HP Recommended

Hello.  I'm running a VBP 4555 11.2.17 parallel to my firewall.  That is to say the VBP has a public routable IP on the WAN interface and a private non-routable IP on the LAN interface.  I think after the 11.2.17 update for Heartbleed, SNMP queries on the LAN interface stopped responding.  I discovered today that if I enable the option "Allow SNMP access through firewall" it again works as expected.  I'm under the impression I DON'T want to do that as it allows SNMP queries from the WAN interface.  It appears to be all or nothing.  Am I understanding this incorrectly?

4 REPLIES 4
HP Recommended

Downloaded the config file, and I see this:

 

FILE:/etc/config/ewn_inittab
snmpd:unknown:/bin/snmpd -f  172.29.10.2 101.101.101.101 #(Changed for privacy)
ntpd:unknown:/bin/ntpd -n -g -Q -c /etc/config/ntp.conf -p /var/run/ntp.pid -f /etc/config/driftfile
slog:unknown:/sbin/syslogd -m0 -n
FILE:/etc/config/fw_defs.conf
FW_ENABLE=on
ENABLE_HTTP=on
ENABLE_HTTPS=off
ENABLE_TELNET=off
ENABLE_SNMP=off
ENABLE_SSH=off
TCP_ALLOW=""
UDP_ALLOW=""
ENABLE_LDROP=on
PPTP_ENABLE=off
PPTP_IP=
ENABLE_HTTPS_ALTPORT=off
ENABLE_DOD_BANNER=off

 

This seems to suggest SNMP is disabled locally. I also find it interesting that the snmpd line has both my LAN and WAN IPs listed.  Maybe that is the issue?  Should I change it to:

 

snmpd:unknown:/bin/snmpd -f  172.29.10.2

 

and

 

ENABLE_SNMP=on

HP Recommended

Hello SeaDave

 

What SNMP version do you use?

What have you configured on page System > Service Configuration?

 

By default, the VBP-E Firewall disables all management protocols on the WAN interface. Management protocols are allowed by default on the LAN interface. When deselecting a management protocol, the system will deny access from the WAN interface only. It's strange if VBP blocks SNMP on LAN.

 

I'm not sure about the /etc/config/ewn_inittab file config, but you can deny access to the SNMP port through the WAN interface using the User Commands section and the following string:

iptables -I INPUT -i eth1+ -p udp --dport 161 -j DROP

 

Regards

 

HP Recommended

I can use v1, 2c, or 3 with additional secrets/SSL.  I'm trying to use 1 for simplicity's sake.  It was working fine before the 11.2.17 update for the OpenSSL vul fix.  Regarding Services Config:

 

Enable SNMPv1 - Enabled

SNMPv1 RO Community - populated with our community name

SNMPv1 Trap Agent IP Address - populated with LAN IP

 

SNMPv3 not configured

 

SNMP Common Config

Location - Populated

Contact - Populated

Port - 161

 

Remote System Logging - Not configured

 

Management Source Address - Not configured

 

Hostname - Populated

 

MOS Scoring - Enabled

HP Recommended

Hmm.  So I tried to edit the config file by changing the following:

 

FILE:/etc/config/ewn_inittab
snmpd:unknown:/bin/snmpd -f  172.29.10.2 (I removed the WAN IP)
ntpd:unknown:/bin/ntpd  -4  -n -g -Q -c /etc/config/ntp.conf -p /var/run/ntp.pid -f /etc/config/driftfile
slog:unknown:/sbin/syslogd -m0 -n
FILE:/etc/config/fw_defs.conf
FW_ENABLE=on
ENABLE_HTTP=on
ENABLE_HTTPS=off
ENABLE_TELNET=off
ENABLE_SNMP=on (I changed this to on)
ENABLE_SSH=off
TCP_ALLOW=""
UDP_ALLOW=""
ENABLE_LDROP=on
PPTP_ENABLE=off
PPTP_IP=
ENABLE_HTTPS_ALTPORT=off
ENABLE_DOD_BANNER=off

 

After uploading and reboot, SNMP is now working again, but when I checked the config, the WAN IP had returned to the snmpd line.

 

My main concern is that someone could interrogate SNMP from the WAN, which is obviously bad.  I do have management IP restrictions and that may prevent that from occurring.  I'll try to scan the WAN IP for SNMP to see if that is the case or not.
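
Added example, not part of any post in this thread and not vendor code: a Python check over a downloaded config dump in the "FILE:" format shown above, flagging an snmpd line that lists a non-private address alongside ENABLE_SNMP=on. It assumes ENABLE_SNMP corresponds to the "Allow SNMP access through firewall" option; the function names and the sample dump are constructed for illustration.

```python
import ipaddress

# Constructed sample in the thread's "FILE:" dump format; 101.101.101.101 is the poster's placeholder WAN IP.
SAMPLE = """\
FILE:/etc/config/ewn_inittab
snmpd:unknown:/bin/snmpd -f  172.29.10.2 101.101.101.101
FILE:/etc/config/fw_defs.conf
ENABLE_SNMP=on
"""

def split_sections(dump):
    """Map each 'FILE:<path>' header to the non-empty lines that follow it."""
    sections, current = {}, None
    for line in dump.splitlines():
        if line.startswith("FILE:"):
            current = sections.setdefault(line[5:].strip(), [])
        elif current is not None and line.strip():
            current.append(line.strip())
    return sections

def snmpd_listen_addrs(inittab_lines):
    """Return the IP addresses given as arguments on the snmpd inittab entry."""
    addrs = []
    for line in inittab_lines:
        fields = line.split(":", 2)  # name:runlevel:command
        if len(fields) == 3 and fields[0] == "snmpd":
            for tok in fields[2].split("#")[0].split():
                try:
                    addrs.append(ipaddress.ip_address(tok))
                except ValueError:
                    pass  # binary path, flags, annotations
    return addrs

def audit(dump):
    """Return a list of SNMP exposure findings for one config dump."""
    sec = split_sections(dump)
    addrs = snmpd_listen_addrs(sec.get("/etc/config/ewn_inittab", []))
    fw = dict(l.split("=", 1) for l in sec.get("/etc/config/fw_defs.conf", []) if "=" in l)
    public = [str(a) for a in addrs if not a.is_private]
    findings = []
    if public:
        findings.append("snmpd listens on non-private address(es): " + ", ".join(public))
    # Assumption: ENABLE_SNMP mirrors "Allow SNMP access through firewall".
    if public and fw.get("ENABLE_SNMP") == "on":
        findings.append("ENABLE_SNMP=on: firewall may admit SNMP on a public address")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no SNMP exposure indicators")
```

The config alone does not show what the firewall actually admits, so a query against the WAN address from outside, as the last post proposes, remains the confirming test.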
