-- *****************************************************************
-- CISCO-FIREWALL-MIB
--
-- April, 1999 Jim Fitzgerald
--
-- Copyright (c) 1999-2005 by cisco Systems, Inc.
-- All rights reserved.
-- *****************************************************************

CISCO-FIREWALL-MIB DEFINITIONS ::= BEGIN

IMPORTS
    OBJECT-GROUP,
    NOTIFICATION-GROUP,
    MODULE-COMPLIANCE            FROM SNMPv2-CONF

    MODULE-IDENTITY,
    OBJECT-TYPE,
    NOTIFICATION-TYPE,
    Counter32,
    Gauge32,
    Unsigned32,
    IpAddress                    FROM SNMPv2-SMI

    DateAndTime,
    TEXTUAL-CONVENTION,
    RowPointer                   FROM SNMPv2-TC

    SnmpAdminString              FROM SNMP-FRAMEWORK-MIB
    InterfaceIndexOrZero         FROM IF-MIB
    ciscoMgmt                    FROM CISCO-SMI;


ciscoFirewallMIB MODULE-IDENTITY
    LAST-UPDATED "200512060000Z"
    ORGANIZATION "Cisco Systems, Inc."
    CONTACT-INFO
        "       Cisco Systems
                Customer Service

        Postal: 170 W Tasman Drive
                San Jose, CA 95134
                USA

           Tel: +1 800 553-NETS

        E-mail: cs-pix@cisco.com
                cs-iosfw@cisco.com"
    DESCRIPTION "MIB module for monitoring Cisco Firewalls."
    REVISION "200512060000Z"
    DESCRIPTION
        "Added the copyright statement and updated the imports
         such that Unsigned32 is imported from SNMPv2-SMI instead
         of CISCO-TC. Added a new NOTIFICATION-GROUP
         ciscoFirewallMIBNotificationGroupRev1 to include all the
         notifications defined in the MIB. Obsoleted the
         OBJECT-GROUP ciscoFirewallMIBNotificationGroup. Deprecated
         the MODULE-COMPLIANCE ciscoFirewallMIBCompliance and added
         a new MODULE-COMPLIANCE ciscoFirewallMIBComplianceRev1."
    REVISION "9904291200Z"
    DESCRIPTION
        "Initial version of this MIB module."
    ::= { ciscoMgmt 147 }

ciscoFirewallMIBObjects OBJECT IDENTIFIER ::= { ciscoFirewallMIB 1 }

cfwEvents               OBJECT IDENTIFIER ::= { ciscoFirewallMIBObjects 1 }
    cfwBasicEvents      OBJECT IDENTIFIER ::= { cfwEvents 1 }
    cfwNetEvents        OBJECT IDENTIFIER ::= { cfwEvents 2 }


cfwSystem               OBJECT IDENTIFIER ::= { ciscoFirewallMIBObjects 2 }
    cfwStatus           OBJECT IDENTIFIER ::= { cfwSystem 1 }
    cfwStatistics       OBJECT IDENTIFIER ::= { cfwSystem 2 }

-- Textual Conventions

ResourceStatistics ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "This textual convention is used to identify various statistics
         that are related to the resources on a firewall.

         highUse  : The highest load the resource has had for a
                    time period. The time period will be
                    implementation dependent.
         highLoad : The highest load the resource has had since
                    startup.
         maximum  : The maximum amount of the resource that is
                    available.
         minimum  : The minimum amount of the resource that is
                    available.
         low      : The lowest amount of the resource that has been
                    available since startup.
         high     : The highest amount of the resource that has been
                    available since startup.
         average  : The average amount of the resource that has been
                    available since startup.
         free     : The amount of the resource that is currently
                    available since startup.
         inUse    : The amount of the resource that is currently
                    in use, e.g., CPU usage, memory usage."
    SYNTAX INTEGER {
        highUse(1),
        highLoad(2),
        maximum(3),
        minimum(4),
        low(5),
        high(6),
        average(7),
        free(8),
        inUse(9)
    }

Hardware ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "This textual convention is used to describe various hardware
         resources that can be monitored by the firewall.

         memory        - identifies memory.
         disk          - identifies disk.
         power         - identifies power.
         netInterface  - identifies a network interface.
         tape          - identifies a tape drive.
         controller    - identifies hardware controller.
         cpu           - identifies CPU.
         primaryUnit   - identifies the primary unit of the two
                         identical firewalls configured for redundancy.
         secondaryUnit - identifies the secondary unit of the two
                         identical firewalls configured for redundancy.
         other         - identifies other hardware."
    SYNTAX INTEGER {
        memory(1),
        disk(2),
        power(3),
        netInterface(4),
        cpu(5),
        primaryUnit(6),
        secondaryUnit(7),
        other(8)
    }

Services ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION

        "This textual convention is used to describe various services
         that are monitored by the firewall.

         otherFWService        - a service that does not fit into any
                                 other category.
         fileXferFtp           - identifies FTP, File Transfer Protocol.
         fileXferTftp          - identifies TFTP, Trivial File
                                 Transfer Protocol
         fileXferFtps          - identifies FTP, File Transfer
                                 Protocol running over Secure Sockets Layer.
         loginTelnet           - identifies telnet
         loginRlogin           - identifies rlogin.
         loginTelnets          - identifies telnet over
                                 Secure Sockets Layer(SSL).
         remoteExecSunRPC      - identifies Sun Remote
                                 Procedure Call Protocol.
         remoteExecMSRPC       - identifies Microsoft Remote
                                 Procedure Call Protocol.
         remoteExecRsh         - identifies the remote shell.
         remoteExecXserver     - identifies the Xwindows server.
         webHttp               - identifies Hyper Text Transfer Protocol.
         webHttps              - identifies the secure HTTP protocol.
         mailSmtp              - identifies SMTP, Simple Mail Transfer Protocol.
         mailSmtps             - identifies SMTP, Simple Mail Transfer Protocol
                                 running over Secure Sockets Layer (SSL).
         multimediaStreamworks - identifies streamworks.
         multimediaH323        - identifies H323.
         multimediaNetShow     - identifies NetShow.
         multimediaVDOLive     - identifies vDOLive.
         multimediaRealAV      - identifies RealAV.
         multimediaRTSP        - identifies Real Time Streaming Protocol
         dbOracle              - identifies Oracle's SQL*Net.
         dbMSsql               - identifies MicroSoft SQL.
         contInspProgLang      - identifies a payload as a programming
                                 language such as Java or ActiveX.
         contInspUrl           - identifies a payload as a URL.
         directoryNis          - identifies NIS, Network Information Service.
         directoryDns          - identifies DNS, Domain Name Service.
         directoryNetbiosns    - identifies NetBIOSNS - NetBIOS Name Service.
         directoryNetbiosdgm   - identifies NetBIOSNS - NetBIOS
                                 datagram Service.
         directoryNetbiosssn   - identifies NetBIOSNS - NetBIOS
                                 Session Service.
         directoryWins         - identifies Windows Internet Naming
                                 Service (WINS).
         qryWhois              - identifies WhoIs service.
         qryFinger             - identifies finger.
         qryIdent              - identifies Ident.
         fsNfsStatus           - identifies Network File System (NFS) Status.
         fsNfs                 - identifies Network File System (NFS).
         fsCifs                - identifies CIFS, Common Internet
                                 File Service.
         protoIcmp             - identifies ICMP, Internet Control Message Protocol.
         protoTcp              - identifies TCP, Transmission Control Protocol.
         protoUdp              - identifies UDP, User Datagram Protocol.
         protoIp               - identifies IP, Internet Protocol.
         protoSnmp             - identifies SNMP, Simple Network Management Protocol."
    SYNTAX INTEGER {
        otherFWService(1),
        fileXferFtp(2),
        fileXferTftp(3),
        fileXferFtps(4),
        loginTelnet(5),
        loginRlogin(6),
        loginTelnets(7),
        remoteExecSunRPC(8),
        remoteExecMSRPC(9),
        remoteExecRsh(10),
        remoteExecXserver(11),
        webHttp(12),
        webHttps(13),
        mailSmtp(14),
        multimediaStreamworks(15),
        multimediaH323(16),
        multimediaNetShow(17),
        multimediaVDOLive(18),
        multimediaRealAV(19),
        multimediaRTSP(20),
        dbOracle(21),
        dbMSsql(22),
        contInspProgLang(23),
        contInspUrl(24),
        directoryNis(25),
        directoryDns(26),
        directoryNetbiosns(27),
        directoryNetbiosdgm(28),
        directoryNetbiosssn(29),
        directoryWins(30),
        qryWhois(31),
        qryFinger(32),
        qryIdent(33),
        fsNfsStatus(34),
        fsNfs(35),
        fsCifs(36),
        protoIcmp(37),
        protoTcp(38),
        protoUdp(39),
        protoIp(40),
        protoSnmp(41)
    }

HardwareStatus ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "This textual convention is used to describe various events
         that are related to the resources on a firewall.
         other    : Generic resource event.
         up       : The resource is in service.
         down     : The resource is not in service.
         error    : There has been an error for this resource.
         overTemp : The resource is overheating.
         busy     : The resource is busy.
         noMedia  : A device doesn't have its needed media.
         backup   : Processing has switched to the backup.
         active   : This is the active unit.
         standby  : This is the standby unit."

    SYNTAX INTEGER {
        other(1),
        up(2),
        down(3),
        error(4),
        overTemp(5),
        busy(6),
        noMedia(7),
        backup(8),
        active(9),
        standby(10)
    }

SecurityEvent ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "This textual convention is used to describe various
         security-related events and statistics on a firewall.

         other      : Generic attack event.
         none       : No attack is occurring, an informational
                      event.
         dos        : A denial of service attack has been detected.
         recon      : A pattern of reconnaissance activity has been
                      detected.
         pakFwd     : A packet forwarding attack has been detected.
         addrSpoof  : A spoofed address has been detected.
         svcSpoof   : A spoofed service (e.g., DNS) has been detected.
         thirdParty : This site is being used as a third-party for
                      an attack on another network. For example, the
                      'smurf' attack or email spamming.
         complete   : An attack has terminated.
         invalPak   : An invalid packet with attack characteristics
                      has been detected.
         illegCom   : An illegal command has been found.
         policy     : An attempt has been made to violate a security
                      policy."

    SYNTAX INTEGER {
        other(1),
        none(2),
        dos(3),
        recon(4),
        pakFwd(5),
        addrSpoof(6),
        svcSpoof(7),
        thirdParty(8),
        complete(9),
        invalPak(10),
        illegCom(11),
        policy(12)
    }

ContentInspectionEvent ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "Content inspection events, these events report that
         something was found in the application payload. The
         details entry in the event can report on what was
         found (e.g., virus, company private info., etc), what it
         was found in (e.g., html, win32 executable, e-mail), and
         what was done with it (e.g., the quarantine location).

         other  : A content inspection event. Used to indicate
                  that some content inspection has occurred that
                  is not covered by the other content inspection
                  enumerations.
         okay   : The check of the content was okay, nothing 'bad'
                  was found.
         error  : There was an error while checking the content.
         found  : Something was found that the content inspection
                  engine has determined merits attention.
         clean  : The content inspection engine has found something
                  that violates the security policy and has
                  neutralized the content in the data flow.
         reject : The content inspection engine has found something
                  that violates the security policy and has discarded
                  the content.
         saved  : The content inspection engine has found something
                  that violates the security policy and has stored
                  it in a quarantine storage area."
    SYNTAX INTEGER {
        other(1),
        okay(2),
        error(3),
        found(4),
        clean(5),
        reject(6),
        saved(7)
    }

ConnectionEvent ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "This textual convention is used to describe various events
         and statistics that are related to the connections that
         occur on a firewall.

         other   : A generic connection event.
         accept  : A connection has been accepted.
         error   : An error has occurred for a connection.
         drop    : The connection has been dropped.
         close   : A connection has been closed.
         timeout : A connection has been timed out.
         refused : A connection has been refused.
         reset   : A connection has been reset.
         noResp  : A connection has received no response."
    SYNTAX INTEGER {
        other(1),
        accept(2),
        error(3),
        drop(4),
        close(5),
        timeout(6),
        refused(7),
        reset(8),
        noResp(9)
    }

ConnectionStat ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "This textual convention is used to describe various
         connections statistics.

         other           : A generic connection event.
         totalOpen       : Total open connections since reboot.
         currentOpen     : The number of connections currently open.
         currentClosing  : The number of connections currently closing.
         currentHalfOpen : The number of connections currently half-open.
         currentInUse    : The number of connections currently in use.
         high            : The highest number of connections in use at
                           any one time since system startup."
    SYNTAX INTEGER {
        other(1),
        totalOpen(2),
        currentOpen(3),
        currentClosing(4),
        currentHalfOpen(5),
        currentInUse(6),
        high(7)
    }

AccessEvent ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "This textual convention is used to describe various events
         and statistics that are related to the access control on a
         firewall.

         other    : Miscellaneous access event.
         grant    : A service has allowed access based on all
                    of its access checks.
         deny     : A client was denied use of a service.
         denyMult : A client was denied use of a service
                    multiple times.
         error    : An error has occurred during the access
                    control process."
    SYNTAX INTEGER {
        other(1),
        grant(2),
        deny(3),
        denyMult(4),
        error(5)
    }

AuthenticationEvent ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "This textual convention is used to describe various events
         and statistics that are related to authorization.

         other    : Miscellaneous authentication event.
         succ     : A client successfully authenticated.
         error    : Error while authenticating.
         fail     : A client failed authentication.
         succPriv : A client accessed a service with special
                    privileges.
         failPriv : A client failed to access a service with
                    special privileges.
         failMult : Multiple failed authentication attempts by
                    a client."
    SYNTAX INTEGER {
        other(1),
        succ(2),
        error(3),
        fail(4),
        succPriv(5),
        failPriv(6),
        failMult(7)
    }

GenericEvent ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "Generic Events - events for which there is no more specific
         enumeration
         abnormal : An abnormal event has occurred that is neither
                    'okay' nor an 'error'.
         okay     : A normal event occurred or the system has changed
                    from an abnormal state to a normal state
         error    : An error event occurred"
    SYNTAX INTEGER {
        abnormal(1),
        okay(2),
        error(3)
    }

--
-- The cfwBasicEventsGroup
--
-- This group defines the table containing information that is
-- for every logged event on the firewall. The table is
-- defined along with one variable to obtain the index value of
-- the last row in the table. The table is indexed by the
-- integer-valued cfwBasicEventIndex which is assigned to events
-- in ascending chronological order, such that the oldest event
-- stored in the table has the numerically smallest value of
-- cfwBasicEventIndex.
--
-- The index of the last row also indicates the total number
-- modulo 2**32 of events logged in the table since reboot.
-- Events are not retained across reboots.
--

cfwBasicEventsTableLastRow OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The index value of the most recently created row
         in the cfwBasicEventsTable. This number starts at
         1 and increases by one with each new log entry. When
         this number wraps, all events are deleted."
    ::= { cfwBasicEvents 1 }

cfwBasicEventsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CfwBasicEventsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Table of basic data for firewall events. The agent
         may choose to delete the instances of cfwBasicEventsEntry
         as required because of lack of memory. The oldest Events
         will be selected first for deletion."
    ::= { cfwBasicEvents 2 }

cfwBasicEventsEntry OBJECT-TYPE
    SYNTAX      CfwBasicEventsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry in the table, containing general information
         about an event.
         This table will always be sparse, i.e.,
         each row will instantiate only a subset of the columnar
         objects."
    INDEX { cfwBasicEventIndex }
    ::= { cfwBasicEventsTable 1 }

CfwBasicEventsEntry ::= SEQUENCE {
    cfwBasicEventIndex               Unsigned32,
    cfwBasicEventTime                DateAndTime,
    cfwBasicSecurityEventType        SecurityEvent,
    cfwBasicContentInspEventType     ContentInspectionEvent,
    cfwBasicConnectionEventType      ConnectionEvent,
    cfwBasicAccessEventType          AccessEvent,
    cfwBasicAuthenticationEventType  AuthenticationEvent,
    cfwBasicGenericEventType         GenericEvent,
    cfwBasicEventDescription         SnmpAdminString,
    cfwBasicEventDetailsTableRow     RowPointer
}

cfwBasicEventIndex OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An index that uniquely identifies an entry in the
         log table. These indices are assigned beginning
         with 1 and increase by one with each new event logged."
    ::= { cfwBasicEventsEntry 1 }

cfwBasicEventTime OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The time that the event occurred."
    ::= { cfwBasicEventsEntry 2 }

cfwBasicSecurityEventType OBJECT-TYPE
    SYNTAX      SecurityEvent
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of security-related event that this row contains.
         If the event is not security-related this object will not
         be instantiated."
    ::= { cfwBasicEventsEntry 3 }

cfwBasicContentInspEventType OBJECT-TYPE
    SYNTAX      ContentInspectionEvent
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of content inspection-related event that this row
         contains. If the event is not content inspection-related
         this object will not be instantiated."
    ::= { cfwBasicEventsEntry 4 }

cfwBasicConnectionEventType OBJECT-TYPE
    SYNTAX      ConnectionEvent
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of connection-related event that this row contains.
         If the event is not connection-related this object will not
         be instantiated."
    ::= { cfwBasicEventsEntry 5 }

cfwBasicAccessEventType OBJECT-TYPE
    SYNTAX      AccessEvent
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of access-related event that this row contains.
         If the event is not access-related this object will not be
         instantiated."
    ::= { cfwBasicEventsEntry 6 }

cfwBasicAuthenticationEventType OBJECT-TYPE
    SYNTAX      AuthenticationEvent
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of authentication-related event that this row
         contains. If the event is not authentication-related this
         object will not be instantiated."
    ::= { cfwBasicEventsEntry 7 }

cfwBasicGenericEventType OBJECT-TYPE
    SYNTAX      GenericEvent
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of generic event that this row contains. If the
         event does not fall into one of the other categories this
         object will be populated. Otherwise, this object will not
         be instantiated."
    ::= { cfwBasicEventsEntry 8 }

cfwBasicEventDescription OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A description of the event. The value of the object may
         be a zero-length string."
    ::= { cfwBasicEventsEntry 9 }

cfwBasicEventDetailsTableRow OBJECT-TYPE
    SYNTAX      RowPointer
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A pointer to a row in the table containing details
         about this event. Generally, the table will be the
         cfwNetEventsTable but a Cisco-defined table may also
         appear here.
         If there is no more detailed
         information for this event the value of this object
         will have the value {0 0}."
    ::= { cfwBasicEventsEntry 10 }

--
-- Network Events
--
-- A details table with information related to network events
-- or events involving "users" of the firewall resources and services
-- (e.g., traffic flows through the firewall or a user authenticating
-- to use a firewall service).

cfwNetEventsTableLastRow OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The index value of the last row in the
         cfwNetEventsTable. This number starts at 1 and
         increases by one with each new log entry. When this
         number wraps, all events are deleted."
    ::= { cfwNetEvents 1 }

cfwNetEventsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CfwNetEventsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Table of detailed data for network events. The
         agent may choose to delete the instances of
         cfwBasicEventsEntry as required because of lack of
         memory. It is an implementation-specific matter as
         to when this deletion may occur. It is recommended
         that the oldest log instances are deleted first."
    ::= { cfwNetEvents 2 }

cfwNetEventsEntry OBJECT-TYPE
    SYNTAX      CfwNetEventsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry in the table, containing detailed information
         about an event. Note that this table may be sparse.
         If Network Address Translation is not enabled
         cfwNetEventInsideSrcIpAddress and
         cfwNetEventInsideDstIpAddress will not be instantiated
         in the row. If Port Address Translation is not enabled
         cfwNetEventInsideSrcIpPort and
         cfwNetEventInsideDstIpPort will not be instantiated
         in the row. Entries are added to this table at the
         same time that events are added to the cfwBasicEventsTable.
         These two tables may be configured to be different
         sizes so there may not be a one-to-one correspondence
         between rows in the two tables."
    INDEX { cfwNetEventIndex }
    ::= { cfwNetEventsTable 1 }


CfwNetEventsEntry ::= SEQUENCE {
    cfwNetEventIndex               Unsigned32,
    cfwNetEventInterface           InterfaceIndexOrZero,
    cfwNetEventSrcIpAddress        IpAddress,
    cfwNetEventInsideSrcIpAddress  IpAddress,
    cfwNetEventDstIpAddress        IpAddress,
    cfwNetEventInsideDstIpAddress  IpAddress,
    cfwNetEventSrcIpPort           INTEGER,
    cfwNetEventInsideSrcIpPort     INTEGER,
    cfwNetEventDstIpPort           INTEGER,
    cfwNetEventInsideDstIpPort     INTEGER,
    cfwNetEventService             Services,
    cfwNetEventServiceInformation  SnmpAdminString,
    cfwNetEventIdentity            SnmpAdminString,
    cfwNetEventDescription         SnmpAdminString
}

cfwNetEventIndex OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An index that uniquely identifies an entry in the
         log table. These indices are assigned beginning with
         one and increase by one with each new log entry. When
         this number wraps, all events are deleted in order to
         allow the NMS to differentiate between old and new
         events."
    ::= { cfwNetEventsEntry 1 }

cfwNetEventInterface OBJECT-TYPE
    SYNTAX      InterfaceIndexOrZero
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The interface most closely associated with this event.
         For example, for an event that relates to the receipt of
         a packet, this object identifies the interface on which
         the packet was received. If there are multiple interfaces
         associated with an event, the interface most closely
         associated with the cause of the event will be used.
         For example, for an event for the setup of a TCP
         connection, the interface on the initiator's side
         of the connection would be preferred. If there is no
         associated interface, then this object has the value zero."
    ::= { cfwNetEventsEntry 2 }

cfwNetEventSrcIpAddress OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Source IP address in the IP packet that caused the
         event. If there is no packet associated with the
         event this object has the value of zero. If the event is
         the result of multiple packets with different source
         addresses, this value may be zero or an address taken
         from an arbitrarily chosen packet in the sequence of
         packets causing the event."
    ::= { cfwNetEventsEntry 3 }

cfwNetEventInsideSrcIpAddress OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Source IP address after Network Address Translation
         has been applied. If NAT has not been applied to the
         source address in this packet this object will not
         be instantiated, resulting in a sparse table. If the
         event is the result of multiple packets with different
         source addresses, this value may be zero or an address
         taken from an arbitrarily chosen packet in the sequence
         of packets causing the event."
    ::= { cfwNetEventsEntry 4 }

cfwNetEventDstIpAddress OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Destination IP address in the IP packet that caused
         the event. If there is no packet associated with
         the event this object has the value of zero. If the event
         is the result of multiple packets with different destination
         addresses, this value may be zero or an address taken
         from an arbitrarily chosen packet in the sequence of
         packets causing the event."
    ::= { cfwNetEventsEntry 5 }

cfwNetEventInsideDstIpAddress OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Destination IP address after Network Address Translation
         has been applied.
         If NAT has not been applied to the
         destination address in this packet this object will not
         be instantiated, resulting in a sparse table. If the event
         is the result of multiple packets with different destination
         addresses, this value may be zero or an address taken
         from an arbitrarily chosen packet in the sequence of
         packets causing the event."
    ::= { cfwNetEventsEntry 6 }

cfwNetEventSrcIpPort OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Source UDP/TCP port in the IP packet that caused
         the event. If there is no packet associated with the
         event this object has the value of zero. If the event
         is the result of multiple packets with different source
         ports, this value may be zero or a port taken from an
         arbitrarily chosen packet in the sequence of packets
         causing the event."
    ::= { cfwNetEventsEntry 7 }


cfwNetEventInsideSrcIpPort OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Source UDP/TCP port after Port Address Translation
         has been applied. If PAT has not been applied to the
         source port in this packet this object will not be
         instantiated, resulting in a sparse table. If the
         event is the result of multiple packets with different
         source ports, this value may be zero or a port taken
         from an arbitrarily chosen packet in the sequence of
         packets causing the event."
    ::= { cfwNetEventsEntry 8 }

cfwNetEventDstIpPort OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Destination UDP/TCP port in the IP packet that caused
         the event. If there is no packet associated with the
         event this object has the value of zero.
         If the event is
         the result of multiple packets with different destination
         ports, this value may be zero or a port taken from an
         arbitrarily chosen packet in the sequence of packets
         causing the event."
    ::= { cfwNetEventsEntry 9 }

cfwNetEventInsideDstIpPort OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Destination UDP/TCP port after Port Address Translation
         has been applied. If PAT has not been applied to the
         Destination port in this packet this object will not be
         instantiated, resulting in a sparse table. If the event
         is the result of multiple packets with different
         destination ports, this value may be zero or a port
         taken from an arbitrarily chosen packet in the sequence
         of packets causing the event."
    ::= { cfwNetEventsEntry 10 }

cfwNetEventService OBJECT-TYPE
    SYNTAX      Services
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The identification of the type of service involved
         with this event."
    ::= { cfwNetEventsEntry 11 }

cfwNetEventServiceInformation OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Specific service information. This can be used to
         describe the particular service identified by
         cfwNetEventService and can reflect whether the service
         is a local service or a gateway service. For example,
         if the value for cfwNetEventService is loginTelnet
         then the string provided might be 'local telnet'."
    ::= { cfwNetEventsEntry 12 }

cfwNetEventIdentity OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object will contain a description of the entity that
         caused the event. The entity could be a userid, username,
         processid or other identifier for the entity using the service.
         If there is no such information then this object will contain
         a zero-length string."
    ::= { cfwNetEventsEntry 13 }

cfwNetEventDescription OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A detailed description of the event."
    ::= { cfwNetEventsEntry 14 }

-- The cfwHardwareStatus
--
-- The resource information related queries, this table is for
-- providing the status of the resources on the firewall. Resources
-- can include hardware or software modules on the firewall.

cfwHardwareStatusTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CfwHardwareStatusEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Table of firewall cfwHardwareStatusEntry entries."
    ::= { cfwStatus 1 }

cfwHardwareStatusEntry OBJECT-TYPE
    SYNTAX      CfwHardwareStatusEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry in the table, containing status information
         about a resource."
    INDEX { cfwHardwareType }
    ::= { cfwHardwareStatusTable 1 }

CfwHardwareStatusEntry ::= SEQUENCE {
    cfwHardwareType          Hardware,
    cfwHardwareInformation   SnmpAdminString,
    cfwHardwareStatusValue   HardwareStatus,
    cfwHardwareStatusDetail  SnmpAdminString
}

cfwHardwareType OBJECT-TYPE
    SYNTAX      Hardware
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The hardware type for which this row provides
         status information."
    ::= { cfwHardwareStatusEntry 1 }

cfwHardwareInformation OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A detailed textual description of the resource
         identified by cfwHardwareType."
    ::= { cfwHardwareStatusEntry 2 }

cfwHardwareStatusValue OBJECT-TYPE
    SYNTAX      HardwareStatus
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object contains the current status of the resource."
    ::= { cfwHardwareStatusEntry 3 }

cfwHardwareStatusDetail OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A detailed textual description of the current status of
         the resource which may provide a more specific description
         than cfwHardwareStatusValue."
    ::= { cfwHardwareStatusEntry 4 }

-- The cfwBufferStatistics
--
-- This table is for providing the statistics for the buffers
-- on the firewall.

cfwBufferStatsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CfwBufferStatsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table containing status information about a firewall's
         buffers."
    ::= { cfwStatistics 1 }

cfwBufferStatsEntry OBJECT-TYPE
    SYNTAX      CfwBufferStatsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry in the table, containing status information
         about a particular statistic for the set of buffers
         of a particular size."
    INDEX { cfwBufferStatSize, cfwBufferStatType }
    ::= { cfwBufferStatsTable 1 }

CfwBufferStatsEntry ::= SEQUENCE {
    cfwBufferStatSize         Unsigned32,
    cfwBufferStatType         ResourceStatistics,
    cfwBufferStatInformation  SnmpAdminString,
    cfwBufferStatValue        Gauge32
}

cfwBufferStatSize OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object contains the size of the set of buffers
         for which this row contains the statistics given by
         cfwBufferStatType."
    ::= { cfwBufferStatsEntry 1 }

cfwBufferStatType OBJECT-TYPE
    SYNTAX      ResourceStatistics
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object identifies the type of statistic given by
         this row for the particular set of buffers identified by
         cfwBufferStatSize."
    ::= { cfwBufferStatsEntry 2 }

cfwBufferStatInformation OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "A detailed textual description of the statistic
        identified by cfwBufferStatType."
    ::= { cfwBufferStatsEntry 3 }

cfwBufferStatValue OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of the buffer statistic."
    ::= { cfwBufferStatsEntry 4 }

--
-- The Firewall Connection Statistics Table
--
-- This table can be used to provide the statistics for firewall
-- connection events or services. These "connections" can be
-- connections in a loose sense of the word - a UDP transaction
-- would qualify as a connection if the firewall maintains
-- state information to monitor the packets traversing the firewall
-- for this "connection". A uni-directional UDP "connection" could be
-- described as being "half-open" by a value of 'halfOpen' in
-- cfwConnectionStatType.
--
-- This table contains multiple rows for each service to which the
-- statistic applies.
--

cfwConnectionStatTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CfwConnectionStatEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Table of firewall statistic instances."
    ::= { cfwStatistics 2 }

cfwConnectionStatEntry OBJECT-TYPE
    SYNTAX CfwConnectionStatEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "An entry in the table, containing information about a
        firewall statistic."
    INDEX { cfwConnectionStatService, cfwConnectionStatType }
    ::= { cfwConnectionStatTable 1 }

CfwConnectionStatEntry ::= SEQUENCE {
    cfwConnectionStatService Services,
    cfwConnectionStatType ConnectionStat,
    cfwConnectionStatDescription SnmpAdminString,
    cfwConnectionStatCount Counter32,
    cfwConnectionStatValue Gauge32
    }

cfwConnectionStatService OBJECT-TYPE
    SYNTAX Services
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The identification of the type of connection providing
        statistics."
    ::= { cfwConnectionStatEntry 1 }

cfwConnectionStatType OBJECT-TYPE
    SYNTAX ConnectionStat
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The state of the connections that this row contains
        statistics for."
    ::= { cfwConnectionStatEntry 2 }

cfwConnectionStatDescription OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "A detailed textual description of this statistic."
    ::= { cfwConnectionStatEntry 3 }

cfwConnectionStatCount OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This is an integer that contains the value of the
        resource statistic. If a type of 'gauge' is more
        appropriate this object will be omitted resulting
        in a sparse table."
    ::= { cfwConnectionStatEntry 4 }

cfwConnectionStatValue OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This is an integer that contains the value of the
        resource statistic. If a type of 'counter' is more
        appropriate this object will be omitted resulting
        in a sparse table."
    ::= { cfwConnectionStatEntry 5 }


-- Notifications

ciscoFirewallMIBNotificationPrefix OBJECT IDENTIFIER ::=
    { ciscoFirewallMIB 2 }
ciscoFirewallMIBNotifications OBJECT IDENTIFIER ::=
    { ciscoFirewallMIBNotificationPrefix 0 }

cfwSecurityNotification NOTIFICATION-TYPE
    OBJECTS {
        cfwBasicEventTime,
        cfwBasicSecurityEventType,
        cfwBasicEventDescription,
        cfwBasicEventDetailsTableRow
    }
    STATUS current
    DESCRIPTION
        "This notification is used for events involving security
        events. The included objects provide more detailed
        information about the event."
    ::= { ciscoFirewallMIBNotifications 2 }

cfwContentInspectNotification NOTIFICATION-TYPE
    OBJECTS {
        cfwBasicEventTime,
        cfwBasicContentInspEventType,
        cfwBasicEventDescription,
        cfwBasicEventDetailsTableRow
    }
    STATUS current
    DESCRIPTION
        "This notification is used to notify the NMS of content
        inspection events. The included objects provide more
        detailed information about the event."
    ::= { ciscoFirewallMIBNotifications 3 }

cfwConnNotification NOTIFICATION-TYPE
    OBJECTS {
        cfwBasicEventTime,
        cfwBasicConnectionEventType,
        cfwBasicEventDescription,
        cfwBasicEventDetailsTableRow
    }
    STATUS current
    DESCRIPTION
        "This notification is used to notify the NMS of
        connection-oriented events. The included objects provide
        more detailed information about the event."
    ::= { ciscoFirewallMIBNotifications 4 }

cfwAccessNotification NOTIFICATION-TYPE
    OBJECTS {
        cfwBasicEventTime,
        cfwBasicAccessEventType,
        cfwBasicEventDescription,
        cfwBasicEventDetailsTableRow
    }
    STATUS current
    DESCRIPTION
        "This notification is used to notify the NMS of access
        events. The included objects provide more detailed
        information about the event."
    ::= { ciscoFirewallMIBNotifications 5 }

cfwAuthNotification NOTIFICATION-TYPE
    OBJECTS {
        cfwBasicEventTime,
        cfwBasicAuthenticationEventType,
        cfwBasicEventDescription,
        cfwBasicEventDetailsTableRow
    }
    STATUS current
    DESCRIPTION
        "This notification is used to notify the NMS of
        authentication events. The included objects provide
        more detailed information about the event."
    ::= { ciscoFirewallMIBNotifications 6 }

cfwGenericNotification NOTIFICATION-TYPE
    OBJECTS {
        cfwBasicEventTime,
        cfwBasicGenericEventType,
        cfwBasicEventDescription,
        cfwBasicEventDetailsTableRow
    }
    STATUS current
    DESCRIPTION
        "This notification is used to notify the NMS of events
        that do not fall into the other categories. The included
        objects provide more detailed information about the event."
    ::= { ciscoFirewallMIBNotifications 7 }


-- Conformance

ciscoFirewallMIBConformance OBJECT IDENTIFIER ::= { ciscoFirewallMIB 3 }
ciscoFirewallMIBCompliances OBJECT IDENTIFIER ::=
    { ciscoFirewallMIBConformance 1 }
ciscoFirewallMIBGroups OBJECT IDENTIFIER ::=
    { ciscoFirewallMIBConformance 2 }

-- Conformance

ciscoFirewallMIBCompliance MODULE-COMPLIANCE
    STATUS deprecated
    DESCRIPTION
        "The compliance statement for entities which implement
        the Cisco FirewallMIB."
    MODULE -- this module
        MANDATORY-GROUPS { ciscoFirewallMIBStatisticsGroup }
    ::= { ciscoFirewallMIBCompliances 1 }

ciscoFirewallMIBComplianceRev1 MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "The compliance statement for entities which implement
        the Cisco FirewallMIB."
    MODULE -- this module
        MANDATORY-GROUPS { ciscoFirewallMIBStatisticsGroup }

        GROUP ciscoFirewallMIBEventsGroup
        DESCRIPTION
            "Implementation of these objects is not required."
        GROUP ciscoFirewallMIBNotificationGroupRev1
        DESCRIPTION
            "Implementation of these notifications is not required."

    ::= { ciscoFirewallMIBCompliances 2 }

-- Units of Conformance

ciscoFirewallMIBEventsGroup OBJECT-GROUP
    OBJECTS {
        cfwBasicEventsTableLastRow,
        cfwBasicEventTime,
        cfwBasicSecurityEventType,
        cfwBasicContentInspEventType,
        cfwBasicConnectionEventType,
        cfwBasicAccessEventType,
        cfwBasicAuthenticationEventType,
        cfwBasicGenericEventType,
        cfwBasicEventDescription,
        cfwBasicEventDetailsTableRow,
        cfwNetEventsTableLastRow,
        cfwNetEventInterface,
        cfwNetEventSrcIpAddress,
        cfwNetEventInsideSrcIpAddress,
        cfwNetEventDstIpAddress,
        cfwNetEventInsideDstIpAddress,
        cfwNetEventSrcIpPort,
        cfwNetEventInsideSrcIpPort,
        cfwNetEventDstIpPort,
        cfwNetEventInsideDstIpPort,
        cfwNetEventService,
        cfwNetEventServiceInformation,
        cfwNetEventIdentity,
        cfwNetEventDescription
    }
    STATUS current
    DESCRIPTION
        "Firewall events"
    ::= { ciscoFirewallMIBGroups 1 }

ciscoFirewallMIBStatisticsGroup OBJECT-GROUP
    OBJECTS {
        cfwHardwareInformation,
        cfwHardwareStatusValue,
        cfwHardwareStatusDetail,
        cfwBufferStatInformation,
        cfwBufferStatValue,
        cfwConnectionStatDescription,
        cfwConnectionStatCount,
        cfwConnectionStatValue
    }
    STATUS current
    DESCRIPTION
        "Firewall statistics"
    ::= { ciscoFirewallMIBGroups 2 }

ciscoFirewallMIBNotificationGroup OBJECT-GROUP
    OBJECTS {
        cfwBasicEventTime,
        cfwBasicSecurityEventType,
        cfwBasicContentInspEventType,
        cfwBasicConnectionEventType,
        cfwBasicAccessEventType,
        cfwBasicAuthenticationEventType,
        cfwBasicGenericEventType,
        cfwBasicEventDescription,
        cfwBasicEventDetailsTableRow
    }
    STATUS obsolete
    DESCRIPTION
        "Firewall Notifications"
    ::= { ciscoFirewallMIBGroups 3 }

ciscoFirewallMIBNotificationGroupRev1 NOTIFICATION-GROUP
    NOTIFICATIONS {
        cfwSecurityNotification,
        cfwContentInspectNotification,
        cfwConnNotification,
        cfwAccessNotification,
        cfwAuthNotification,
        cfwGenericNotification
    }
    STATUS current
    DESCRIPTION
        "Firewall Notifications"
    ::= { ciscoFirewallMIBGroups 4 }

END
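
The following is an added example, not part of the MIB module or of any Cisco tooling: a monitoring-side decoder that names the six notifications from a received snmpTrapOID and groups a walk of cfwConnectionStatTable into rows, handling the sparse Count/Value columns. It assumes ciscoMgmt is 1.3.6.1.4.1.9.9 (from CISCO-SMI, which is not shown here); the helper names and the sample walk are constructed for illustration.

```python
# Added example. ciscoMgmt = 1.3.6.1.4.1.9.9 comes from CISCO-SMI (assumed,
# not on this page); the remaining arcs follow this module's assignments.
CISCO_FIREWALL_MIB = (1, 3, 6, 1, 4, 1, 9, 9, 147)
# ciscoFirewallMIBObjects(1).cfwSystem(2).cfwStatistics(2).table(2).entry(1)
CONN_STAT_ENTRY = CISCO_FIREWALL_MIB + (1, 2, 2, 2, 1)
COLUMNS = {3: "description", 4: "count", 5: "value"}
# ciscoFirewallMIBNotificationPrefix(2).ciscoFirewallMIBNotifications(0)
NOTIFICATIONS = CISCO_FIREWALL_MIB + (2, 0)
NOTIFICATION_NAMES = {
    2: "cfwSecurityNotification", 3: "cfwContentInspectNotification",
    4: "cfwConnNotification", 5: "cfwAccessNotification",
    6: "cfwAuthNotification", 7: "cfwGenericNotification",
}

def parse_oid(text):
    return tuple(int(part) for part in text.strip(".").split("."))

def notification_name(trap_oid):
    """Name for a snmpTrapOID value, or None if this module does not define it."""
    oid = parse_oid(trap_oid)
    if oid[:-1] != NOTIFICATIONS:
        return None
    return NOTIFICATION_NAMES.get(oid[-1])

def decode_conn_stats(varbinds):
    """Group (oid, value) pairs from a walk into rows keyed by (service, type)."""
    rows, n = {}, len(CONN_STAT_ENTRY)
    for oid_text, value in varbinds:
        oid = parse_oid(oid_text)
        # Instance OID = entry . column . cfwConnectionStatService . cfwConnectionStatType
        if oid[:n] != CONN_STAT_ENTRY or len(oid) != n + 3 or oid[n] not in COLUMNS:
            continue
        rows.setdefault((oid[n + 1], oid[n + 2]), {})[COLUMNS[oid[n]]] = value
    return rows

def reading(row):
    """Sparse table: each row has cfwConnectionStatCount or cfwConnectionStatValue."""
    for kind, key in (("gauge", "value"), ("counter", "count")):
        if key in row:
            return (kind, row[key])
    return (None, None)

# Constructed walk output; index and data values are made up for illustration.
SAMPLE_WALK = [
    ("1.3.6.1.4.1.9.9.147.1.2.2.2.1.3.40.6", "connections currently in use"),
    ("1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.6", 1523),
    ("1.3.6.1.4.1.9.9.147.1.2.2.2.1.4.5.2", 42),
    ("1.3.6.1.2.1.1.3.0", 123456),  # sysUpTime.0, not part of the table
]
```

A Counter32 reading is only meaningful as the difference between two polls, so alert on deltas for "counter" rows and on absolute thresholds for "gauge" rows.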