Internet Engineering Task Force C. Grall INTERNET-DRAFT Trusted Information Systems Expires 24 May 1998 24 November 1997 Firewall Management Information Base Status of this Memo This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." To view the entire list of current Internet-Drafts, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast). Abstract This document defines a portion of the Management Information Base (MIB) for use with network management protocols in TCP/IP-based internets. In particular, it defines objects for monitoring firewall devices. Table of Contents 1. The Network Management Framework The Internet-standard Network Management Framework consists of three components. They are: RFC 1902 [4] which defines the SMI, the mechanisms used for describing and naming objects for the purpose of management. Grall [Page 1] Internet-Draft Firewall MIB 24 November 1997 STD 17, RFC 1213 [5] defines MIB-II, the core set of managed objects for the Internet suite of protocols. RFC 1157 [6] and RFC 1905 [7] which define two versions of the pro- tocol used for network access to managed objects. The Framework permits new objects to be defined for the purpose of experimentation and evaluation. Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Within a given MIB module, objects are defined using RFC 1902's OBJECT-TYPE macro. At a minimum, each object has a name, a syntax, an access-level, and an implementation- status. The name is an object identifier, an administratively assigned name, which specifies an object type. The object type together with an object instance serves to uniquely identify a specific instantiation of the object. For human convenience, we often use a textual string, termed the object descriptor, to also refer to the object type. The syntax of an object type defines the abstract data structure corresponding to that object type. The ASN.1[9] language is used for this purpose. However, RFC 1155[3] purposely restricts the ASN.1 con- structs which may be used. These restrictions are explicitly made for simplicity. 2. Overview This document specifies a working draft of a Management Information Base (MIB) definition intended for use in monitoring firewall systems with network management protocols in TCP/IP-based internets. All object identifiers defined herein are under the private enterprises MIB tree. This positioning would change if and when this MIB is adopted as stan- dard. This MIB is currently under review and revision by Internet security management service providers. There will be at least two independent reference implementations by the time this document reaches the Internet Standard status. Furthermore, the immediate use of this MIB is focused on the generation and interpretation of TRAP-signaled events and on querying specific MIB objects. Grall [Page 2] Internet-Draft Firewall MIB 24 November 1997 2.1. Textual Conventions Several new data types are introduced including Utf8String, EventTypeUn- itTC, and ProtocolUnitTC. 2.1.1. Utf8String The Utf8String textual convention is used for all string variables. 2.1.2. EventTypeUnitTC This textual convention enumerates many kinds of common events that may happen on a firewall. The list represents error conditions, unusual events, and normal activities. 2.1.3. ProtocolUnitTC This textual convention is an enumeration of the most common protocols used with TCP/IP-based network firewalls. 2.2. Structure of MIB The objects are arranged into the following groups: - service identifiers (service) - firewall event variables and logs (fwevent) - firewall status and statistics data (fwquery) - firewall traps (fwtrap) These groups are the basic units of conformance. If a firewall imple- ments a group, then it should implement all objects in that group. The fwevent, fwquery and fwtrap groups are optional. If the fwtrap group is implemented, the fwevent group must also be implemented. The services group must be implemented if any of the other groups are implemented. These groups are defined to provide a means of assigning object identif- iers, and to provide a method for managed agents to know which objects they must implement. Grall [Page 3] Internet-Draft Firewall MIB 24 November 1997 2.2.1. The Service Identifiers Group The service group defines object identifiers (OIDs) for classes of ser- vices and particular services handled by firewalls. These OIDs are used as values in variables in other groups of the MIB to designate a ser- vice. 2.2.2. The Firewall Event Variables and Logs Group The fwevent group defines tables for logging events that take place on the firewall. Management stations are notified of the events via traps from the fwtrap group. 2.2.3. The Status and Statistics Group The fwquery group contains status and statistic information. It includes version information for the firewall and its modules, status information for firewall services, and statistics measured by firewall modules. 2.2.4. The Firewall Traps Group The fwtrap group defines the traps that a firewall can send. 3. Monitoring of Firewall Devices The scope of the MIB defined here is to provide information for the pur- pose of monitoring firewall activity. The objects defined here provide information about urgent events, security, health and status, and per- formance of a firewall. This information is provided in two ways, via traps and through objects that must be queried. The traps also have associated information that can be queried. It is worth noting areas this MIB is not meant to address. It is not meant to replicate all firewall audit information or perform all of a firewall's logging. The information provided by the MIB objects is not necessarily all the information needed for a full audit capability. For example, suspicious monitoring entities would probably require audit information which should not be provided as part of this MIB. The MIB is also not meant to be used for configuring a firewall. There are many varieties of firewalls on the market and therefore many different ways to configure them. This MIB does not have any variables related to con- figuration items and currently does not have any variables with write permission. So, SETs are not supported. Grall [Page 4] Internet-Draft Firewall MIB 24 November 1997 This section provides details on the expected use of the objects defined in section "Definitions" below. It also presents some implementation issues. 3.1. Events Many of the objects in the MIB are related to events on the firewall. An event as far as this MIB is concerned is what a trap is created for, and what is stored in the event logs. An event can represent the activity of a single user on the firewall, the status of a program on the firewall, or a collection of firewall activities. It is up to the firewall vendor to decide what activities on the firewall are represented as events in the MIB. In order to provide a common set of events for MIB users and management status, the MIB includes an enumeration of event type, EventTypeUnitTC. The list includes the most common events that happen on a firewall. The comments included in the list describe the firewall activities each entry is meant to represent. It is understood that the list will prob- ably not represent all possible events any particular firewall may report on and there are generic entries that can be used for these cases. While the MIB's main purpose is to report about "unusual" events on a firewall, it was felt that the MIB should not disallow reporting related to "normal" events. Items are included in EventTypeUnitTC to represent "normal", "okay", "good", and "up" activities and conditions. A firewall vender can then choose to report any kind of activity through MIB events. For example, a firewall could equate a MIB event with an audited event and report on all firewall activity with the MIB. 3.1.1. Event Logs and Traps The fwevent group defines a set of log tables for storing information about events. The fwtrap group defines a set of traps for reporting about the events that have been recorded in the logs. These two groups are meant to work together. Although it is possible to implement the fwevent group without any trap support, this is not the purpose of the logs in the fwevent group. The event logs are represented by a set of tables. There is a basic table that holds information common to every event, and there are other tables that contain different sets of detailed information. Figure 1 provides a conceptual view of the tables. The basic table points to one of the MIB detail tables by table OID and row index. The basic table also (optionally) points to a firewall vendor defined details table. Grall [Page 5] Internet-Draft Firewall MIB 24 November 1997 details table basic table entries ------------------------ ---------------------------| | | |index | | | |time | | | |source | | | |type | /| | |description | / ------------------------ | | / |details table OID |--/ |details table index |-/ | | |vendor details table OID |-\ vendor details table |vendor details table index|--\ ------------------------ ---------------------------- \ | | \ | | \| | | | ------------------------ Figure 1: Conceptual view of event log tables. When an event (see section "Events") occurs on the firewall, the basic table information is collected and, based on the event, a details table is chosen and its information is collected as well. This information is stored on the firewall and a trap from the fwtrap group is sent. The trap contains the same information contained in the basic table. The management station then has the option to query the firewall and ask for the rows from the tables specified in the trap. Which trap is sent depends on the details table chosen. For the type1NetEventsLogTable, type2NetEventsLogTable, and type3NetEventsLogTable details tables use the networkEventTrap trap. For the healthEventsLogTable details table, use the healthEventTrap. For the managementEventsLogTable details table use the managemen- tEventTrap. Since the trap contains the EventTypeUnitTC and EventDescription values for the event, a user or management station can use these values to make decisions on whether the event details are useful or not. The retrieval of the details can be automated for many management stations. Appendix A contains some configuration and script examples for some of the more popular management tools. Grall [Page 6] Internet-Draft Firewall MIB 24 November 1997 3.1.2. Details Table Use The MIB defines five log tables to record details about an event. Each table includes a different set of information. Multiple tables were defined rather than have one large table to lower the likelihood that queries (and traps) would have many unneeded or undefined values. The MIB does not dictate which details table must be used for recording a particular event. In order to ease management station configuration this section lists the preferred details table for each of the sets of event in EventTypeUnitTC. The following lists each of the sets from the EventTypeUnitTC and the preferred details table used: EventTypeUnitTC set Details Table ------------------------------------------------ other [any] hardware healthEventsLogTable system healthEventsLogTable fwmodule healthEventsLogTable mgmt managementEventsLogTable logging healthEventsLogTable routing type1NetEventsLogTable packet type1NetEventsLogTable encryption type2NetEventsLogTable network type2NetEventsLogTable protocol healthEventsLogTable service healthEventsLogTable configuration healthEventsLogTable access type3NetEventsLogTable authentication type3NetEventsLogTable attack type3NetEventsLogTable contentInspection type3NetEventsLogTable debug healthEventsLogTable test healthEventsLogTable 3.1.3. Trap Flooding Under normal network conditions, one should not see many traps sent by a firewall to a management station. There is a potential for a large number of traps to be sent by a firewall implementing this MIB. This depends on how the firewall maps activities to events and how many of a particular event can occur in a short time. The MIB has no variables related to controlling which traps are sent or to limit the number of Grall [Page 7] Internet-Draft Firewall MIB 24 November 1997 traps sent [@?@ if this turns out to be a widespread problem after ini- tial reference implementation testing, it will be addressed in a later draft of this MIB]. To provide firewall and SNMP management user some control it is sug- gested that agent implementation provide some on/off configuration options for the events a firewall will report about. Whether and how to implement this and the granularity of the configuration control is beyond the scope of this document. 3.1.4. Thresholds It was stated earlier that a particular firewall vendor defines what a MIB event is on their firewall. It is expected that some MIB events will actually represent a set of activities on the firewall. For exam- ple, EventTypeUnitTC has an event called login attempts. What is not specified by the MIB is how many attempts happened before the event was handled by the SNMP agent. Individual thresholds for controlling which firewall activities are represented as events in the MIB or for controlling which events should generate traps are not specified in this MIB. Some activities are unin- teresting when they occur occasionally, but more interesting when they are more frequent. Firewall vendors decide which activities have thres- holds and what kind of thresholds are available. 3.1.5. Log Tables All of the log tables defined in the fwevent group are used and indexed in the same way. This section addresses some implementation issues to consider. The MIB does not dictate how the tables are implemented, just how the values of the variables in a table row are used. 3.1.5.1. Table Size and Index Value Table size is an implementation specific matter. Each table has an index variable to uniquely identify a row in the table. The index is assigned beginning with 1 when the table is created and increases by one with each new log entry. Table creation will generally happen at firewall system reboot, but may happen at any time (eg., when the firewall's SNMP agent is restarted). [@?@ comments received relate to preventing loss of the table informa- tion between reboots, is this desired?] Grall [Page 8] Internet-Draft Firewall MIB 24 November 1997 The agent may choose to delete the rows of a table as needed. This may be due to lack of space for the entries or due to other reasons (eg., the entries are too old). A query to the table cannot assume anything about the table's size of whether a particular index value in the table is valid or not. Deletion of rows in the table may be based on age (ie., the smallest valid index is deleted) or based on some other scheme (eg., the priority of the event is lower than other events in the log). The MIB does not place any requirements on which rows may or may not be deleted. Each log table has a corresponding '...LogTableLastValidRow' object. This variable can be used to obtain the index value of the last (or newest) valid row in the table Since the index value starts at 1 and monotonically increases with each new entry, one can see how many events have been recorded since the creation of the table by obtaining this variable. 3.1.5.2. Entry Order The MIB places no requirements on the order of entries in the log tables. The order of entries in a table will not necessarily be in the same order as the traps that arrive at the management station. The order of the entries in the basicEventsLogTable will not necessarily be in order by the basicEventTime value. 3.1.5.3. MIB Walks There is a concern that for implementations that choose to use a large log table size (eg., 300 entries), that a MIB walk into the log table will take a long time and will not necessarily be what the MIB walker had in mind. For the log tables defined in the fwevent group (not the tables in the fwquery group) the implementation may not return the first valid row of the table, but instead may choose to return another row. The row chosen may be, for instance, only 20 rows before the last valid row. The default behavior will be to return the first valid row. In particular, a GET NEXT on the '...LogTableLastValidRow' object will return the '...EventLogIndex' variable. The value of the index will be implementation defined. The value will be the index of a valid row in the table, but whether that is the first valid row of the tenth from the last is firewall specific. [@?@ to walk through the whole table, should we provide a '...LogTableFirstValidRow' object?] Grall [Page 9] Internet-Draft Firewall MIB 24 November 1997 4. Conventions The following conventions are used throughout the Firewall MIB. Good Packets Good packets are error-free packets that have a valid frame length. For example, on Ethernet, good packets are error-free packets that are between 64 octets long and 1518 octets long. They follow the form defined in IEEE 802.3 section 3.2.all. Bad Packets Bad packets are packets that have proper framing and are therefore recognized as packets, but contain errors within the packet or have an invalid length. For example, on Ethernet, bad packets have a valid preamble and SFD, but have a bad CRC, or are either shorter than 64 octets or longer than 1518 octets. 5. Definitions Grall [Page 10] Internet-Draft Firewall MIB 24 November 1997 -- This document specifies a working draft of a Management Information -- Base (MIB) definition intended for use in managing firewall systems -- with network management protocols in TCP/IP-based internets. -- The object identifiers defined are used to identify -- firewall entities such as the firewall services, packet filtering, -- operating system services, etc. -- In addition to traps, there are a number of variables which -- could be queried by the management station in this MIB related to -- the firewall resources, firewall statistics, etc. -- Firewall Event Scheme -- The event scheme used in the design of the trap messages is one based -- on the idea of providing notification that an exceptional event occurred -- and that the details can be queried from the firewall. -- Event Examples -- The following examples are included to illustrate the use of object -- identifiers and additional trap variables in a TRAP to describe a -- firewall event. -- eg 1: -- Event: a telnet proxy running on a firewall system 199.94.211.1, is -- configured to deny access to users not connecting from a network, say -- 199.94.200.0. When denying access to a user coming from 199.94.222.2, -- the proxy service might generate the following trap. -- The trap type is set to 6 (enterprise specific). A specific trap of -- type 1 (networkEventTrap) is chosen to best describe this event. The -- networkEventTrap includes variables to point to the basicEventsTable -- and the type3NetLogEventDetailsTable. -- -- For this specific event the details table describes the entity making -- the connection attempt and why the attempt failed. -- TRAP networkEventTrap: -- trap type = 6 (enterprise specific) -- enterprise specific type = 1 (networkEventTrap) -- -- @?@ fix.... -- trap and basicEventsLogTable: -- basicEventLogIndex = INTEGER (217) -- basicEventTime = TimeStamp Grall [Page 11] Internet-Draft Firewall MIB 24 November 1997 -- basicEventSource = IpAddress (199.94.211.1) -- basicEventType = -- basicEventDescription = String ("XXX") -- basicEventDetails = OID (type3NetEventDetailsTable) -- basicEventDetailsIndex = INTEGER (16) -- basicEventVendorPrivateDetails = OID (NULL) -- basicEventVendorPrivateIndex = 0 -- -- type3NetEventDetailsTable -- type3NetEventDetailIndex = INTEGER (16) -- type3NetEventProtocol = TCP (1) -- type3NetEventSrcIpAddress = IpAddress (199.94.222.2) -- type3NetEventMappedSrcIPAddress = IpAddress (NULL) -- type3NetEventDstIPAddress = IpAddress (NULL) -- type3NetEventMappedDstIPAddress = IpAddress (NULL) -- type3NetEventSrcIPPort = INTEGER (3333) -- type3NetEventMappedSrcIPPort = INTEGER (NULL) -- type3NetEventDstIPPort = INTEGER (23) -- type3NetEventMappedSrcIPort = INTEGER (NULL) -- type3NetEventGenericService = OBJECT IDENTIFIER (spfw.service.svcLogin) -- type3NetEventServiceInformation = String ("tn-gw") -- type3NetEventAuthdEntity = String ("unknown") -- type3NetEventRuleID = INTEGER (27, eg., the config. file line number) -- type3NetEventActionReason = String ("source IP address denied") -- -- eg 2: -- Event: A machine (say 199.123.23.17) sent an ICMP redirect packet to -- the firewall. -- The trap type is set to 6 (enterprise specific). A specific trap of -- type 1 (networkEventTrap) is chosen to best describe this login event. -- TRAP networkEventTrap -- trap type = 6 (enterprise specific) -- enterprise specific type = 1 (networkEventTrap) -- -- @?@ fix... -- -- trap and basicEventsTable: -- basicEventLogIndex = INTEGER (376) -- basicEventTime = TimeStamp -- basicEventSource = IpAddress (199.94.211.1) -- basicEventType = -- basicEventDescription = String ("XXX") -- basicEventDetails = OID (type1NetEventDetailsTable) -- basicEventDetailsIndex = INTEGER (76) Grall [Page 12] Internet-Draft Firewall MIB 24 November 1997 -- basicEventVendorPrivateDetails = OID (NULL) -- -- type1NetEventDetailsTable: -- type1NetEventDetailID = INTEGER (76) -- type1NetEventProtocol = icmp -- type1NetEventSrcIPAddress = IpAddress (201.213.64.65) -- type1NetEventMappedSrcIPAddress = IpAddress (NULL) -- type1NetEventDstIPAddress = IpAddress (199.94.211.1) -- type1NetEventMappedDstIPAddress = IpAddress (NULL) -- type1NetEventICMPCommand = redirect (5) -- eg 3: -- Event: a service on the firewall is misconfigured. The firewall has an -- http service and the system administrator configured it to run on port -- 8000. But there is already another service running on port 8000. The -- http gateway cannot bind to the port. -- The trap type is set to 6 (enterprise specific). A specific trap of -- type 2 (healthEventTrap) is chosen to best describe the reboot event. -- TRAP processTrap: -- trap type = 6 (enterprise specific) -- enterprise specific type = 2 (healthEventTrap) -- -- restTBD -- eg 4: -- Event: the firewall configuration is changed. -- The trap type is set to 6 (enterprise specific). A specific trap of -- type 3 (managementEventTrap) chosen to best describe the reboot event. -- TRAP processTrap: -- trap type = 6 (enterprise specific) -- enterprise specific type = 3 (managementEventTrap) -- -- rest TBD FireWallMIB DEFINITIONS ::= BEGIN -- SUBTREE: 1.3.6.1.4.1.14.3.9 -- iso.org.dod.internet.private.enterprises.bbn.products.spfw Grall [Page 13] Internet-Draft Firewall MIB 24 November 1997 IMPORTS OBJECT-GROUP, MODULE-COMPLIANCE FROM SNMPv2-CONF MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, IpAddress, enterprises, Counter32 FROM SNMPv2-SMI TEXTUAL-CONVENTION, TimeStamp FROM SNMPv2-TC; fwMIB MODULE-IDENTITY LAST-UPDATED "9711061800Z" ORGANIZATION "GTE Corporation & Trusted Information Systems Inc." CONTACT-INFO "Comments should be sent to @?@ fwmib@xxx.com.... @?@ Modify as needed... Herbert Lin Tel: +1-617-873-5920 E-mail: hlin@bbn.com Cindy Grall Tel: +1-310-737-1744 E-mail: grall@tis.com Dave Chouihard Tel: +1-503-264-7481 E-mail: dchouihard@ibeam.intel.com Dorit Dor Tel: 972-3-613-1833 (Israel) E-mail: dorit@checkpoint.com Mike Wittig Tel: +1-954-973-5059 E-mail: mwittig@mail.cybg.com Thomas Oeser Tel: +49-89-636-47537 E-mail: Thomas.Oeser@mch.sni.de " DESCRIPTION "The MIB module for entities implementing firewalls." Grall [Page 14] Internet-Draft Firewall MIB 24 November 1997 --@?@ what's the correct value here??? ::= { enterprises 600 } -- textual conventions Utf8String ::= TEXTUAL-CONVENTION DISPLAY-HINT "255a" STATUS current DESCRIPTION "To facilitate internationalization, this TC represents information taken from the ISO/IEC IS 10646-1 character set, encoded as an octet string using the UTF-8 character encoding scheme described in RFC 2044 [11]. For strings in 7-bit US-ASCII, there is no impact since the UTF-8 representation is identical to the US-ASCII encoding." SYNTAX OCTET STRING (SIZE (0..255)) -- -- The following list of event types is meant to enumerate the most common -- events that happen on a firewall. -- -- The list is organized into sets of common events. Each set has an -- initial entry to designate the set. The next two events in a set are -- meant to represent generic "okay"/"good"/"up" conditions and generic -- "error"/"failed"/"down" conditions. The rest of the events in a set -- represent more detailed events (either good or bad). The sets will -- probably not represent all the possible events on every firewall, but -- they are meant to be a good representation of events. If an event -- just does not fit any of the sets, then use the 'other' choices. -- EventTypeUnitTC ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "Enumeration of types of events on the firewall" SYNTAX INTEGER { -- Undefined Events other(0), -- the event type is not in this list otherOkay(1), -- a normal event occurred otherError(2), -- an error event occurred unknown(3), -- could not determine the event type -- Hardware problems hardware(100), Grall [Page 15] Internet-Draft Firewall MIB 24 November 1997 hardwareOkay(101), hardwareError(102), hardwareOverTemperature(103), hardwareDiskUseHigh(104), hardwareTestFailed(105), hardwareBusy(106), hardwareNoMedia(107), -- a device doesn't have its needed media hardwareCpuUsageHigh(108), -- the CPU usage is high -- Operating system problems system(200), systemUp(201), systemError(202), systemDown(203), -- reported by an agent on another machine systemBooting(204), -- systemRebooting(205), -- the firewall is going down and coming back up systemHalting(206), -- the firewall is going down sustemBackup(207), -- processing has switched to the backup sustemNoBackup(208), -- there is no backup to switch to systemNoMemory(209), systemNoBuffers(210), systemSyscallFailed(211), systemHighLoad(212), systemSwapLarge(213), -- -- Events about the basic health of the firewall or particular modules fwmodule(300), fwmoduleUp(301), -- the module is up fwmoduleError(302), fwmoduleDown(303), -- the module is down fwmoduleStarting(304), -- the module is coming up fwmoduleExiting(305), fwmoduleRestarting(306), fwmoduleLicenseExceeded(307), -- Management events, these are events related to overall management -- tasks on the firewall. For example, the configuration is being -- changed or a patch has been applied. This is from the perspective -- of the firewall, it is not a remote mgmt tool reporting on the -- activities it is doing. mgmt(400), mgmtOkay(401), -- a normal management event mgmtError(402), -- an error while performing firewall -- management functions mgmtNoResponse(403), -- the firewall expected and received no -- response from a mgmt tool mgmtReadConfigLocal(404), -- configuration information has been -- read Grall [Page 16] Internet-Draft Firewall MIB 24 November 1997 mgmtReadConfigRemote(405), -- configuration information has been -- uploaded to a remote mgmt tool mgmtLoadedConfigLocal(406), -- a local mgmt tool loaded/applied a -- new config mgmtLoadedConfigRemote(407), -- a remote mgmt tool loaded/applied a -- new config. mgmtPatch(408), -- This event is used by the patching mechanism to -- record what it patched. The genericService OID -- would be the patching tool and the mgmtObjManaged -- in the mgmtEventLogEntry would be the service -- OID patched. This would not be used by the -- service being patched. This alleviates the -- confusion when the patching mechanism is patched. -- Log file events logging(500), loggingUp(501), -- logging is functioning normally loggingError(502), -- the logging facility had an error loggingStarting(503), -- the log daemon was started loggingExiting(504), -- the log daemon is exiting loggingRestarting(505), -- the log daemon was restarted loggingDown(506), -- the log daemon is not running loggingFileSwitched(507), -- logging switched to another file loggingFileFull(508), -- the log file/partition is full loggingFileOverwrite(509), -- the log file is being overwritten loggingFileMessagesLost(510), -- messages have been lost loggingStopped(511), -- logging is stopped until other -- problems are resolved (eg., space is -- free'd) -- Routing events routing(600), routingOkay(601), routingError(602), routingNoRouteToHost(603), routingICMPRedirect(604), -- Packet handling packet(700), packetAccepted(701), -- accepted the packet packetError(702), -- unknown error with packet packetDropped(703), -- dropped packets (eg., internal buffer is full), -- didn't even look at them, they could be -- good or bad... packetInvalid(704), -- these are "bad" packets, see section x.x packetIgnored(705), -- the packet was not meant for the firewall packetRejected(706), -- rejected packets based on rule(s) packetForwarded(707), -- forwarded packets based on rule(s) Grall [Page 17] Internet-Draft Firewall MIB 24 November 1997 packetEncrypted(708), -- En(De)cryption events encryption(800), -- generic/successful event encryptionUp(801), --encryption is functioning encryptionError(802), -- there was an encryption error encryptionDown(803), encryptionEncryptFailed(804), encryptionDecryptFailed(805), -- Network events network(900), networkUp(901), networkError(902), networkDown(903), networkCollision(904), networkDuplicateAddress(905), networkMyAddressInUse(906), networkNetUnreachable(907), networkStarting(908), networkRestarting(909), networkHostUnreachable(910), networkNoResponse(911), -- protocol related events protocol(1000), -- an event related to a protocol supported protocolEnabled(1001), protocolError(1002), protocolDisabled(1003), -- the requested protocol is disabled protocolNoDaemon(1004), -- there is no daemon for this protocol -- Service connection/network connectivity events connection(1100), -- a generic connection event connectionAccepted(1101), connectionError(1102), connectionDropped(1103), connectionClosed(1104), connectionTimedout(1105), connectionRefused(1106), connectionReset(1107), connectionNoResponse(1108), -- Service operation events, for daemons/proxies/etc. service(1200), serviceUp(1201), serviceError(1202), serviceDown(1203), serviceStarting(1204), Grall [Page 18] Internet-Draft Firewall MIB 24 November 1997 serviceExiting(1205), serviceRestarting(1206), -- Configuration events, represent errors or problems with the -- configuration for the system or a service. configuration(1300), configurationOkay(1301), configurationError(1302), -- an error in processing the configuration configurationBadConfig(1303), -- the config provided is corrupt, -- invalid, or incomplete configurationArgumentError(1304), -- wrong arguments were provided configurationPortInUse(1305), configurationNoData(1306), -- the required data was not provided -- Access access(1400), accessGranted(1401), -- a service allowed use based on all its checks accessError(1402), accessDenied(1403), -- a client was denied use of a service accessDeniedSource(1404), -- client denied based on its source IP accessDeniedPolicy(1405), -- client denied based on the sec. policy accessDeniedUser(1406), -- client denied based on the userid accessDeniedDest(1407), -- client denied based on the destination IP accessDeniedDestPort(1408), -- client denied based on dest. port accessDeniedFileRead(1409), -- the policy denied read access to a file accessDeniedFileWrite(1410), -- the policy denied write access to -- a file accessDeniedNetworkInterface(1411), -- the policy denied access to a -- particular net. int. accessDeniedDevice(1412), -- the policy denied access to a device -- Authentication and login events authentication(1500), authenticationSucceeded(1501), -- a user had a successful auth authenticationError(1502), -- error while auth'ing authenticationFailed(1503), -- a user failed an auth authenticationSucceededPriv(1504), -- a user logged in with or -- gained privilege authenticationFailedPrivileged(1505), -- user failed to gain/login -- with privilege authenticationFailedMulti(1506), -- multiple failed auth attempts -- by a user -- Security attack events, these represent events that could -- be or that indicate a security attack is taking place on the -- firewall attack(1600), attackNone(1601), Grall [Page 19] Internet-Draft Firewall MIB 24 November 1997 attackDenialOfService(1602), attackPing(1603), -- a ping of death attack attackPacketForward(1604), -- attackSYNFlood(1605), -- a TCP SYN flood attack attackIPSpoof(1606), -- an IP address is being spoofed attackPortScan(1607), -- a port scan is/has taken place attackNameSpoof(1608), -- a name service (eg., DNS) name is spoofed -- Content inspection events, these events just report that -- something was found. The details entry in for the event can -- report on what was found (eg., virus, company private info., -- etc), what it was found in (eg., html, win32 executable, e-mail), -- and what was done with it (eg., the quarantine location). contentInspection(1700), contentInspectionOkay(1701), -- the check of the content was okay, -- nothing "bad" found contentInspectionError(1702), -- there was an error while checking -- content contentInspectionFound(1703), -- found something contentInspectionFoundCleaned(1704), -- found something and cleaned -- the content of it contentInspectionFoundRejected(1705), -- found something and threw -- the content away contentInspectionFoundSaved(1706), -- found something and saved the -- content in quarantine -- Debugging event debug(1800), debugOkay(1801), debugError(1802), debugOn(1803), -- debugging mode is on/was turned on debugOff(1804), -- debugging mode is off/was turned off -- Testing events test(1900), testPassed(1901), -- a test passed testFailed(1902), -- a test failed testNoResponse(1903) -- there was no response for running a test } ProtocolUnitTC ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "Enumeration of network protocols commonly used on firewalls." SYNTAX INTEGER { Grall [Page 20] Internet-Draft Firewall MIB 24 November 1997 tcp(1), udp(2), icmp(3), ip(4), ipsec(5), igmp(6), arp(7), ggp(8), egp(9), rip(10), other(11) } -- This fwmib is divided into four main groups. The first, spfw.service, -- Service identifiers, defines OIDs used by other areas of the MIB. The -- second, spfw.fwevent, Event variables and logs, is described briefly -- above in the trap examples text. Third main group is spfw.fwquery, -- the set of variables for queries. For a firewall this set is read only. -- The fourth group, spfw.fwtrap, defines the traps for notification of -- extraordinary events on the firewall. -- -- There is also a group for specifying MIB conformance as described in -- RFC1444, "Conformance Statements for version 2 of the Simple Network -- Management Protocol (SNMPv2)". bbn OBJECT IDENTIFIER ::= { enterprises 14 } products OBJECT IDENTIFIER ::= { bbn 3 } spfw OBJECT IDENTIFIER ::= { products 9 } -- -- service group -- -- The service group defines OIDs that are used by other parts of the MIB. -- The OIDs are used by traps to designate the generic service type -- causing the trap. Expect this list to change occasionally as new service -- types emerge in the network/firewall community. Once a service type -- is in use by two or more firewall vendors it can be considered for -- inclusion in the services group. This change is treated as any other -- update to the MIB and will be included during a revision cycle. -- This list does not differentiate between a local service (eg., local -- login into the firewall via telnet) and a proxied service (eg., use of -- a telnet application gateway). This information can be provided in a -- string, since each use of these OIDs in a MIB variable (usually as -- part of a table entry) has a corresponding description or information -- variable. -- Use of these OIDs in the MIB variables: Grall [Page 21] Internet-Draft Firewall MIB 24 November 1997 -- -- If a new service emerges that is not in the MIB yet, but that has been -- assigned a port number or other identifying number, then it can be -- represented by choosing the appropriate service category and using the -- assigned number. For example, a new service called Foo Protocol (fp) -- is the latest rage on the Internet. It is a multi-media protocol and -- has been assigned port number XXX. The OID used to represent the -- service would be spfw.service.svcMultimedia.XXX. The corresponding -- information variable can provide the protocol name. -- -- If the firewall supports a service or protocol that is very unique or -- specific to that firewall, then the OID used to represent the service -- will include that vendor's enterprise number. For example, the Foo -- firewall has a Bar service. The firewall company's enterprise number -- is ZZZ and they have chosen W to represent the Bar service. The -- OID used would be spfw.service.svcOther.ZZZ.W It is the vendor's -- responsibility to publish definitions of the numbers used. -- -- In any of the cases above where a service listed below cannot be used, -- the service can be further described with the serviceInformation object. -- -- The numbers assigned in the list correspond, when possible, to the -- assigned port number for a protocol or other assigned number as -- appropriate (eg., the protocol number for IP protocols). -- -- Alternatively a vendor can define an OID in their enterprise tree and -- use that value for genericService. It is the vendor's responsibility -- to publish these OIDs. -- service OBJECT IDENTIFIER ::= { spfw 1 } -- represents the firewall as a whole, useful when statistics or events -- apply to the whole firewall device -- svcFirewall OBJECT IDENTIFIER ::= { service 1 } -- svcOther OBJECT IDENTIFIER ::= { service 2 } -- svcFileTransfer OBJECT IDENTIFIER ::= { service 3 } ftp OBJECT IDENTIFIER ::= { svcFileTransfer 21 } tftp OBJECT IDENTIFIER ::= { svcFileTransfer 69 } ftps OBJECT IDENTIFIER ::= { svcFileTransfer 990 } -- ftp over ssl -- svcLogin OBJECT IDENTIFIER ::= { service 4 } Grall [Page 22] Internet-Draft Firewall MIB 24 November 1997 login OBJECT IDENTIFIER ::= { svcLogin 1 } -- a login/su program telnet OBJECT IDENTIFIER ::= { svcLogin 23 } rlogin OBJECT IDENTIFIER ::= { svcLogin 513 } telnets OBJECT IDENTIFIER ::= { svcLogin 992 } -- telnet over ssl -- svcRemoteExecution OBJECT IDENTIFIER ::= { service 5 } sunRPC OBJECT IDENTIFIER ::= { svcRemoteExecution 111 } rsh OBJECT IDENTIFIER ::= { svcRemoteExecution 514 } xserver OBJECT IDENTIFIER ::= { svcRemoteExecution 6000 } -- svcWeb OBJECT IDENTIFIER ::= { service 6 } gopher OBJECT IDENTIFIER ::= { svcWeb 70 } http OBJECT IDENTIFIER ::= { svcWeb 80 } pointcast OBJECT IDENTIFIER ::= { svcWeb 90 } https OBJECT IDENTIFIER ::= { svcWeb 443 } -- also know as shttp -- svcMail OBJECT IDENTIFIER ::= { service 7 } sendmail OBJECT IDENTIFIER ::= { svcMail 1 } smtp OBJECT IDENTIFIER ::= { svcMail 25 } pop2 OBJECT IDENTIFIER ::= { svcMail 109 } pop3 OBJECT IDENTIFIER ::= { svcMail 110 } smtps OBJECT IDENTIFIER ::= { svcMail 465 } -- smtp over ssl pop3s OBJECT IDENTIFIER ::= { svcMail 995 } -- pop3 over ssl -- svcNews OBJECT IDENTIFIER ::= { service 8 } nntp OBJECT IDENTIFIER ::= { svcNews 119 } nntps OBJECT IDENTIFIER ::= { svcNews 563 } -- nntp over ssl -- svcMultimedia OBJECT IDENTIFIER ::= { service 9 } irc OBJECT IDENTIFIER ::= { svcMultimedia 194 } talk OBJECT IDENTIFIER ::= { svcMultimedia 517 } ircs OBJECT IDENTIFIER ::= { svcMultimedia 994 } -- irc over ssl streamworks OBJECT IDENTIFIER ::= { svcMultimedia 1558 } h323 OBJECT IDENTIFIER ::= { svcMultimedia 1718 } netShow OBJECT IDENTIFIER ::= { svcMultimedia 1755 } vDOLive OBJECT IDENTIFIER ::= { svcMultimedia 7000 } realAV OBJECT IDENTIFIER ::= { svcMultimedia 7070 } -- svcDatabase OBJECT IDENTIFIER ::= { service 10 } dbSybas OBJECT IDENTIFIER ::= { svcDatabase 1 } dbInformix OBJECT IDENTIFIER ::= { svcDatabase 3 } dbOracle OBJECT IDENTIFIER ::= { svcDatabase 66 } -- or 150? Grall [Page 23] Internet-Draft Firewall MIB 24 November 1997 dbMSsql OBJECT IDENTIFIER ::= { svcDatabase 1433 } -- these are the current thing that are checked for nowadays, eg., there -- are products or engines that scan for what's below svcContentInspection OBJECT IDENTIFIER ::= { service 11 } virus OBJECT IDENTIFIER ::= { svcContentInspection 1 } certificate OBJECT IDENTIFIER ::= { svcContentInspection 2 } -- eg., Java, Active-X programLanguage OBJECT IDENTIFIER ::= { svcContentInspection 3 } -- eg., company private dirtyWord OBJECT IDENTIFIER ::= { svcContentInspection 4 } -- svcDirectory OBJECT IDENTIFIER ::= { service 12 } nis OBJECT IDENTIFIER ::= { svcDirectory 1 } dns OBJECT IDENTIFIER ::= { svcDirectory 53 } netbiosns OBJECT IDENTIFIER ::= { svcDirectory 137 } netbiosdgm OBJECT IDENTIFIER ::= { svcDirectory 138 } netbiosssn OBJECT IDENTIFIER ::= { svcDirectory 139 } ldap OBJECT IDENTIFIER ::= { svcDirectory 389 } wins OBJECT IDENTIFIER ::= { svcDirectory 1512 } -- svcOperatingSystem OBJECT IDENTIFIER ::= { service 13 } inetd OBJECT IDENTIFIER ::= { svcOperatingSystem 1 } cron OBJECT IDENTIFIER ::= { svcOperatingSystem 2 } kernel OBJECT IDENTIFIER ::= { svcOperatingSystem 3 } fileSystem OBJECT IDENTIFIER ::= { svcOperatingSystem 4 } printer OBJECT IDENTIFIER ::= { svcOperatingSystem 515 } -- svcManagement OBJECT IDENTIFIER ::= { service 14 } mgmtTool OBJECT IDENTIFIER ::= { svcManagement 1 } patchTool OBJECT IDENTIFIER ::= { svcManagement 2 } snmp OBJECT IDENTIFIER ::= { svcManagement 161 } -- svcEncryption OBJECT IDENTIFIER ::= { service 15 } ipsec OBJECT IDENTIFIER ::= { svcEncryption 1 } vpn OBJECT IDENTIFIER ::= { svcEncryption 2 } kerberos OBJECT IDENTIFIER ::= { svcEncryption 88 } isakmp OBJECT IDENTIFIER ::= { svcEncryption 500 } -- svcPacketFilter OBJECT IDENTIFIER ::= { service 16 } -- network address translation svcNAT OBJECT IDENTIFIER ::= { service 17 } Grall [Page 24] Internet-Draft Firewall MIB 24 November 1997 -- svcAuthentication OBJECT IDENTIFIER ::= { service 18 } password OBJECT IDENTIFIER ::= { svcAuthentication 1 } skey OBJECT IDENTIFIER ::= { svcAuthentication 2 } -- Digital Pathways snk OBJECT IDENTIFIER ::= { svcAuthentication 3 } -- Enigma Logics silvercard OBJECT IDENTIFIER ::= { svcAuthentication 4 } crytocard OBJECT IDENTIFIER ::= { svcAuthentication 5 } -- Digital Pathways server dss OBJECT IDENTIFIER ::= { svcAuthentication 6 } -- Enigma Logics safeword OBJECT IDENTIFIER ::= { svcAuthentication 7 } vasco OBJECT IDENTIFIER ::= { svcAuthentication 8 } apop OBJECT IDENTIFIER ::= { svcAuthentication 9 } secureID OBJECT IDENTIFIER ::= { svcAuthentication 755 } -- svcLog OBJECT IDENTIFIER ::= { service 19 } syslog OBJECT IDENTIFIER ::= { svcLog 514 } -- svcTime OBJECT IDENTIFIER ::= { service 20 } time OBJECT IDENTIFIER ::= { svcTime 37 } ntp OBJECT IDENTIFIER ::= { svcTime 123 } timed OBJECT IDENTIFIER ::= { svcTime 525 } -- svcGroupware OBJECT IDENTIFIER ::= { service 21 } exchange OBJECT IDENTIFIER ::= { svcGroupware 1 } -- Microsoft lotusNotes OBJECT IDENTIFIER ::= { svcGroupware 1352 } -- svcHardware OBJECT IDENTIFIER ::= { service 22 } memory OBJECT IDENTIFIER ::= { svcHardware 1 } disk OBJECT IDENTIFIER ::= { svcHardware 2 } power OBJECT IDENTIFIER ::= { svcHardware 3 } netinterface OBJECT IDENTIFIER ::= { svcHardware 4 } tape OBJECT IDENTIFIER ::= { svcHardware 5 } controller OBJECT IDENTIFIER ::= { svcHardware 6 } -- svcQuery OBJECT IDENTIFIER ::= { service 23 } whois OBJECT IDENTIFIER ::= { svcQuery 43 } finger OBJECT IDENTIFIER ::= { svcQuery 79 } ident OBJECT IDENTIFIER ::= { svcQuery 113 } -- svcFileShare OBJECT IDENTIFIER ::= { service 24 } Grall [Page 25] Internet-Draft Firewall MIB 24 November 1997 nfsStatus OBJECT IDENTIFIER ::= { svcFileShare 1110 } nfs OBJECT IDENTIFIER ::= { svcFileShare 2049 } -- mainly used in the module and statistics tables to designate that -- information applies to the protocol class chosen svcProtocol OBJECT IDENTIFIER ::= { service 25 } icmp OBJECT IDENTIFIER ::= { svcProtocol 1 } igmp OBJECT IDENTIFIER ::= { svcProtocol 2 } tcp OBJECT IDENTIFIER ::= { svcProtocol 6 } udp OBJECT IDENTIFIER ::= { svcProtocol 17 } ip OBJECT IDENTIFIER ::= { svcProtocol 255 } -- -- The firewall event group -- -- The firewall event group defines a set of variables and tables used to -- log and track extraordinary firewall events. The tables are filled in -- when an event occurs and then trap is sent referencing the filled in -- row. -- For any particular event up to three tables will be referenced. The -- general event information will go into one table and the details are -- placed in another. A third vendor defined table can also be used. -- There is only one table defined for general information. -- The table chosen for event details depends on the event type and the -- set of detailed information available at the time the event took place. -- The general table has a value to point to the table and row containing -- the event's details. A trap is sent once the relevant tables are -- filled in. The trap contains pointers to the tables used. -- A management station can wait for a trap to get details on an event. -- Alternatively the management station can query the objects in this -- group at any time to retrieve event information. fwevent OBJECT IDENTIFIER ::= { spfw 2 } -- @?@ define, if possible, the tables that should be used for the events -- from the EventTypeUnitTC... -- -- BASIC EVENTS LOG -- -- This group defines the basic table containing information that is -- logged for every event on the firewall. The table is defined along -- with one variable to obtain the index value of the last valid row in -- the table. To obtain the first valid index value, query the table -- (via GETNEXT) for the first entry in the table. Grall [Page 26] Internet-Draft Firewall MIB 24 November 1997 -- -- The index of the last valid row also indicates the total number of -- events logged in the table since reboot. -- basicEventsLog OBJECT IDENTIFIER ::= { fwevent 1 } basicEventsLogTableLastValidRow OBJECT-TYPE SYNTAX INTEGER(1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "The index value of the last valid row in the basicEventsLogTable." ::= { basicEventsLog 1 } basicEventsLogTable OBJECT-TYPE SYNTAX SEQUENCE OF BasicEventsLogEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table of basic data for firewall events." ::= { basicEventsLog 2 } basicEventsLogEntry OBJECT-TYPE SYNTAX BasicEventsLogEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the table, containing general information about an event." INDEX { basicEventLogIndex } ::= { basicEventsLogTable 1 } BasicEventsLogEntry ::= SEQUENCE { basicEventLogIndex INTEGER(1..2147483647), basicEventTime TimeStamp, basicEventSource IpAddress, basicEventType EventTypeUnitTC, basicEventDescription Utf8String, basicEventDetailsTable OBJECT IDENTIFIER, basicEventDetailsTableIndex INTEGER(1..2147483647), basicEventVendorPrivateDetailsTable OBJECT IDENTIFIER, Grall [Page 27] Internet-Draft Firewall MIB 24 November 1997 basicEventVendorPrivateDetailsTableIndex INTEGER(1..2147483647) } basicEventLogIndex OBJECT-TYPE SYNTAX INTEGER(1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "An index that uniquely identifies an entry in the log table. These indices are assigned beginning with 1 and increase by one with each new log entry. The agent may choose to delete the instances of basicEventEntry as required because of lack of memory. It is an implementation specific matter as to when this deletion may occur and as to which log entries are deleted." ::= { basicEventsLogEntry 1 } basicEventTime OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The time that the Events occurred." ::= { basicEventsLogEntry 2 } basicEventSource OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The IP address of the firewall entity where the event occurred, the IP address of entity. If there are two or more IP addresses there is no guarantee which IP address will be used." ::= { basicEventsLogEntry 3 } basicEventType OBJECT-TYPE SYNTAX EventTypeUnitTC MAX-ACCESS read-only STATUS current DESCRIPTION Grall [Page 28] Internet-Draft Firewall MIB 24 November 1997 "What type of event this is." ::= { basicEventsLogEntry 4 } basicEventDescription OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "An (optional) description of the event." ::= { basicEventsLogEntry 5 } basicEventDetailsTable OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "A pointer to the table containing details about this event. It will be one of the tables defined in this MIB. One of type1NetEventsLogTable, type2NetEventsLogTable, type3NetEventsLogTable, healthEventsLogTable, managementEventsLogTable." ::= { basicEventsLogEntry 6 } basicEventDetailsTableIndex OBJECT-TYPE SYNTAX INTEGER(1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "Index of a row in the table referenced by basicEventsLogDetails." ::= { basicEventsLogEntry 7 } basicEventVendorPrivateDetailsTable OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "This value is vendor defined. Generally this will be a pointer to a table and row containing vendor specific details about this event. It is up to firewall vendor to define how Grall [Page 29] Internet-Draft Firewall MIB 24 November 1997 this value should be interpreted and to publish this information." ::= { basicEventsLogEntry 8 } basicEventVendorPrivateDetailsTableIndex OBJECT-TYPE SYNTAX INTEGER(1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "Index of a row in the table referenced by basicEventsLogVendorPrivateDetails." ::= { basicEventsLogEntry 9 } -- TYPE 1 NETWORK EVENTS LOG -- -- A details log table with minimal information, can be used to record events -- at the IP level. -- type1NetEventsLog OBJECT IDENTIFIER ::= { fwevent 2 } type1NetEventsLogTableLastValidRow OBJECT-TYPE SYNTAX INTEGER(1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "The index value of the last valid row in the type1NetEventsLogTable." ::= { type1NetEventsLog 1 } type1NetEventsLogTable OBJECT-TYPE SYNTAX SEQUENCE OF Type1NetEventsLogEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table of detailed data for IP type events." ::= { type1NetEventsLog 2 } type1NetEventsLogEntry OBJECT-TYPE SYNTAX Type1NetEventsLogEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION Grall [Page 30] Internet-Draft Firewall MIB 24 November 1997 "An entry in the table, containing detailed information about an event." INDEX { type1NetEventLogIndex } ::= { type1NetEventsLogTable 1 } Type1NetEventsLogEntry ::= SEQUENCE { type1NetEventLogIndex INTEGER(1..2147483647), type1NetEventProtocol ProtocolUnitTC, type1NetEventSrcIpAddress IpAddress, type1NetEventMappedSrcIpAddress IpAddress, type1NetEventDstIpAddress IpAddress, type1NetEventMappedDstIpAddress IpAddress, type1NetEventICMPCommand INTEGER, type1NetEventGenericService OBJECT IDENTIFIER, type1NetEventServiceInformation Utf8String, type1NetEventActionReason Utf8String } type1NetEventLogIndex OBJECT-TYPE SYNTAX INTEGER(1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "An index that uniquely identifies an entry in the log table. These indices are assigned beginning with 1 and increase by one with each new log entry. The agent may choose to delete the instances of basicEventEntry as required because of lack of memory. It is an implementation specific matter as to when this deletion may occur and as to which log entries are deleted." ::= { type1NetEventsLogEntry 1 } type1NetEventProtocol OBJECT-TYPE SYNTAX ProtocolUnitTC MAX-ACCESS read-only STATUS current DESCRIPTION "Enumeration of possible network protocols." ::= { type1NetEventsLogEntry 2 } type1NetEventSrcIpAddress OBJECT-TYPE Grall [Page 31] Internet-Draft Firewall MIB 24 November 1997 SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "Source IP address as provided in an IP packet." ::= { type1NetEventsLogEntry 3 } type1NetEventMappedSrcIpAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "Source IP address after network address translation has been applied." ::= { type1NetEventsLogEntry 4 } type1NetEventDstIpAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "Destination IP address as provided in an IP packet or by a service user." ::= { type1NetEventsLogEntry 5 } type1NetEventMappedDstIpAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "Destination IP address after network address translation has been applied." ::= { type1NetEventsLogEntry 6 } type1NetEventICMPCommand OBJECT-TYPE SYNTAX INTEGER { echoreply(0), destunreach(3), sourcequench(4), redirect(5), Grall [Page 32] Internet-Draft Firewall MIB 24 November 1997 echo(8), timeexceeded(11), paramprob(12), timestamp(13), timestampreply(14), mask(17), maskreply(18), traceroute(30), notICMP(41) } MAX-ACCESS read-only STATUS current DESCRIPTION "Enumeration of the most common types of ICMP packets, the numbers used above represent the ICMP Type number currently assigned by IANA." ::= { type1NetEventsLogEntry 7 } type1NetEventGenericService OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "The identification of the type of service notifying about the event. This value may be chosen from the spfw.service or vendor specific trees. The description in serviceInformation can be used to designate a particular service from within this service type." ::= { type1NetEventsLogEntry 8 } type1NetEventServiceInformation OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "Specific service information. This can be used to designate the particular service within a genericService type and/or it can designate whether the service is a local service or a gateway service. For example, if the value for genericService is service.svcLogin.telnet, then the string provided might be 'local telnet'." ::= { type1NetEventsLogEntry 9 } Grall [Page 33] Internet-Draft Firewall MIB 24 November 1997 type1NetEventActionReason OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "A detailed description of the reason the ruleAction took place. Could be a copy of the rule used." ::= { type1NetEventsLogEntry 10 } -- TYPE 2 NETWORK EVENTS LOG -- -- A details table with more than minimal information, it can be used to -- record events at the transport level or when the service is not known. type2NetEventsLog OBJECT IDENTIFIER ::= { fwevent 3 } type2NetEventsLogTableLastValidRow OBJECT-TYPE SYNTAX INTEGER(1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "The index value of the last valid row in the type2NetEventsLogTable." ::= { type2NetEventsLog 1 } type2NetEventsLogTable OBJECT-TYPE SYNTAX SEQUENCE OF Type2NetEventsLogEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table of detailed data for transport events." ::= { type2NetEventsLog 2 } type2NetEventsLogEntry OBJECT-TYPE SYNTAX Type2NetEventsLogEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the table, containing detailed information about an event." Grall [Page 34] Internet-Draft Firewall MIB 24 November 1997 INDEX { type2NetEventLogIndex } ::= { type2NetEventsLogTable 1 } Type2NetEventsLogEntry ::= SEQUENCE { type2NetEventLogIndex INTEGER(1..2147483647), type2NetEventProtocol ProtocolUnitTC, type2NetEventSrcIpAddress IpAddress, type2NetEventMappedSrcIpAddress IpAddress, type2NetEventDstIpAddress IpAddress, type2NetEventMappedDstIpAddress IpAddress, type2NetEventSrcIpPort INTEGER(0..65535), type2NetEventMappedSrcIpPort INTEGER(0..65535), type2NetEventDstIpPort INTEGER(0..65535), type2NetEventMappedDstIpPort INTEGER(0..65535), type2NetEventGenericService OBJECT IDENTIFIER, type2NetEventServiceInformation Utf8String, type2NetEventRuleID INTEGER(0..65535), type2NetEventActionReason Utf8String } type2NetEventLogIndex OBJECT-TYPE SYNTAX INTEGER(1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "An index that uniquely identifies an entry in the log table. These indices are assigned beginning with 1 and increase by one with each new log entry. The agent may choose to delete the instances of basicEventEntry as required because of lack of memory. It is an implementation specific matter as to when this deletion may occur and as to which log entries are deleted." ::= { type2NetEventsLogEntry 1 } type2NetEventProtocol OBJECT-TYPE SYNTAX ProtocolUnitTC MAX-ACCESS read-only STATUS current DESCRIPTION "Enumeration of possible network protocols." ::= { type2NetEventsLogEntry 2 } type2NetEventSrcIpAddress OBJECT-TYPE Grall [Page 35] Internet-Draft Firewall MIB 24 November 1997 SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "Source IP address as provided in an IP packet." ::= { type2NetEventsLogEntry 3 } type2NetEventMappedSrcIpAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "Source IP address after network address translation has been applied." ::= { type2NetEventsLogEntry 4 } type2NetEventDstIpAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "Destination IP address as provided in an IP packet or by a service user." ::= { type2NetEventsLogEntry 5 } type2NetEventMappedDstIpAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "Destination IP address after network address translation has been applied." ::= { type2NetEventsLogEntry 6 } type2NetEventSrcIpPort OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION Grall [Page 36] Internet-Draft Firewall MIB 24 November 1997 "Source UDP/TCP port as provided in an IP packet." ::= { type2NetEventsLogEntry 7 } type2NetEventMappedSrcIpPort OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "Source UDP/TCP port after any port translation or change has been applied." ::= { type2NetEventsLogEntry 8 } type2NetEventDstIpPort OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "Destination UDP/TCP port as provided in an IP packet or by a service user." ::= { type2NetEventsLogEntry 9 } type2NetEventMappedDstIpPort OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "Destination UDP/TCP port after any port translation or change has been applied." ::= { type2NetEventsLogEntry 10 } type2NetEventGenericService OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "The identification of the type of service notifying about the event. This value may be chosen from the spfw.service or vendor specific trees. The description in serviceInformation can be used to designate a particular service from within this service type." Grall [Page 37] Internet-Draft Firewall MIB 24 November 1997 ::= { type2NetEventsLogEntry 11 } type2NetEventServiceInformation OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "Specific service information. This can be used to designate the particular service within a genericService type and/or it can designate whether the service is a local service or a gateway service. For example, if the value for genericService is service.svcLogin.telnet, then the string provided might be 'local telnet'." ::= { type2NetEventsLogEntry 12 } type2NetEventRuleID OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "Integer representation of rule identifier. How to interpret the number provided is defined by the firewall vendor." ::= { type2NetEventsLogEntry 13 } type2NetEventActionReason OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "A detailed description of the reason the ruleAction took place. Could be a copy of the rule used." ::= { type2NetEventsLogEntry 14 } -- TYPE 3 NETWORK EVENTS LOG -- -- A details table with a large amount of information. It can be used to -- record details for events at the application level. type3NetEventsLog OBJECT IDENTIFIER ::= { fwevent 4 } Grall [Page 38] Internet-Draft Firewall MIB 24 November 1997 type3NetEventsLogTableLastValidRow OBJECT-TYPE SYNTAX INTEGER(1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "The index value of the last valid row in the type3NetEventsLogTable." ::= { type3NetEventsLog 1 } type3NetEventsLogTable OBJECT-TYPE SYNTAX SEQUENCE OF Type3NetEventsLogEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table of detailed data for transport events." ::= { type3NetEventsLog 2} type3NetEventsLogEntry OBJECT-TYPE SYNTAX Type3NetEventsLogEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the table, containing detailed information about an event." INDEX { type3NetEventLogIndex } ::= { type3NetEventsLogTable 1 } Type3NetEventsLogEntry ::= SEQUENCE { type3NetEventLogIndex INTEGER(1..2147483647), type3NetEventProtocol ProtocolUnitTC, type3NetEventSrcIpAddress IpAddress, type3NetEventMappedSrcIpAddress IpAddress, type3NetEventDstIpAddress IpAddress, type3NetEventMappedDstIpAddress IpAddress, type3NetEventSrcIpPort INTEGER(0..65535), type3NetEventMappedSrcIpPort INTEGER(0..65535), type3NetEventDstIpPort INTEGER(0..65535), type3NetEventMappedDstIpPort INTEGER(0..65535), type3NetEventGenericService OBJECT IDENTIFIER, type3NetEventServiceInformation Utf8String, type3NetEventAuthdEntity Utf8String, type3NetEventRuleID INTEGER(0..65535), type3NetEventActionReason Utf8String Grall [Page 39] Internet-Draft Firewall MIB 24 November 1997 } type3NetEventLogIndex OBJECT-TYPE SYNTAX INTEGER(1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "An index that uniquely identifies an entry in the log table. These indices are assigned beginning with 1 and increase by one with each new log entry. The agent may choose to delete the instances of basicEventEntry as required because of lack of memory. It is an implementation specific matter as to when this deletion may occur and as to which log entries are deleted." ::= { type3NetEventsLogEntry 1 } type3NetEventProtocol OBJECT-TYPE SYNTAX ProtocolUnitTC MAX-ACCESS read-only STATUS current DESCRIPTION "Enumeration of possible network protocols." ::= { type3NetEventsLogEntry 2 } type3NetEventSrcIpAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "Source IP address as provided in an IP packet." ::= { type3NetEventsLogEntry 3 } type3NetEventMappedSrcIpAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "Source IP address after network address translation has been applied." Grall [Page 40] Internet-Draft Firewall MIB 24 November 1997 ::= { type3NetEventsLogEntry 4 } type3NetEventDstIpAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "Destination IP address as provided in an IP packet or by a service user." ::= { type3NetEventsLogEntry 5 } type3NetEventMappedDstIpAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "Destination IP address after network address translation has been applied." ::= { type3NetEventsLogEntry 6 } type3NetEventSrcIpPort OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "Source UDP/TCP port as provided in an IP packet." ::= { type3NetEventsLogEntry 7 } type3NetEventMappedSrcIpPort OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "Source UDP/TCP port after any port translation or change has been applied." ::= { type3NetEventsLogEntry 8 } type3NetEventDstIpPort OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only Grall [Page 41] Internet-Draft Firewall MIB 24 November 1997 STATUS current DESCRIPTION "Destination UDP/TCP port as provided in an IP packet or by a service user." ::= { type3NetEventsLogEntry 9 } type3NetEventMappedDstIpPort OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "Destination UDP/TCP port after any port translation or change has been applied." ::= { type3NetEventsLogEntry 10 } type3NetEventGenericService OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "The identification of the type of service notifying about the event. This value may be chosen from the spfw.service or vendor specific trees. The description in serviceInformation can be used to designate a particular service from within this service type." ::= { type3NetEventsLogEntry 11 } type3NetEventServiceInformation OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "Specific service information. This can be used to designate the particular service within a genericService type and/or it can designate whether the service is a local service or a gateway service. For example, if the value for genericService is service.svcLogin.telnet, then the string provided might be 'local telnet'." ::= { type3NetEventsLogEntry 12 } Grall [Page 42] Internet-Draft Firewall MIB 24 November 1997 type3NetEventAuthdEntity OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "A userid, username, processid or other identifier for the entity using the service. If there is no such information then 'none' may be provided." ::= { type3NetEventsLogEntry 13 } type3NetEventRuleID OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "INTEGER representation of a rule identifier. How to interpret the number provided is defined by the firewall vendor. Eg., it may represent a configuration line number in a file, or a rule number in a table." ::= { type3NetEventsLogEntry 14 } type3NetEventActionReason OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "A detailed description of the reason the ruleAction took place. Could be a copy of the rule used." ::= { type3NetEventsLogEntry 15 } -- HEALTH EVENTS LOG -- -- This table is used for events related to the firewall's health and -- status. The events can be for hardware or software resources. healthEventsLog OBJECT IDENTIFIER ::= { fwevent 5 } healthEventsLogTableLastValidRow OBJECT-TYPE SYNTAX INTEGER(1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION Grall [Page 43] Internet-Draft Firewall MIB 24 November 1997 "The index value of the last valid row in the healthEventsLogTable." ::= { healthEventsLog 1 } healthEventsLogTable OBJECT-TYPE SYNTAX SEQUENCE OF HealthEventsLogEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table of detailed data for firewall health events." ::= { healthEventsLog 2 } healthEventsLogEntry OBJECT-TYPE SYNTAX HealthEventsLogEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the table, containing detailed information about a health event." INDEX { healthEventLogIndex } ::= { healthEventsLogTable 1 } HealthEventsLogEntry ::= SEQUENCE { healthEventLogIndex INTEGER(1..2147483647), healthEventResourceType OBJECT IDENTIFIER, healthEventResourceDetails Utf8String, healthEventProblemDetail Utf8String } healthEventLogIndex OBJECT-TYPE SYNTAX INTEGER(1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "An index that uniquely identifies an entry in the log table. These indices are assigned beginning with 1 and increase by one with each new log entry. The agent may choose to delete the instances of basicEventEntry as required because of lack of memory. It is an implementation specific matter as to when this deletion may occur and as to which log entries are deleted." Grall [Page 44] Internet-Draft Firewall MIB 24 November 1997 ::= { healthEventsLogEntry 1 } healthEventResourceType OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "The identification of the type of resource notifying about the problem. This value may be chosen from the spfw.service or vendor specific trees. The description in ResourceDetails can be used to designate a particular service from within this service type." ::= { healthEventsLogEntry 2 } healthEventResourceDetails OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "Specific resource information. This can be used to designate the particular service within a resourceType OID." ::= { healthEventsLogEntry 3 } healthEventProblemDetail OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "Details on the problem being reported. Used if more detail is needed to interpret resourceStatus." ::= { healthEventsLogEntry 5 } -- MANAGEMENT EVENTS LOG -- -- This table is used for reporting events related to management of the -- firewall. managementEventsLog OBJECT IDENTIFIER ::= { fwevent 6 } managementEventsLogTableLastValidRow OBJECT-TYPE SYNTAX INTEGER(1..2147483647) Grall [Page 45] Internet-Draft Firewall MIB 24 November 1997 MAX-ACCESS read-only STATUS current DESCRIPTION "The index value of the last valid row in the managementEventsLogTable." ::= { managementEventsLog 1 } managementEventsLogTable OBJECT-TYPE SYNTAX SEQUENCE OF ManagementEventsLogEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table of detailed data for firewall management events." ::= { managementEventsLog 2 } managementEventsLogEntry OBJECT-TYPE SYNTAX ManagementEventsLogEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the table, containing detailed information about a management event." INDEX { managementEventLogIndex } ::= { managementEventsLogTable 1 } ManagementEventsLogEntry ::= SEQUENCE { managementEventLogIndex INTEGER(1..2147483647), managementEventSubjectName Utf8String, managementEventSubjectAction EventTypeUnitTC, managementEventActionDetail Utf8String, managementEventObjectManaged OBJECT IDENTIFIER } managementEventLogIndex OBJECT-TYPE SYNTAX INTEGER(1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "An index that uniquely identifies an entry in the log table. These indices are assigned beginning with 1 and increase by one with each Grall [Page 46] Internet-Draft Firewall MIB 24 November 1997 new log entry. The agent may choose to delete the instances of basicEventEntry as required because of lack of memory. It is an implementation specific matter as to when this deletion may occur and as to which log entries are deleted." ::= { managementEventsLogEntry 1 } managementEventSubjectName OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "The userid, processid, or other unique information that designates which subject is causing the management event event." ::= { managementEventsLogEntry 2 } managementEventSubjectAction OBJECT-TYPE SYNTAX EventTypeUnitTC MAX-ACCESS read-only STATUS current DESCRIPTION "What a subject did on the firewall." ::= { managementEventsLogEntry 3 } managementEventActionDetail OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "Details on the management event based on the subjectAction chosen." ::= { managementEventsLogEntry 4 } managementEventObjectManaged OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "The identification of the type of resource begin managed. Grall [Page 47] Internet-Draft Firewall MIB 24 November 1997 This value may be chosen from the spfw.service or vendor specific trees. The description in managementEventSubjectActionDetail can be used to designate a particular service from within this service type." ::= { managementEventsLogEntry 5 } -- -- fwquery group -- -- The query group defines status and statistical data at the firewall. -- The data included here concentrates on variables not covered by -- other MIBs. -- All data is designated as read-only. Changes to a firewall's -- configuration or any of the data here is assumed to take place via -- a different channel. -- We encourage the firewall to support MIB-II for resource information -- when possible. To that extent, this query group does not include any -- objects that are covered by MIB-II. fwquery OBJECT IDENTIFIER ::= { spfw 3 } firewall OBJECT IDENTIFIER ::= { fwquery 1 } resource OBJECT IDENTIFIER ::= { fwquery 2 } statistic OBJECT IDENTIFIER ::= { fwquery 3 } -- The firewall product related queries fwProductName OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "The product name of the firewall." ::= { firewall 1 } fwVersionMajor OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "The major version of the firewall as a whole." ::= { firewall 2 } Grall [Page 48] Internet-Draft Firewall MIB 24 November 1997 fwVersionMinor OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "The minor version of the firewall as a whole." ::= { firewall 3 } fwOSName OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "The specific vendor's name for the operating system the firewall is running on. For Unix type operating systems this would usually be the output from 'uname -s'. For other operating systems...@?@???" ::= { firewall 4 } fwOSVersion OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "The specific vendor's version for the operating system the firewall is running on. For Unix type operating systems this would usually be the output from 'uname -r'. For other operating systems...@?@???" ::= { firewall 5 } -- The firewall module table is used to provide additional version and -- status information for firewall modules. The definition of a module -- is vendor specific. At the least the firewall should provide one row -- for this table to represent the firewall as a whole (ie, the -- value used for fwModuleType would be services.svcFirewall). For values -- in this table that the firewall module does not support (eg., the -- module does not support serial numbers), the value used would be -- "NULL". fwModuleTable OBJECT-TYPE SYNTAX SEQUENCE OF FwModuleEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION Grall [Page 49] Internet-Draft Firewall MIB 24 November 1997 "Table of firewall Module entries that provide version and status information." ::= { firewall 6 } fwModuleEntry OBJECT-TYPE SYNTAX FwModuleEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the table, containing information about a module." INDEX { fwModuleType } ::= { fwModuleTable 1 } FwModuleEntry ::= SEQUENCE { fwModuleType OBJECT IDENTIFIER, fwModuleInformation Utf8String, fwModuleVersion Utf8String, fwModulePatchLevel Utf8String, fwModuleLicenseKey Utf8String, fwModuleSerialNumber Utf8String, fwModuleCfgID Utf8String, fwModuleCfgDate TimeStamp, fwModuleCfgState INTEGER } fwModuleType OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "Firewall module type. This can be an OID from the services group, or the vendor can choose to define OIDs in their enterprise group." ::= { fwModuleEntry 1 } fwModuleInformation OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "Detailed information to designate the specific firewall module or service based on the type chosen for fwModuleType." Grall [Page 50] Internet-Draft Firewall MIB 24 November 1997 ::= { fwModuleEntry 2 } fwModuleVersion OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "Module Version." ::= { fwModuleEntry 3 } fwModulePatchLevel OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "Module Patch Level." ::= { fwModuleEntry 4 } fwModuleLicenseKey OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "Module license key" ::= { fwModuleEntry 5 } fwModuleSerialNumber OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "Module serial number." ::= { fwModuleEntry 6 } fwModuleCfgID OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION Grall [Page 51] Internet-Draft Firewall MIB 24 November 1997 "Module configuration ID." ::= { fwModuleEntry 7 } fwModuleCfgDate OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "Module configuration date." ::= { fwModuleEntry 8 } fwModuleCfgState OBJECT-TYPE SYNTAX INTEGER { inprogress(1), done(2) } MAX-ACCESS read-only STATUS current DESCRIPTION "Enumeration of the state the module's configuration is in." ::= { fwModuleEntry 9 } -- The resource information related queries, this table is for -- providing the status of the resources on the firewall. Resources -- can include hardware or software modules on the firewall. resourceTable OBJECT-TYPE SYNTAX SEQUENCE OF ResourceEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table of firewall resource entries" ::= { resource 1 } resourceEntry OBJECT-TYPE SYNTAX ResourceEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION Grall [Page 52] Internet-Draft Firewall MIB 24 November 1997 "An entry in the table, containing information about a resource." INDEX { resourceType } ::= { resourceTable 1 } ResourceEntry ::= SEQUENCE { resourceType OBJECT IDENTIFIER, resourceInformation Utf8String, resourceStatus EventTypeUnitTC } resourceType OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "Resource type. This can be an OID from the services group, or the vendor can choose to define OIDs in their enterprise group." ::= { resourceEntry 1 } resourceInformation OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "Detailed information to designate the specific firewall resource or service based on the type chosen for resourceType. See appendix XX for suggested values in this field." ::= { resourceEntry 2 } resourceStatus OBJECT-TYPE SYNTAX EventTypeUnitTC MAX-ACCESS read-only STATUS current DESCRIPTION "Enumeration of firewall resource status/events. This list applies to hardware and software resources provided and used by the firewall." ::= { resourceEntry 3 } Grall [Page 53] Internet-Draft Firewall MIB 24 November 1997 -- The statistic related queries -- This group contains several tables, each table can be used to provide -- the indicated statistics for any firewall resource or service. The tables -- all contain rows for (and are indexed by) each service that the statistic -- applies to. -- -- The tables in this group can be used to provide statistics on: -- -- packet level data (packetStatTable) -- service level data (fwStatTable) -- -- The packetStatTable includes variables to record the number of packets -- handled by the firewall in various ways. -- @?@ complete... -- -- In all the tables, for any Counter32 objects that are not supported, -- a value of "0" is returned. packetStatTable OBJECT-TYPE SYNTAX SEQUENCE OF PacketStatEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table of firewall packet statistic entries." ::= { statistic 1 } packetStatEntry OBJECT-TYPE SYNTAX PacketStatEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the table, containing information about a statistic." INDEX { packetStatServiceType } ::= { packetStatTable 1 } PacketStatEntry ::= SEQUENCE { packetStatServiceType OBJECT IDENTIFIER, packetStatServiceDetail Utf8String, packetsAccepted Counter32, packetsDropped Counter32, packetsEncrypted Counter32, packetsInvalid Counter32, Grall [Page 54] Internet-Draft Firewall MIB 24 November 1997 packetsIgnore Counter32, packetsRejected Counter32, packetsForwarded Counter32 } packetStatServiceType OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "The identification of the type of service notifying about the event. This value may be chosen from the spfw.service or vendor specific trees. The description in packetStatServiceDetail can be used to designate a particular service from within this service type." ::= { packetStatEntry 1 } packetStatServiceDetail OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "Specific service information. This can be used to further designate the particular service." ::= { packetStatEntry 2 } packetsAccepted OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Number of packets accepted." ::= { packetStatEntry 3 } packetsDropped OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Number of packets dropped." Grall [Page 55] Internet-Draft Firewall MIB 24 November 1997 ::= { packetStatEntry 4 } packetsEncrypted OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Number of packets encrypted." ::= { packetStatEntry 5 } packetsInvalid OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Number of bad (see section 4.0) packets received." ::= { packetStatEntry 6 } packetsIgnore OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Number of bad (see section 4.0) packets received." ::= { packetStatEntry 7 } packetsRejected OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Number of packets rejected." ::= { packetStatEntry 8 } packetsForwarded OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Number of packets forwarded." Grall [Page 56] Internet-Draft Firewall MIB 24 November 1997 ::= { packetStatEntry 9 } -- The Firewall Statistics Table Definition -- -- This table can be used to provide the statistics -- for any firewall resource or service. This table contains rows for -- (and are indexed by) each service that the statistic applies to -- and by the type of statistic. -- -- This table can be used to provide statistics on any of the events -- that are also reported via traps, as well as any other events included -- in EventTypeUnitTC. For example to report on: -- -- - procotol or connection type data -- @?@ ex. here... -- - application type data -- @?@ ex. here... -- -- The table contains a column to provide details about the statistic -- being reported on. So for example if the statistic is for a particular -- user, this can be provided in the fwStatisticDescription. fwStatTable OBJECT-TYPE SYNTAX SEQUENCE OF FwStatEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table of firewall statistic entries." ::= { statistic 2 } fwStatEntry OBJECT-TYPE SYNTAX FwStatEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the table, containing information about a firewall statistic." INDEX { fwStatServiceType, fwStatType } ::= { fwStatTable 1 } FwStatEntry ::= SEQUENCE { fwStatServiceType OBJECT IDENTIFIER, fwStatServiceInformation Utf8String, Grall [Page 57] Internet-Draft Firewall MIB 24 November 1997 fwStatType EventTypeUnitTC, fwStatValue Counter32, fwStatDescription Utf8String, fwStatStartTime TimeStamp, fwStatElapsedTime Counter32 } fwStatServiceType OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "The identification of the type of service notifying about the event. This value may be chosen from the spfw.service or vendor specific trees. The description in fwStatServiceInformation can be used to designate a particular service from within this service type." ::= { fwStatEntry 1 } fwStatServiceInformation OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "Specific service information. This can be used to designate the particular service." ::= { fwStatEntry 2 } fwStatType OBJECT-TYPE SYNTAX EventTypeUnitTC MAX-ACCESS read-only STATUS current DESCRIPTION "The type of statistic this row is reporting on. This along with fwStatServiceType provides a unique index into the table." ::= { fwStatEntry 3 } fwStatValue OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION Grall [Page 58] Internet-Draft Firewall MIB 24 November 1997 "A count of fwStatType events." ::= { fwStatEntry 4 } fwStatDescription OBJECT-TYPE SYNTAX Utf8String MAX-ACCESS read-only STATUS current DESCRIPTION "A more detailed description of the statistic provided in case the fwStatType does not give a good indication of what the count in fwStatValue represents." ::= { fwStatEntry 5 } fwStatStartTime OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The time the statistic gathering for this particular statistic was started." ::= { fwStatEntry 6 } fwStatElapsedTime OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The elapsed time in seconds since fwStatStartTime that this particular statistic was collected." ::= { fwStatEntry 7 } -- -- fwtrap group -- -- The fwtrap group defines the trap types that a firewall may -- send. fwtrap OBJECT IDENTIFIER ::= { spfw 4 } Grall [Page 59] Internet-Draft Firewall MIB 24 November 1997 -- Traps are defined using the conventions in SNMPv2-SMI -- -- The networkEventTrap is used for events related to the network -- operation in the firewall. This includes packet screening events and -- serviceevents. Thetrap contains OID and row indexes of both the -- details table and the vendor private table. Then the management -- station can choose to access the event details without having to query -- the base table. networkEventTrap NOTIFICATION-TYPE OBJECTS { basicEventLogIndex, basicEventTime, basicEventSource, basicEventType, basicEventDescription, basicEventDetailsTable, basicEventDetailsTableIndex, basicEventVendorPrivateDetailsTable, basicEventVendorPrivateDetailsTableIndex } STATUS current DESCRIPTION "Network event notification from network components" ::= { fwtrap 1 } -- Example use: see introduction. -- The healthEventTrap is used for events related to configuration problems, -- resource problems, service problems, and system problems. healthEventTrap NOTIFICATION-TYPE OBJECTS { basicEventLogIndex, basicEventTime, basicEventSource, basicEventType, basicEventDescription, basicEventDetailsTable, basicEventDetailsTableIndex, basicEventVendorPrivateDetailsTable, basicEventVendorPrivateDetailsTableIndex } STATUS current DESCRIPTION Grall [Page 60] Internet-Draft Firewall MIB 24 November 1997 "Notification on events concerning the status and health of the firewall" ::= { fwtrap 2 } -- Example use: see introduction. -- The managementEventTrap is for events that relate to configuration -- changes, operating system changes, and patches to components on the -- firewall. managementEventTrap NOTIFICATION-TYPE OBJECTS { basicEventLogIndex, basicEventTime, basicEventSource, basicEventType, basicEventDescription, basicEventDetailsTable, basicEventDetailsTableIndex, basicEventVendorPrivateDetailsTable, basicEventVendorPrivateDetailsTableIndex } STATUS current DESCRIPTION "Notification of a configuration related event." ::= { fwtrap 3 } -- Example use: see introduction. -- conformance information, see RFC1444 spfwConformance OBJECT IDENTIFIER ::= { spfw 5 } fwCompliances OBJECT IDENTIFIER ::= { spfwConformance 1 } fwGroups OBJECT IDENTIFIER ::= { spfwConformance 2 } -- compliance statements fwCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for SNMPv2 entities which implement the Firewall MIB." Grall [Page 61] Internet-Draft Firewall MIB 24 November 1997 MODULE -- this module GROUP basicEventsLogGroup DESCRIPTION "If the firewall will be sending traps, then the basicEventsLog group is mandatory." ::= { fwCompliances 1 } -- units of conformance basicEventsLogGroup OBJECT-GROUP OBJECTS { basicEventsLogTableLastValidRow, basicEventLogIndex, basicEventTime, basicEventSource, basicEventType, basicEventDescription, basicEventDetailsTable, basicEventDetailsTableIndex, basicEventVendorPrivateDetailsTable, basicEventVendorPrivateDetailsTableIndex } STATUS current DESCRIPTION "A collection of objects allowing the description of events occurring on a firewall." ::= { fwGroups 1 } otherEventsLogGroup OBJECT-GROUP OBJECTS { type1NetEventsLogTableLastValidRow, type1NetEventLogIndex, type1NetEventProtocol, type1NetEventSrcIpAddress, type1NetEventMappedSrcIpAddress, type1NetEventDstIpAddress, type1NetEventMappedDstIpAddress, type1NetEventICMPCommand, type1NetEventGenericService, type1NetEventServiceInformation, type1NetEventActionReason, type2NetEventsLogTableLastValidRow, type2NetEventLogIndex, type2NetEventProtocol, type2NetEventSrcIpAddress, type2NetEventMappedSrcIpAddress, type2NetEventDstIpAddress, type2NetEventMappedDstIpAddress, type2NetEventSrcIpPort, type2NetEventMappedSrcIpPort, type2NetEventDstIpPort, type2NetEventMappedDstIpPort, type2NetEventRuleID, type2NetEventActionReason, type2NetEventGenericService, type2NetEventServiceInformation, type3NetEventsLogTableLastValidRow, type3NetEventLogIndex, type3NetEventProtocol, type3NetEventSrcIpAddress, type3NetEventMappedSrcIpAddress, type3NetEventDstIpAddress, type3NetEventMappedDstIpAddress, type3NetEventSrcIpPort, type3NetEventMappedSrcIpPort, type3NetEventDstIpPort, Grall [Page 62] Internet-Draft Firewall MIB 24 November 1997 type3NetEventMappedDstIpPort, type3NetEventGenericService, type3NetEventServiceInformation, type3NetEventAuthdEntity, type3NetEventRuleID, type3NetEventActionReason, healthEventsLogTableLastValidRow, healthEventLogIndex, healthEventResourceType, healthEventResourceDetails, healthEventProblemDetail, managementEventsLogTableLastValidRow, managementEventLogIndex, managementEventSubjectName, managementEventSubjectAction, managementEventActionDetail, managementEventObjectManaged } STATUS current DESCRIPTION "A collection of objects allowing the description of event details occurring on a firewall." ::= { fwGroups 2 } fwqueryGroup OBJECT-GROUP OBJECTS { fwProductName, fwVersionMajor, fwVersionMinor, fwOSName, fwOSVersion, fwModuleType, fwModuleInformation, fwModuleVersion, fwModulePatchLevel, fwModuleLicenseKey, fwModuleSerialNumber, fwModuleCfgID, fwModuleCfgDate, fwModuleCfgState, resourceType, resourceInformation, resourceStatus, packetStatServiceType, packetStatServiceDetail, packetsAccepted, packetsDropped, packetsEncrypted, packetsInvalid, packetsIgnore, packetsRejected, packetsForwarded, fwStatServiceType, fwStatServiceInformation, fwStatType, fwStatValue, fwStatDescription, fwStatStartTime, fwStatElapsedTime } STATUS current DESCRIPTION "A collection of objects allowing the collection of information about the firewall." ::= { fwGroups 3 } END Contributing authors: Grall [Page 63] Internet-Draft Firewall MIB 24 November 1997 Lee Brown Holly Ding Dorit Dor Dale Lancaster Ken Laube Herbert Lin Ian McDonnell Thomas Oeser Ashok Nadkarni Poornima Rao Ephraim Vider Michael Wittig 6. References [1] Cerf, V., "IAB Recommendations for the Development of Internet Net- work Management Standards", RFC 1052, NRI, April 1988. [2] Cerf, V., "Report of the Second Ad Hoc Network Management Review Group", RFC 1109, NRI, August 1989. [3] Rose M., and K. McCloghrie, "Structure and Identification of Manage- ment Information for TCP/IP-based internets", STD 16, RFC 1155, Performance Systems International, Hughes LAN Systems, May 1990. [4] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure of Management Information for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1902, January 1996. [5] McCloghrie K., and M. Rose, Editors, "Management Information Base for Network Management of TCP/IP-based internets", STD 17, RFC 1213, Performance Systems International, March 1991. [6] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network Management Protocol", STD 15, RFC 1157, SNMP Research, Performance Systems International, Performance Systems International, MIT Laboratory for Computer Science, May 1990. [7] SNMPv2 working Group, Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol Operations for Version 2 of the Simple Net- work Management Protocol (SNMPv2)", RFC 1905, January 1996. [8] McCloghrie, K., and F. Kastenholz, "Evolution of the Interfaces Grall [Page 64] Internet-Draft Firewall MIB 24 November 1997 Group of MIB-II", RFC 1573, Hughes LAN Systems, FTP Software, Janu- ary 1994. [9] Information processing systems - Open Systems Interconnection - Specification of Abstract Syntax Notation One (ASN.1), Interna- tional Organization for Standardization. International Standard 8824, (December, 1987). [10] Information processing systems - Open Systems Interconnection - Specification of Basic Encoding Rules for Abstract Notation One (ASN.1), International Organization for Standardization. Interna- tional Standard 8825, (December, 1987). [11] Rose, M., and K. McCloghrie, Editors, "Concise MIB Definitions", RFC 1212, Performance Systems International, Hughes LAN Systems, March 1991. [12] Rose, M., Editor, "A Convention for Defining Traps for use with the SNMP", RFC 1215, Performance Systems International, March 1991. [13] F. Yergeau, "UTF-8, a transformation format of Unicode and ISO 10646", RFC 2044, October 1996. 7. Security Considerations Security issues are not discussed in this memo. 8. Author's Address Cindy Grall Trusted Information Systems 3415 S. Sepulvida Blvd., suite 700 Los Angeles, CA 90034 Phone: (310) 737-1744 EMail: grall@tis.com Appendix A: Sample Configurations and Scripts This appendix will contain configuration and script samples for using this MIB with some popular SNMP management products. Security Considerations ........................................... 65 Grall [Page 65] Internet-Draft Firewall MIB 24 November 1997 Author's Address .................................................. 65 Appendix A: Sample Configurations and Scripts ..................... 65 Grall [Page 66]