Configuring SNMP in FIPS mode

FIPS mode requires Simple Network Management Protocol version 3 (SNMPv3) with the authentication and privacy (authPriv) option. SNMP version 1 and version 2 use a community string mechanism to provide secured access to management data. The community string is sent as clear text between an SNMP manager and an SNMP agent.  This type of communication is unsecure, allowing intruders to access SNMP information on the network.

The SNMPv3 protocol uses the User-based Security Model (USM) and View-based Access Control Model (VACM) to authenticate and control management access to SNMP messaging data. SNMPv3 has three security levels: no authentication no privacy (noAuthNoPriv), authentication and no privacy (authNoPriv), and authentication and privacy (authPriv).

Enabling FIPS mode and restarting the NetScaler appliance removes the following SNMP configurations from the appliance:

  1. Community configuration for SNMPv1 and SNMPv2 protocols.
  2. SNMPv3 groups configured with the noAuthNoPriv or authNoPriv security-level option.
  3. Traps configured for SNMPv1 or SNMPv2, or SNMPv3 with the noAuthNoPriv security-level option.

After restarting the appliance, configure SNMPv3 with the authPriv option. For more information about configuring authPriv option in SMNP v3, see SNMPV3 topic

Note:

Enabling FIPS mode and restarting your appliance blocks execution of the following SNMP trap and group commands:

1.  add snmp community <communityName> <permissions>

2.  add snmp trap <trapClass> <trapDestination> ... [-version: v1/v2]   [-td <positive_integer>] [-destPort <port>] [-communityName <string>] [-srcIP <ip_addr|ipv6_addr>] [-severity <severity>] [-allPartitions ( ENABLED | DISABLED )]

3.  add snmp group <name> <securityLevel : noAuthNoPriv/ authNoPriv > -readViewName <string>

4.  bind snmp trap specific <TrapIp>-userName <v3 user name> -securityLevel <noAuthNoPriv/ authNoPriv>

Configuring SNMP in FIPS mode

In this article