after network address translation
has been applied."
::= { netEventsLogEntry 6 }
netEventDstIpAddress OBJECT-TYPE
SYNTAX IpAddress
Grall [Page 34]
Internet-Draft Firewall MIB 20 April 1998
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Destination IP address as provided in an IP packet
or by a service user."
::= { netEventsLogEntry 7 }
netEventMappedDstIpAddress OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Destination IP address after network address translation
has been applied."
::= { netEventsLogEntry 8 }
netEventSrcIpPort OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Source UDP/TCP port as provided in an IP packet."
::= { netEventsLogEntry 9 }
netEventMappedSrcIpPort OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Source UDP/TCP port after any port translation or change
has been applied."
::= { netEventsLogEntry 10 }
netEventDstIpPort OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Destination UDP/TCP port as provided in an IP packet
Grall [Page 35]
Internet-Draft Firewall MIB 20 April 1998
or by a service user."
::= { netEventsLogEntry 11 }
netEventMappedDstIpPort OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Destination UDP/TCP port after any port translation or change
has been applied."
::= { netEventsLogEntry 12 }
netEventService OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The identification of the type of service notifying about the
event. This value may be chosen from the fwmib.service
or vendor specific trees. The description in serviceInformation
can be used to designate a particular service from within this
service type."
::= { netEventsLogEntry 13 }
netEventServiceInformation OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Specific service information. This can be used to
designate the particular service within a genericService
type and/or it can designate whether the service is a local
service or a gateway service. For example, if the value
for genericService is service.svcLogin.telnet, then the
string provided might be local telnet."
::= { netEventsLogEntry 14 }
netEventAuthdEntity OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
Grall [Page 36]
Internet-Draft Firewall MIB 20 April 1998
DESCRIPTION
"A userid, username, processid or other identifier for the entity
using the service. If there is no such information then 'none'
must be provided."
::= { netEventsLogEntry 15 }
netEventRuleID OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"INTEGER representation of a rule identifier. How
to interpret the number provided is defined by the
firewall vendor. Eg., it may represent a configuration
line number in a file, or a rule number in a table."
::= { netEventsLogEntry 16 }
netEventActionReason OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A detailed description of the reason the ruleAction took
place. Could be a copy of the rule used."
::= { netEventsLogEntry 17 }
- -- HEALTH EVENTS LOG
- --
- -- This table is used for events related to the firewall's health and
- -- status. The events can be for hardware or software resources.
healthEventsLog OBJECT IDENTIFIER ::= { fwevent 5 }
healthEventsLogTableLastValidRow OBJECT-TYPE
SYNTAX INTEGER(1..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The index value of the last valid row in the healthEventsLogTable."
::= { healthEventsLog 1 }
Grall [Page 37]
Internet-Draft Firewall MIB 20 April 1998
healthEventsLogTable OBJECT-TYPE
SYNTAX SEQUENCE OF HealthEventsLogEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Table of detailed data for firewall health events."
::= { healthEventsLog 2 }
healthEventsLogEntry OBJECT-TYPE
SYNTAX HealthEventsLogEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in the table, containing detailed information
about a health event."
INDEX { healthEventLogIndex }
::= { healthEventsLogTable 1 }
HealthEventsLogEntry ::= SEQUENCE {
healthEventLogIndex INTEGER(1..2147483647),
healthEventResourceType OBJECT IDENTIFIER,
healthEventResourceDetails SnmpAdminString,
healthEventProblemDetail SnmpAdminString
}
healthEventLogIndex OBJECT-TYPE
SYNTAX INTEGER(1..2147483647)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An index that uniquely identifies an entry
in the log table. These indices are assigned
beginning with 1 and increase by one with each
new log entry. The agent may choose to delete the
instances of basicEventEntry as required
because of lack of memory. It is an implementation
specific matter as to when this deletion may occur and
as to which log entries are deleted."
::= { healthEventsLogEntry 1 }
healthEventResourceType OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
Grall [Page 38]
Internet-Draft Firewall MIB 20 April 1998
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The identification of the type of resource notifying about the
problem. This value may be chosen from the fwmib.service
or vendor specific trees. The description in
healthEventResourceDetails can be used to provide more details
about the resource."
::= { healthEventsLogEntry 2 }
healthEventResourceDetails OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Specific resource information. This can be used to
designate details about the service OID chosen."
::= { healthEventsLogEntry 3 }
healthEventProblemDetail OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Details on the problem being reported. Used if more
detail is needed to interpret the value used in
basicEventType from the basicEventsTable entry."
::= { healthEventsLogEntry 4 }
- -- MANAGEMENT EVENTS LOG
- --
- -- This table is used for reporting events related to management of the
- -- firewall.
managementEventsLog OBJECT IDENTIFIER ::= { fwevent 6 }
managementEventsLogTableLastValidRow OBJECT-TYPE
SYNTAX INTEGER(1..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
Grall [Page 39]
Internet-Draft Firewall MIB 20 April 1998
"The index value of the last valid row in the
managementEventsLogTable."
::= { managementEventsLog 1 }
managementEventsLogTable OBJECT-TYPE
SYNTAX SEQUENCE OF ManagementEventsLogEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Table of detailed data for firewall management events."
::= { managementEventsLog 2 }
managementEventsLogEntry OBJECT-TYPE
SYNTAX ManagementEventsLogEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in the table, containing detailed information
about a management event."
INDEX { managementEventLogIndex }
::= { managementEventsLogTable 1 }
ManagementEventsLogEntry ::= SEQUENCE {
managementEventLogIndex INTEGER(1..2147483647),
managementEventSubjectName SnmpAdminString,
managementEventSubjectAction EventTypeUnitTC,
managementEventActionDetail SnmpAdminString,
managementEventObjectManaged OBJECT IDENTIFIER
}
managementEventLogIndex OBJECT-TYPE
SYNTAX INTEGER(1..2147483647)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An index that uniquely identifies an entry
in the log table. These indices are assigned
beginning with 1 and increase by one with each
new log entry. The agent may choose to delete the
instances of basicEventEntry as required
because of lack of memory. It is an implementation
specific matter as to when this deletion may occur and
Grall [Page 40]
Internet-Draft Firewall MIB 20 April 1998
as to which log entries are deleted."
::= { managementEventsLogEntry 1 }
managementEventSubjectName OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The userid, processid, or other unique information that
designates which subject is causing the management event
event."
::= { managementEventsLogEntry 2 }
managementEventSubjectAction OBJECT-TYPE
SYNTAX EventTypeUnitTC
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"What a subject did on the firewall."
::= { managementEventsLogEntry 3 }
managementEventActionDetail OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Details on the management event based on the
subjectAction chosen."
::= { managementEventsLogEntry 4 }
managementEventObjectManaged OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The identification of the type of resource begin managed.
This value may be chosen from the fwmib.service or vendor specific
trees. "
::= { managementEventsLogEntry 5 }
Grall [Page 41]
Internet-Draft Firewall MIB 20 April 1998
- --
- -- fwquery group
- --
- -- The query group defines status and statistical data at the firewall.
- -- The data included here concentrate on variables not covered by
- -- other MIBs.
- -- All data are designated as read-only. Changes to a firewall's
- -- configuration or any of the data here is assumed to take place via
- -- a different channel.
- -- We encourage the firewall to support MIB-II for resource information
- -- when possible. To that extent, this query group does not include any
- -- objects that are covered by MIB-II.
fwquery OBJECT IDENTIFIER ::= { fwmib 3 }
fwinformation OBJECT IDENTIFIER ::= { fwquery 1 }
fwstatus OBJECT IDENTIFIER ::= { fwquery 2 }
fwstatistic OBJECT IDENTIFIER ::= { fwquery 3 }
- -- The firewall product related queries
fwProductName OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The product name of the firewall."
::= { fwinformation 1 }
fwVersionMajor OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The major version of the firewall as a whole."
::= { fwinformation 2 }
fwVersionMinor OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
Grall [Page 42]
Internet-Draft Firewall MIB 20 April 1998
"The minor version of the firewall as a whole."
::= { fwinformation 3 }
fwOSName OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The specific vendor's name for the operating system the firewall
is running on. For Unix type operating systems this would usually be
the output from 'uname -s'."
::= { fwinformation 4 }
fwOSVersion OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The specific vendor's version for the operating system the firewall
is running on. For Unix type operating systems this would usually be
the output from 'uname -r'."
::= { fwinformation 5 }
- -- The firewall module table is used to provide additional version and
- -- status information for firewall modules. The definition of a module
- -- is vendor specific. At the least the firewall should provide one row
- -- for this table to represent the firewall system as a whole (ie, the
- -- value used for fwModuleType would be services.svcFirewall). For values
- -- in this table that the firewall module does not support (eg., the
- -- module does not support serial numbers), the value used would be
- -- "NULL".
fwModuleInfoTable OBJECT-TYPE
SYNTAX SEQUENCE OF FwModuleInfoEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Table of firewall Module entries that provide
version and status information."
::= { fwinformation 6 }
Grall [Page 43]
Internet-Draft Firewall MIB 20 April 1998
fwModuleInfoEntry OBJECT-TYPE
SYNTAX FwModuleInfoEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in the table, containing information about a
module."
INDEX { fwModuleType }
::= { fwModuleInfoTable 1 }
FwModuleInfoEntry ::= SEQUENCE {
fwModuleType OBJECT IDENTIFIER,
fwModuleInformation SnmpAdminString,
fwModuleVersion SnmpAdminString,
fwModulePatchLevel SnmpAdminString,
fwModuleLicenseKey SnmpAdminString,
fwModuleSerialNumber SnmpAdminString,
fwModuleCfgID SnmpAdminString,
fwModuleCfgDate TimeStamp,
fwModuleCfgState INTEGER }
fwModuleType OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Firewall module type. This can be an OID from the services
group, or the vendor can choose to define OIDs in their
enterprise group."
::= { fwModuleInfoEntry 1 }
fwModuleInformation OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Detailed information to designate the specific firewall
module or service based on the type chosen for fwModuleInfoType."
::= { fwModuleInfoEntry 2 }
fwModuleVersion OBJECT-TYPE
SYNTAX SnmpAdminString
Grall [Page 44]
Internet-Draft Firewall MIB 20 April 1998
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Module Version."
::= { fwModuleInfoEntry 3 }
fwModulePatchLevel OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Module Patch Level."
::= { fwModuleInfoEntry 4 }
fwModuleLicenseKey OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Module license key"
::= { fwModuleInfoEntry 5 }
fwModuleSerialNumber OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Module serial number."
::= { fwModuleInfoEntry 6 }
fwModuleCfgID OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Module configuration ID."
::= { fwModuleInfoEntry 7 }
Grall [Page 45]
Internet-Draft Firewall MIB 20 April 1998
fwModuleCfgDate OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Module configuration date."
::= { fwModuleInfoEntry 8 }
fwModuleCfgState OBJECT-TYPE
SYNTAX INTEGER {
inprogress(1),
done(2),
reconfigFailed(3)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Enumeration of the state the module's
configuration is in."
::= { fwModuleInfoEntry 9 }
- -- The resource information related queries, this table is for
- -- providing the status of the resources on the firewall. Resources
- -- can include hardware or software modules on the firewall.
resourceStatusTable OBJECT-TYPE
SYNTAX SEQUENCE OF ResourceStatusEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Table of firewall resource entries"
::= { fwstatus 1 }
resourceStatusEntry OBJECT-TYPE
SYNTAX ResourceStatusEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in the table, containing information about a
resource."
Grall [Page 46]
Internet-Draft Firewall MIB 20 April 1998
INDEX { resourceType }
::= { resourceStatusTable 1 }
ResourceStatusEntry ::= SEQUENCE {
resourceType OBJECT IDENTIFIER,
resourceInformation SnmpAdminString,
resourceStatusDetail EventTypeUnitTC,
resourceStatusInfo SnmpAdminString
}
resourceType OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Resource type. This can be an OID from the services
group, or the vendor can choose to define OIDs in their
enterprise group."
::= { resourceStatusEntry 1 }
resourceInformation OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Detailed information to further designate the specific firewall
resource or service reporting status."
::= { resourceStatusEntry 2 }
resourceStatusDetail OBJECT-TYPE
SYNTAX EventTypeUnitTC
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Enumeration of firewall resource status/events. This
list applies to hardware and software resources provided
and used by the firewall."
::= { resourceStatusEntry 3 }
resourceStatusInfo OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
Grall [Page 47]
Internet-Draft Firewall MIB 20 April 1998
STATUS current
DESCRIPTION
"Detailed information to further describe the status of
the resource if the value for resourceStatusDetails is not
descriptive enough."
::= { resourceStatusEntry 4 }
- -- The statistic related queries
- -- This group contains several tables, each table can be used to provide
- -- the indicated statistics for any firewall resource or service. The tables
- -- all contain rows for (and are indexed by) each service that the statistic
- -- applies to.
- --
- -- The tables in this group can be used to provide statistics on:
- --
- -- packet level data (packetStatTable)
- -- service level data (fwStatTable)
- --
- -- The packetStatTable includes variables to record the number of packets
- -- handled by the firewall in various ways.
- --
- -- In all the tables, for any Counter32 objects that are not supported,
- -- a value of "0" is returned.
packetStatTable OBJECT-TYPE
SYNTAX SEQUENCE OF PacketStatEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Table of firewall packet statistic entries."
::= { fwstatistic 1 }
packetStatEntry OBJECT-TYPE
SYNTAX PacketStatEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in the table, containing information about a
statistic."
INDEX { packetStatServiceType, packetNetInterface }
::= { packetStatTable 1 }
Grall [Page 48]
Internet-Draft Firewall MIB 20 April 1998
PacketStatEntry ::= SEQUENCE {
packetStatServiceType OBJECT IDENTIFIER,
packetNetInterface InterfaceIndex,
packetStatServiceDetail SnmpAdminString,
packetsAccepted Counter32,
packetsDropped Counter32,
packetsEncrypted Counter32,
packetsInvalid Counter32,
packetsIgnore Counter32,
packetsRejected Counter32,
packetsForwarded Counter32,
packetsFragmented Counter32
}
packetStatServiceType OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The identification of the type of service notifying about the
event. This value may be chosen from the fwmib.service
or vendor specific trees. The description in packetStatServiceDetail
can be used to designate a particular service from within this
service type."
::= { packetStatEntry 1 }
packetNetInterface OBJECT-TYPE
SYNTAX InterfaceIndex
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The interface number that the packet(s) arrived on."
::= { packetStatEntry 2 }
packetStatServiceDetail OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Specific service information. This can be used to
further designate the particular service. It can also be
used to designate different types of packet statistics from
the same service (e.g., the kernel counts rejected packets
Grall [Page 49]
Internet-Draft Firewall MIB 20 April 1998
meant to be forwared and meant to be accepted as two seperate
counts)."
::= { packetStatEntry 3 }
packetsAccepted OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of packets accepted."
::= { packetStatEntry 4 }
packetsDropped OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of packets dropped."
::= { packetStatEntry 5 }
packetsEncrypted OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of packets encrypted."
::= { packetStatEntry 6 }
packetsInvalid OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of bad (see section 4.0) packets received."
::= { packetStatEntry 7 }
packetsIgnore OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
Grall [Page 50]
Internet-Draft Firewall MIB 20 April 1998
"Number of bad (see section 4.0) packets ignored."
::= { packetStatEntry 8 }
packetsRejected OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of packets rejected."
::= { packetStatEntry 9 }
packetsForwarded OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of packets forwarded."
::= { packetStatEntry 10 }
packetsFragmented OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of packets fragmented."
::= { packetStatEntry 11 }
- -- The Firewall Statistics Table Definition
- --
- -- This table can be used to provide the statistics
- -- for any firewall resource or service. This table contains rows for
- -- (and are indexed by) each service to which the statistic applies.
- --
- -- This table can be used to provide statistics on any of the events
- -- that are also reported via traps, as well as any other events included
- -- in EventTypeUnitTC. For example to report on the number of users
- -- that where denied access to the ftp service you could use the following:
- --
- -- resource = OID (service.svcFileTransfer.ftp)
- -- resourceDetails = STRING ("the ftp proxy")
- -- statisticType = accessDenied(1403)
Grall [Page 51]
Internet-Draft Firewall MIB 20 April 1998
- -- statsDataType = count
- -- statsValue = INTEGER (35)
- -- statDescription = STRING ("The number of users of the ftp proxy that...")
- -- statStartTime = TimeStamp (####)
- -- statElapsedTime = ??
- --
- -- The table contains a column to provide details about the statistic
- -- being reported on. So, for example, if the statistic is for a particular
- -- user, this can be provided in the statDescription.
resourceStatTable OBJECT-TYPE
SYNTAX SEQUENCE OF ResourceStatEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Table of firewall statistic entries."
::= { fwstatistic 2 }
resourceStatEntry OBJECT-TYPE
SYNTAX ResourceStatEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in the table, containing information about a
firewall statistic."
INDEX { statResourceType, statType }
::= { resourceStatTable 1 }
ResourceStatEntry ::= SEQUENCE {
statResourceType OBJECT IDENTIFIER,
statResourceDetails SnmpAdminString,
statType EventTypeUnitTC,
statDataType INTEGER,
statValue OCTET STRING,
statDescription SnmpAdminString
}
statResourceType OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The identification of the type of service providing statistics
Grall [Page 52]
Internet-Draft Firewall MIB 20 April 1998
This value may be chosen from the fwmib.service
or vendor specific trees. The description in
statResourceDetails can be used to designate a
particular service from within this service type."
::= { resourceStatEntry 1 }
statResourceDetails OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Specific service information. This can be used to
designate the particular service reporting the statistic."
::= { resourceStatEntry 2 }
statType OBJECT-TYPE
SYNTAX EventTypeUnitTC
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The type of statistic this row is reporting on. This along with
statResourceType provides a unique index into the table."
::= { resourceStatEntry 3 }
statDataType OBJECT-TYPE
SYNTAX INTEGER {
counter(1),
int(2),
percent(3),
gauge(4),
timestmp(5) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The data type of the statistic value in this row. This value
is used to interpret the data provided in statValue."
::= { resourceStatEntry 4 }
statValue OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..8))
MAX-ACCESS read-only
Grall [Page 53]
Internet-Draft Firewall MIB 20 April 1998
STATUS current
DESCRIPTION
"The value of the statistic, the type of this value is provided
in statDataType. Regardless of the type of the value, the
bytes are interpreted in network byte order. @?@ any opinions @?@
If the statDataType value is 'counter' then @?@ any restrictions?
If the statDataType value is 'int' then this value shall be
@?@X bytes long maximum. @?@ any opinions?
If the statDataType value is 'percent' then this value shall
be an integer value between 00 and 100 inclusive.
If the statDataType value is 'gauge' then this value shall
be @?@.
If the statDataType value is 'timestmp' then this value shall
be @?@."
::= { resourceStatEntry 5 }
statDescription OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A more detailed description of the statistic provided in
case the statType does not give a good indication of what
the data in statValue represents."
::= { resourceStatEntry 6 }
- --
- -- fwtrap group
- --
- -- The fwtrap group defines the trap types that a firewall may
- -- send.
fwtrap OBJECT IDENTIFIER ::= { fwmib 4 }
- -- Traps are defined using the conventions in SNMPv2-SMI
- --
- -- The networkEventTrap is used for events related to the network
- -- operation in the firewall. This includes packet screening events and
Grall [Page 54]
Internet-Draft Firewall MIB 20 April 1998
- -- service events. The trap contains the OID/row index of the
- -- netEventDetailsTable and the OID/row and index of the vendor private
- -- table. Then the management station can choose to access the event
- -- details without having to query the base table.
networkEventTrap NOTIFICATION-TYPE
OBJECTS {
basicEventsLogTableTrapIndex,
basicEventTime,
basicEventSource,
basicEventType,
basicEventDescription,
basicEventDetailsTableRow,
basicEventVendorDetailsTableRow
}
STATUS current
DESCRIPTION
"Network event notification from network components."
::= { fwtrap 1 }
-- Example use: see introduction.
- -- The healthEventTrap is used for events related to configuration problems,
- -- resource problems, service problems, and system problems. The
- -- basicEventDetailsTableIndex represents the index of the row in
- -- the healthEventDetailsTable related to this event.
healthEventTrap NOTIFICATION-TYPE
OBJECTS {
basicEventsLogTableTrapIndex,
basicEventTime,
basicEventSource,
basicEventType,
basicEventDescription,
basicEventDetailsTableRow,
basicEventVendorDetailsTableRow
}
STATUS current
DESCRIPTION
"Notification on events concerning the status and
health of the firewall"
::= { fwtrap 2 }
Grall [Page 55]
Internet-Draft Firewall MIB 20 April 1998
-- Example use: see introduction.
- -- The managementEventTrap is for events that relate to configuration
- -- changes, operating system changes, and patches to components on the
- -- firewall. The basicEventDetailsTableIndex represents the index of
- -- the row in the mgmtEventDetailsTable related to this event.
managementEventTrap NOTIFICATION-TYPE
OBJECTS {
basicEventsLogTableTrapIndex,
basicEventTime,
basicEventSource,
basicEventType,
basicEventDescription,
basicEventDetailsTableRow,
basicEventVendorDetailsTableRow
}
STATUS current
DESCRIPTION
"Notification of a configuration related event."
::= { fwtrap 3 }
-- Example use: see introduction.
- -- conformance information, see RFC1444
fwmibConformance OBJECT IDENTIFIER ::= { fwmib 5 }
fwmibCompliances OBJECT IDENTIFIER ::= { fwmibConformance 1 }
fwmibGroups OBJECT IDENTIFIER ::= { fwmibConformance 2 }
- -- compliance statements
fwCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMPv2 entities
which implement the Firewall MIB."
MODULE -- this module
GROUP basicEventsLogGroup
DESCRIPTION
"If the firewall will be sending traps, then the
Grall [Page 56]
Internet-Draft Firewall MIB 20 April 1998
basicEventsLog group is mandatory."
::= { fwmibCompliances 1 }
- -- units of conformance
basicEventsLogGroup OBJECT-GROUP
OBJECTS {
basicEventsLogTableLastValidRow,
basicEventsLogTableTrapIndex,
basicEventTime, basicEventSource,
basicEventType, basicEventDescription,
basicEventDetailsTableRow,
basicEventVendorDetailsTableRow
}
STATUS current
DESCRIPTION
"A collection of objects allowing the description of
events occurring on a firewall."
::= { fwmibGroups 1 }
otherEventsLogGroup OBJECT-GROUP
OBJECTS {
netEventsLogTableLastValidRow,
netEventInterface, netEventProtocol,
netEventICMPCommand, netEventSrcIpAddress,
netEventMappedSrcIpAddress, netEventDstIpAddress,
netEventMappedDstIpAddress, netEventSrcIpPort,
netEventMappedSrcIpPort, netEventDstIpPort,
netEventMappedDstIpPort, netEventService,
netEventServiceInformation, netEventAuthdEntity,
netEventRuleID, netEventActionReason,
healthEventsLogTableLastValidRow,
healthEventResourceType, healthEventResourceDetails,
healthEventProblemDetail, managementEventsLogTableLastValidRow,
managementEventSubjectName,
managementEventSubjectAction, managementEventActionDetail,
managementEventObjectManaged
}
STATUS current
DESCRIPTION
"A collection of objects allowing the description of
event details occurring on a firewall."
::= { fwmibGroups 2 }
Grall [Page 57]
Internet-Draft Firewall MIB 20 April 1998
fwqueryGroup1 OBJECT-GROUP
OBJECTS {
fwProductName, fwVersionMajor,
fwVersionMinor, fwOSName, fwOSVersion
}
STATUS current
DESCRIPTION
"A collection of objects allowing the collection of generic
information about the firewall."
::= { fwmibGroups 3 }
fwqueryGroup2 OBJECT-GROUP
OBJECTS {
fwModuleInformation, fwModuleVersion,
fwModulePatchLevel, fwModuleLicenseKey,
fwModuleSerialNumber,
fwModuleCfgID, fwModuleCfgDate, fwModuleCfgState
}
STATUS current
DESCRIPTION
"A collection of objects allowing the collection of information
about modules on the firewall."
::= { fwmibGroups 4 }
fwqueryGroup3 OBJECT-GROUP
OBJECTS {
resourceInformation,
resourceStatusDetail, resourceStatusInfo
}
STATUS current
DESCRIPTION
"A collection of objects allowing the collection of information
about service status on the firewall."
::= { fwmibGroups 5 }
fwqueryGroup4 OBJECT-GROUP
OBJECTS {
packetStatServiceDetail, packetsAccepted,
packetsDropped, packetsEncrypted, packetsInvalid, packetsIgnore,
packetsRejected, packetsForwarded, packetsFragmented
}
Grall [Page 58]
Internet-Draft Firewall MIB 20 April 1998
STATUS current
DESCRIPTION
"A collection of objects allowing the collection of packet statistics
on the firewall."
::= { fwmibGroups 6 }
fwqueryGroup5 OBJECT-GROUP
OBJECTS {
statResourceDetails,
statDataType, statValue,
statDescription
}
STATUS current
DESCRIPTION
"A collection of objects allowing the collection of statistics
about serivces/resources on the firewall."
::= { fwmibGroups 7 }
END
6. Acknowledgments
The Firewall MIB has benefitted greatly from the comments and instrumen-
tation work of many people. In addition to those already mentioned ear-
lier in this document, the following individuals have contributed to
this specification (with advance apologies to anyone who may have been
left out of this list):
Grall [Page 59]
Internet-Draft Firewall MIB 20 April 1998
Lee Brown
Dave Chouihard
Mike Coram
Holly Ding
Dorit Dor
Bill Funk
Dale Lancaster
Ken Laube
Herbert Lin
Ian McDonnell
Thomas Oeser
Ashok Nadkarni
Poornima Rao
Ephraim Vider
Cliff Wang
Michael Wittig
7. Security Considerations
@?@ Portions still TBD...
@?@ Address known threats
@?@ Address methods to mitigate threads and any residual risks
Users of this MIB will have access to data which is potentially not
secure. Users should take reasonable steps to protect the data for dis-
closure by using SNMPv3 or other encryption methods. It is not recom-
mended that objects in the MIB be supported or used in an "untrusted" or
unknown network environment unless privacy, authentication, and
integrity are provided (eg., use encryption).
There is the potential for unauthorized management stations to access
firewall MIB objects. Users should use SNMPv3 to provide management
identification and authentication.
Write operations to MIB objects are not supported, i.e., SNMP SETs are
currently not supported by this MIB. Many SNMP implementations and net-
work architectures do not support secure communications. After SNMPv3
is established the MIB may be expanded to include objects that can be
written.
The MIB defines very few objects related to configuration data. As
described in the section titled "Monitoring of Firewall Devices", there
is a risk of exposing a firewall's configuration, and possibly provide
Grall [Page 60]
Internet-Draft Firewall MIB 20 April 1998
an adversary information on a firewall's weaknesses.
8. References
[1] Cerf, V., "IAB Recommendations for the Development of Internet Net-
work Management Standards", RFC 1052, NRI, April 1988.
[2] Cerf, V., "Report of the Second Ad Hoc Network Management Review
Group", RFC 1109, NRI, August 1989.
[3] Rose M., and K. McCloghrie, "Structure and Identification of Manage-
ment Information for TCP/IP-based internets", STD 16, RFC 1155,
Performance Systems International, Hughes LAN Systems, May 1990.
[4] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S.
Waldbusser, "Structure of Management Information for Version 2 of
the Simple Network Management Protocol (SNMPv2)", RFC 1902, January
1996.
[5] McCloghrie K., and M. Rose, Editors, "Management Information Base
for Network Management of TCP/IP-based internets", STD 17, RFC
1213, Performance Systems International, March 1991.
[6] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network
Management Protocol", STD 15, RFC 1157, SNMP Research, Performance
Systems International, Performance Systems International, MIT
Laboratory for Computer Science, May 1990.
[7] SNMPv2 working Group, Case, J., McCloghrie, K., Rose, M., and S.
Waldbusser, "Protocol Operations for Version 2 of the Simple Net-
work Management Protocol (SNMPv2)", RFC 1905, January 1996.
[8] McCloghrie, K., and F. Kastenholz, "Evolution of the Interfaces
Group of MIB-II", RFC 1573, Hughes LAN Systems, FTP Software, Janu-
ary 1994.
[9] Information processing systems - Open Systems Interconnection -
Specification of Abstract Syntax Notation One (ASN.1), Interna-
tional Organization for Standardization. International Standard
8824, (December, 1987).
[10] Information processing systems - Open Systems Interconnection -
Specification of Basic Encoding Rules for Abstract Notation One
(ASN.1), International Organization for Standardization. Interna-
tional Standard 8825, (December, 1987).
[11] Rose, M., and K. McCloghrie, Editors, "Concise MIB Definitions",
Grall [Page 61]
Internet-Draft Firewall MIB 20 April 1998
RFC 1212, Performance Systems International, Hughes LAN Systems,
March 1991.
[12] Rose, M., Editor, "A Convention for Defining Traps for use with the
SNMP", RFC 1215, Performance Systems International, March 1991.
[13] Harrington, D., Presuhn, R., Wijnen, B., "An Architecture for
Describing SNMP Management Frameworks", RFC 2261, Cabletron Sys-
tems, Inc., January 1998.
9. Author's Address
Cindy Grall
Trusted Information Systems
3415 S. Sepulvida Blvd., suite 700
Los Angeles, CA 90034
Phone: (310) 737-1744
EMail: grall@tis.com
Appendix A: Sample Configurations and Scripts
This appendix will contain configuration and script samples for using
this MIB with some popular SNMP management products.
Appendix B: Changes
This section will be removed before final submittal as an RFC.
Since draft 00 (24 November 1997) of the Firewall MIB, the following
changes were made:
Grall [Page 62]
Internet-Draft Firewall MIB 20 April 1998
* The textual convention SnmpAdminString was added and all objects
using Utf8String where changed to use SnmpAdminString.
* More words were added to address things this MIB is NOT meant
to address.
* The three network event log tables were combined into one table,
references throughout the MIB to the old tables were removed/changed
as needed.
* Examples were moved into the RFC text and updated to reflect latest
MIB definition.
* The main OID name for the mib changed from 'spfw' to 'fwmib'.
* Some tables now use the InterfaceIndex textual convention
from RFC 2233.
* Some values (hardware, system, service) in EventTypeUnitTC were
combined into one resource set.
* Several new entries in EventTypeUnitTC were added.
* A resourceStatusInfo object was added to the resource status table.
* The service statistics table was redone.
* Each trap has a one-to-one correspondence to an event log table,
so reference for the OID to the details table was removed from
the trap's objects.
* The conformance groups were split up so that more MIB objects
can be optional.
* All index objects were changed to be 'not-accessible' as a result
basicEventLogIndex could not be used in the traps, so a new object
called basicEventsLogTableTrapIndex was created for this purpose.
Note that this list does not reflect minor changes in wording or correc-
tion of typographical or grammatical errors.
Grall [Page 63]