Integration of NETSNMP application on a Firewall device

 

Description

The existing SNMP implementation has to be rewritten because it does not support a single point of management for multi-blade and cluster architectures. It also suffers from the following limitations:

  • It is single threaded hence does not scale well
  • Requires significant code modifications to add new MIBs

The existingimplementation needs to be rewritten to provide a single point of management support for standalone, HA, and clustered configurations of Firewall instances running on SSP service blades. The new implementation will provide for flexible registration of MIBs, and provide for greater system-wide stability.

Solution


This requiresthe target device to provide tunneled network access for SNMP traffic to the MA, both as a server (for SNMP get operations), and as a client (for traps/informs). Net-SNMP provides a mib conversion tool called mib2c that converts a MIB definition file into stubbed-out ‘C’ code. This was used as the starting point for the support of each MIB.

The NetSnmp subagent (SA) runs in the same process (i.e. memory space) as the target device, because it requires access to internal configuration data, counters, etc, that must be reported via SNMP.

The SA will remain single-threaded within a given instance. However, the Master agent(MA) can introduce parallelism amongst multiple instances of target device in a cluster/HA environment. Given that multiple processes (MA and SA) must cooperate to handle SNMP messages

In order to best leverage the Net-SNMP SA code, a single instance of the SA is created for all contexts. The context associated with an SNMP get operations will be inferred based on the context-specific interface on which the request is received.

The SA runs as a thread in the context of the control point. This allows the driver-code to maintain knowledge of the context associated with the request via the context specific functions, throughout the lifetime of handling that request.

Challenges

  • The Target Firewall device runs a single monolithic process which runs in user-space and owns the data interfaces. Hence, processes other than that do not have external network access.
  • Conversion of all the existing MIBs to follow NetSnmp standards.

LET’S GET IN TOUCH

Please fill out the form below and we’ll contact you to schedule a live demonstration with one of our platform experts.