[Search] [txt|pdf|bibtex] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01                                                         
Internet Engineering Task Force                                 C. Grall
INTERNET-DRAFT                               Trusted Information Systems
Expires 25 October 1998                                    20 April 1998



                  Firewall Management Information Base


                   <draft-grall-firewall-mib-01.txt>



Status of this Memo

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet- Drafts as reference
   material or to cite them other than as "work in progress."

   To view the entire list of current Internet-Drafts, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or
   ftp.isi.edu (US West Coast).

Abstract

   This document defines a portion of the Management Information Base
   (MIB) for use with network management protocols in TCP/IP-based
   internets.  In particular, it defines objects for monitoring firewall
   devices.

Table of Contents

   Abstract
   Table of Contents
   The Network Management Framework
   Overview
       Textual Conventions
           SnmpAdminString
           EventTypeUnitTC
           ProtocolUnitTC



Grall                                                          [Page 1]


Internet-Draft                Firewall MIB                 20 April 1998


       Structure of MIB
           The Service Identifiers Group
           The Firewall Event Variables and Logs Group
           The Status and Statistics Group
           The Firewall Traps Group
   Monitoring of Firewall Devices
       Events
           Event Logs and Traps
           Details Table Use
           Trap Flooding
           Thresholds
           Log Tables
   Conventions
   Definitions
   Acknowledgments
   Security Considerations
   References
   Author's Address
   Appendix A: Sample Configurations and Scripts




1.  The Network Management Framework

The Internet-standard Network Management Framework consists of three
components.  They are:


     RFC 1902 [4] which defines the SMI, the mechanisms used for
     describing and naming objects for the purpose of management.


     STD 17, RFC 1213 [5] defines MIB-II, the core set of managed
     objects for the Internet suite of protocols.


     RFC 1157 [6], RFC 1905 [7], and RFC 2261 [13] which define three
     versions of the protocol used for network access to managed
     objects.

     The Framework permits new objects to be defined for the purpose of
     experimentation and evaluation.

     Managed objects are accessed via a virtual information store,
     termed the Management Information Base or MIB.  Within a given MIB
     module, objects are defined using RFC 1902's OBJECT-TYPE macro.  At
     a minimum, each object has a name, a syntax, an access-level, and



Grall                                                          [Page 2]


Internet-Draft                Firewall MIB                 20 April 1998


     an implementation-status.

     The name is an object identifier, an administratively assigned
     name, which specifies an object type.  The object type together
     with an object instance serves to uniquely identify a specific
     instantiation of the object.  For human convenience, we often use a
     textual string, termed the object descriptor, to also refer to the
     object type.

     The syntax of an object type defines the abstract data structure
     corresponding to that object type.  The ASN.1[9] language is used
     for this purpose.  However, RFC 1155[3] purposely restricts the
     ASN.1 constructs which may be used.  These restrictions are expli-
     citly made for simplicity.


2.  Overview

This document specifies a working draft of a Management Information Base
(MIB) definition intended for use in monitoring firewall systems with
network management protocols in TCP/IP-based internets.  All object
identifiers defined herein are under the private enterprises MIB tree.
This positioning would change if and when this MIB is adopted as stan-
dard.


2.1.  Textual Conventions

Several new data types are introduced including EventTypeUnitTC, and
ProtocolUnitTC.  The SnmpAdminString as proposed in the SNMPV3 documents
is also used.


2.1.1.  SnmpAdminString

The SnmpAdminString textual convention is used for all string variables.
The definition from the current RFC [13] is included in this MIB (rather
than referenced) until the RFC becomes a standard.


2.1.2.  EventTypeUnitTC

This textual convention enumerates many kinds of common events that may
happen on a firewall.  The list represents error conditions, unusual
events, and normal activities.






Grall                                                          [Page 3]


Internet-Draft                Firewall MIB                 20 April 1998


2.1.3.  ProtocolUnitTC

This textual convention is an enumeration of the most common protocols
used with TCP/IP-based network firewalls.


2.2.  Structure of MIB

The objects are arranged into the following groups:

        - service identifiers (service)

        - firewall event variables and logs (fwevent)

        - firewall status and statistics data (fwquery)

        - firewall traps (fwtrap)

These groups are the basic units of conformance.  If a firewall imple-
ments a group, then it should implement all objects in that group.  The
fwevent, fwquery and fwtrap groups are optional.  If the fwtrap group is
implemented, the fwevent group must also be implemented. The services
group must be supported if any of the other groups are implemented.

These groups are defined to provide a means of assigning object identif-
iers, and to provide a method for managed agents to know which objects
they must implement.


2.2.1.  The Service Identifiers Group

The service group defines object identifiers (OIDs) for resource,
classes of services, and particular services handled by firewalls.
These OIDs are used as values in variables in other groups of the MIB to
designate a service.

In this document and the MIB definition, "resource" is defined as any
service, application, proxy, hardware unit, utility, operating system,
product, engine, etc. on the firewall.  Resource can also refer to the
firewall as a whole.  Also, the term "service" is used interchangeably
with "resource" throughout the document and MIB.


2.2.2.  The Firewall Event Variables and Logs Group

The fwevent group defines tables for logging events that take place on
the firewall.  Management stations are notified of the events via traps
from the fwtrap group.



Grall                                                          [Page 4]


Internet-Draft                Firewall MIB                 20 April 1998


2.2.3.  The Status and Statistics Group

The fwquery group contains status and statistic information.  It
includes version information for the firewall and its resouces and ser-
vices.  It includes version information, staus details, and statistics
measured by firewall resources and services.


2.2.4.  The Firewall Traps Group

The fwtrap group defines the traps that a firewall can send.


3.  Monitoring of Firewall Devices

The scope of the MIB defined here is to provide information for the pur-
pose of monitoring firewall activity. The objects defined here provide
information about urgent events, security, health and status, and per-
formance of a firewall.  This information is provided in two ways, via
traps and through objects that must be queried. The traps also have
associated information that can be queried.

It is worth noting areas this MIB is not meant to address.  It is not
meant to replicate all firewall audit information or perform all of a
firewall's logging.  The information provided by the MIB objects is not
necessarily all the information needed for a full audit capability.  For
example, suspicious monitoring entities would probably require audit
information which would not be provided as part of this MIB.

The MIB is also not meant to be used for reporting about the configura-
tion of a firewall.  Currently, most firewall's use unique and/or
proprietary protocols and representations for dealing with the confi-
guration and 'policy'.  It was decided it would be too difficult to try
to create a generic set of MIB objects that could represent most
firewall configurations.  This MIB does not have many variables related
to configuration items.

Write operations to MIB objects are not supported, i.e., SNMP SETs are
currently not supported by this MIB.  One motivation for this is that
many SNMP implementations and network architectures do not support
secure communications.  Once SNMPv3 is established this can be revisted
and the MIB can be expanded to include objects that can be written.
Another motivation for not addressing SETs is that values typically
"SET" on a firewall would deal with the firewall's configuration and
'policy'.  Without a secure connection, the firewall's configuration
could be exposed.

This section provides details on the expected use of the objects defined



Grall                                                          [Page 5]


Internet-Draft                Firewall MIB                 20 April 1998


in section "Definitions" below.  It also presents some implementation
issues.


3.1.  Events

Many of the objects in the MIB are related to events on the firewall.
An event as far as this MIB is concerned is what a trap is created for,
and what is stored in the event logs.  An event can represent the
activity of a single user on the firewall, the status of a program on
the firewall, or a collection of firewall activities.  It is up to the
firewall vendor to decide what activities on the firewall are
represented as events in the MIB.

In order to provide a common set of events for MIB users and management
status, the MIB includes an enumeration of event types, EventTypeUnitTC.
The list includes the most common events that happen on a firewall.  The
comments included in the list describe the firewall activities each
entry is meant to represent.  It is understood that the list will prob-
ably not represent all possible events any particular firewall may
report on and there are generic entries that can be used for these
cases.

While the MIB's main purpose is to report about "unusual" events on a
firewall, it was felt that the MIB should not disallow reporting related
to "normal" events.  Items are included in EventTypeUnitTC to represent
"normal", "okay", "good", and "up" activities and conditions.  A
firewall vender can then choose to report any kind of activity through
MIB events.  For example, a firewall could equate a MIB event with an
audited event and report on all firewall activity with the MIB.


3.1.1.  Event Logs and Traps

The fwevent group defines a set of log tables for storing information
about events.  The fwtrap group defines a set of traps for reporting
about the events that have been recorded in the logs.  These two groups
are meant to work together.  Although it is possible to implement the
fwevent group without any trap support, this is not the purpose of the
logs in the fwevent group.

The event logs are represented by a set of tables.  There is a basic
table that holds information common to every event, and there are other
tables that contain different sets of detailed information.  Figure 1
provides a conceptual view of the tables.  The basic table points to one
of the MIB detail tables by table OID and row index.  The basic table
also (optionally) points to a firewall vendor defined details table.




Grall                                                          [Page 6]


Internet-Draft                Firewall MIB                 20 April 1998



                                           details table
         basic table entries               ------------------------
        ---------------------------|      |                      |
        |index                     |      |                      |
        |time                      |      |                      |
        |source                    |      |                      |
        |type                      |     /|                      |
        |description               |    / ------------------------
        |                          |   /
        |details table row         |--/
        |                          |
        |vendor details table row  |-\     vendor details table
        |                          |  \   ------------------------
        ----------------------------   \  |                      |
                                        \ |                      |
                                         \|                      |
                                          |                      |
                                          ------------------------

             Figure 1: Conceptual view of event log tables.

When an event (see section "Events") occurs on the firewall, the basic
table information is collected and, based on the event, a details table
is chosen and its information is collected as well.  This information is
stored on the firewall and a trap from the fwtrap group is sent.  The
trap contains the same information contained in the basic table.  The
management station then has the option to query the firewall and ask for
the rows from the tables specified in the trap.

Which trap is sent depends on the details table chosen.  For the
netEventsLogTable details table use the networkEventTrap trap.  For the
healthEventsLogTable details table use the healthEventTrap.  For the
managementEventsLogTable details table use the managementEventTrap.
There is a one-to-one mapping between a detail table and a trap.  Which
details table to query is chosen based on the trap that was sent.

Since the trap contains the EventTypeUnitTC and EventDescription values
for the event, a user or management station can use these values to make
decisions on whether the event details are useful or not.  The retrieval
of the details can be automated for many management stations.  Appendix
A contains some configuration and script examples for some of the more
popular management tools.


3.1.2.  Details Table Use

The MIB defines three log tables to record details about an event.  Each



Grall                                                          [Page 7]


Internet-Draft                Firewall MIB                 20 April 1998


table includes a different set of information.  Multiple tables were
defined rather than have one large table to lower the likelihood that
queries (and traps) would have many unneeded or undefined values.

The MIB does not dictate which details table must be used for recording
a particular event.  In order to ease management station configuration
this section lists the preferred details table for each of the sets of
event in EventTypeUnitTC.

The following lists each of the sets from the EventTypeUnitTC and the
preferred details table used:


                EventTypeUnitTC set     Details Table
                ------------------------------------------------
                other                   [any]
                hardware                healthEventsLogTable
                system                  healthEventsLogTable
                fwmodule                healthEventsLogTable
                mgmt                    managementEventsLogTable
                logging                 healthEventsLogTable
                routing                 netEventsLogTable
                packet                  netEventsLogTable
                encryption              netEventsLogTable
                network                 netEventsLogTable
                protocol                healthEventsLogTable
                service                 healthEventsLogTable
                configuration           healthEventsLogTable
                access                  netEventsLogTable
                authentication          netEventsLogTable
                attack                  netEventsLogTable
                contentInspection       netEventsLogTable
                debug                   healthEventsLogTable
                test                    healthEventsLogTable



3.1.3.  Trap Flooding

Under normal network conditions, one should not see many traps sent by a
firewall to a management station.  There is a potential for a large
number of traps to be sent by a firewall implementing this MIB.  This
depends on how the firewall maps activities to events and how many of a
particular event can occur in a short time.  The MIB has no variables
related to controlling which traps are sent or to limit the number of
traps sent. If this turns out to be a widespread problem after initial
reference implementation testing, it will be addressed in a later draft
of this MIB.



Grall                                                          [Page 8]


Internet-Draft                Firewall MIB                 20 April 1998


To provide firewall and SNMP management users some control it is sug-
gested that an agent implementation provide some on/off configuration
options for the events a firewall will report about.  Whether and how to
implement this and the granularity of the configuration control is
beyond the scope of this document.


3.1.4.  Thresholds

It was stated earlier that a particular firewall vendor defines what a
MIB event is on their firewall.  It is expected that some MIB events
will actually represent a set of activities on the firewall.  For exam-
ple, EventTypeUnitTC has an event called login attempts.  What is not
specified by the MIB is how many attempts happened before the event was
handled by the SNMP agent.

Individual thresholds for controlling which firewall activities are
represented as events in the MIB or for controlling which events should
generate traps are not specified in this MIB.  Some activities are unin-
teresting when they occur occasionally, but more interesting when they
are more frequent.  Firewall vendors decide which activities have thres-
holds and what kind of thresholds are available.


3.1.5.  Log Tables

All of the log tables defined in the fwevent group are used and indexed
in the same way.  This section addresses some implementation issues to
consider.  The MIB does not dictate how the tables are implemented, just
how the values of the variables in a table row are used.


3.1.5.1.  Table Size and Index Value

Table size is an implementation specific matter.  Each table has an
index variable to uniquely identify a row in the table.  The index is
assigned beginning with 1 when the table is created and increases by one
with each new log entry. Table creation will generally happen at
firewall system reboot, but may happen at any time (eg., when the
firewall's SNMP agent is restarted).

An agent implementation may even preserve data in the tables between
periods of down time (e.g., between firewall reboots).  Note that this
MIB does not require preservation of table information.  An example of a
reason for maintaining the data is for management stations that would
like to try and find out (quickly) why a machine rebooted.  Note thought
that this MIB is not trying to recreate a reliable logging function.




Grall                                                          [Page 9]


Internet-Draft                Firewall MIB                 20 April 1998


The agent may choose to delete the rows of a table as needed.  This may
be due to lack of space for the entries or due to other reasons (eg.,
the entries are too old).  A query to the table cannot assume anything
about the table's size or whether a particular index value in the table
is valid or not.

Deletion of rows in the table may be based on age (ie., the smallest
valid index is deleted) or based on some other scheme (eg., the priority
of the event is lower than other events in the log).  The MIB does not
place any requirements on which rows may or may not be deleted.

Each log table has a corresponding '...LogTableLastValidRow' object.
This variable can be used to obtain the index value of the last (or
newest) valid row in the table. Since the index value starts at 1 and
monotonically increases with each new entry, one can see how many events
have been recorded since the creation of the table by obtaining this
variable.


3.1.5.2.  Entry Order

The MIB places no requirements on the order of entries in the log
tables.  The order of entries in a table might not necessarily be in the
same order as the traps that arrive at the management station.  The
order of the entries in the basicEventsLogTable will not necessarily be
in order by the basicEventTime value.


3.1.5.3.  MIB Walks

There is a concern that for implementations that choose to use a large
log table size (eg., thousands of entries), that a MIB walk into the log
table will take a long time and will not necessarily be what the MIB
walker had in mind.  One way to address this concern is to allow the
administrator to be able to choose the maximum size of the log tables.


3.1.5.4.  Table Status

Section left in for now for historical reference, will be deleted.

[@?@ Earlier discussions addressed issues related to the status of the
various tables.  For example, a value for the time when old rows in a
table were deleted, a value for how many events are in the table, a
value for how "full" the table is, and a trap for when the table gets X%
full.  The majority opinion at that time was that overall these values
would not be useful, would unnecessarily complicate the MIB and instru-
mentation at the firewall, and could potentially cause too many traps



Grall                                                         [Page 10]


Internet-Draft                Firewall MIB                 20 April 1998


(since these kinds of values would probably end up as traps).  So most
of the table management information was left out of the MIB objects
until we get a better feel for how the MIB will be used.  Of course a
vendor can implement values like these in their private table.  Keep in
mind that event information should not be lost since these tables are
not meant to replace a robust logging mechanism.]


3.1.5.5.  Examples

The following examples are included to illustrate the use of object
identifiers and additional trap variables in a TRAP to describe a
firewall event.


3.1.5.5.1.  Network Event Example

Event: a telnet proxy running on a firewall system 199.94.211.1, is con-
figured to deny access to users not connecting from a network, say
199.94.200.0.  When denying access to a connection coming from
199.94.222.2, the proxy service might generate the following trap.

The trap type is set to 6 (enterprise specific).  A specific trap of
type 1 (networkEventTrap) is chosen to best describe this event.  The
networkEventTrap includes variables to point to the basicEventLogTable
and the netEventDetailsTable.

For this specific event the details table describes the entity making
the connection attempt and why the attempt failed.

TRAP networkEventTrap:

        trap type = 6 (enterprise specific)
        enterprise specific type = 1 (networkEventTrap)


Values set in the basicEventLogTable, the networkEventTrap contains the
same values except that it does not include basicEventDetailsTableOID:

        basicEventLogIndex = INTEGER (217)
        basicEventTime = TimeStamp
        basicEventSource = IpAddress (199.94.211.1)
        basicEventType = accessDeniedSource(1404)
        basicEventDescription = String ("XXX")
        basicEventDetailsTableRow = OID (netEventsLogTable.16)
        basicEventVendorDetailsTableRow = OID (0.0)





Grall                                                         [Page 11]


Internet-Draft                Firewall MIB                 20 April 1998

The netEventsLogTable would have a row containing the following:

        netEventLogIndex = INTEGER (16)
        netEventInterface = INTEGER (1)
        netEventProtocol = TCP (1)
        netEventICMPCommand =
        netEventSrcIpAddress = IpAddress (199.94.222.2)
        netEventMappedSrcIPAddress = IpAddress (NULL)
        netEventDstIPAddress = IpAddress (NULL)
        netEventMappedDstIPAddress = IpAddress (NULL)
        netEventSrcIPPort = INTEGER (3333)
        netEventMappedSrcIPPort = INTEGER (NULL)
        netEventDstIPPort = INTEGER (23)
        netEventMappedSrcIPort = INTEGER (NULL)
        netEventGenericService = OID (fwmib.service.svcLogin.telnet)
        netEventServiceInformation = String ("tn-gw")
        netEventAuthdEntity = String ("unknown")
        netEventRuleID = INTEGER (27, eg., the config. file line number)
        netEventActionReason = String ("source IP address denied")



3.1.5.5.2.  Health Event Example

A service on the firewall is misconfigured.  The firewall has an http
service and the system administrator configured it to run on port 8000.
But there is already another service running on port 8000.  The http
service cannot bind to the port.

The trap type is set to 6 (enterprise specific).  A specific trap of
type 2 (healthEventTrap) is chosen to best describe the event.

Values set in the basicEventLogTable, the healthEventTrap contains the
same values except that it does not include basicEventDetailsTableOID:

    basicEventLogIndex = INTEGER (12)
    basicEventTime = TimeStamp
    basicEventSource = IpAddress (201.217.12.1)
    basicEventType = configurationPortInUse(1305)
    basicEventDescription = String ("XXX")
    basicEventDetailsTableRow = OID (healthEventsLogTable.70)
    basicEventVendorDetailsTableRow = OID (0.0)


The healthEventsLogTable would have a row containing the following:






Grall                                                         [Page 12]


Internet-Draft                Firewall MIB                 20 April 1998


    healthEventLogIndex = INTEGER (70)
    healthEventResourceType    = OID (fwmib.service.svcWeb.http)
    healthEventResourceDetails = String ("http proxy")
    healthEventProblemDetail = String ("cannot bind to port 8000")



3.1.5.5.3.  Management Event Example

A new configuration effecting the whole firewall was loaded by a remote
configuration utility.

The trap type is set to 6 (enterprise specific).  A specific trap of
type 3 (managementEventTrap) is chosen to best describe the event.

Values set in the basicEventLogTable, the managementEventTrap contains
the same values except that it does not include basicEventDetailsTa-
bleOID:

    basicEventLogIndex = INTEGER (743)
    basicEventTime = TimeStamp
    basicEventSource = IpAddress (198.198.198.198)
    basicEventType = mgmtLoadedConfigRemote(407)
    basicEventDescription = String ("XXX")
    basicEventDetailsTableRow = OID (managementEventsLogTable.66)
    basicEventVendorDetailsTableRow = OID (0.0)


The managementEventsLogTable would have a row containing the following:

    managementEventLogIndex = INTEGER(66)
    managementEventSubjectName = String ("root")
    managementEventSubjectAction = mgmtLoadedConfigRemote(407)
    managementEventActionDetail = String ("new config. loaded")
    managementEventObjectManaged = OID (fwmib.service.svcFirewall)



4.  Conventions

The following conventions are used throughout the Firewall MIB.

   Good Packets

   Good packets are error-free packets that have a valid frame length.
   For example, on Ethernet, good packets are error-free packets that
   are between 64 octets long and 1518 octets long.  They follow the
   form defined in IEEE 802.3 section 3.2.all.



Grall                                                         [Page 13]


Internet-Draft                Firewall MIB                 20 April 1998


   Bad Packets

   Bad packets are packets that have proper framing and are therefore
   recognized as packets, but contain errors within the packet or have
   an invalid length.  For example, on Ethernet, bad packets have a
   valid preamble and SFD, but have a bad CRC, or are either shorter
   than 64 octets or longer than 1518 octets.


5.  Definitions









































Grall                                                         [Page 14]


Internet-Draft                Firewall MIB                 20 April 1998


FireWallMIB DEFINITIONS ::= BEGIN

- -- SUBTREE: 1.3.6.1.4.1.14.3.9
- -- iso.org.dod.internet.private.enterprises.bbn.products.fwmib

IMPORTS
        -- RFC 1904
        OBJECT-GROUP,
        MODULE-COMPLIANCE               FROM SNMPv2-CONF
        -- RFC 1902
        MODULE-IDENTITY,
        OBJECT-TYPE,
        NOTIFICATION-TYPE,
        IpAddress,
        enterprises,
        TimeTicks,
        Counter32                       FROM SNMPv2-SMI
        -- RFC 1903
        TEXTUAL-CONVENTION,
        TimeStamp                       FROM SNMPv2-TC
        -- RFC 2233
        InterfaceIndex                  FROM IF-MIB;


fwMIB MODULE-IDENTITY
        LAST-UPDATED "9803040000Z"      --March 4, 1998
        ORGANIZATION "GTE Corporation & Trusted Information Systems Inc."
        CONTACT-INFO
                "
                Comments should be sent to fwmib@tis.com
                Subscribe: majordomo@tis.com
                           In message body: subscribe fwmib

                Herbert Lin
                Tel: +1-617-873-5920
                E-mail: hlin@bbn.com

                Cindy Grall
                Tel: +1-310-737-1744
                E-mail: grall@tis.com

                Ephraim Vider
                Tel: +972-3-753-4592 (Israel)
                E-mail: eff@checkpoint.com

                Mike Wittig
                Tel: +1-954-973-5059
                E-mail: mwittig@mail.cybg.com



Grall                                                         [Page 15]


Internet-Draft                Firewall MIB                 20 April 1998


                "
        DESCRIPTION
                "The MIB module for entities implementing
                firewalls."
- --@?@ What's the correct value here?  MIBs that are RFCs seem to
- --    be using OIDs out of other MIB trees, like RFC1759 (the printer
- --    MIB) uses { mib-2 43 }.  The Internet Drafts appear to use
- --    { experimental 9999 } here, I will go with bbn for now so
- --    the ASN.1 will compile.
        ::= { bbn 9999 }

- -- textual conventions

SnmpAdminString ::= TEXTUAL-CONVENTION
        DISPLAY-HINT "255a"
        STATUS       current
        DESCRIPTION "An octet string containing administrative
                    information, preferably in human-readable form.

                    To facilitate internationalization, this
                    information is represented using the ISO/IEC
                    IS 10646-1 character set, encoded as an octet
                    string using the UTF-8 transformation format
                    described in [RFC2044].

                    Since additional code points are added by
                    amendments to the 10646 standard from time
                    to time, implementations must be prepared to
                    encounter any code point from 0x00000000 to
                    0x7fffffff.

                    The use of control codes should be avoided.

                    When it is necessary to represent a newline,
                    the control code sequence CR LF should be used.

                    The use of leading or trailing white space should
                    be avoided.

                    For code points not directly supported by user
                    interface hardware or software, an alternative
                    means of entry and display, such as hexadecimal,
                    may be provided.

                    For information encoded in 7-bit US-ASCII,
                    the UTF-8 encoding is identical to the
                    US-ASCII encoding.




Grall                                                         [Page 16]


Internet-Draft                Firewall MIB                 20 April 1998


                    Note that when this TC is used for an object that
                    is used or envisioned to be used as an index, then
                    a SIZE restriction must be specified so that the
                    number of sub-identifiers for any object instance
                    does not exceed the limit of 128, as defined by
                    [RFC1905].
                   "
       SYNTAX       OCTET STRING (SIZE (0..255))


- -- The following list of event types is meant to enumerate the most common
- -- events that happen on a firewall.
- --
- -- The list is organized into sets of common events.  Each set has an
- -- initial entry to designate the set.  The next two events in a set are
- -- meant to represent generic "okay"/"good"/"up" conditions and generic
- -- "error"/"failed"/"down" conditions.  The rest of the events in a set
- -- represent more detailed events (either good or bad).  The sets will
- -- probably not represent all the possible events on every firewall, but
- -- they are meant to be a good representation of events.  If an event
- -- just does not fit any of the sets, then use the 'other' choices.
- --
EventTypeUnitTC ::= TEXTUAL-CONVENTION
        STATUS current
        DESCRIPTION
           "Enumeration of types of events on the firewall"
        SYNTAX INTEGER {

        -- Undefined Events
        other(0),       -- the event type is not in this list
        otherOkay(1),   -- a normal event occurred
        otherError(2),  -- an error event occurred
        unknown(3),     -- could not determine the event type

        -- Resource events, could be hardware problems, operating system
        -- problems, or services problems
        resource(100),
        resourceOkay(101),
        resourceError(102),
        resourceUp(103),
        resourceUse(104), --normal use of a resource
        resourceDown(105),
        resourceStarting(106),
        resourceRestarting(107), -- the resource is going down and
                                -- coming back up
        resourceHalting(108), -- eg., the firewall is going down
        resourceExiting(109),
        resourceOverTemperature(110),



Grall                                                         [Page 17]


Internet-Draft                Firewall MIB                 20 April 1998


        resourceHighUse(111),  -- eg., the CPU usage is high
        resourceTestFailed(112),
        resourceBusy(113),
        resourceNoMedia(114), -- a device doesn't have its needed media
        resourceBackup(116), -- processing has switched to the backup
        resourceNoBackup(117), -- there is no backup to switch to
        resourceNoMemory(118),
        resourceNoBuffers(119),
        resourceSyscallFailed(120),
        resourceHighLoad(121),

        -- Events about the basic health of the firewall or particular modules
        fwmodule(300),
        fwmoduleUp(301), -- the module is up
        fwmoduleError(302),
        fwmoduleDown(303), -- the module is down
        fwmoduleStarting(304), -- the module is coming up
        fwmoduleExiting(305),
        fwmoduleRestarting(306),
        fwmoduleLicenseExceeded(307),

        -- Management events, these are events related to overall management
        -- tasks on the firewall.  For example, the configuration is being
        -- changed or a patch has been applied. This is from the perspective
        -- of the firewall, it is not a remote mgmt tool reporting on the
        -- activities it is doing.
        mgmt(400),
        mgmtOkay(401), -- a normal management event
        mgmtError(402), -- an error while performing firewall
                        -- management functions
        mgmtNoResponse(403), -- the firewall expected and received no
                             -- response from a mgmt tool
        mgmtReadConfigLocal(404), -- configuration information has been
                                  -- read
        mgmtReadConfigRemote(405), -- configuration information has been
                                   -- uploaded to a remote mgmt tool
        mgmtLoadedConfigLocal(406), -- a local mgmt tool loaded/applied a
                                    -- new config
        mgmtLoadedConfigRemote(407), -- a remote mgmt tool loaded/applied a
                                     -- new config.
        mgmtPatch(408), -- This event is used by the patching mechanism to
                        -- record what it patched. The genericService OID
                        -- would be the patching tool and the mgmtObjManaged
                        -- in the mgmtEventLogEntry would be the service
                        -- OID patched.  This would not be used by the
                        -- service being patched.  This alleviates the
                        -- confusion when the patching mechanism is patched.




Grall                                                         [Page 18]


Internet-Draft                Firewall MIB                 20 April 1998


        -- Log file events
        logging(500),
        loggingUp(501), -- logging is functioning normally
        loggingError(502), -- the logging facility had an error
        loggingStarting(503), -- the log daemon was started
        loggingExiting(504), -- the log daemon is exiting
        loggingRestarting(505), -- the log daemon was restarted
        loggingDown(506), -- the log daemon is not running
        loggingRolloverStarted(507), -- logging is switching to another file
        loggingFileFull(508), -- the log file/partition is full
        loggingFileOverwrite(509), -- the log file is being overwritten
        loggingFileMessagesLost(510), -- messages have been lost
        loggingStopped(511), -- logging is stopped until other
                             -- problems are resolved (eg., space is
                             -- free'd)
        loggingRolloverCompleted(512),
        loggingRolloverFailed(513),

        -- Routing events
        routing(600),
        routingOkay(601),
        routingError(602),
        routingNoRouteToHost(603),
        routingICMPRedirect(604),

        -- Packet handling
        packet(700),
        packetAccepted(701), -- accepted the packet
        packetError(702), -- unknown error with packet
        packetDropped(703), -- dropped packets (eg., internal buffer is full),
                            --  didn't even look at them, they could be
                            -- good or bad...
        packetInvalid(704), -- these are "bad" packets, see section 4.0
        packetIgnored(705), -- the packet was not meant for the firewall
        packetRejected(706), -- rejected packets based on rule(s)
        packetForwarded(707), -- forwarded packets based on rule(s)
        packetEncrypted(708),
        packetFragmented(709),

        -- En(De)cryption events
        encryption(800), -- generic/successful event
        encryptionUp(801), --encryption is functioning
        encryptionError(802), -- there was an encryption error
        encryptionDown(803),
        encryptionEncryptFailed(804),
        encryptionDecryptFailed(805),
        encryptionEncryptSucceeded(806),
        encryptionDecryptSucceeded(807),



Grall                                                         [Page 19]


Internet-Draft                Firewall MIB                 20 April 1998


        -- Network events
        network(900),
        networkUp(901),
        networkError(902),
        networkDown(903),
        networkCollision(904),
        networkDuplicateAddress(905),
        networkMyAddressInUse(906),
        networkNetUnreachable(907),
        networkStarting(908),
        networkRestarting(909),
        networkHostUnreachable(910),
        networkNoResponse(911),

        -- protocol related events
        protocol(1000), -- an event related to a protocol supported
        protocolEnabled(1001),
        protocolError(1002),
        protocolDisabled(1003), -- the requested protocol is disabled
        protocolNoDaemon(1004), -- there is no daemon for this protocol

        -- Service connection/network connectivity events
        connection(1100), -- a generic connection event
        connectionAccepted(1101),
        connectionError(1102),
        connectionDropped(1103),
        connectionClosed(1104),
        connectionTimedout(1105),
        connectionRefused(1106),
        connectionReset(1107),
        connectionNoResponse(1108),

        -- Configuration events, represent errors or problems with the
        -- configuration for the system or a service.
        configuration(1300),
        configurationOkay(1301),
        configurationError(1302), -- an error in processing the configuration
        configurationBadConfig(1303), -- the config provided is corrupt,
                                      -- invalid, or incomplete
        configurationArgumentError(1304), -- wrong arguments were provided
        configurationPortInUse(1305),
        configurationNoData(1306), -- the required data was not provided

        -- Access
        access(1400),
        accessGranted(1401), -- a service allowed use based on all its checks
        accessError(1402),
        accessDenied(1403), -- a client was denied use of a service



Grall                                                         [Page 20]


Internet-Draft                Firewall MIB                 20 April 1998


        accessDeniedSource(1404), -- client denied based on its source IP
        accessDeniedPolicy(1405), -- client denied based on the sec. policy
        accessDeniedUser(1406),  -- client denied based on the userid
        accessDeniedDest(1407), -- client denied based on the destination IP
        accessDeniedDestPort(1408), -- client denied based on dest. port
        accessDeniedFileRead(1409), -- the policy denied read access to a file
        accessDeniedFileWrite(1410), -- the policy denied write access to
                                     -- a file
        accessDeniedNetworkInterface(1411), -- the policy denied access to a
                                            -- particular net. int.
        accessDeniedDevice(1412), -- the policy denied access to a device

        -- Authentication and login events
        authentication(1500),
        authenticationSucceeded(1501), -- a user had a successful auth
        authenticationError(1502), -- error while auth'ing
        authenticationFailed(1503), -- a user failed an auth
        authenticationSucceededPriv(1504), -- a user logged in with or
                                           -- gained privilege
        authenticationFailedPrivileged(1505), -- user failed to gain/login
                                              -- with privilege
        authenticationFailedMulti(1506), -- multiple failed auth attempts
                                         -- by a user

        -- Security attack events,  these represent events that could
        -- be or that indicate a security attack is taking place on the
        -- firewall
        attack(1600),
        attackNone(1601),
        attackDenialOfService(1602),
        attackPing(1603), -- a ping of death attack
        attackPacketForward(1604), --
        attackSYNFlood(1605), -- a TCP SYN flood attack
        attackIPSpoof(1606), -- an IP address is being spoofed
        attackPortScan(1607), -- a port scan is/has taken place
        attackNameSpoof(1608), -- a name service (eg., DNS) name is spoofed
        attackSmurf(1609), -- see:
        -- http://www.quadrunner.com/~chuegen/smurf.txt
        attackTeardrop(1610),

        -- Content inspection events, these events just report that
        -- something was found. The details entry in for the event can
        -- report on what was found (eg., virus, company private info.,
        -- etc), what it was found in (eg., html, win32 executable, e-mail),
        -- and what was done with it (eg., the quarantine location).
        contentInspection(1700),
        contentInspectionOkay(1701), -- the check of the content was okay,
                                     -- nothing "bad" found



Grall                                                         [Page 21]


Internet-Draft                Firewall MIB                 20 April 1998


        contentInspectionError(1702), -- there was an error while checking
                                      -- content
        contentInspectionFound(1703), -- found something
        contentInspectionFoundCleaned(1704), -- found something and cleaned
                                              -- the content of it
        contentInspectionFoundRejected(1705), -- found something and threw
                                               -- the content away
        contentInspectionFoundSaved(1706), -- found something and saved the
                                            -- content in quarantine
        contentInspectionFoundNotified(1707), -- found something and
                                              -- notified someone

        -- Debugging event
        debug(1800),
        debugOkay(1801),
        debugError(1802),
        debugOn(1803), -- debugging mode is on/was turned on
        debugOff(1804), -- debugging mode is off/was turned off

        -- Testing events
        test(1900),
        testPassed(1901), -- a test passed
        testFailed(1902), -- a test failed
        testNoResponse(1903) -- there was no response for running a test

        }

ProtocolUnitTC ::= TEXTUAL-CONVENTION
        STATUS current
        DESCRIPTION

        "Enumeration of network protocols commonly used on firewalls."

        SYNTAX INTEGER {
                tcp(1),
                udp(2),
                icmp(3),
                ip(4),
                ipsec(5),
                igmp(6),
                arp(7),
                ggp(8),
                egp(9),
                rip(10),
                other(11) }


- -- This fwmib is divided into four main groups.  The first, fwmib.service,



Grall                                                         [Page 22]


Internet-Draft                Firewall MIB                 20 April 1998


- -- Service identifiers, defines OIDs used by other areas of the MIB.  The
- -- second, fwmib.fwevent, Event variables and logs, is described briefly
- -- above in the trap examples text. Third main group is fwmib.fwquery,
- -- the set of  variables for queries.  For a firewall this set is read only.
- -- The fourth group, fwmib.fwtrap, defines the traps for notification of
- -- extraordinary events on the firewall.
- --
- -- There is also a group for specifying MIB conformance as described in
- -- RFC1444, "Conformance Statements for version 2 of the Simple Network
- -- Management Protocol (SNMPv2)".

- -- @?@ bbn OIDs will change when this becomes an RFC...
bbn                     OBJECT IDENTIFIER ::= { enterprises 14 }
products                OBJECT IDENTIFIER ::= { bbn 3 }
fwmib                    OBJECT IDENTIFIER ::= { products 9 }

- --
- -- service group
- --
- -- The service group defines OIDs that are used by other parts of the MIB.
- -- The OIDs are used by traps to designate the generic service type
- -- causing the trap.  Expect this list to change occasionally as new service
- -- types emerge in the network/firewall community.  Once a service type
- -- is in use by two or more firewall vendors it can be considered for
- -- inclusion in the services group.  This change is treated as any other
- -- update to the MIB and will be included during a revision cycle.

- -- This list does not differentiate between a local service (eg., local
- -- login into the firewall via telnet) and a proxied service (eg., use of
- -- a telnet application gateway).  This information can be provided in a
- -- string, since each use of these OIDs in a MIB variable (usually as
- -- part of a table entry) has a corresponding description or information
- -- variable.

- -- Use of these OIDs in the MIB variables:
- --
- -- If a new service emerges that is not in the MIB yet, but that has been
- -- assigned a port number or other identifying number, then it can be
- -- represented by choosing the appropriate service category and using the
- -- assigned number.  For example, a new service called Foo Protocol (fp)
- -- is the latest rage on the Internet.  It is a multi-media protocol and
- -- has been assigned port number XXX.  The OID used to represent the
- -- service would be fwmib.service.svcMultimedia.XXX.  The corresponding
- -- information variable can provide the protocol name.
- --
- -- If the firewall supports a service or protocol that is unique or
- -- specific to that firewall, then the OID used to represent the service
- -- will include that vendor's enterprise number.  For example, the Foo



Grall                                                         [Page 23]


Internet-Draft                Firewall MIB                 20 April 1998


- -- firewall has a Bar service.  The firewall company's enterprise number
- -- is ZZZ and they have chosen W to represent the Bar service.  The
- -- OID used would be fwmib.service.svcOther.ZZZ.W It is the vendor's
- -- responsibility to publish definitions of the numbers used.
- --
- -- In any of the cases above where a service listed below cannot be used,
- -- the service can be further described with the serviceInformation object.
- --
- -- The numbers assigned in the list correspond, when possible, to the
- -- assigned port number for a protocol or other assigned number as
- -- appropriate (eg., the protocol number for IP protocols).
- --
- -- Alternatively a vendor can define an OID in their enterprise tree and
- -- use that value for genericService.  It is the vendor's responsibility
- -- to publish these OIDs.
- --

service                 OBJECT IDENTIFIER ::= { fwmib 1 }

- -- represents the firewall as a whole, useful when statistics or events
- -- apply to the whole firewall
- --
svcFirewall OBJECT IDENTIFIER ::= { service 1 }

- --
svcOther OBJECT IDENTIFIER ::= { service 2 }

- --
svcFileTransfer OBJECT IDENTIFIER ::= { service 3 }
        ftp OBJECT IDENTIFIER ::= { svcFileTransfer 21 }
        tftp OBJECT IDENTIFIER ::= { svcFileTransfer 69 }
        ftps OBJECT IDENTIFIER ::= { svcFileTransfer 990 } -- ftp over ssl

- --
svcLogin OBJECT IDENTIFIER ::= { service 4 }
        login OBJECT IDENTIFIER ::= { svcLogin 1 } -- a login/su program
        telnet OBJECT IDENTIFIER ::= { svcLogin 23 }
        rlogin OBJECT IDENTIFIER ::= { svcLogin 513 }
        telnets OBJECT IDENTIFIER ::= { svcLogin 992 } -- telnet over ssl

- --
svcRemoteExecution OBJECT IDENTIFIER ::= { service 5 }
        sunRPC OBJECT IDENTIFIER ::= { svcRemoteExecution 111 }
        rsh OBJECT IDENTIFIER ::= { svcRemoteExecution 514 }
        xserver OBJECT IDENTIFIER ::= { svcRemoteExecution 6000 }

- --
svcWeb OBJECT IDENTIFIER ::= { service 6 }



Grall                                                         [Page 24]


Internet-Draft                Firewall MIB                 20 April 1998


        gopher OBJECT IDENTIFIER ::= { svcWeb 70 }
        http OBJECT IDENTIFIER ::= { svcWeb 80 }
        pointcast OBJECT IDENTIFIER ::= { svcWeb 90 }
        https OBJECT IDENTIFIER ::= { svcWeb 443 } -- also know as shttp

- --
svcMail OBJECT IDENTIFIER ::= { service 7 }
        sendmail OBJECT IDENTIFIER ::= { svcMail 1 }
        smtp OBJECT IDENTIFIER ::= { svcMail 25 }
        pop2 OBJECT IDENTIFIER ::= { svcMail 109 }
        pop3 OBJECT IDENTIFIER ::= { svcMail 110 }
        smtps OBJECT IDENTIFIER ::= { svcMail 465 } -- smtp over ssl
        pop3s OBJECT IDENTIFIER ::= { svcMail 995 } -- pop3 over ssl

- --
svcNews OBJECT IDENTIFIER ::= { service 8 }
        nntp OBJECT IDENTIFIER ::= { svcNews 119 }
        nntps OBJECT IDENTIFIER ::= { svcNews 563 } -- nntp over ssl

- --
svcMultimedia OBJECT IDENTIFIER ::= { service 9 }
        irc OBJECT IDENTIFIER ::= { svcMultimedia 194 }
        talk OBJECT IDENTIFIER ::= { svcMultimedia 517 }
        ircs OBJECT IDENTIFIER ::= { svcMultimedia 994 } -- irc over ssl
        streamworks OBJECT IDENTIFIER ::= { svcMultimedia 1558 }
        h323 OBJECT IDENTIFIER ::= { svcMultimedia 1718 }
        netShow OBJECT IDENTIFIER ::= { svcMultimedia 1755 }
        vDOLive   OBJECT IDENTIFIER ::= { svcMultimedia 7000 }
        realAV OBJECT IDENTIFIER ::= { svcMultimedia 7070 }

- --
svcDatabase OBJECT IDENTIFIER ::= { service 10 }
        dbSybas OBJECT IDENTIFIER ::= { svcDatabase 1 }
        dbInformix OBJECT IDENTIFIER ::= { svcDatabase 3 }
        -- for sql*net
        dbOracle OBJECT IDENTIFIER ::= { svcDatabase 66 }
        dbMSsql OBJECT IDENTIFIER ::= { svcDatabase 1433 }

- -- these are the current areas that are checked for today, eg., there
- -- are products or engines that scan in these areas
svcContentInspection OBJECT IDENTIFIER ::= { service 11 }
        virus OBJECT IDENTIFIER ::= { svcContentInspection 1 }
        certificate OBJECT IDENTIFIER ::= { svcContentInspection 2 }
        -- eg., Java, Active-X
        programLanguage OBJECT IDENTIFIER ::= { svcContentInspection 3 }
        url OBJECT IDENTIFIER ::= { svcContentInspection 4 }
        mailHeader OBJECT IDENTIFIER ::= { svcContentInspection 5 }
        -- eg., company private



Grall                                                         [Page 25]


Internet-Draft                Firewall MIB                 20 April 1998


        proprietaryData OBJECT IDENTIFIER ::= { svcContentInspection 6 }
        prohibitedLanguage OBJECT IDENTIFIER ::= { svcContentInspection 7 }

- --
svcDirectory OBJECT IDENTIFIER ::= { service 12 }
        nis OBJECT IDENTIFIER ::= { svcDirectory 1 }
        dns OBJECT IDENTIFIER ::= { svcDirectory 53 }
        netbiosns OBJECT IDENTIFIER ::= { svcDirectory 137 }
        netbiosdgm OBJECT IDENTIFIER ::= { svcDirectory 138 }
        netbiosssn OBJECT IDENTIFIER ::= { svcDirectory 139 }
        ldap OBJECT IDENTIFIER ::= { svcDirectory 389 }
        wins OBJECT IDENTIFIER ::= { svcDirectory 1512 }

- --
svcOperatingSystem OBJECT IDENTIFIER ::= { service 13 }
        inetd OBJECT IDENTIFIER ::= { svcOperatingSystem 1 }
        cron OBJECT IDENTIFIER ::= { svcOperatingSystem 2 }
        kernel OBJECT IDENTIFIER ::= { svcOperatingSystem 3 }
        fileSystem OBJECT IDENTIFIER ::= { svcOperatingSystem 4 }
        printer OBJECT IDENTIFIER ::= { svcOperatingSystem 515 }

- --
svcManagement OBJECT IDENTIFIER ::= { service 14 }
        mgmtTool OBJECT IDENTIFIER ::= { svcManagement 1 }
        patchTool OBJECT IDENTIFIER ::= { svcManagement 2 }
        snmp OBJECT IDENTIFIER ::= { svcManagement 161 }

- --
svcEncryption OBJECT IDENTIFIER ::= { service 15 }
        ipsec OBJECT IDENTIFIER ::= { svcEncryption 1 }
        vpn OBJECT IDENTIFIER ::= { svcEncryption 2 }
        kerberos        OBJECT IDENTIFIER ::= { svcEncryption 88 }
        isakmp OBJECT IDENTIFIER ::= { svcEncryption 500 }
- --
svcPacketFilter OBJECT IDENTIFIER ::= { service 16 }

- -- network address translation
svcNAT OBJECT IDENTIFIER ::= { service 17 }

- --
svcAuthentication OBJECT IDENTIFIER ::= { service 18 }
        password OBJECT IDENTIFIER ::= { svcAuthentication 1 }
        skey OBJECT IDENTIFIER ::= { svcAuthentication 2 }
         -- Digital Pathways
        snk OBJECT IDENTIFIER ::= { svcAuthentication 3 }
        -- Enigma Logics
        silvercard OBJECT IDENTIFIER ::= { svcAuthentication 4 }
        crytocard OBJECT IDENTIFIER ::= { svcAuthentication 5 }



Grall                                                         [Page 26]


Internet-Draft                Firewall MIB                 20 April 1998


        -- Digital Pathways server
        dss OBJECT IDENTIFIER ::= { svcAuthentication 6 }
         -- Enigma Logics
        safeword OBJECT IDENTIFIER ::= { svcAuthentication 7 }
        vasco OBJECT IDENTIFIER ::= { svcAuthentication 8 }
        apop OBJECT IDENTIFIER ::= { svcAuthentication 9 }
        digipass OBJECT IDENTIFIER ::= { svcAuthentication 10 }
        secureID OBJECT IDENTIFIER ::= { svcAuthentication 755 }
- --
svcLog OBJECT IDENTIFIER ::= { service 19 }
        syslog OBJECT IDENTIFIER ::= { svcLog 514 }

- --
svcTime OBJECT IDENTIFIER ::= { service 20 }
        time OBJECT IDENTIFIER ::= { svcTime 37 }
        ntp OBJECT IDENTIFIER ::= { svcTime 123 }
        timed OBJECT IDENTIFIER ::= { svcTime 525 }

- --
svcGroupware OBJECT IDENTIFIER ::= { service 21 }
        exchange OBJECT IDENTIFIER ::= { svcGroupware 1 } -- Microsoft
        lotusNotes OBJECT IDENTIFIER ::= { svcGroupware 1352 }

- --
svcHardware OBJECT IDENTIFIER ::= { service 22 }
        memory OBJECT IDENTIFIER ::= { svcHardware 1 }
        disk OBJECT IDENTIFIER ::= { svcHardware 2 }
        power OBJECT IDENTIFIER ::= { svcHardware 3 }
        netinterface OBJECT IDENTIFIER ::= { svcHardware 4 }
        tape OBJECT IDENTIFIER ::= { svcHardware 5 }
        controller OBJECT IDENTIFIER ::= { svcHardware 6 }

- --
svcQuery OBJECT IDENTIFIER ::= { service 23 }
        whois OBJECT IDENTIFIER ::= { svcQuery 43 }
        finger OBJECT IDENTIFIER ::= { svcQuery 79 }
        ident OBJECT IDENTIFIER ::= { svcQuery 113 }

- --
svcFileShare OBJECT IDENTIFIER ::= { service 24 }
        nfsStatus OBJECT IDENTIFIER ::= { svcFileShare 1110 }
        nfs OBJECT IDENTIFIER ::= { svcFileShare 2049 }

- -- mainly used in the module and statistics tables to designate that
- -- information applies to the protocol class chosen
svcProtocol OBJECT IDENTIFIER ::= { service 25 }
        icmp OBJECT IDENTIFIER ::= { svcProtocol 1 }
        igmp OBJECT IDENTIFIER ::= { svcProtocol 2 }



Grall                                                         [Page 27]


Internet-Draft                Firewall MIB                 20 April 1998


        tcp OBJECT IDENTIFIER ::= { svcProtocol 6 }
        udp OBJECT IDENTIFIER ::= { svcProtocol 17 }
        ip OBJECT IDENTIFIER ::= { svcProtocol 255 }

- --
- -- The firewall event group
- --

- -- The firewall event group defines a set of variables and tables used to
- -- log and track extraordinary firewall events.  The tables are filled in
- -- when an event occurs and then a trap is sent referencing the filled in
- -- row.

- -- For any particular event up to three tables will be referenced.  The
- -- general event information will go into one table and the details are
- -- placed in another.  A third vendor defined table can also be used.
- -- There is only one table defined for general information.

- -- The table chosen for event details depends on the event type and the
- -- set of detailed information available at the time the event took place.
- -- The general table has a value to point to the table and row containing
- -- the event's details.  A trap is sent once the relevant tables are
- -- filled in.  The trap contains pointers to the tables used.

- -- A management station can wait for a trap to get details on an event.
- -- Alternatively the management station can query the objects in this
- -- group at any time to retrieve event information.

fwevent                      OBJECT IDENTIFIER ::= { fwmib 2 }

- --
- -- BASIC EVENTS LOG
- --
- -- This group defines the basic table containing information that is
- -- logged for every event on the firewall.  The table is defined along
- -- with one variable to obtain the index value of the last valid row in
- -- the table.  To obtain the first valid index value, query the table
- -- (via GETNEXT) for the first entry in the table.
- --
- -- The index of the last valid row also indicates the total number of
- -- events logged in the table since reboot.
- --

basicEventsLog          OBJECT IDENTIFIER ::= { fwevent 1 }

basicEventsLogTableLastValidRow OBJECT-TYPE
        SYNTAX INTEGER(1..2147483647)
        MAX-ACCESS read-only



Grall                                                         [Page 28]


Internet-Draft                Firewall MIB                 20 April 1998


        STATUS current
        DESCRIPTION

        "The index value of the last valid row in the basicEventsLogTable."

        ::= { basicEventsLog 1 }

basicEventsLogTableTrapIndex OBJECT-TYPE
        SYNTAX INTEGER(1..2147483647)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "The index value of the row provided in the traps."

        ::= { basicEventsLog 2 }

basicEventsLogTable OBJECT-TYPE
        SYNTAX SEQUENCE OF BasicEventsLogEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION

        "Table of basic data for firewall events."

        ::= { basicEventsLog 3 }

basicEventsLogEntry OBJECT-TYPE
        SYNTAX BasicEventsLogEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION

        "An entry in the table, containing general information
        about an event."

        INDEX { basicEventLogIndex }
        ::= { basicEventsLogTable 1 }

BasicEventsLogEntry ::= SEQUENCE {
        basicEventLogIndex      INTEGER(1..2147483647),
        basicEventTime          TimeStamp,
        basicEventSource        IpAddress,
        basicEventType          EventTypeUnitTC,
        basicEventDescription   SnmpAdminString,
        basicEventDetailsTableRow OBJECT IDENTIFIER,
        basicEventVendorDetailsTableRow OBJECT IDENTIFIER
        }



Grall                                                         [Page 29]


Internet-Draft                Firewall MIB                 20 April 1998


basicEventLogIndex OBJECT-TYPE
        SYNTAX  INTEGER(1..2147483647)
        MAX-ACCESS  not-accessible
        STATUS  current
        DESCRIPTION

        "An index that uniquely identifies an entry
        in the log table.  These indices are assigned
        beginning with 1 and increase by one with each
        new log entry.  The agent may choose to delete the
        instances of basicEventEntry as required
        because of lack of memory.  It is an implementation
        specific matter as to when this deletion may occur and
        as to which log entries are deleted."

        ::= { basicEventsLogEntry 1 }

basicEventTime OBJECT-TYPE
        SYNTAX TimeStamp
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "The time that the Event occurred."

        ::= { basicEventsLogEntry 2 }

basicEventSource OBJECT-TYPE
        SYNTAX IpAddress
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "The IP address of the firewall entity where the event
        occurred, the IP address of the entity.  If there are two
        or more IP addresses there is no guarantee which IP
        address will be used."

        ::= { basicEventsLogEntry 3 }

basicEventType OBJECT-TYPE
        SYNTAX EventTypeUnitTC
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "What type of event this is."




Grall                                                         [Page 30]


Internet-Draft                Firewall MIB                 20 April 1998


        ::= { basicEventsLogEntry 4 }

basicEventDescription OBJECT-TYPE
        SYNTAX  SnmpAdminString
        MAX-ACCESS read-only
        STATUS  current
        DESCRIPTION

        "An (optional) description of the event."

        ::= { basicEventsLogEntry 5 }

basicEventDetailsTableRow OBJECT-TYPE
        SYNTAX  OBJECT IDENTIFIER
        MAX-ACCESS read-only
        STATUS  current
        DESCRIPTION

        "A pointer to a row in the table containing details about this
        event. It will be one of the tables defined in this
        MIB.  One of type1NetEventsLogTable, type2NetEventsLogTable,
        type3NetEventsLogTable, healthEventsLogTable,
        managementEventsLogTable.  The last sub-identifier(s) of the OID
        represents the specific row index values for the row in the table
        that contains the data."

        ::= { basicEventsLogEntry 6 }

basicEventVendorDetailsTableRow OBJECT-TYPE
        SYNTAX  OBJECT IDENTIFIER
        MAX-ACCESS read-only
        STATUS  current
        DESCRIPTION

        "This value is vendor defined. Generally this will be a
        pointer to a table and row containing vendor specific details
        about this event.  It is up to firewall vendor to define how
        this value should be interpreted and to publish this information.
        If a vendor private table is not supported, then the NULL OID
        value (0.0) should be provided."

        ::= { basicEventsLogEntry 7 }


- -- NETWORK EVENTS LOG
- --
- -- A details table with information related to network events
- -- or events involving "users" of the firewall resources and services



Grall                                                         [Page 31]


Internet-Draft                Firewall MIB                 20 April 1998


- -- (eg., traffic flows through the firewall or a user authenticating
- -- to use a firewall service).

netEventsLog    OBJECT IDENTIFIER ::= { fwevent 4 }

netEventsLogTableLastValidRow OBJECT-TYPE
        SYNTAX INTEGER(1..2147483647)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "The index value of the last valid row in the netEventsLogTable."

        ::= { netEventsLog 1 }

netEventsLogTable OBJECT-TYPE
        SYNTAX SEQUENCE OF NetEventsLogEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION

        "Table of detailed data for transport events."

        ::= { netEventsLog 2}

netEventsLogEntry OBJECT-TYPE
        SYNTAX NetEventsLogEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION

        "An entry in the table, containing detailed information
        about an event."

        INDEX { netEventLogIndex }
        ::= { netEventsLogTable 1 }

NetEventsLogEntry ::= SEQUENCE {
        netEventLogIndex        INTEGER(1..2147483647),
        netEventInterface       InterfaceIndex,
        netEventProtocol           ProtocolUnitTC,
        netEventICMPCommand     INTEGER,
        netEventSrcIpAddress    IpAddress,
        netEventMappedSrcIpAddress      IpAddress,
        netEventDstIpAddress       IpAddress,
        netEventMappedDstIpAddress IpAddress,
        netEventSrcIpPort               INTEGER(0..65535),
        netEventMappedSrcIpPort INTEGER(0..65535),



Grall                                                         [Page 32]


Internet-Draft                Firewall MIB                 20 April 1998


        netEventDstIpPort               INTEGER(0..65535),
        netEventMappedDstIpPort INTEGER(0..65535),
        netEventService         OBJECT IDENTIFIER,
        netEventServiceInformation      SnmpAdminString,
        netEventAuthdEntity     SnmpAdminString,
        netEventRuleID          INTEGER(0..65535),
        netEventActionReason    SnmpAdminString
        }

netEventLogIndex OBJECT-TYPE
        SYNTAX  INTEGER(1..2147483647)
        MAX-ACCESS  not-accessible
        STATUS  current
        DESCRIPTION

        "An index that uniquely identifies an entry
        in the log table.  These indices are assigned
        beginning with 1 and increase by one with each
        new log entry.  The agent may choose to delete the
        instances of basicEventEntry as required
        because of lack of memory.  It is an implementation
        specific matter as to when this deletion may occur and
        as to which log entries are deleted."

        ::= { netEventsLogEntry 1 }

netEventInterface OBJECT-TYPE
        SYNTAX InterfaceIndex
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "The interface number that any packets may have arrived on
        or that activity may have taken place on.  [Will be zero if
        no interface was involved.]"

        ::= { netEventsLogEntry 2 }

netEventProtocol OBJECT-TYPE
        SYNTAX ProtocolUnitTC
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "Enumeration of possible network protocols."

        ::= {  netEventsLogEntry 3 }




Grall                                                         [Page 33]


Internet-Draft                Firewall MIB                 20 April 1998


netEventICMPCommand OBJECT-TYPE
        SYNTAX INTEGER {
                echoreply(0),
                destunreach(3),
                sourcequench(4),
                redirect(5),
                echo(8),
                timeexceeded(11),
                paramprob(12),
                timestamp(13),
                timestampreply(14),
                mask(17),
                maskreply(18),
                traceroute(30),
                notICMP(41) }
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "Enumeration of the most common types of ICMP packets, the
        numbers used above represent the ICMP Type number currently
        assigned by IANA."

        ::= { netEventsLogEntry 4 }

netEventSrcIpAddress OBJECT-TYPE
        SYNTAX IpAddress
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "Source IP address as provided in an IP packet."

        ::= { netEventsLogEntry 5 }

netEventMappedSrcIpAddress OBJECT-TYPE
        SYNTAX IpAddress
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "Source IP address after network address translation
        has been applied."

        ::= { netEventsLogEntry 6 }

netEventDstIpAddress OBJECT-TYPE
        SYNTAX IpAddress



Grall                                                         [Page 34]


Internet-Draft                Firewall MIB                 20 April 1998


        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "Destination IP address as provided in an IP packet
        or by a service user."

        ::= { netEventsLogEntry 7 }

netEventMappedDstIpAddress OBJECT-TYPE
        SYNTAX IpAddress
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "Destination IP address after network address translation
        has been applied."

        ::= { netEventsLogEntry 8 }

netEventSrcIpPort OBJECT-TYPE
        SYNTAX INTEGER (0..65535)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "Source UDP/TCP port as provided in an IP packet."

        ::= { netEventsLogEntry 9 }

netEventMappedSrcIpPort OBJECT-TYPE
        SYNTAX INTEGER (0..65535)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "Source UDP/TCP port after any port translation or change
        has been applied."

        ::= { netEventsLogEntry 10 }

netEventDstIpPort OBJECT-TYPE
        SYNTAX INTEGER (0..65535)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "Destination UDP/TCP port as provided in an IP packet



Grall                                                         [Page 35]


Internet-Draft                Firewall MIB                 20 April 1998


        or by a service user."

        ::= { netEventsLogEntry 11 }

netEventMappedDstIpPort OBJECT-TYPE
        SYNTAX INTEGER (0..65535)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "Destination UDP/TCP port after any port translation or change
        has been applied."

        ::= { netEventsLogEntry 12 }

netEventService OBJECT-TYPE
        SYNTAX OBJECT IDENTIFIER
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "The identification of the type of service notifying about the
        event.  This value may be chosen from the fwmib.service
        or vendor specific trees.  The description in serviceInformation
        can be used to designate a particular service from within this
        service type."

        ::= { netEventsLogEntry 13 }

netEventServiceInformation OBJECT-TYPE
        SYNTAX SnmpAdminString
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "Specific service information.  This can be used to
        designate the particular service within a genericService
        type and/or it can designate whether the service is a local
        service or a gateway service.  For example, if the value
        for genericService is service.svcLogin.telnet, then the
        string provided might be local telnet."

        ::= { netEventsLogEntry 14 }

netEventAuthdEntity OBJECT-TYPE
        SYNTAX SnmpAdminString
        MAX-ACCESS read-only
        STATUS current



Grall                                                         [Page 36]


Internet-Draft                Firewall MIB                 20 April 1998


        DESCRIPTION

        "A userid, username, processid or other identifier for the entity
        using the service. If there is no such information then 'none'
        must be provided."

        ::= { netEventsLogEntry 15 }

netEventRuleID OBJECT-TYPE
        SYNTAX INTEGER (0..65535)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "INTEGER representation of a rule identifier.  How
        to interpret the number provided is defined by the
        firewall vendor.  Eg., it may represent a configuration
        line number in a file, or a rule number in a table."

        ::= { netEventsLogEntry 16 }

netEventActionReason OBJECT-TYPE
        SYNTAX SnmpAdminString
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "A detailed description of the reason the ruleAction took
        place.  Could be a copy of the rule used."

        ::= { netEventsLogEntry 17 }

- -- HEALTH EVENTS LOG
- --
- -- This table is used for events related to the firewall's health and
- -- status.  The events can be for hardware or software resources.

healthEventsLog         OBJECT IDENTIFIER ::= { fwevent 5 }

healthEventsLogTableLastValidRow OBJECT-TYPE
        SYNTAX INTEGER(1..2147483647)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "The index value of the last valid row in the healthEventsLogTable."

        ::= { healthEventsLog 1 }



Grall                                                         [Page 37]


Internet-Draft                Firewall MIB                 20 April 1998


healthEventsLogTable OBJECT-TYPE
        SYNTAX SEQUENCE OF HealthEventsLogEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION

        "Table of detailed data for firewall health events."

        ::= { healthEventsLog 2 }

healthEventsLogEntry OBJECT-TYPE
        SYNTAX HealthEventsLogEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION

        "An entry in the table, containing detailed information
        about a health event."

        INDEX { healthEventLogIndex }
        ::= { healthEventsLogTable 1 }

HealthEventsLogEntry ::= SEQUENCE {
        healthEventLogIndex             INTEGER(1..2147483647),
        healthEventResourceType         OBJECT IDENTIFIER,
        healthEventResourceDetails      SnmpAdminString,
        healthEventProblemDetail        SnmpAdminString
        }

healthEventLogIndex OBJECT-TYPE
        SYNTAX  INTEGER(1..2147483647)
        MAX-ACCESS  not-accessible
        STATUS  current
        DESCRIPTION

        "An index that uniquely identifies an entry
        in the log table.  These indices are assigned
        beginning with 1 and increase by one with each
        new log entry.  The agent may choose to delete the
        instances of basicEventEntry as required
        because of lack of memory.  It is an implementation
        specific matter as to when this deletion may occur and
        as to which log entries are deleted."

        ::= { healthEventsLogEntry 1 }

healthEventResourceType OBJECT-TYPE
        SYNTAX OBJECT IDENTIFIER



Grall                                                         [Page 38]


Internet-Draft                Firewall MIB                 20 April 1998


        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "The identification of the type of resource notifying about the
        problem.  This value may be chosen from the fwmib.service
        or vendor specific trees.  The description in
        healthEventResourceDetails can be used to provide more details
        about the resource."

        ::= { healthEventsLogEntry 2 }

healthEventResourceDetails OBJECT-TYPE
        SYNTAX SnmpAdminString
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "Specific resource information.  This can be used to
        designate details about the service OID chosen."

::= { healthEventsLogEntry 3 }

healthEventProblemDetail OBJECT-TYPE
        SYNTAX SnmpAdminString
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "Details on the problem being reported.  Used if more
        detail is needed to interpret the value used in
        basicEventType from the basicEventsTable entry."

        ::= { healthEventsLogEntry 4 }

- -- MANAGEMENT EVENTS LOG
- --
- -- This table is used for reporting events related to management of the
- -- firewall.

managementEventsLog             OBJECT IDENTIFIER ::= { fwevent 6 }

managementEventsLogTableLastValidRow OBJECT-TYPE
        SYNTAX INTEGER(1..2147483647)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION




Grall                                                         [Page 39]


Internet-Draft                Firewall MIB                 20 April 1998


        "The index value of the last valid row in the
        managementEventsLogTable."

        ::= { managementEventsLog 1 }

managementEventsLogTable OBJECT-TYPE
        SYNTAX SEQUENCE OF ManagementEventsLogEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION

        "Table of detailed data for firewall management events."

        ::= { managementEventsLog 2 }

managementEventsLogEntry OBJECT-TYPE
        SYNTAX ManagementEventsLogEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION

        "An entry in the table, containing detailed information
        about a management event."

        INDEX { managementEventLogIndex }
        ::= { managementEventsLogTable 1 }

ManagementEventsLogEntry ::= SEQUENCE {
        managementEventLogIndex                 INTEGER(1..2147483647),
        managementEventSubjectName      SnmpAdminString,
        managementEventSubjectAction    EventTypeUnitTC,
        managementEventActionDetail     SnmpAdminString,
        managementEventObjectManaged         OBJECT IDENTIFIER
        }

managementEventLogIndex OBJECT-TYPE
        SYNTAX  INTEGER(1..2147483647)
        MAX-ACCESS  not-accessible
        STATUS  current
        DESCRIPTION

        "An index that uniquely identifies an entry
        in the log table.  These indices are assigned
        beginning with 1 and increase by one with each
        new log entry.  The agent may choose to delete the
        instances of basicEventEntry as required
        because of lack of memory.  It is an implementation
        specific matter as to when this deletion may occur and



Grall                                                         [Page 40]


Internet-Draft                Firewall MIB                 20 April 1998


        as to which log entries are deleted."

        ::= { managementEventsLogEntry 1 }

managementEventSubjectName OBJECT-TYPE
        SYNTAX SnmpAdminString
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "The userid, processid, or other unique information that
        designates which subject is causing the management event
        event."

        ::= { managementEventsLogEntry 2 }

managementEventSubjectAction OBJECT-TYPE
        SYNTAX EventTypeUnitTC
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "What a subject did on the firewall."

        ::= { managementEventsLogEntry 3 }

managementEventActionDetail OBJECT-TYPE
        SYNTAX SnmpAdminString
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "Details on the management event based on the
        subjectAction chosen."

        ::= { managementEventsLogEntry 4 }

managementEventObjectManaged OBJECT-TYPE
        SYNTAX OBJECT IDENTIFIER
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "The identification of the type of resource begin managed.
        This value may be chosen from the fwmib.service or vendor specific
        trees. "

        ::= { managementEventsLogEntry 5 }



Grall                                                         [Page 41]


Internet-Draft                Firewall MIB                 20 April 1998


- --
- -- fwquery group
- --
- -- The query group defines status and statistical data at the firewall.
- -- The data included here concentrate on variables not covered by
- -- other MIBs.

- -- All data are designated as read-only.  Changes to a firewall's
- -- configuration or any of the data here is assumed to take place via
- -- a different channel.

- -- We encourage the firewall to support MIB-II for resource information
- -- when possible.  To that extent, this query group does not include any
- -- objects that are covered by MIB-II.

fwquery                 OBJECT IDENTIFIER ::= { fwmib 3 }
fwinformation           OBJECT IDENTIFIER ::= { fwquery 1 }
fwstatus                OBJECT IDENTIFIER ::= { fwquery 2 }
fwstatistic             OBJECT IDENTIFIER ::= { fwquery 3 }

- -- The firewall product related queries

fwProductName OBJECT-TYPE
        SYNTAX  SnmpAdminString
        MAX-ACCESS read-only
        STATUS  current
        DESCRIPTION

        "The product name of the firewall."

        ::= { fwinformation 1 }

fwVersionMajor OBJECT-TYPE
        SYNTAX  SnmpAdminString
        MAX-ACCESS read-only
        STATUS  current
        DESCRIPTION

        "The major version of the firewall as a whole."

        ::= { fwinformation 2 }

fwVersionMinor OBJECT-TYPE
        SYNTAX  SnmpAdminString
        MAX-ACCESS read-only
        STATUS  current
        DESCRIPTION




Grall                                                         [Page 42]


Internet-Draft                Firewall MIB                 20 April 1998


        "The minor version of the firewall as a whole."

        ::= { fwinformation 3 }

fwOSName OBJECT-TYPE
        SYNTAX  SnmpAdminString
        MAX-ACCESS read-only
        STATUS  current
        DESCRIPTION

        "The specific vendor's name for the operating system the firewall
        is running on.  For Unix type operating systems this would usually be
        the output from 'uname -s'."

        ::= { fwinformation 4 }

fwOSVersion OBJECT-TYPE
        SYNTAX  SnmpAdminString
        MAX-ACCESS read-only
        STATUS  current
        DESCRIPTION

        "The specific vendor's version for the operating system the firewall
        is running on.  For Unix type operating systems this would usually be
        the output from 'uname -r'."

        ::= { fwinformation 5 }

- -- The firewall module table is used to provide additional version and
- -- status information for firewall modules.  The definition of a module
- -- is vendor specific.  At the least the firewall should provide one row
- -- for this table to represent the firewall system as a whole (ie, the
- -- value used for fwModuleType would be services.svcFirewall).  For values
- -- in this table that the firewall module does not support (eg., the
- -- module does not support serial numbers), the value used would be
- -- "NULL".

fwModuleInfoTable OBJECT-TYPE
        SYNTAX SEQUENCE OF FwModuleInfoEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION

        "Table of firewall Module entries that provide
        version and status information."

        ::= { fwinformation 6 }




Grall                                                         [Page 43]


Internet-Draft                Firewall MIB                 20 April 1998


fwModuleInfoEntry OBJECT-TYPE
        SYNTAX FwModuleInfoEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION

        "An entry in the table, containing information about a
         module."

        INDEX { fwModuleType }
        ::= { fwModuleInfoTable 1 }

FwModuleInfoEntry ::= SEQUENCE {
        fwModuleType            OBJECT IDENTIFIER,
        fwModuleInformation     SnmpAdminString,
        fwModuleVersion         SnmpAdminString,
        fwModulePatchLevel      SnmpAdminString,
        fwModuleLicenseKey      SnmpAdminString,
        fwModuleSerialNumber    SnmpAdminString,
        fwModuleCfgID           SnmpAdminString,
        fwModuleCfgDate         TimeStamp,
        fwModuleCfgState        INTEGER }

fwModuleType OBJECT-TYPE
        SYNTAX  OBJECT IDENTIFIER
        MAX-ACCESS not-accessible
        STATUS  current
        DESCRIPTION

        "Firewall module type.  This can be an OID from the services
        group, or the vendor can choose to define OIDs in their
        enterprise group."

        ::= { fwModuleInfoEntry 1 }

fwModuleInformation OBJECT-TYPE
        SYNTAX  SnmpAdminString
        MAX-ACCESS read-only
        STATUS  current
        DESCRIPTION

        "Detailed information to designate the specific firewall
        module or service based on the type chosen for fwModuleInfoType."

        ::= { fwModuleInfoEntry 2 }

fwModuleVersion OBJECT-TYPE
        SYNTAX  SnmpAdminString



Grall                                                         [Page 44]


Internet-Draft                Firewall MIB                 20 April 1998


        MAX-ACCESS read-only
        STATUS  current
        DESCRIPTION

        "Module Version."

        ::= { fwModuleInfoEntry 3 }

fwModulePatchLevel OBJECT-TYPE
        SYNTAX  SnmpAdminString
        MAX-ACCESS  read-only
        STATUS  current
        DESCRIPTION

        "Module Patch Level."

        ::= { fwModuleInfoEntry 4 }

fwModuleLicenseKey OBJECT-TYPE
        SYNTAX SnmpAdminString
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "Module license key"

        ::= { fwModuleInfoEntry 5 }

fwModuleSerialNumber OBJECT-TYPE
        SYNTAX  SnmpAdminString
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "Module serial number."

        ::= { fwModuleInfoEntry 6 }

fwModuleCfgID OBJECT-TYPE
        SYNTAX  SnmpAdminString
        MAX-ACCESS read-only
        STATUS  current
        DESCRIPTION

        "Module configuration ID."

        ::= { fwModuleInfoEntry 7 }




Grall                                                         [Page 45]


Internet-Draft                Firewall MIB                 20 April 1998


fwModuleCfgDate OBJECT-TYPE
        SYNTAX TimeStamp
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "Module configuration date."

        ::= { fwModuleInfoEntry 8 }

fwModuleCfgState OBJECT-TYPE
        SYNTAX INTEGER {
                inprogress(1),
                done(2),
                reconfigFailed(3)
        }
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "Enumeration of the state the module's
        configuration is in."

        ::= { fwModuleInfoEntry 9 }

- -- The resource information related queries, this table is for
- -- providing the status of the resources on the firewall.  Resources
- -- can include hardware or software modules on the firewall.

resourceStatusTable OBJECT-TYPE
        SYNTAX SEQUENCE OF ResourceStatusEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION

        "Table of firewall resource entries"

        ::= { fwstatus 1 }

resourceStatusEntry OBJECT-TYPE
        SYNTAX ResourceStatusEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION

        "An entry in the table, containing information about a
        resource."




Grall                                                         [Page 46]


Internet-Draft                Firewall MIB                 20 April 1998


        INDEX { resourceType }
        ::= { resourceStatusTable 1 }

ResourceStatusEntry ::= SEQUENCE {
        resourceType            OBJECT IDENTIFIER,
        resourceInformation     SnmpAdminString,
        resourceStatusDetail    EventTypeUnitTC,
        resourceStatusInfo      SnmpAdminString
        }

resourceType OBJECT-TYPE
        SYNTAX  OBJECT IDENTIFIER
        MAX-ACCESS not-accessible
        STATUS  current
        DESCRIPTION

        "Resource type. This can be an OID from the services
        group, or the vendor can choose to define OIDs in their
        enterprise group."

        ::= { resourceStatusEntry 1 }

resourceInformation OBJECT-TYPE
        SYNTAX  SnmpAdminString
        MAX-ACCESS read-only
        STATUS  current
        DESCRIPTION

        "Detailed information to further designate the specific firewall
        resource or service reporting status."

        ::= { resourceStatusEntry 2 }

resourceStatusDetail OBJECT-TYPE
        SYNTAX EventTypeUnitTC
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "Enumeration of firewall resource status/events.  This
        list applies to hardware and software resources provided
        and used by the firewall."

        ::= { resourceStatusEntry 3 }

resourceStatusInfo OBJECT-TYPE
        SYNTAX  SnmpAdminString
        MAX-ACCESS read-only



Grall                                                         [Page 47]


Internet-Draft                Firewall MIB                 20 April 1998


        STATUS  current
        DESCRIPTION

        "Detailed information to further describe the status of
        the resource if the value for resourceStatusDetails is not
        descriptive enough."

        ::= { resourceStatusEntry 4 }

- -- The statistic related queries

- -- This group contains several tables, each table can be used to provide
- -- the indicated statistics for any firewall resource or service.  The tables
- -- all contain rows for (and are indexed by) each service that the statistic
- -- applies to.
- --
- -- The tables in this group can be used to provide statistics on:
- --
- --      packet level data (packetStatTable)
- --      service level data (fwStatTable)
- --
- -- The packetStatTable includes variables to record the number of packets
- -- handled by the firewall in various ways.
- --
- -- In all the tables, for any Counter32 objects that are not supported,
- -- a value of "0" is returned.

packetStatTable OBJECT-TYPE
        SYNTAX SEQUENCE OF PacketStatEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION

        "Table of firewall packet statistic entries."

        ::= { fwstatistic 1 }

packetStatEntry OBJECT-TYPE
        SYNTAX PacketStatEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION

        "An entry in the table, containing information about a
        statistic."

        INDEX { packetStatServiceType, packetNetInterface }
        ::= { packetStatTable 1 }



Grall                                                         [Page 48]


Internet-Draft                Firewall MIB                 20 April 1998


PacketStatEntry ::= SEQUENCE {
        packetStatServiceType           OBJECT IDENTIFIER,
        packetNetInterface              InterfaceIndex,
        packetStatServiceDetail         SnmpAdminString,
        packetsAccepted                 Counter32,
        packetsDropped                  Counter32,
        packetsEncrypted                Counter32,
        packetsInvalid                  Counter32,
        packetsIgnore                   Counter32,
        packetsRejected                 Counter32,
        packetsForwarded                Counter32,
        packetsFragmented               Counter32
}

packetStatServiceType OBJECT-TYPE
        SYNTAX  OBJECT IDENTIFIER
        MAX-ACCESS not-accessible
        STATUS  current
        DESCRIPTION

        "The identification of the type of service notifying about the
        event.  This value may be chosen from the fwmib.service
        or vendor specific trees.  The description in packetStatServiceDetail
        can be used to designate a particular service from within this
        service type."

        ::= { packetStatEntry 1 }

packetNetInterface OBJECT-TYPE
        SYNTAX InterfaceIndex
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION

        "The interface number that the packet(s) arrived on."

        ::= { packetStatEntry 2 }

packetStatServiceDetail OBJECT-TYPE
        SYNTAX SnmpAdminString
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "Specific service information.  This can be used to
        further designate the particular service.  It can also be
        used to designate different types of packet statistics from
        the same service (e.g., the kernel counts rejected packets



Grall                                                         [Page 49]


Internet-Draft                Firewall MIB                 20 April 1998


        meant to be forwared and meant to be accepted as two seperate
        counts)."

        ::= { packetStatEntry 3 }

packetsAccepted OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS  current
        DESCRIPTION

        "Number of packets accepted."

        ::= { packetStatEntry 4 }

packetsDropped OBJECT-TYPE
        SYNTAX  Counter32
        MAX-ACCESS read-only
        STATUS  current
        DESCRIPTION

        "Number of packets dropped."

        ::= { packetStatEntry 5 }

packetsEncrypted OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS  current
        DESCRIPTION
                "Number of packets encrypted."
        ::= { packetStatEntry 6 }

packetsInvalid OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS  current
        DESCRIPTION

        "Number of bad (see section 4.0) packets received."

        ::= { packetStatEntry 7 }

packetsIgnore OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS  current
        DESCRIPTION



Grall                                                         [Page 50]


Internet-Draft                Firewall MIB                 20 April 1998


        "Number of bad (see section 4.0) packets ignored."

        ::= { packetStatEntry 8 }

packetsRejected OBJECT-TYPE
        SYNTAX  Counter32
        MAX-ACCESS read-only
        STATUS  current
        DESCRIPTION

        "Number of packets rejected."

        ::= { packetStatEntry 9 }

packetsForwarded OBJECT-TYPE
        SYNTAX  Counter32
        MAX-ACCESS read-only
        STATUS  current
        DESCRIPTION

        "Number of packets forwarded."

        ::= { packetStatEntry 10 }

packetsFragmented OBJECT-TYPE
        SYNTAX  Counter32
        MAX-ACCESS read-only
        STATUS  current
        DESCRIPTION

        "Number of packets fragmented."

        ::= { packetStatEntry 11 }

- -- The Firewall Statistics Table Definition
- --
- -- This table can be used to provide the statistics
- -- for any firewall resource or service.  This table contains rows for
- -- (and are indexed by) each service to which the statistic applies.
- --
- -- This table can be used to provide statistics on any of the events
- -- that are also reported via traps, as well as any other events included
- -- in EventTypeUnitTC.  For example to report on the number of users
- -- that where denied access to the ftp service you could use the following:
- --
- --  resource = OID (service.svcFileTransfer.ftp)
- --  resourceDetails = STRING ("the ftp proxy")
- --  statisticType = accessDenied(1403)



Grall                                                         [Page 51]


Internet-Draft                Firewall MIB                 20 April 1998


- --  statsDataType = count
- --  statsValue = INTEGER (35)
- --  statDescription = STRING ("The number of users of the ftp proxy that...")
- --  statStartTime = TimeStamp (####)
- --  statElapsedTime = ??
- --
- -- The table contains a column to provide details about the statistic
- -- being reported on.  So, for example, if the statistic is for a particular
- -- user, this can be provided in the statDescription.

resourceStatTable OBJECT-TYPE
        SYNTAX          SEQUENCE OF ResourceStatEntry
        MAX-ACCESS      not-accessible
        STATUS          current
        DESCRIPTION

        "Table of firewall statistic entries."

        ::= { fwstatistic 2 }

resourceStatEntry OBJECT-TYPE
        SYNTAX          ResourceStatEntry
        MAX-ACCESS      not-accessible
        STATUS          current
        DESCRIPTION

        "An entry in the table, containing information about a
        firewall statistic."

        INDEX { statResourceType, statType }
        ::= { resourceStatTable 1 }

ResourceStatEntry ::= SEQUENCE {
        statResourceType        OBJECT IDENTIFIER,
        statResourceDetails     SnmpAdminString,
        statType                EventTypeUnitTC,
        statDataType            INTEGER,
        statValue               OCTET STRING,
        statDescription         SnmpAdminString
        }

statResourceType OBJECT-TYPE
        SYNTAX          OBJECT IDENTIFIER
        MAX-ACCESS      not-accessible
        STATUS          current
        DESCRIPTION

        "The identification of the type of service providing statistics



Grall                                                         [Page 52]


Internet-Draft                Firewall MIB                 20 April 1998


        This value may be chosen from the fwmib.service
        or vendor specific trees.  The description in
        statResourceDetails can be used to designate a
        particular service from within this service type."

        ::= { resourceStatEntry 1 }

statResourceDetails OBJECT-TYPE
        SYNTAX SnmpAdminString
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "Specific service information.  This can be used to
        designate the particular service reporting the statistic."

        ::= { resourceStatEntry 2 }

statType OBJECT-TYPE
        SYNTAX EventTypeUnitTC
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION

        "The type of statistic this row is reporting on.  This along with
        statResourceType provides a unique index into the table."

        ::= { resourceStatEntry 3 }

statDataType OBJECT-TYPE
        SYNTAX INTEGER {
                counter(1),
                int(2),
                percent(3),
                gauge(4),
                timestmp(5) }
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "The data type of the statistic value in this row.  This value
        is used to interpret the data provided in statValue."

        ::= { resourceStatEntry 4 }

statValue OBJECT-TYPE
        SYNTAX OCTET STRING (SIZE(1..8))
        MAX-ACCESS read-only



Grall                                                         [Page 53]


Internet-Draft                Firewall MIB                 20 April 1998


        STATUS current
        DESCRIPTION

        "The value of the statistic, the type of this value is provided
        in statDataType.  Regardless of the type of the value, the
        bytes are interpreted in network byte order. @?@ any opinions @?@

        If the statDataType value is 'counter' then @?@ any restrictions?

        If the statDataType value is 'int' then this value shall be
        @?@X bytes long maximum. @?@ any opinions?

        If the statDataType value is 'percent' then this value shall
        be an integer value between 00 and 100 inclusive.

        If the statDataType value is 'gauge' then this value shall
        be @?@.

        If the statDataType value is 'timestmp' then this value shall
        be @?@."

        ::= { resourceStatEntry 5 }

statDescription OBJECT-TYPE
        SYNTAX SnmpAdminString
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION

        "A more detailed description of the statistic provided in
        case the statType does not give a good indication of what
        the data in statValue represents."

        ::= { resourceStatEntry 6 }


- --
- -- fwtrap group
- --
- -- The fwtrap group defines the trap types that a firewall may
- -- send.

fwtrap                  OBJECT IDENTIFIER ::= { fwmib 4 }

- -- Traps are defined using the conventions in SNMPv2-SMI
- --
- -- The networkEventTrap is used for events related to the network
- -- operation in the firewall.  This includes packet screening events and



Grall                                                         [Page 54]


Internet-Draft                Firewall MIB                 20 April 1998


- -- service events.  The trap contains the OID/row index of the
- -- netEventDetailsTable and the OID/row and index of the vendor private
- -- table. Then the management station can choose to access the event
- -- details without having to query the base table.

networkEventTrap NOTIFICATION-TYPE

        OBJECTS {
                basicEventsLogTableTrapIndex,
                basicEventTime,
                basicEventSource,
                basicEventType,
                basicEventDescription,
                basicEventDetailsTableRow,
                basicEventVendorDetailsTableRow
        }
        STATUS current
        DESCRIPTION

        "Network event notification from network components."

        ::= { fwtrap 1 }

        -- Example use: see introduction.

- -- The healthEventTrap is used for events related to configuration problems,
- -- resource problems, service problems, and system problems.  The
- -- basicEventDetailsTableIndex represents the index of the row in
- -- the healthEventDetailsTable related to this event.

healthEventTrap NOTIFICATION-TYPE
        OBJECTS {
                basicEventsLogTableTrapIndex,
                basicEventTime,
                basicEventSource,
                basicEventType,
                basicEventDescription,
                basicEventDetailsTableRow,
                basicEventVendorDetailsTableRow
        }
        STATUS current
        DESCRIPTION

        "Notification on events concerning the status and
        health of the firewall"

        ::= { fwtrap 2 }




Grall                                                         [Page 55]


Internet-Draft                Firewall MIB                 20 April 1998


        -- Example use: see introduction.

- -- The managementEventTrap is for events that relate to configuration
- -- changes, operating system changes, and patches to components on the
- -- firewall.  The basicEventDetailsTableIndex represents the index of
- -- the row in the mgmtEventDetailsTable related to this event.

managementEventTrap NOTIFICATION-TYPE
        OBJECTS {
                basicEventsLogTableTrapIndex,
                basicEventTime,
                basicEventSource,
                basicEventType,
                basicEventDescription,
                basicEventDetailsTableRow,
                basicEventVendorDetailsTableRow
        }

        STATUS current
        DESCRIPTION

        "Notification of a configuration related event."

        ::= { fwtrap 3 }

        -- Example use: see introduction.


- -- conformance information, see RFC1444

fwmibConformance OBJECT IDENTIFIER ::= { fwmib 5 }
fwmibCompliances OBJECT IDENTIFIER ::= { fwmibConformance 1 }
fwmibGroups  OBJECT IDENTIFIER ::= { fwmibConformance 2 }

- -- compliance statements

fwCompliance MODULE-COMPLIANCE
        STATUS  current
        DESCRIPTION

        "The compliance statement for SNMPv2 entities
        which implement the Firewall MIB."

        MODULE  -- this module

        GROUP basicEventsLogGroup
        DESCRIPTION
                "If the firewall will be sending traps, then the



Grall                                                         [Page 56]


Internet-Draft                Firewall MIB                 20 April 1998


                basicEventsLog group is mandatory."

        ::= { fwmibCompliances 1 }

- -- units of conformance

basicEventsLogGroup OBJECT-GROUP
        OBJECTS {
        basicEventsLogTableLastValidRow,
        basicEventsLogTableTrapIndex,
        basicEventTime, basicEventSource,
        basicEventType, basicEventDescription,
        basicEventDetailsTableRow,
        basicEventVendorDetailsTableRow
        }
        STATUS current
        DESCRIPTION

        "A collection of objects allowing the description of
        events occurring on a firewall."

        ::= { fwmibGroups 1 }

otherEventsLogGroup OBJECT-GROUP
        OBJECTS {
        netEventsLogTableLastValidRow,
        netEventInterface, netEventProtocol,
        netEventICMPCommand, netEventSrcIpAddress,
        netEventMappedSrcIpAddress, netEventDstIpAddress,
        netEventMappedDstIpAddress, netEventSrcIpPort,
        netEventMappedSrcIpPort, netEventDstIpPort,
        netEventMappedDstIpPort, netEventService,
        netEventServiceInformation, netEventAuthdEntity,
        netEventRuleID, netEventActionReason,
        healthEventsLogTableLastValidRow,
        healthEventResourceType, healthEventResourceDetails,
        healthEventProblemDetail, managementEventsLogTableLastValidRow,
        managementEventSubjectName,
        managementEventSubjectAction, managementEventActionDetail,
        managementEventObjectManaged
        }
        STATUS current
        DESCRIPTION

        "A collection of objects allowing the description of
        event details occurring on a firewall."

        ::= { fwmibGroups 2 }



Grall                                                         [Page 57]


Internet-Draft                Firewall MIB                 20 April 1998


fwqueryGroup1 OBJECT-GROUP
        OBJECTS {
        fwProductName, fwVersionMajor,
        fwVersionMinor, fwOSName, fwOSVersion
        }
        STATUS current
        DESCRIPTION

        "A collection of objects allowing the collection of generic
        information about the firewall."

        ::= { fwmibGroups 3 }

fwqueryGroup2 OBJECT-GROUP
        OBJECTS {
        fwModuleInformation, fwModuleVersion,
        fwModulePatchLevel, fwModuleLicenseKey,
        fwModuleSerialNumber,
        fwModuleCfgID, fwModuleCfgDate, fwModuleCfgState
        }
        STATUS current
        DESCRIPTION

        "A collection of objects allowing the collection of information
        about modules on the firewall."

        ::= { fwmibGroups 4 }

fwqueryGroup3 OBJECT-GROUP
        OBJECTS {
        resourceInformation,
        resourceStatusDetail, resourceStatusInfo
        }
        STATUS current
        DESCRIPTION

        "A collection of objects allowing the collection of information
        about service status on the firewall."

        ::= { fwmibGroups 5 }


fwqueryGroup4 OBJECT-GROUP
        OBJECTS {
        packetStatServiceDetail, packetsAccepted,
        packetsDropped, packetsEncrypted, packetsInvalid, packetsIgnore,
        packetsRejected, packetsForwarded, packetsFragmented
        }



Grall                                                         [Page 58]


Internet-Draft                Firewall MIB                 20 April 1998


        STATUS current
        DESCRIPTION

        "A collection of objects allowing the collection of packet statistics
        on the firewall."

        ::= { fwmibGroups 6 }

fwqueryGroup5 OBJECT-GROUP
        OBJECTS {
        statResourceDetails,
        statDataType, statValue,
        statDescription
        }
        STATUS current
        DESCRIPTION

        "A collection of objects allowing the collection of statistics
        about serivces/resources on the firewall."

        ::= { fwmibGroups 7 }

END






6.  Acknowledgments

The Firewall MIB has benefitted greatly from the comments and instrumen-
tation work of many people.  In addition to those already mentioned ear-
lier in this document, the following individuals have contributed to
this specification (with advance apologies to anyone who may have been
left out of this list):















Grall                                                         [Page 59]


Internet-Draft                Firewall MIB                 20 April 1998



                Lee Brown
                Dave Chouihard
                Mike Coram
                Holly Ding
                Dorit Dor
                Bill Funk
                Dale Lancaster
                Ken Laube
                Herbert Lin
                Ian McDonnell
                Thomas Oeser
                Ashok Nadkarni
                Poornima Rao
                Ephraim Vider
                Cliff Wang
                Michael Wittig



7.  Security Considerations

@?@ Portions still TBD...

@?@ Address known threats

@?@ Address methods to mitigate threads and any residual risks

Users of this MIB will have access to data which is potentially not
secure.  Users should take reasonable steps to protect the data for dis-
closure by using SNMPv3 or other encryption methods. It is not recom-
mended that objects in the MIB be supported or used in an "untrusted" or
unknown network environment unless privacy, authentication, and
integrity are provided (eg., use encryption).

There is the potential for unauthorized management stations to access
firewall MIB objects.  Users should use SNMPv3 to provide management
identification and authentication.

Write operations to MIB objects are not supported, i.e., SNMP SETs are
currently not supported by this MIB.  Many SNMP implementations and net-
work architectures do not support secure communications.  After SNMPv3
is established the MIB may be expanded to include objects that can be
written.

The MIB defines very few objects related to configuration data.  As
described in the section titled "Monitoring of Firewall Devices", there
is a risk of exposing a firewall's configuration, and possibly provide



Grall                                                         [Page 60]


Internet-Draft                Firewall MIB                 20 April 1998


an adversary information on a firewall's weaknesses.


8.  References

[1] Cerf, V., "IAB Recommendations for the Development of Internet Net-
     work Management Standards", RFC 1052, NRI, April 1988.

[2] Cerf, V., "Report of the Second Ad Hoc Network Management Review
     Group", RFC 1109, NRI, August 1989.

[3] Rose M., and K. McCloghrie, "Structure and Identification of Manage-
     ment Information for TCP/IP-based internets", STD 16, RFC 1155,
     Performance Systems International, Hughes LAN Systems, May 1990.

[4]  SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S.
     Waldbusser, "Structure of Management Information for Version 2 of
     the Simple Network Management Protocol (SNMPv2)", RFC 1902, January
     1996.

[5] McCloghrie K., and M. Rose, Editors, "Management Information Base
     for Network Management of TCP/IP-based internets", STD 17, RFC
     1213, Performance Systems International, March 1991.

[6] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network
     Management Protocol", STD 15, RFC 1157, SNMP Research, Performance
     Systems International, Performance Systems International, MIT
     Laboratory for Computer Science, May 1990.

[7]  SNMPv2 working Group, Case, J., McCloghrie, K., Rose, M., and S.
     Waldbusser, "Protocol Operations for Version 2 of the Simple Net-
     work Management Protocol (SNMPv2)", RFC 1905, January 1996.

[8] McCloghrie, K., and F. Kastenholz, "Evolution of the Interfaces
     Group of MIB-II", RFC 1573, Hughes LAN Systems, FTP Software, Janu-
     ary 1994.

[9] Information processing systems - Open Systems Interconnection -
     Specification of Abstract Syntax Notation One (ASN.1), Interna-
     tional Organization for Standardization.  International Standard
     8824, (December, 1987).

[10] Information processing systems - Open Systems Interconnection -
     Specification of Basic Encoding Rules for Abstract Notation One
     (ASN.1), International Organization for Standardization.  Interna-
     tional Standard 8825, (December, 1987).

[11] Rose, M., and K. McCloghrie, Editors, "Concise MIB Definitions",



Grall                                                         [Page 61]


Internet-Draft                Firewall MIB                 20 April 1998


     RFC 1212, Performance Systems International, Hughes LAN Systems,
     March 1991.

[12] Rose, M., Editor, "A Convention for Defining Traps for use with the
     SNMP", RFC 1215, Performance Systems International, March 1991.

[13] Harrington, D., Presuhn, R., Wijnen, B., "An Architecture for
     Describing SNMP Management Frameworks", RFC 2261, Cabletron Sys-
     tems, Inc., January 1998.




9.  Author's Address

        Cindy Grall
        Trusted Information Systems
        3415 S. Sepulvida Blvd., suite 700
        Los Angeles, CA 90034

        Phone: (310) 737-1744
        EMail: grall@tis.com



Appendix A: Sample Configurations and Scripts

This appendix will contain configuration and script samples for using
this MIB with some popular SNMP management products.


Appendix B: Changes

This section will be removed before final submittal as an RFC.

Since draft 00 (24 November 1997) of the Firewall MIB, the following
changes were made:














Grall                                                         [Page 62]


Internet-Draft                Firewall MIB                 20 April 1998



        * The textual convention SnmpAdminString was added and all objects
          using Utf8String where changed to use SnmpAdminString.
        * More words were added to address things this MIB is NOT meant
          to address.
        * The three network event log tables were combined into one table,
          references throughout the MIB to the old tables were removed/changed
          as needed.
        * Examples were moved into the RFC text and updated to reflect latest
          MIB definition.
        * The main OID name for the mib changed from 'spfw' to 'fwmib'.
        * Some tables now use the InterfaceIndex textual convention
          from RFC 2233.
        * Some values (hardware, system, service) in EventTypeUnitTC were
          combined into one resource set.
        * Several new entries in EventTypeUnitTC were added.
        * A resourceStatusInfo object was added to the resource status table.
        * The service statistics table was redone.
        * Each trap has a one-to-one correspondence to an event log table,
          so reference for the OID to the details table was removed from
          the trap's objects.
        * The conformance groups were split up so that more MIB objects
          can be optional.
        * All index objects were changed to be 'not-accessible' as a result
          basicEventLogIndex could not be used in the traps, so a new object
          called basicEventsLogTableTrapIndex was created for this purpose.


Note that this list does not reflect minor changes in wording or correc-
tion of typographical or grammatical errors.





















Grall                                                         [Page 63]