Internet Engineering Task Force C. Grall INTERNET-DRAFT Trusted Information Systems Expires 25 October 1998 20 April 1998 Firewall Management Information Base Status of this Memo This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." To view the entire list of current Internet-Drafts, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe), munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast). Abstract This document defines a portion of the Management Information Base (MIB) for use with network management protocols in TCP/IP-based internets. In particular, it defines objects for monitoring firewall devices. Table of Contents Abstract Table of Contents The Network Management Framework Overview Textual Conventions SnmpAdminString EventTypeUnitTC ProtocolUnitTC Grall [Page 1] Internet-Draft Firewall MIB 20 April 1998 Structure of MIB The Service Identifiers Group The Firewall Event Variables and Logs Group The Status and Statistics Group The Firewall Traps Group Monitoring of Firewall Devices Events Event Logs and Traps Details Table Use Trap Flooding Thresholds Log Tables Conventions Definitions Acknowledgments Security Considerations References Author's Address Appendix A: Sample Configurations and Scripts 1. The Network Management Framework The Internet-standard Network Management Framework consists of three components. They are: RFC 1902 [4] which defines the SMI, the mechanisms used for describing and naming objects for the purpose of management. STD 17, RFC 1213 [5] defines MIB-II, the core set of managed objects for the Internet suite of protocols. RFC 1157 [6], RFC 1905 [7], and RFC 2261 [13] which define three versions of the protocol used for network access to managed objects. The Framework permits new objects to be defined for the purpose of experimentation and evaluation. Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Within a given MIB module, objects are defined using RFC 1902's OBJECT-TYPE macro. At a minimum, each object has a name, a syntax, an access-level, and Grall [Page 2] Internet-Draft Firewall MIB 20 April 1998 an implementation-status. The name is an object identifier, an administratively assigned name, which specifies an object type. The object type together with an object instance serves to uniquely identify a specific instantiation of the object. For human convenience, we often use a textual string, termed the object descriptor, to also refer to the object type. The syntax of an object type defines the abstract data structure corresponding to that object type. The ASN.1[9] language is used for this purpose. However, RFC 1155[3] purposely restricts the ASN.1 constructs which may be used. These restrictions are expli- citly made for simplicity. 2. Overview This document specifies a working draft of a Management Information Base (MIB) definition intended for use in monitoring firewall systems with network management protocols in TCP/IP-based internets. All object identifiers defined herein are under the private enterprises MIB tree. This positioning would change if and when this MIB is adopted as stan- dard. 2.1. Textual Conventions Several new data types are introduced including EventTypeUnitTC, and ProtocolUnitTC. The SnmpAdminString as proposed in the SNMPV3 documents is also used. 2.1.1. SnmpAdminString The SnmpAdminString textual convention is used for all string variables. The definition from the current RFC [13] is included in this MIB (rather than referenced) until the RFC becomes a standard. 2.1.2. EventTypeUnitTC This textual convention enumerates many kinds of common events that may happen on a firewall. The list represents error conditions, unusual events, and normal activities. Grall [Page 3] Internet-Draft Firewall MIB 20 April 1998 2.1.3. ProtocolUnitTC This textual convention is an enumeration of the most common protocols used with TCP/IP-based network firewalls. 2.2. Structure of MIB The objects are arranged into the following groups: - service identifiers (service) - firewall event variables and logs (fwevent) - firewall status and statistics data (fwquery) - firewall traps (fwtrap) These groups are the basic units of conformance. If a firewall imple- ments a group, then it should implement all objects in that group. The fwevent, fwquery and fwtrap groups are optional. If the fwtrap group is implemented, the fwevent group must also be implemented. The services group must be supported if any of the other groups are implemented. These groups are defined to provide a means of assigning object identif- iers, and to provide a method for managed agents to know which objects they must implement. 2.2.1. The Service Identifiers Group The service group defines object identifiers (OIDs) for resource, classes of services, and particular services handled by firewalls. These OIDs are used as values in variables in other groups of the MIB to designate a service. In this document and the MIB definition, "resource" is defined as any service, application, proxy, hardware unit, utility, operating system, product, engine, etc. on the firewall. Resource can also refer to the firewall as a whole. Also, the term "service" is used interchangeably with "resource" throughout the document and MIB. 2.2.2. The Firewall Event Variables and Logs Group The fwevent group defines tables for logging events that take place on the firewall. Management stations are notified of the events via traps from the fwtrap group. Grall [Page 4] Internet-Draft Firewall MIB 20 April 1998 2.2.3. The Status and Statistics Group The fwquery group contains status and statistic information. It includes version information for the firewall and its resouces and ser- vices. It includes version information, staus details, and statistics measured by firewall resources and services. 2.2.4. The Firewall Traps Group The fwtrap group defines the traps that a firewall can send. 3. Monitoring of Firewall Devices The scope of the MIB defined here is to provide information for the pur- pose of monitoring firewall activity. The objects defined here provide information about urgent events, security, health and status, and per- formance of a firewall. This information is provided in two ways, via traps and through objects that must be queried. The traps also have associated information that can be queried. It is worth noting areas this MIB is not meant to address. It is not meant to replicate all firewall audit information or perform all of a firewall's logging. The information provided by the MIB objects is not necessarily all the information needed for a full audit capability. For example, suspicious monitoring entities would probably require audit information which would not be provided as part of this MIB. The MIB is also not meant to be used for reporting about the configura- tion of a firewall. Currently, most firewall's use unique and/or proprietary protocols and representations for dealing with the confi- guration and 'policy'. It was decided it would be too difficult to try to create a generic set of MIB objects that could represent most firewall configurations. This MIB does not have many variables related to configuration items. Write operations to MIB objects are not supported, i.e., SNMP SETs are currently not supported by this MIB. One motivation for this is that many SNMP implementations and network architectures do not support secure communications. Once SNMPv3 is established this can be revisted and the MIB can be expanded to include objects that can be written. Another motivation for not addressing SETs is that values typically "SET" on a firewall would deal with the firewall's configuration and 'policy'. Without a secure connection, the firewall's configuration could be exposed. This section provides details on the expected use of the objects defined Grall [Page 5] Internet-Draft Firewall MIB 20 April 1998 in section "Definitions" below. It also presents some implementation issues. 3.1. Events Many of the objects in the MIB are related to events on the firewall. An event as far as this MIB is concerned is what a trap is created for, and what is stored in the event logs. An event can represent the activity of a single user on the firewall, the status of a program on the firewall, or a collection of firewall activities. It is up to the firewall vendor to decide what activities on the firewall are represented as events in the MIB. In order to provide a common set of events for MIB users and management status, the MIB includes an enumeration of event types, EventTypeUnitTC. The list includes the most common events that happen on a firewall. The comments included in the list describe the firewall activities each entry is meant to represent. It is understood that the list will prob- ably not represent all possible events any particular firewall may report on and there are generic entries that can be used for these cases. While the MIB's main purpose is to report about "unusual" events on a firewall, it was felt that the MIB should not disallow reporting related to "normal" events. Items are included in EventTypeUnitTC to represent "normal", "okay", "good", and "up" activities and conditions. A firewall vender can then choose to report any kind of activity through MIB events. For example, a firewall could equate a MIB event with an audited event and report on all firewall activity with the MIB. 3.1.1. Event Logs and Traps The fwevent group defines a set of log tables for storing information about events. The fwtrap group defines a set of traps for reporting about the events that have been recorded in the logs. These two groups are meant to work together. Although it is possible to implement the fwevent group without any trap support, this is not the purpose of the logs in the fwevent group. The event logs are represented by a set of tables. There is a basic table that holds information common to every event, and there are other tables that contain different sets of detailed information. Figure 1 provides a conceptual view of the tables. The basic table points to one of the MIB detail tables by table OID and row index. The basic table also (optionally) points to a firewall vendor defined details table. Grall [Page 6] Internet-Draft Firewall MIB 20 April 1998 details table basic table entries ------------------------ ---------------------------| | | |index | | | |time | | | |source | | | |type | /| | |description | / ------------------------ | | / |details table row |--/ | | |vendor details table row |-\ vendor details table | | \ ------------------------ ---------------------------- \ | | \ | | \| | | | ------------------------ Figure 1: Conceptual view of event log tables. When an event (see section "Events") occurs on the firewall, the basic table information is collected and, based on the event, a details table is chosen and its information is collected as well. This information is stored on the firewall and a trap from the fwtrap group is sent. The trap contains the same information contained in the basic table. The management station then has the option to query the firewall and ask for the rows from the tables specified in the trap. Which trap is sent depends on the details table chosen. For the netEventsLogTable details table use the networkEventTrap trap. For the healthEventsLogTable details table use the healthEventTrap. For the managementEventsLogTable details table use the managementEventTrap. There is a one-to-one mapping between a detail table and a trap. Which details table to query is chosen based on the trap that was sent. Since the trap contains the EventTypeUnitTC and EventDescription values for the event, a user or management station can use these values to make decisions on whether the event details are useful or not. The retrieval of the details can be automated for many management stations. Appendix A contains some configuration and script examples for some of the more popular management tools. 3.1.2. Details Table Use The MIB defines three log tables to record details about an event. Each Grall [Page 7] Internet-Draft Firewall MIB 20 April 1998 table includes a different set of information. Multiple tables were defined rather than have one large table to lower the likelihood that queries (and traps) would have many unneeded or undefined values. The MIB does not dictate which details table must be used for recording a particular event. In order to ease management station configuration this section lists the preferred details table for each of the sets of event in EventTypeUnitTC. The following lists each of the sets from the EventTypeUnitTC and the preferred details table used: EventTypeUnitTC set Details Table ------------------------------------------------ other [any] hardware healthEventsLogTable system healthEventsLogTable fwmodule healthEventsLogTable mgmt managementEventsLogTable logging healthEventsLogTable routing netEventsLogTable packet netEventsLogTable encryption netEventsLogTable network netEventsLogTable protocol healthEventsLogTable service healthEventsLogTable configuration healthEventsLogTable access netEventsLogTable authentication netEventsLogTable attack netEventsLogTable contentInspection netEventsLogTable debug healthEventsLogTable test healthEventsLogTable 3.1.3. Trap Flooding Under normal network conditions, one should not see many traps sent by a firewall to a management station. There is a potential for a large number of traps to be sent by a firewall implementing this MIB. This depends on how the firewall maps activities to events and how many of a particular event can occur in a short time. The MIB has no variables related to controlling which traps are sent or to limit the number of traps sent. If this turns out to be a widespread problem after initial reference implementation testing, it will be addressed in a later draft of this MIB. Grall [Page 8] Internet-Draft Firewall MIB 20 April 1998 To provide firewall and SNMP management users some control it is sug- gested that an agent implementation provide some on/off configuration options for the events a firewall will report about. Whether and how to implement this and the granularity of the configuration control is beyond the scope of this document. 3.1.4. Thresholds It was stated earlier that a particular firewall vendor defines what a MIB event is on their firewall. It is expected that some MIB events will actually represent a set of activities on the firewall. For exam- ple, EventTypeUnitTC has an event called login attempts. What is not specified by the MIB is how many attempts happened before the event was handled by the SNMP agent. Individual thresholds for controlling which firewall activities are represented as events in the MIB or for controlling which events should generate traps are not specified in this MIB. Some activities are unin- teresting when they occur occasionally, but more interesting when they are more frequent. Firewall vendors decide which activities have thres- holds and what kind of thresholds are available. 3.1.5. Log Tables All of the log tables defined in the fwevent group are used and indexed in the same way. This section addresses some implementation issues to consider. The MIB does not dictate how the tables are implemented, just how the values of the variables in a table row are used. 3.1.5.1. Table Size and Index Value Table size is an implementation specific matter. Each table has an index variable to uniquely identify a row in the table. The index is assigned beginning with 1 when the table is created and increases by one with each new log entry. Table creation will generally happen at firewall system reboot, but may happen at any time (eg., when the firewall's SNMP agent is restarted). An agent implementation may even preserve data in the tables between periods of down time (e.g., between firewall reboots). Note that this MIB does not require preservation of table information. An example of a reason for maintaining the data is for management stations that would like to try and find out (quickly) why a machine rebooted. Note thought that this MIB is not trying to recreate a reliable logging function. Grall [Page 9] Internet-Draft Firewall MIB 20 April 1998 The agent may choose to delete the rows of a table as needed. This may be due to lack of space for the entries or due to other reasons (eg., the entries are too old). A query to the table cannot assume anything about the table's size or whether a particular index value in the table is valid or not. Deletion of rows in the table may be based on age (ie., the smallest valid index is deleted) or based on some other scheme (eg., the priority of the event is lower than other events in the log). The MIB does not place any requirements on which rows may or may not be deleted. Each log table has a corresponding '...LogTableLastValidRow' object. This variable can be used to obtain the index value of the last (or newest) valid row in the table. Since the index value starts at 1 and monotonically increases with each new entry, one can see how many events have been recorded since the creation of the table by obtaining this variable. 3.1.5.2. Entry Order The MIB places no requirements on the order of entries in the log tables. The order of entries in a table might not necessarily be in the same order as the traps that arrive at the management station. The order of the entries in the basicEventsLogTable will not necessarily be in order by the basicEventTime value. 3.1.5.3. MIB Walks There is a concern that for implementations that choose to use a large log table size (eg., thousands of entries), that a MIB walk into the log table will take a long time and will not necessarily be what the MIB walker had in mind. One way to address this concern is to allow the administrator to be able to choose the maximum size of the log tables. 3.1.5.4. Table Status Section left in for now for historical reference, will be deleted. [@?@ Earlier discussions addressed issues related to the status of the various tables. For example, a value for the time when old rows in a table were deleted, a value for how many events are in the table, a value for how "full" the table is, and a trap for when the table gets X% full. The majority opinion at that time was that overall these values would not be useful, would unnecessarily complicate the MIB and instru- mentation at the firewall, and could potentially cause too many traps Grall [Page 10] Internet-Draft Firewall MIB 20 April 1998 (since these kinds of values would probably end up as traps). So most of the table management information was left out of the MIB objects until we get a better feel for how the MIB will be used. Of course a vendor can implement values like these in their private table. Keep in mind that event information should not be lost since these tables are not meant to replace a robust logging mechanism.] 3.1.5.5. Examples The following examples are included to illustrate the use of object identifiers and additional trap variables in a TRAP to describe a firewall event. 3.1.5.5.1. Network Event Example Event: a telnet proxy running on a firewall system 199.94.211.1, is con- figured to deny access to users not connecting from a network, say 199.94.200.0. When denying access to a connection coming from 199.94.222.2, the proxy service might generate the following trap. The trap type is set to 6 (enterprise specific). A specific trap of type 1 (networkEventTrap) is chosen to best describe this event. The networkEventTrap includes variables to point to the basicEventLogTable and the netEventDetailsTable. For this specific event the details table describes the entity making the connection attempt and why the attempt failed. TRAP networkEventTrap: trap type = 6 (enterprise specific) enterprise specific type = 1 (networkEventTrap) Values set in the basicEventLogTable, the networkEventTrap contains the same values except that it does not include basicEventDetailsTableOID: basicEventLogIndex = INTEGER (217) basicEventTime = TimeStamp basicEventSource = IpAddress (199.94.211.1) basicEventType = accessDeniedSource(1404) basicEventDescription = String ("XXX") basicEventDetailsTableRow = OID (netEventsLogTable.16) basicEventVendorDetailsTableRow = OID (0.0) Grall [Page 11] Internet-Draft Firewall MIB 20 April 1998 The netEventsLogTable would have a row containing the following: netEventLogIndex = INTEGER (16) netEventInterface = INTEGER (1) netEventProtocol = TCP (1) netEventICMPCommand = netEventSrcIpAddress = IpAddress (199.94.222.2) netEventMappedSrcIPAddress = IpAddress (NULL) netEventDstIPAddress = IpAddress (NULL) netEventMappedDstIPAddress = IpAddress (NULL) netEventSrcIPPort = INTEGER (3333) netEventMappedSrcIPPort = INTEGER (NULL) netEventDstIPPort = INTEGER (23) netEventMappedSrcIPort = INTEGER (NULL) netEventGenericService = OID (fwmib.service.svcLogin.telnet) netEventServiceInformation = String ("tn-gw") netEventAuthdEntity = String ("unknown") netEventRuleID = INTEGER (27, eg., the config. file line number) netEventActionReason = String ("source IP address denied") 3.1.5.5.2. Health Event Example A service on the firewall is misconfigured. The firewall has an http service and the system administrator configured it to run on port 8000. But there is already another service running on port 8000. The http service cannot bind to the port. The trap type is set to 6 (enterprise specific). A specific trap of type 2 (healthEventTrap) is chosen to best describe the event. Values set in the basicEventLogTable, the healthEventTrap contains the same values except that it does not include basicEventDetailsTableOID: basicEventLogIndex = INTEGER (12) basicEventTime = TimeStamp basicEventSource = IpAddress (201.217.12.1) basicEventType = configurationPortInUse(1305) basicEventDescription = String ("XXX") basicEventDetailsTableRow = OID (healthEventsLogTable.70) basicEventVendorDetailsTableRow = OID (0.0) The healthEventsLogTable would have a row containing the following: Grall [Page 12] Internet-Draft Firewall MIB 20 April 1998 healthEventLogIndex = INTEGER (70) healthEventResourceType = OID (fwmib.service.svcWeb.http) healthEventResourceDetails = String ("http proxy") healthEventProblemDetail = String ("cannot bind to port 8000") 3.1.5.5.3. Management Event Example A new configuration effecting the whole firewall was loaded by a remote configuration utility. The trap type is set to 6 (enterprise specific). A specific trap of type 3 (managementEventTrap) is chosen to best describe the event. Values set in the basicEventLogTable, the managementEventTrap contains the same values except that it does not include basicEventDetailsTa- bleOID: basicEventLogIndex = INTEGER (743) basicEventTime = TimeStamp basicEventSource = IpAddress (198.198.198.198) basicEventType = mgmtLoadedConfigRemote(407) basicEventDescription = String ("XXX") basicEventDetailsTableRow = OID (managementEventsLogTable.66) basicEventVendorDetailsTableRow = OID (0.0) The managementEventsLogTable would have a row containing the following: managementEventLogIndex = INTEGER(66) managementEventSubjectName = String ("root") managementEventSubjectAction = mgmtLoadedConfigRemote(407) managementEventActionDetail = String ("new config. loaded") managementEventObjectManaged = OID (fwmib.service.svcFirewall) 4. Conventions The following conventions are used throughout the Firewall MIB. Good Packets Good packets are error-free packets that have a valid frame length. For example, on Ethernet, good packets are error-free packets that are between 64 octets long and 1518 octets long. They follow the form defined in IEEE 802.3 section 3.2.all. Grall [Page 13] Internet-Draft Firewall MIB 20 April 1998 Bad Packets Bad packets are packets that have proper framing and are therefore recognized as packets, but contain errors within the packet or have an invalid length. For example, on Ethernet, bad packets have a valid preamble and SFD, but have a bad CRC, or are either shorter than 64 octets or longer than 1518 octets. 5. Definitions Grall [Page 14] Internet-Draft Firewall MIB 20 April 1998 FireWallMIB DEFINITIONS ::= BEGIN - -- SUBTREE: 1.3.6.1.4.1.14.3.9 - -- iso.org.dod.internet.private.enterprises.bbn.products.fwmib IMPORTS -- RFC 1904 OBJECT-GROUP, MODULE-COMPLIANCE FROM SNMPv2-CONF -- RFC 1902 MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, IpAddress, enterprises, TimeTicks, Counter32 FROM SNMPv2-SMI -- RFC 1903 TEXTUAL-CONVENTION, TimeStamp FROM SNMPv2-TC -- RFC 2233 InterfaceIndex FROM IF-MIB; fwMIB MODULE-IDENTITY LAST-UPDATED "9803040000Z" --March 4, 1998 ORGANIZATION "GTE Corporation & Trusted Information Systems Inc." CONTACT-INFO " Comments should be sent to fwmib@tis.com Subscribe: majordomo@tis.com In message body: subscribe fwmib Herbert Lin Tel: +1-617-873-5920 E-mail: hlin@bbn.com Cindy Grall Tel: +1-310-737-1744 E-mail: grall@tis.com Ephraim Vider Tel: +972-3-753-4592 (Israel) E-mail: eff@checkpoint.com Mike Wittig Tel: +1-954-973-5059 E-mail: mwittig@mail.cybg.com Grall [Page 15] Internet-Draft Firewall MIB 20 April 1998 " DESCRIPTION "The MIB module for entities implementing firewalls." - --@?@ What's the correct value here? MIBs that are RFCs seem to - -- be using OIDs out of other MIB trees, like RFC1759 (the printer - -- MIB) uses { mib-2 43 }. The Internet Drafts appear to use - -- { experimental 9999 } here, I will go with bbn for now so - -- the ASN.1 will compile. ::= { bbn 9999 } - -- textual conventions SnmpAdminString ::= TEXTUAL-CONVENTION DISPLAY-HINT "255a" STATUS current DESCRIPTION "An octet string containing administrative information, preferably in human-readable form. To facilitate internationalization, this information is represented using the ISO/IEC IS 10646-1 character set, encoded as an octet string using the UTF-8 transformation format described in [RFC2044]. Since additional code points are added by amendments to the 10646 standard from time to time, implementations must be prepared to encounter any code point from 0x00000000 to 0x7fffffff. The use of control codes should be avoided. When it is necessary to represent a newline, the control code sequence CR LF should be used. The use of leading or trailing white space should be avoided. For code points not directly supported by user interface hardware or software, an alternative means of entry and display, such as hexadecimal, may be provided. For information encoded in 7-bit US-ASCII, the UTF-8 encoding is identical to the US-ASCII encoding. Grall [Page 16] Internet-Draft Firewall MIB 20 April 1998 Note that when this TC is used for an object that is used or envisioned to be used as an index, then a SIZE restriction must be specified so that the number of sub-identifiers for any object instance does not exceed the limit of 128, as defined by [RFC1905]. " SYNTAX OCTET STRING (SIZE (0..255)) - -- The following list of event types is meant to enumerate the most common - -- events that happen on a firewall. - -- - -- The list is organized into sets of common events. Each set has an - -- initial entry to designate the set. The next two events in a set are - -- meant to represent generic "okay"/"good"/"up" conditions and generic - -- "error"/"failed"/"down" conditions. The rest of the events in a set - -- represent more detailed events (either good or bad). The sets will - -- probably not represent all the possible events on every firewall, but - -- they are meant to be a good representation of events. If an event - -- just does not fit any of the sets, then use the 'other' choices. - -- EventTypeUnitTC ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "Enumeration of types of events on the firewall" SYNTAX INTEGER { -- Undefined Events other(0), -- the event type is not in this list otherOkay(1), -- a normal event occurred otherError(2), -- an error event occurred unknown(3), -- could not determine the event type -- Resource events, could be hardware problems, operating system -- problems, or services problems resource(100), resourceOkay(101), resourceError(102), resourceUp(103), resourceUse(104), --normal use of a resource resourceDown(105), resourceStarting(106), resourceRestarting(107), -- the resource is going down and -- coming back up resourceHalting(108), -- eg., the firewall is going down resourceExiting(109), resourceOverTemperature(110), Grall [Page 17] Internet-Draft Firewall MIB 20 April 1998 resourceHighUse(111), -- eg., the CPU usage is high resourceTestFailed(112), resourceBusy(113), resourceNoMedia(114), -- a device doesn't have its needed media resourceBackup(116), -- processing has switched to the backup resourceNoBackup(117), -- there is no backup to switch to resourceNoMemory(118), resourceNoBuffers(119), resourceSyscallFailed(120), resourceHighLoad(121), -- Events about the basic health of the firewall or particular modules fwmodule(300), fwmoduleUp(301), -- the module is up fwmoduleError(302), fwmoduleDown(303), -- the module is down fwmoduleStarting(304), -- the module is coming up fwmoduleExiting(305), fwmoduleRestarting(306), fwmoduleLicenseExceeded(307), -- Management events, these are events related to overall management -- tasks on the firewall. For example, the configuration is being -- changed or a patch has been applied. This is from the perspective -- of the firewall, it is not a remote mgmt tool reporting on the -- activities it is doing. mgmt(400), mgmtOkay(401), -- a normal management event mgmtError(402), -- an error while performing firewall -- management functions mgmtNoResponse(403), -- the firewall expected and received no -- response from a mgmt tool mgmtReadConfigLocal(404), -- configuration information has been -- read mgmtReadConfigRemote(405), -- configuration information has been -- uploaded to a remote mgmt tool mgmtLoadedConfigLocal(406), -- a local mgmt tool loaded/applied a -- new config mgmtLoadedConfigRemote(407), -- a remote mgmt tool loaded/applied a -- new config. mgmtPatch(408), -- This event is used by the patching mechanism to -- record what it patched. The genericService OID -- would be the patching tool and the mgmtObjManaged -- in the mgmtEventLogEntry would be the service -- OID patched. This would not be used by the -- service being patched. This alleviates the -- confusion when the patching mechanism is patched. Grall [Page 18] Internet-Draft Firewall MIB 20 April 1998 -- Log file events logging(500), loggingUp(501), -- logging is functioning normally loggingError(502), -- the logging facility had an error loggingStarting(503), -- the log daemon was started loggingExiting(504), -- the log daemon is exiting loggingRestarting(505), -- the log daemon was restarted loggingDown(506), -- the log daemon is not running loggingRolloverStarted(507), -- logging is switching to another file loggingFileFull(508), -- the log file/partition is full loggingFileOverwrite(509), -- the log file is being overwritten loggingFileMessagesLost(510), -- messages have been lost loggingStopped(511), -- logging is stopped until other -- problems are resolved (eg., space is -- free'd) loggingRolloverCompleted(512), loggingRolloverFailed(513), -- Routing events routing(600), routingOkay(601), routingError(602), routingNoRouteToHost(603), routingICMPRedirect(604), -- Packet handling packet(700), packetAccepted(701), -- accepted the packet packetError(702), -- unknown error with packet packetDropped(703), -- dropped packets (eg., internal buffer is full), -- didn't even look at them, they could be -- good or bad... packetInvalid(704), -- these are "bad" packets, see section 4.0 packetIgnored(705), -- the packet was not meant for the firewall packetRejected(706), -- rejected packets based on rule(s) packetForwarded(707), -- forwarded packets based on rule(s) packetEncrypted(708), packetFragmented(709), -- En(De)cryption events encryption(800), -- generic/successful event encryptionUp(801), --encryption is functioning encryptionError(802), -- there was an encryption error encryptionDown(803), encryptionEncryptFailed(804), encryptionDecryptFailed(805), encryptionEncryptSucceeded(806), encryptionDecryptSucceeded(807), Grall [Page 19] Internet-Draft Firewall MIB 20 April 1998 -- Network events network(900), networkUp(901), networkError(902), networkDown(903), networkCollision(904), networkDuplicateAddress(905), networkMyAddressInUse(906), networkNetUnreachable(907), networkStarting(908), networkRestarting(909), networkHostUnreachable(910), networkNoResponse(911), -- protocol related events protocol(1000), -- an event related to a protocol supported protocolEnabled(1001), protocolError(1002), protocolDisabled(1003), -- the requested protocol is disabled protocolNoDaemon(1004), -- there is no daemon for this protocol -- Service connection/network connectivity events connection(1100), -- a generic connection event connectionAccepted(1101), connectionError(1102), connectionDropped(1103), connectionClosed(1104), connectionTimedout(1105), connectionRefused(1106), connectionReset(1107), connectionNoResponse(1108), -- Configuration events, represent errors or problems with the -- configuration for the system or a service. configuration(1300), configurationOkay(1301), configurationError(1302), -- an error in processing the configuration configurationBadConfig(1303), -- the config provided is corrupt, -- invalid, or incomplete configurationArgumentError(1304), -- wrong arguments were provided configurationPortInUse(1305), configurationNoData(1306), -- the required data was not provided -- Access access(1400), accessGranted(1401), -- a service allowed use based on all its checks accessError(1402), accessDenied(1403), -- a client was denied use of a service Grall [Page 20] Internet-Draft Firewall MIB 20 April 1998 accessDeniedSource(1404), -- client denied based on its source IP accessDeniedPolicy(1405), -- client denied based on the sec. policy accessDeniedUser(1406), -- client denied based on the userid accessDeniedDest(1407), -- client denied based on the destination IP accessDeniedDestPort(1408), -- client denied based on dest. port accessDeniedFileRead(1409), -- the policy denied read access to a file accessDeniedFileWrite(1410), -- the policy denied write access to -- a file accessDeniedNetworkInterface(1411), -- the policy denied access to a -- particular net. int. accessDeniedDevice(1412), -- the policy denied access to a device -- Authentication and login events authentication(1500), authenticationSucceeded(1501), -- a user had a successful auth authenticationError(1502), -- error while auth'ing authenticationFailed(1503), -- a user failed an auth authenticationSucceededPriv(1504), -- a user logged in with or -- gained privilege authenticationFailedPrivileged(1505), -- user failed to gain/login -- with privilege authenticationFailedMulti(1506), -- multiple failed auth attempts -- by a user -- Security attack events, these represent events that could -- be or that indicate a security attack is taking place on the -- firewall attack(1600), attackNone(1601), attackDenialOfService(1602), attackPing(1603), -- a ping of death attack attackPacketForward(1604), -- attackSYNFlood(1605), -- a TCP SYN flood attack attackIPSpoof(1606), -- an IP address is being spoofed attackPortScan(1607), -- a port scan is/has taken place attackNameSpoof(1608), -- a name service (eg., DNS) name is spoofed attackSmurf(1609), -- see: -- http://www.quadrunner.com/~chuegen/smurf.txt attackTeardrop(1610), -- Content inspection events, these events just report that -- something was found. The details entry in for the event can -- report on what was found (eg., virus, company private info., -- etc), what it was found in (eg., html, win32 executable, e-mail), -- and what was done with it (eg., the quarantine location). contentInspection(1700), contentInspectionOkay(1701), -- the check of the content was okay, -- nothing "bad" found Grall [Page 21] Internet-Draft Firewall MIB 20 April 1998 contentInspectionError(1702), -- there was an error while checking -- content contentInspectionFound(1703), -- found something contentInspectionFoundCleaned(1704), -- found something and cleaned -- the content of it contentInspectionFoundRejected(1705), -- found something and threw -- the content away contentInspectionFoundSaved(1706), -- found something and saved the -- content in quarantine contentInspectionFoundNotified(1707), -- found something and -- notified someone -- Debugging event debug(1800), debugOkay(1801), debugError(1802), debugOn(1803), -- debugging mode is on/was turned on debugOff(1804), -- debugging mode is off/was turned off -- Testing events test(1900), testPassed(1901), -- a test passed testFailed(1902), -- a test failed testNoResponse(1903) -- there was no response for running a test } ProtocolUnitTC ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "Enumeration of network protocols commonly used on firewalls." SYNTAX INTEGER { tcp(1), udp(2), icmp(3), ip(4), ipsec(5), igmp(6), arp(7), ggp(8), egp(9), rip(10), other(11) } - -- This fwmib is divided into four main groups. The first, fwmib.service, Grall [Page 22] Internet-Draft Firewall MIB 20 April 1998 - -- Service identifiers, defines OIDs used by other areas of the MIB. The - -- second, fwmib.fwevent, Event variables and logs, is described briefly - -- above in the trap examples text. Third main group is fwmib.fwquery, - -- the set of variables for queries. For a firewall this set is read only. - -- The fourth group, fwmib.fwtrap, defines the traps for notification of - -- extraordinary events on the firewall. - -- - -- There is also a group for specifying MIB conformance as described in - -- RFC1444, "Conformance Statements for version 2 of the Simple Network - -- Management Protocol (SNMPv2)". - -- @?@ bbn OIDs will change when this becomes an RFC... bbn OBJECT IDENTIFIER ::= { enterprises 14 } products OBJECT IDENTIFIER ::= { bbn 3 } fwmib OBJECT IDENTIFIER ::= { products 9 } - -- - -- service group - -- - -- The service group defines OIDs that are used by other parts of the MIB. - -- The OIDs are used by traps to designate the generic service type - -- causing the trap. Expect this list to change occasionally as new service - -- types emerge in the network/firewall community. Once a service type - -- is in use by two or more firewall vendors it can be considered for - -- inclusion in the services group. This change is treated as any other - -- update to the MIB and will be included during a revision cycle. - -- This list does not differentiate between a local service (eg., local - -- login into the firewall via telnet) and a proxied service (eg., use of - -- a telnet application gateway). This information can be provided in a - -- string, since each use of these OIDs in a MIB variable (usually as - -- part of a table entry) has a corresponding description or information - -- variable. - -- Use of these OIDs in the MIB variables: - -- - -- If a new service emerges that is not in the MIB yet, but that has been - -- assigned a port number or other identifying number, then it can be - -- represented by choosing the appropriate service category and using the - -- assigned number. For example, a new service called Foo Protocol (fp) - -- is the latest rage on the Internet. It is a multi-media protocol and - -- has been assigned port number XXX. The OID used to represent the - -- service would be fwmib.service.svcMultimedia.XXX. The corresponding - -- information variable can provide the protocol name. - -- - -- If the firewall supports a service or protocol that is unique or - -- specific to that firewall, then the OID used to represent the service - -- will include that vendor's enterprise number. For example, the Foo Grall [Page 23] Internet-Draft Firewall MIB 20 April 1998 - -- firewall has a Bar service. The firewall company's enterprise number - -- is ZZZ and they have chosen W to represent the Bar service. The - -- OID used would be fwmib.service.svcOther.ZZZ.W It is the vendor's - -- responsibility to publish definitions of the numbers used. - -- - -- In any of the cases above where a service listed below cannot be used, - -- the service can be further described with the serviceInformation object. - -- - -- The numbers assigned in the list correspond, when possible, to the - -- assigned port number for a protocol or other assigned number as - -- appropriate (eg., the protocol number for IP protocols). - -- - -- Alternatively a vendor can define an OID in their enterprise tree and - -- use that value for genericService. It is the vendor's responsibility - -- to publish these OIDs. - -- service OBJECT IDENTIFIER ::= { fwmib 1 } - -- represents the firewall as a whole, useful when statistics or events - -- apply to the whole firewall - -- svcFirewall OBJECT IDENTIFIER ::= { service 1 } - -- svcOther OBJECT IDENTIFIER ::= { service 2 } - -- svcFileTransfer OBJECT IDENTIFIER ::= { service 3 } ftp OBJECT IDENTIFIER ::= { svcFileTransfer 21 } tftp OBJECT IDENTIFIER ::= { svcFileTransfer 69 } ftps OBJECT IDENTIFIER ::= { svcFileTransfer 990 } -- ftp over ssl - -- svcLogin OBJECT IDENTIFIER ::= { service 4 } login OBJECT IDENTIFIER ::= { svcLogin 1 } -- a login/su program telnet OBJECT IDENTIFIER ::= { svcLogin 23 } rlogin OBJECT IDENTIFIER ::= { svcLogin 513 } telnets OBJECT IDENTIFIER ::= { svcLogin 992 } -- telnet over ssl - -- svcRemoteExecution OBJECT IDENTIFIER ::= { service 5 } sunRPC OBJECT IDENTIFIER ::= { svcRemoteExecution 111 } rsh OBJECT IDENTIFIER ::= { svcRemoteExecution 514 } xserver OBJECT IDENTIFIER ::= { svcRemoteExecution 6000 } - -- svcWeb OBJECT IDENTIFIER ::= { service 6 } Grall [Page 24] Internet-Draft Firewall MIB 20 April 1998 gopher OBJECT IDENTIFIER ::= { svcWeb 70 } http OBJECT IDENTIFIER ::= { svcWeb 80 } pointcast OBJECT IDENTIFIER ::= { svcWeb 90 } https OBJECT IDENTIFIER ::= { svcWeb 443 } -- also know as shttp - -- svcMail OBJECT IDENTIFIER ::= { service 7 } sendmail OBJECT IDENTIFIER ::= { svcMail 1 } smtp OBJECT IDENTIFIER ::= { svcMail 25 } pop2 OBJECT IDENTIFIER ::= { svcMail 109 } pop3 OBJECT IDENTIFIER ::= { svcMail 110 } smtps OBJECT IDENTIFIER ::= { svcMail 465 } -- smtp over ssl pop3s OBJECT IDENTIFIER ::= { svcMail 995 } -- pop3 over ssl - -- svcNews OBJECT IDENTIFIER ::= { service 8 } nntp OBJECT IDENTIFIER ::= { svcNews 119 } nntps OBJECT IDENTIFIER ::= { svcNews 563 } -- nntp over ssl - -- svcMultimedia OBJECT IDENTIFIER ::= { service 9 } irc OBJECT IDENTIFIER ::= { svcMultimedia 194 } talk OBJECT IDENTIFIER ::= { svcMultimedia 517 } ircs OBJECT IDENTIFIER ::= { svcMultimedia 994 } -- irc over ssl streamworks OBJECT IDENTIFIER ::= { svcMultimedia 1558 } h323 OBJECT IDENTIFIER ::= { svcMultimedia 1718 } netShow OBJECT IDENTIFIER ::= { svcMultimedia 1755 } vDOLive OBJECT IDENTIFIER ::= { svcMultimedia 7000 } realAV OBJECT IDENTIFIER ::= { svcMultimedia 7070 } - -- svcDatabase OBJECT IDENTIFIER ::= { service 10 } dbSybas OBJECT IDENTIFIER ::= { svcDatabase 1 } dbInformix OBJECT IDENTIFIER ::= { svcDatabase 3 } -- for sql*net dbOracle OBJECT IDENTIFIER ::= { svcDatabase 66 } dbMSsql OBJECT IDENTIFIER ::= { svcDatabase 1433 } - -- these are the current areas that are checked for today, eg., there - -- are products or engines that scan in these areas svcContentInspection OBJECT IDENTIFIER ::= { service 11 } virus OBJECT IDENTIFIER ::= { svcContentInspection 1 } certificate OBJECT IDENTIFIER ::= { svcContentInspection 2 } -- eg., Java, Active-X programLanguage OBJECT IDENTIFIER ::= { svcContentInspection 3 } url OBJECT IDENTIFIER ::= { svcContentInspection 4 } mailHeader OBJECT IDENTIFIER ::= { svcContentInspection 5 } -- eg., company private Grall [Page 25] Internet-Draft Firewall MIB 20 April 1998 proprietaryData OBJECT IDENTIFIER ::= { svcContentInspection 6 } prohibitedLanguage OBJECT IDENTIFIER ::= { svcContentInspection 7 } - -- svcDirectory OBJECT IDENTIFIER ::= { service 12 } nis OBJECT IDENTIFIER ::= { svcDirectory 1 } dns OBJECT IDENTIFIER ::= { svcDirectory 53 } netbiosns OBJECT IDENTIFIER ::= { svcDirectory 137 } netbiosdgm OBJECT IDENTIFIER ::= { svcDirectory 138 } netbiosssn OBJECT IDENTIFIER ::= { svcDirectory 139 } ldap OBJECT IDENTIFIER ::= { svcDirectory 389 } wins OBJECT IDENTIFIER ::= { svcDirectory 1512 } - -- svcOperatingSystem OBJECT IDENTIFIER ::= { service 13 } inetd OBJECT IDENTIFIER ::= { svcOperatingSystem 1 } cron OBJECT IDENTIFIER ::= { svcOperatingSystem 2 } kernel OBJECT IDENTIFIER ::= { svcOperatingSystem 3 } fileSystem OBJECT IDENTIFIER ::= { svcOperatingSystem 4 } printer OBJECT IDENTIFIER ::= { svcOperatingSystem 515 } - -- svcManagement OBJECT IDENTIFIER ::= { service 14 } mgmtTool OBJECT IDENTIFIER ::= { svcManagement 1 } patchTool OBJECT IDENTIFIER ::= { svcManagement 2 } snmp OBJECT IDENTIFIER ::= { svcManagement 161 } - -- svcEncryption OBJECT IDENTIFIER ::= { service 15 } ipsec OBJECT IDENTIFIER ::= { svcEncryption 1 } vpn OBJECT IDENTIFIER ::= { svcEncryption 2 } kerberos OBJECT IDENTIFIER ::= { svcEncryption 88 } isakmp OBJECT IDENTIFIER ::= { svcEncryption 500 } - -- svcPacketFilter OBJECT IDENTIFIER ::= { service 16 } - -- network address translation svcNAT OBJECT IDENTIFIER ::= { service 17 } - -- svcAuthentication OBJECT IDENTIFIER ::= { service 18 } password OBJECT IDENTIFIER ::= { svcAuthentication 1 } skey OBJECT IDENTIFIER ::= { svcAuthentication 2 } -- Digital Pathways snk OBJECT IDENTIFIER ::= { svcAuthentication 3 } -- Enigma Logics silvercard OBJECT IDENTIFIER ::= { svcAuthentication 4 } crytocard OBJECT IDENTIFIER ::= { svcAuthentication 5 } Grall [Page 26] Internet-Draft Firewall MIB 20 April 1998 -- Digital Pathways server dss OBJECT IDENTIFIER ::= { svcAuthentication 6 } -- Enigma Logics safeword OBJECT IDENTIFIER ::= { svcAuthentication 7 } vasco OBJECT IDENTIFIER ::= { svcAuthentication 8 } apop OBJECT IDENTIFIER ::= { svcAuthentication 9 } digipass OBJECT IDENTIFIER ::= { svcAuthentication 10 } secureID OBJECT IDENTIFIER ::= { svcAuthentication 755 } - -- svcLog OBJECT IDENTIFIER ::= { service 19 } syslog OBJECT IDENTIFIER ::= { svcLog 514 } - -- svcTime OBJECT IDENTIFIER ::= { service 20 } time OBJECT IDENTIFIER ::= { svcTime 37 } ntp OBJECT IDENTIFIER ::= { svcTime 123 } timed OBJECT IDENTIFIER ::= { svcTime 525 } - -- svcGroupware OBJECT IDENTIFIER ::= { service 21 } exchange OBJECT IDENTIFIER ::= { svcGroupware 1 } -- Microsoft lotusNotes OBJECT IDENTIFIER ::= { svcGroupware 1352 } - -- svcHardware OBJECT IDENTIFIER ::= { service 22 } memory OBJECT IDENTIFIER ::= { svcHardware 1 } disk OBJECT IDENTIFIER ::= { svcHardware 2 } power OBJECT IDENTIFIER ::= { svcHardware 3 } netinterface OBJECT IDENTIFIER ::= { svcHardware 4 } tape OBJECT IDENTIFIER ::= { svcHardware 5 } controller OBJECT IDENTIFIER ::= { svcHardware 6 } - -- svcQuery OBJECT IDENTIFIER ::= { service 23 } whois OBJECT IDENTIFIER ::= { svcQuery 43 } finger OBJECT IDENTIFIER ::= { svcQuery 79 } ident OBJECT IDENTIFIER ::= { svcQuery 113 } - -- svcFileShare OBJECT IDENTIFIER ::= { service 24 } nfsStatus OBJECT IDENTIFIER ::= { svcFileShare 1110 } nfs OBJECT IDENTIFIER ::= { svcFileShare 2049 } - -- mainly used in the module and statistics tables to designate that - -- information applies to the protocol class chosen svcProtocol OBJECT IDENTIFIER ::= { service 25 } icmp OBJECT IDENTIFIER ::= { svcProtocol 1 } igmp OBJECT IDENTIFIER ::= { svcProtocol 2 } Grall [Page 27] Internet-Draft Firewall MIB 20 April 1998 tcp OBJECT IDENTIFIER ::= { svcProtocol 6 } udp OBJECT IDENTIFIER ::= { svcProtocol 17 } ip OBJECT IDENTIFIER ::= { svcProtocol 255 } - -- - -- The firewall event group - -- - -- The firewall event group defines a set of variables and tables used to - -- log and track extraordinary firewall events. The tables are filled in - -- when an event occurs and then a trap is sent referencing the filled in - -- row. - -- For any particular event up to three tables will be referenced. The - -- general event information will go into one table and the details are - -- placed in another. A third vendor defined table can also be used. - -- There is only one table defined for general information. - -- The table chosen for event details depends on the event type and the - -- set of detailed information available at the time the event took place. - -- The general table has a value to point to the table and row containing - -- the event's details. A trap is sent once the relevant tables are - -- filled in. The trap contains pointers to the tables used. - -- A management station can wait for a trap to get details on an event. - -- Alternatively the management station can query the objects in this - -- group at any time to retrieve event information. fwevent OBJECT IDENTIFIER ::= { fwmib 2 } - -- - -- BASIC EVENTS LOG - -- - -- This group defines the basic table containing information that is - -- logged for every event on the firewall. The table is defined along - -- with one variable to obtain the index value of the last valid row in - -- the table. To obtain the first valid index value, query the table - -- (via GETNEXT) for the first entry in the table. - -- - -- The index of the last valid row also indicates the total number of - -- events logged in the table since reboot. - -- basicEventsLog OBJECT IDENTIFIER ::= { fwevent 1 } basicEventsLogTableLastValidRow OBJECT-TYPE SYNTAX INTEGER(1..2147483647) MAX-ACCESS read-only Grall [Page 28] Internet-Draft Firewall MIB 20 April 1998 STATUS current DESCRIPTION "The index value of the last valid row in the basicEventsLogTable." ::= { basicEventsLog 1 } basicEventsLogTableTrapIndex OBJECT-TYPE SYNTAX INTEGER(1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "The index value of the row provided in the traps." ::= { basicEventsLog 2 } basicEventsLogTable OBJECT-TYPE SYNTAX SEQUENCE OF BasicEventsLogEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table of basic data for firewall events." ::= { basicEventsLog 3 } basicEventsLogEntry OBJECT-TYPE SYNTAX BasicEventsLogEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the table, containing general information about an event." INDEX { basicEventLogIndex } ::= { basicEventsLogTable 1 } BasicEventsLogEntry ::= SEQUENCE { basicEventLogIndex INTEGER(1..2147483647), basicEventTime TimeStamp, basicEventSource IpAddress, basicEventType EventTypeUnitTC, basicEventDescription SnmpAdminString, basicEventDetailsTableRow OBJECT IDENTIFIER, basicEventVendorDetailsTableRow OBJECT IDENTIFIER } Grall [Page 29] Internet-Draft Firewall MIB 20 April 1998 basicEventLogIndex OBJECT-TYPE SYNTAX INTEGER(1..2147483647) MAX-ACCESS not-accessible STATUS current DESCRIPTION "An index that uniquely identifies an entry in the log table. These indices are assigned beginning with 1 and increase by one with each new log entry. The agent may choose to delete the instances of basicEventEntry as required because of lack of memory. It is an implementation specific matter as to when this deletion may occur and as to which log entries are deleted." ::= { basicEventsLogEntry 1 } basicEventTime OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The time that the Event occurred." ::= { basicEventsLogEntry 2 } basicEventSource OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The IP address of the firewall entity where the event occurred, the IP address of the entity. If there are two or more IP addresses there is no guarantee which IP address will be used." ::= { basicEventsLogEntry 3 } basicEventType OBJECT-TYPE SYNTAX EventTypeUnitTC MAX-ACCESS read-only STATUS current DESCRIPTION "What type of event this is." Grall [Page 30] Internet-Draft Firewall MIB 20 April 1998 ::= { basicEventsLogEntry 4 } basicEventDescription OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "An (optional) description of the event." ::= { basicEventsLogEntry 5 } basicEventDetailsTableRow OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "A pointer to a row in the table containing details about this event. It will be one of the tables defined in this MIB. One of type1NetEventsLogTable, type2NetEventsLogTable, type3NetEventsLogTable, healthEventsLogTable, managementEventsLogTable. The last sub-identifier(s) of the OID represents the specific row index values for the row in the table that contains the data." ::= { basicEventsLogEntry 6 } basicEventVendorDetailsTableRow OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "This value is vendor defined. Generally this will be a pointer to a table and row containing vendor specific details about this event. It is up to firewall vendor to define how this value should be interpreted and to publish this information. If a vendor private table is not supported, then the NULL OID value (0.0) should be provided." ::= { basicEventsLogEntry 7 } - -- NETWORK EVENTS LOG - -- - -- A details table with information related to network events - -- or events involving "users" of the firewall resources and services Grall [Page 31] Internet-Draft Firewall MIB 20 April 1998 - -- (eg., traffic flows through the firewall or a user authenticating - -- to use a firewall service). netEventsLog OBJECT IDENTIFIER ::= { fwevent 4 } netEventsLogTableLastValidRow OBJECT-TYPE SYNTAX INTEGER(1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "The index value of the last valid row in the netEventsLogTable." ::= { netEventsLog 1 } netEventsLogTable OBJECT-TYPE SYNTAX SEQUENCE OF NetEventsLogEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table of detailed data for transport events." ::= { netEventsLog 2} netEventsLogEntry OBJECT-TYPE SYNTAX NetEventsLogEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the table, containing detailed information about an event." INDEX { netEventLogIndex } ::= { netEventsLogTable 1 } NetEventsLogEntry ::= SEQUENCE { netEventLogIndex INTEGER(1..2147483647), netEventInterface InterfaceIndex, netEventProtocol ProtocolUnitTC, netEventICMPCommand INTEGER, netEventSrcIpAddress IpAddress, netEventMappedSrcIpAddress IpAddress, netEventDstIpAddress IpAddress, netEventMappedDstIpAddress IpAddress, netEventSrcIpPort INTEGER(0..65535), netEventMappedSrcIpPort INTEGER(0..65535), Grall [Page 32] Internet-Draft Firewall MIB 20 April 1998 netEventDstIpPort INTEGER(0..65535), netEventMappedDstIpPort INTEGER(0..65535), netEventService OBJECT IDENTIFIER, netEventServiceInformation SnmpAdminString, netEventAuthdEntity SnmpAdminString, netEventRuleID INTEGER(0..65535), netEventActionReason SnmpAdminString } netEventLogIndex OBJECT-TYPE SYNTAX INTEGER(1..2147483647) MAX-ACCESS not-accessible STATUS current DESCRIPTION "An index that uniquely identifies an entry in the log table. These indices are assigned beginning with 1 and increase by one with each new log entry. The agent may choose to delete the instances of basicEventEntry as required because of lack of memory. It is an implementation specific matter as to when this deletion may occur and as to which log entries are deleted." ::= { netEventsLogEntry 1 } netEventInterface OBJECT-TYPE SYNTAX InterfaceIndex MAX-ACCESS read-only STATUS current DESCRIPTION "The interface number that any packets may have arrived on or that activity may have taken place on. [Will be zero if no interface was involved.]" ::= { netEventsLogEntry 2 } netEventProtocol OBJECT-TYPE SYNTAX ProtocolUnitTC MAX-ACCESS read-only STATUS current DESCRIPTION "Enumeration of possible network protocols." ::= { netEventsLogEntry 3 } Grall [Page 33] Internet-Draft Firewall MIB 20 April 1998 netEventICMPCommand OBJECT-TYPE SYNTAX INTEGER { echoreply(0), destunreach(3), sourcequench(4), redirect(5), echo(8), timeexceeded(11), paramprob(12), timestamp(13), timestampreply(14), mask(17), maskreply(18), traceroute(30), notICMP(41) } MAX-ACCESS read-only STATUS current DESCRIPTION "Enumeration of the most common types of ICMP packets, the numbers used above represent the ICMP Type number currently assigned by IANA." ::= { netEventsLogEntry 4 } netEventSrcIpAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "Source IP address as provided in an IP packet." ::= { netEventsLogEntry 5 } netEventMappedSrcIpAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "Source IP address after network address translation has been applied." ::= { netEventsLogEntry 6 } netEventDstIpAddress OBJECT-TYPE SYNTAX IpAddress Grall [Page 34] Internet-Draft Firewall MIB 20 April 1998 MAX-ACCESS read-only STATUS current DESCRIPTION "Destination IP address as provided in an IP packet or by a service user." ::= { netEventsLogEntry 7 } netEventMappedDstIpAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "Destination IP address after network address translation has been applied." ::= { netEventsLogEntry 8 } netEventSrcIpPort OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "Source UDP/TCP port as provided in an IP packet." ::= { netEventsLogEntry 9 } netEventMappedSrcIpPort OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "Source UDP/TCP port after any port translation or change has been applied." ::= { netEventsLogEntry 10 } netEventDstIpPort OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "Destination UDP/TCP port as provided in an IP packet Grall [Page 35] Internet-Draft Firewall MIB 20 April 1998 or by a service user." ::= { netEventsLogEntry 11 } netEventMappedDstIpPort OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "Destination UDP/TCP port after any port translation or change has been applied." ::= { netEventsLogEntry 12 } netEventService OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "The identification of the type of service notifying about the event. This value may be chosen from the fwmib.service or vendor specific trees. The description in serviceInformation can be used to designate a particular service from within this service type." ::= { netEventsLogEntry 13 } netEventServiceInformation OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "Specific service information. This can be used to designate the particular service within a genericService type and/or it can designate whether the service is a local service or a gateway service. For example, if the value for genericService is service.svcLogin.telnet, then the string provided might be local telnet." ::= { netEventsLogEntry 14 } netEventAuthdEntity OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current Grall [Page 36] Internet-Draft Firewall MIB 20 April 1998 DESCRIPTION "A userid, username, processid or other identifier for the entity using the service. If there is no such information then 'none' must be provided." ::= { netEventsLogEntry 15 } netEventRuleID OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "INTEGER representation of a rule identifier. How to interpret the number provided is defined by the firewall vendor. Eg., it may represent a configuration line number in a file, or a rule number in a table." ::= { netEventsLogEntry 16 } netEventActionReason OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "A detailed description of the reason the ruleAction took place. Could be a copy of the rule used." ::= { netEventsLogEntry 17 } - -- HEALTH EVENTS LOG - -- - -- This table is used for events related to the firewall's health and - -- status. The events can be for hardware or software resources. healthEventsLog OBJECT IDENTIFIER ::= { fwevent 5 } healthEventsLogTableLastValidRow OBJECT-TYPE SYNTAX INTEGER(1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "The index value of the last valid row in the healthEventsLogTable." ::= { healthEventsLog 1 } Grall [Page 37] Internet-Draft Firewall MIB 20 April 1998 healthEventsLogTable OBJECT-TYPE SYNTAX SEQUENCE OF HealthEventsLogEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table of detailed data for firewall health events." ::= { healthEventsLog 2 } healthEventsLogEntry OBJECT-TYPE SYNTAX HealthEventsLogEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the table, containing detailed information about a health event." INDEX { healthEventLogIndex } ::= { healthEventsLogTable 1 } HealthEventsLogEntry ::= SEQUENCE { healthEventLogIndex INTEGER(1..2147483647), healthEventResourceType OBJECT IDENTIFIER, healthEventResourceDetails SnmpAdminString, healthEventProblemDetail SnmpAdminString } healthEventLogIndex OBJECT-TYPE SYNTAX INTEGER(1..2147483647) MAX-ACCESS not-accessible STATUS current DESCRIPTION "An index that uniquely identifies an entry in the log table. These indices are assigned beginning with 1 and increase by one with each new log entry. The agent may choose to delete the instances of basicEventEntry as required because of lack of memory. It is an implementation specific matter as to when this deletion may occur and as to which log entries are deleted." ::= { healthEventsLogEntry 1 } healthEventResourceType OBJECT-TYPE SYNTAX OBJECT IDENTIFIER Grall [Page 38] Internet-Draft Firewall MIB 20 April 1998 MAX-ACCESS read-only STATUS current DESCRIPTION "The identification of the type of resource notifying about the problem. This value may be chosen from the fwmib.service or vendor specific trees. The description in healthEventResourceDetails can be used to provide more details about the resource." ::= { healthEventsLogEntry 2 } healthEventResourceDetails OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "Specific resource information. This can be used to designate details about the service OID chosen." ::= { healthEventsLogEntry 3 } healthEventProblemDetail OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "Details on the problem being reported. Used if more detail is needed to interpret the value used in basicEventType from the basicEventsTable entry." ::= { healthEventsLogEntry 4 } - -- MANAGEMENT EVENTS LOG - -- - -- This table is used for reporting events related to management of the - -- firewall. managementEventsLog OBJECT IDENTIFIER ::= { fwevent 6 } managementEventsLogTableLastValidRow OBJECT-TYPE SYNTAX INTEGER(1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION Grall [Page 39] Internet-Draft Firewall MIB 20 April 1998 "The index value of the last valid row in the managementEventsLogTable." ::= { managementEventsLog 1 } managementEventsLogTable OBJECT-TYPE SYNTAX SEQUENCE OF ManagementEventsLogEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table of detailed data for firewall management events." ::= { managementEventsLog 2 } managementEventsLogEntry OBJECT-TYPE SYNTAX ManagementEventsLogEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the table, containing detailed information about a management event." INDEX { managementEventLogIndex } ::= { managementEventsLogTable 1 } ManagementEventsLogEntry ::= SEQUENCE { managementEventLogIndex INTEGER(1..2147483647), managementEventSubjectName SnmpAdminString, managementEventSubjectAction EventTypeUnitTC, managementEventActionDetail SnmpAdminString, managementEventObjectManaged OBJECT IDENTIFIER } managementEventLogIndex OBJECT-TYPE SYNTAX INTEGER(1..2147483647) MAX-ACCESS not-accessible STATUS current DESCRIPTION "An index that uniquely identifies an entry in the log table. These indices are assigned beginning with 1 and increase by one with each new log entry. The agent may choose to delete the instances of basicEventEntry as required because of lack of memory. It is an implementation specific matter as to when this deletion may occur and Grall [Page 40] Internet-Draft Firewall MIB 20 April 1998 as to which log entries are deleted." ::= { managementEventsLogEntry 1 } managementEventSubjectName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "The userid, processid, or other unique information that designates which subject is causing the management event event." ::= { managementEventsLogEntry 2 } managementEventSubjectAction OBJECT-TYPE SYNTAX EventTypeUnitTC MAX-ACCESS read-only STATUS current DESCRIPTION "What a subject did on the firewall." ::= { managementEventsLogEntry 3 } managementEventActionDetail OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "Details on the management event based on the subjectAction chosen." ::= { managementEventsLogEntry 4 } managementEventObjectManaged OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "The identification of the type of resource begin managed. This value may be chosen from the fwmib.service or vendor specific trees. " ::= { managementEventsLogEntry 5 } Grall [Page 41] Internet-Draft Firewall MIB 20 April 1998 - -- - -- fwquery group - -- - -- The query group defines status and statistical data at the firewall. - -- The data included here concentrate on variables not covered by - -- other MIBs. - -- All data are designated as read-only. Changes to a firewall's - -- configuration or any of the data here is assumed to take place via - -- a different channel. - -- We encourage the firewall to support MIB-II for resource information - -- when possible. To that extent, this query group does not include any - -- objects that are covered by MIB-II. fwquery OBJECT IDENTIFIER ::= { fwmib 3 } fwinformation OBJECT IDENTIFIER ::= { fwquery 1 } fwstatus OBJECT IDENTIFIER ::= { fwquery 2 } fwstatistic OBJECT IDENTIFIER ::= { fwquery 3 } - -- The firewall product related queries fwProductName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "The product name of the firewall." ::= { fwinformation 1 } fwVersionMajor OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "The major version of the firewall as a whole." ::= { fwinformation 2 } fwVersionMinor OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION Grall [Page 42] Internet-Draft Firewall MIB 20 April 1998 "The minor version of the firewall as a whole." ::= { fwinformation 3 } fwOSName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "The specific vendor's name for the operating system the firewall is running on. For Unix type operating systems this would usually be the output from 'uname -s'." ::= { fwinformation 4 } fwOSVersion OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "The specific vendor's version for the operating system the firewall is running on. For Unix type operating systems this would usually be the output from 'uname -r'." ::= { fwinformation 5 } - -- The firewall module table is used to provide additional version and - -- status information for firewall modules. The definition of a module - -- is vendor specific. At the least the firewall should provide one row - -- for this table to represent the firewall system as a whole (ie, the - -- value used for fwModuleType would be services.svcFirewall). For values - -- in this table that the firewall module does not support (eg., the - -- module does not support serial numbers), the value used would be - -- "NULL". fwModuleInfoTable OBJECT-TYPE SYNTAX SEQUENCE OF FwModuleInfoEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table of firewall Module entries that provide version and status information." ::= { fwinformation 6 } Grall [Page 43] Internet-Draft Firewall MIB 20 April 1998 fwModuleInfoEntry OBJECT-TYPE SYNTAX FwModuleInfoEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the table, containing information about a module." INDEX { fwModuleType } ::= { fwModuleInfoTable 1 } FwModuleInfoEntry ::= SEQUENCE { fwModuleType OBJECT IDENTIFIER, fwModuleInformation SnmpAdminString, fwModuleVersion SnmpAdminString, fwModulePatchLevel SnmpAdminString, fwModuleLicenseKey SnmpAdminString, fwModuleSerialNumber SnmpAdminString, fwModuleCfgID SnmpAdminString, fwModuleCfgDate TimeStamp, fwModuleCfgState INTEGER } fwModuleType OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS not-accessible STATUS current DESCRIPTION "Firewall module type. This can be an OID from the services group, or the vendor can choose to define OIDs in their enterprise group." ::= { fwModuleInfoEntry 1 } fwModuleInformation OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "Detailed information to designate the specific firewall module or service based on the type chosen for fwModuleInfoType." ::= { fwModuleInfoEntry 2 } fwModuleVersion OBJECT-TYPE SYNTAX SnmpAdminString Grall [Page 44] Internet-Draft Firewall MIB 20 April 1998 MAX-ACCESS read-only STATUS current DESCRIPTION "Module Version." ::= { fwModuleInfoEntry 3 } fwModulePatchLevel OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "Module Patch Level." ::= { fwModuleInfoEntry 4 } fwModuleLicenseKey OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "Module license key" ::= { fwModuleInfoEntry 5 } fwModuleSerialNumber OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "Module serial number." ::= { fwModuleInfoEntry 6 } fwModuleCfgID OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "Module configuration ID." ::= { fwModuleInfoEntry 7 } Grall [Page 45] Internet-Draft Firewall MIB 20 April 1998 fwModuleCfgDate OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "Module configuration date." ::= { fwModuleInfoEntry 8 } fwModuleCfgState OBJECT-TYPE SYNTAX INTEGER { inprogress(1), done(2), reconfigFailed(3) } MAX-ACCESS read-only STATUS current DESCRIPTION "Enumeration of the state the module's configuration is in." ::= { fwModuleInfoEntry 9 } - -- The resource information related queries, this table is for - -- providing the status of the resources on the firewall. Resources - -- can include hardware or software modules on the firewall. resourceStatusTable OBJECT-TYPE SYNTAX SEQUENCE OF ResourceStatusEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table of firewall resource entries" ::= { fwstatus 1 } resourceStatusEntry OBJECT-TYPE SYNTAX ResourceStatusEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the table, containing information about a resource." Grall [Page 46] Internet-Draft Firewall MIB 20 April 1998 INDEX { resourceType } ::= { resourceStatusTable 1 } ResourceStatusEntry ::= SEQUENCE { resourceType OBJECT IDENTIFIER, resourceInformation SnmpAdminString, resourceStatusDetail EventTypeUnitTC, resourceStatusInfo SnmpAdminString } resourceType OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS not-accessible STATUS current DESCRIPTION "Resource type. This can be an OID from the services group, or the vendor can choose to define OIDs in their enterprise group." ::= { resourceStatusEntry 1 } resourceInformation OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "Detailed information to further designate the specific firewall resource or service reporting status." ::= { resourceStatusEntry 2 } resourceStatusDetail OBJECT-TYPE SYNTAX EventTypeUnitTC MAX-ACCESS read-only STATUS current DESCRIPTION "Enumeration of firewall resource status/events. This list applies to hardware and software resources provided and used by the firewall." ::= { resourceStatusEntry 3 } resourceStatusInfo OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only Grall [Page 47] Internet-Draft Firewall MIB 20 April 1998 STATUS current DESCRIPTION "Detailed information to further describe the status of the resource if the value for resourceStatusDetails is not descriptive enough." ::= { resourceStatusEntry 4 } - -- The statistic related queries - -- This group contains several tables, each table can be used to provide - -- the indicated statistics for any firewall resource or service. The tables - -- all contain rows for (and are indexed by) each service that the statistic - -- applies to. - -- - -- The tables in this group can be used to provide statistics on: - -- - -- packet level data (packetStatTable) - -- service level data (fwStatTable) - -- - -- The packetStatTable includes variables to record the number of packets - -- handled by the firewall in various ways. - -- - -- In all the tables, for any Counter32 objects that are not supported, - -- a value of "0" is returned. packetStatTable OBJECT-TYPE SYNTAX SEQUENCE OF PacketStatEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table of firewall packet statistic entries." ::= { fwstatistic 1 } packetStatEntry OBJECT-TYPE SYNTAX PacketStatEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the table, containing information about a statistic." INDEX { packetStatServiceType, packetNetInterface } ::= { packetStatTable 1 } Grall [Page 48] Internet-Draft Firewall MIB 20 April 1998 PacketStatEntry ::= SEQUENCE { packetStatServiceType OBJECT IDENTIFIER, packetNetInterface InterfaceIndex, packetStatServiceDetail SnmpAdminString, packetsAccepted Counter32, packetsDropped Counter32, packetsEncrypted Counter32, packetsInvalid Counter32, packetsIgnore Counter32, packetsRejected Counter32, packetsForwarded Counter32, packetsFragmented Counter32 } packetStatServiceType OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS not-accessible STATUS current DESCRIPTION "The identification of the type of service notifying about the event. This value may be chosen from the fwmib.service or vendor specific trees. The description in packetStatServiceDetail can be used to designate a particular service from within this service type." ::= { packetStatEntry 1 } packetNetInterface OBJECT-TYPE SYNTAX InterfaceIndex MAX-ACCESS not-accessible STATUS current DESCRIPTION "The interface number that the packet(s) arrived on." ::= { packetStatEntry 2 } packetStatServiceDetail OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "Specific service information. This can be used to further designate the particular service. It can also be used to designate different types of packet statistics from the same service (e.g., the kernel counts rejected packets Grall [Page 49] Internet-Draft Firewall MIB 20 April 1998 meant to be forwared and meant to be accepted as two seperate counts)." ::= { packetStatEntry 3 } packetsAccepted OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Number of packets accepted." ::= { packetStatEntry 4 } packetsDropped OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Number of packets dropped." ::= { packetStatEntry 5 } packetsEncrypted OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Number of packets encrypted." ::= { packetStatEntry 6 } packetsInvalid OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Number of bad (see section 4.0) packets received." ::= { packetStatEntry 7 } packetsIgnore OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION Grall [Page 50] Internet-Draft Firewall MIB 20 April 1998 "Number of bad (see section 4.0) packets ignored." ::= { packetStatEntry 8 } packetsRejected OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Number of packets rejected." ::= { packetStatEntry 9 } packetsForwarded OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Number of packets forwarded." ::= { packetStatEntry 10 } packetsFragmented OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Number of packets fragmented." ::= { packetStatEntry 11 } - -- The Firewall Statistics Table Definition - -- - -- This table can be used to provide the statistics - -- for any firewall resource or service. This table contains rows for - -- (and are indexed by) each service to which the statistic applies. - -- - -- This table can be used to provide statistics on any of the events - -- that are also reported via traps, as well as any other events included - -- in EventTypeUnitTC. For example to report on the number of users - -- that where denied access to the ftp service you could use the following: - -- - -- resource = OID (service.svcFileTransfer.ftp) - -- resourceDetails = STRING ("the ftp proxy") - -- statisticType = accessDenied(1403) Grall [Page 51] Internet-Draft Firewall MIB 20 April 1998 - -- statsDataType = count - -- statsValue = INTEGER (35) - -- statDescription = STRING ("The number of users of the ftp proxy that...") - -- statStartTime = TimeStamp (####) - -- statElapsedTime = ?? - -- - -- The table contains a column to provide details about the statistic - -- being reported on. So, for example, if the statistic is for a particular - -- user, this can be provided in the statDescription. resourceStatTable OBJECT-TYPE SYNTAX SEQUENCE OF ResourceStatEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table of firewall statistic entries." ::= { fwstatistic 2 } resourceStatEntry OBJECT-TYPE SYNTAX ResourceStatEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the table, containing information about a firewall statistic." INDEX { statResourceType, statType } ::= { resourceStatTable 1 } ResourceStatEntry ::= SEQUENCE { statResourceType OBJECT IDENTIFIER, statResourceDetails SnmpAdminString, statType EventTypeUnitTC, statDataType INTEGER, statValue OCTET STRING, statDescription SnmpAdminString } statResourceType OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS not-accessible STATUS current DESCRIPTION "The identification of the type of service providing statistics Grall [Page 52] Internet-Draft Firewall MIB 20 April 1998 This value may be chosen from the fwmib.service or vendor specific trees. The description in statResourceDetails can be used to designate a particular service from within this service type." ::= { resourceStatEntry 1 } statResourceDetails OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "Specific service information. This can be used to designate the particular service reporting the statistic." ::= { resourceStatEntry 2 } statType OBJECT-TYPE SYNTAX EventTypeUnitTC MAX-ACCESS not-accessible STATUS current DESCRIPTION "The type of statistic this row is reporting on. This along with statResourceType provides a unique index into the table." ::= { resourceStatEntry 3 } statDataType OBJECT-TYPE SYNTAX INTEGER { counter(1), int(2), percent(3), gauge(4), timestmp(5) } MAX-ACCESS read-only STATUS current DESCRIPTION "The data type of the statistic value in this row. This value is used to interpret the data provided in statValue." ::= { resourceStatEntry 4 } statValue OBJECT-TYPE SYNTAX OCTET STRING (SIZE(1..8)) MAX-ACCESS read-only Grall [Page 53] Internet-Draft Firewall MIB 20 April 1998 STATUS current DESCRIPTION "The value of the statistic, the type of this value is provided in statDataType. Regardless of the type of the value, the bytes are interpreted in network byte order. @?@ any opinions @?@ If the statDataType value is 'counter' then @?@ any restrictions? If the statDataType value is 'int' then this value shall be @?@X bytes long maximum. @?@ any opinions? If the statDataType value is 'percent' then this value shall be an integer value between 00 and 100 inclusive. If the statDataType value is 'gauge' then this value shall be @?@. If the statDataType value is 'timestmp' then this value shall be @?@." ::= { resourceStatEntry 5 } statDescription OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "A more detailed description of the statistic provided in case the statType does not give a good indication of what the data in statValue represents." ::= { resourceStatEntry 6 } - -- - -- fwtrap group - -- - -- The fwtrap group defines the trap types that a firewall may - -- send. fwtrap OBJECT IDENTIFIER ::= { fwmib 4 } - -- Traps are defined using the conventions in SNMPv2-SMI - -- - -- The networkEventTrap is used for events related to the network - -- operation in the firewall. This includes packet screening events and Grall [Page 54] Internet-Draft Firewall MIB 20 April 1998 - -- service events. The trap contains the OID/row index of the - -- netEventDetailsTable and the OID/row and index of the vendor private - -- table. Then the management station can choose to access the event - -- details without having to query the base table. networkEventTrap NOTIFICATION-TYPE OBJECTS { basicEventsLogTableTrapIndex, basicEventTime, basicEventSource, basicEventType, basicEventDescription, basicEventDetailsTableRow, basicEventVendorDetailsTableRow } STATUS current DESCRIPTION "Network event notification from network components." ::= { fwtrap 1 } -- Example use: see introduction. - -- The healthEventTrap is used for events related to configuration problems, - -- resource problems, service problems, and system problems. The - -- basicEventDetailsTableIndex represents the index of the row in - -- the healthEventDetailsTable related to this event. healthEventTrap NOTIFICATION-TYPE OBJECTS { basicEventsLogTableTrapIndex, basicEventTime, basicEventSource, basicEventType, basicEventDescription, basicEventDetailsTableRow, basicEventVendorDetailsTableRow } STATUS current DESCRIPTION "Notification on events concerning the status and health of the firewall" ::= { fwtrap 2 } Grall [Page 55] Internet-Draft Firewall MIB 20 April 1998 -- Example use: see introduction. - -- The managementEventTrap is for events that relate to configuration - -- changes, operating system changes, and patches to components on the - -- firewall. The basicEventDetailsTableIndex represents the index of - -- the row in the mgmtEventDetailsTable related to this event. managementEventTrap NOTIFICATION-TYPE OBJECTS { basicEventsLogTableTrapIndex, basicEventTime, basicEventSource, basicEventType, basicEventDescription, basicEventDetailsTableRow, basicEventVendorDetailsTableRow } STATUS current DESCRIPTION "Notification of a configuration related event." ::= { fwtrap 3 } -- Example use: see introduction. - -- conformance information, see RFC1444 fwmibConformance OBJECT IDENTIFIER ::= { fwmib 5 } fwmibCompliances OBJECT IDENTIFIER ::= { fwmibConformance 1 } fwmibGroups OBJECT IDENTIFIER ::= { fwmibConformance 2 } - -- compliance statements fwCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for SNMPv2 entities which implement the Firewall MIB." MODULE -- this module GROUP basicEventsLogGroup DESCRIPTION "If the firewall will be sending traps, then the Grall [Page 56] Internet-Draft Firewall MIB 20 April 1998 basicEventsLog group is mandatory." ::= { fwmibCompliances 1 } - -- units of conformance basicEventsLogGroup OBJECT-GROUP OBJECTS { basicEventsLogTableLastValidRow, basicEventsLogTableTrapIndex, basicEventTime, basicEventSource, basicEventType, basicEventDescription, basicEventDetailsTableRow, basicEventVendorDetailsTableRow } STATUS current DESCRIPTION "A collection of objects allowing the description of events occurring on a firewall." ::= { fwmibGroups 1 } otherEventsLogGroup OBJECT-GROUP OBJECTS { netEventsLogTableLastValidRow, netEventInterface, netEventProtocol, netEventICMPCommand, netEventSrcIpAddress, netEventMappedSrcIpAddress, netEventDstIpAddress, netEventMappedDstIpAddress, netEventSrcIpPort, netEventMappedSrcIpPort, netEventDstIpPort, netEventMappedDstIpPort, netEventService, netEventServiceInformation, netEventAuthdEntity, netEventRuleID, netEventActionReason, healthEventsLogTableLastValidRow, healthEventResourceType, healthEventResourceDetails, healthEventProblemDetail, managementEventsLogTableLastValidRow, managementEventSubjectName, managementEventSubjectAction, managementEventActionDetail, managementEventObjectManaged } STATUS current DESCRIPTION "A collection of objects allowing the description of event details occurring on a firewall." ::= { fwmibGroups 2 } Grall [Page 57] Internet-Draft Firewall MIB 20 April 1998 fwqueryGroup1 OBJECT-GROUP OBJECTS { fwProductName, fwVersionMajor, fwVersionMinor, fwOSName, fwOSVersion } STATUS current DESCRIPTION "A collection of objects allowing the collection of generic information about the firewall." ::= { fwmibGroups 3 } fwqueryGroup2 OBJECT-GROUP OBJECTS { fwModuleInformation, fwModuleVersion, fwModulePatchLevel, fwModuleLicenseKey, fwModuleSerialNumber, fwModuleCfgID, fwModuleCfgDate, fwModuleCfgState } STATUS current DESCRIPTION "A collection of objects allowing the collection of information about modules on the firewall." ::= { fwmibGroups 4 } fwqueryGroup3 OBJECT-GROUP OBJECTS { resourceInformation, resourceStatusDetail, resourceStatusInfo } STATUS current DESCRIPTION "A collection of objects allowing the collection of information about service status on the firewall." ::= { fwmibGroups 5 } fwqueryGroup4 OBJECT-GROUP OBJECTS { packetStatServiceDetail, packetsAccepted, packetsDropped, packetsEncrypted, packetsInvalid, packetsIgnore, packetsRejected, packetsForwarded, packetsFragmented } Grall [Page 58] Internet-Draft Firewall MIB 20 April 1998 STATUS current DESCRIPTION "A collection of objects allowing the collection of packet statistics on the firewall." ::= { fwmibGroups 6 } fwqueryGroup5 OBJECT-GROUP OBJECTS { statResourceDetails, statDataType, statValue, statDescription } STATUS current DESCRIPTION "A collection of objects allowing the collection of statistics about serivces/resources on the firewall." ::= { fwmibGroups 7 } END 6. Acknowledgments The Firewall MIB has benefitted greatly from the comments and instrumen- tation work of many people. In addition to those already mentioned ear- lier in this document, the following individuals have contributed to this specification (with advance apologies to anyone who may have been left out of this list): Grall [Page 59] Internet-Draft Firewall MIB 20 April 1998 Lee Brown Dave Chouihard Mike Coram Holly Ding Dorit Dor Bill Funk Dale Lancaster Ken Laube Herbert Lin Ian McDonnell Thomas Oeser Ashok Nadkarni Poornima Rao Ephraim Vider Cliff Wang Michael Wittig 7. Security Considerations @?@ Portions still TBD... @?@ Address known threats @?@ Address methods to mitigate threads and any residual risks Users of this MIB will have access to data which is potentially not secure. Users should take reasonable steps to protect the data for dis- closure by using SNMPv3 or other encryption methods. It is not recom- mended that objects in the MIB be supported or used in an "untrusted" or unknown network environment unless privacy, authentication, and integrity are provided (eg., use encryption). There is the potential for unauthorized management stations to access firewall MIB objects. Users should use SNMPv3 to provide management identification and authentication. Write operations to MIB objects are not supported, i.e., SNMP SETs are currently not supported by this MIB. Many SNMP implementations and net- work architectures do not support secure communications. After SNMPv3 is established the MIB may be expanded to include objects that can be written. The MIB defines very few objects related to configuration data. As described in the section titled "Monitoring of Firewall Devices", there is a risk of exposing a firewall's configuration, and possibly provide Grall [Page 60] Internet-Draft Firewall MIB 20 April 1998 an adversary information on a firewall's weaknesses. 8. References [1] Cerf, V., "IAB Recommendations for the Development of Internet Net- work Management Standards", RFC 1052, NRI, April 1988. [2] Cerf, V., "Report of the Second Ad Hoc Network Management Review Group", RFC 1109, NRI, August 1989. [3] Rose M., and K. McCloghrie, "Structure and Identification of Manage- ment Information for TCP/IP-based internets", STD 16, RFC 1155, Performance Systems International, Hughes LAN Systems, May 1990. [4] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure of Management Information for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1902, January 1996. [5] McCloghrie K., and M. Rose, Editors, "Management Information Base for Network Management of TCP/IP-based internets", STD 17, RFC 1213, Performance Systems International, March 1991. [6] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network Management Protocol", STD 15, RFC 1157, SNMP Research, Performance Systems International, Performance Systems International, MIT Laboratory for Computer Science, May 1990. [7] SNMPv2 working Group, Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol Operations for Version 2 of the Simple Net- work Management Protocol (SNMPv2)", RFC 1905, January 1996. [8] McCloghrie, K., and F. Kastenholz, "Evolution of the Interfaces Group of MIB-II", RFC 1573, Hughes LAN Systems, FTP Software, Janu- ary 1994. [9] Information processing systems - Open Systems Interconnection - Specification of Abstract Syntax Notation One (ASN.1), Interna- tional Organization for Standardization. International Standard 8824, (December, 1987). [10] Information processing systems - Open Systems Interconnection - Specification of Basic Encoding Rules for Abstract Notation One (ASN.1), International Organization for Standardization. Interna- tional Standard 8825, (December, 1987). [11] Rose, M., and K. McCloghrie, Editors, "Concise MIB Definitions", Grall [Page 61] Internet-Draft Firewall MIB 20 April 1998 RFC 1212, Performance Systems International, Hughes LAN Systems, March 1991. [12] Rose, M., Editor, "A Convention for Defining Traps for use with the SNMP", RFC 1215, Performance Systems International, March 1991. [13] Harrington, D., Presuhn, R., Wijnen, B., "An Architecture for Describing SNMP Management Frameworks", RFC 2261, Cabletron Sys- tems, Inc., January 1998. 9. Author's Address Cindy Grall Trusted Information Systems 3415 S. Sepulvida Blvd., suite 700 Los Angeles, CA 90034 Phone: (310) 737-1744 EMail: grall@tis.com Appendix A: Sample Configurations and Scripts This appendix will contain configuration and script samples for using this MIB with some popular SNMP management products. Appendix B: Changes This section will be removed before final submittal as an RFC. Since draft 00 (24 November 1997) of the Firewall MIB, the following changes were made: Grall [Page 62] Internet-Draft Firewall MIB 20 April 1998 * The textual convention SnmpAdminString was added and all objects using Utf8String where changed to use SnmpAdminString. * More words were added to address things this MIB is NOT meant to address. * The three network event log tables were combined into one table, references throughout the MIB to the old tables were removed/changed as needed. * Examples were moved into the RFC text and updated to reflect latest MIB definition. * The main OID name for the mib changed from 'spfw' to 'fwmib'. * Some tables now use the InterfaceIndex textual convention from RFC 2233. * Some values (hardware, system, service) in EventTypeUnitTC were combined into one resource set. * Several new entries in EventTypeUnitTC were added. * A resourceStatusInfo object was added to the resource status table. * The service statistics table was redone. * Each trap has a one-to-one correspondence to an event log table, so reference for the OID to the details table was removed from the trap's objects. * The conformance groups were split up so that more MIB objects can be optional. * All index objects were changed to be 'not-accessible' as a result basicEventLogIndex could not be used in the traps, so a new object called basicEventsLogTableTrapIndex was created for this purpose. Note that this list does not reflect minor changes in wording or correc- tion of typographical or grammatical errors. Grall [Page 63]