Precautions for using SNMP on the firewall


Precautions for using firewall SNMP:
• When adding users to an SNMP group, local users are not recommended. Instead, it is recommended that Authentication, Authorization, Accounting (AAA) users on the RADIUS server and Huawei Terminal Access Controller Access Control System (HWTACACS) server be used for verification.
• When the MIB browser or NMS interworks with the firewall, it is recommended that SNMPv2c or SNMPv3 be used to ensure that the MIB browser or NMS can read MIB information from the firewall properly.
• SNMPv3 is recommended because it outperforms SNMPv1 and SNMPv2c in security.

Other related questions:
Roles of SNMP on the firewall
Simple Network Management Protocol (SNMP) has three roles.
• Network management system (NMS): The NMS sends all types of query packets to managed devices and receives alarms sent from managed devices.
• Agent: The agent is a process that resides on managed devices. The functions of the agent are as follows: The agent receives and parses query packets sent from the NMS. The agent reads or writes management variables based on the packet type, and generates and returns response packets to the NMS. Based on the alarm conditions defined on each protocol module, when alarm conditions are met, for example, entry to or exit from the system view or device restart, the corresponding module actively sends an alarm of such events to the NMS through the agent.
• Managed device: Managed devices are managed by the NMS, and generate and report alarms.

Questions about using Raman boards
Question: Issues are likely to occur on Raman boards during deployment or maintenance. Most of them are caused by customer lines and can be resolved by cleaning the optical path, replacing the ODF connectors, or fiber splicing. The following are some examples of questions from customers and Huawei engineers:
1. Why is the maximum gain different before and after the RAU replacement for the same link?
2. Under certain conditions, the customer lines cannot be rectified in a short time. The actual maximum gain of the Raman board is only 5 dB or 6 dB (stable), whereas the system stability is excellent. Will the system run stably in this condition for a long time? Are there any pigtail burning risks?
3. The Raman lasers were closed before line operations, but the pigtails of some sites are still burned. Why can mechanisms such as IPA or return loss detection not avoid fiber burning?
Answer:
1. Why is the maximum gain different before and after the RAU replacement for the same link?
Answer: The actual gain of the RAU is closely related to fiber quality. Operators might contaminate the end faces of the pigtails or the Line port of the RAU, resulting in different end face conditions before and after the replacement and therefore a different maximum gain of the RAU board. Fiber quality indicators include:
a. Whether the insertion loss of long fibers is normal.
b. Whether there are points of insertion loss change (detectable by OTDR meters).
c. Whether the end faces of the fibers at connection points within 20 km of the near end have been burned (fiber splicing needed) or are dirty (cleaning needed). Fiber end face microscopes can be used to observe whether the end faces are clean (for detailed instructions, see the RAU Deployment Guide).
d. Whether the pigtails at the near end have a bend radius of less than 3 cm.
2. Under certain conditions, the customer lines cannot be rectified in a short time. The actual maximum gain of the Raman board is only 5 dB or 6 dB (stable), whereas the system stability is excellent. Will the system run stably in this condition for a long time? Are there any pigtail burning risks?
Answer: No long-term testing has been carried out in Huawei R&D labs. If the actual maximum gain of the Raman board is only 5 dB or 6 dB (stable), Huawei cannot fully guarantee long-term stable running. Because the reverse output power of Raman boards is extremely high, even slight abnormalities at the near end can prevent the Raman amplifiers from reaching the standard maximum gain. As a result, the system may not be able to run stably in the long term, leaving potential risks for future maintenance. Therefore, customers are advised to rectify the optical fibers.
3. The Raman lasers were closed before line operations, but the pigtails of some sites are still burned. Why can mechanisms such as IPA or return loss detection not avoid fiber burning?
Answer: Return loss detection cannot avoid fiber burning 100% of the time. Instead, it lowers the probability of fiber burning. The optical mechanism of return loss detection is as follows: detection light with lower power is used so that no fiber burning occurs when the laser is turned on, and part of the detection light is reflected back to the Raman module when it reaches the end face. The Raman module uses the ratio between the power of the detection light and the reflected light (return loss) to determine whether the end face is normal. However, in actual situations, even when the end face is already dirty, there is a low probability that the measured return loss is still normal due to random reflection angles; the Raman laser is then turned on and the fibers are burned. To avoid these issues, customers should be notified of the risks and requirements of Raman boards in advance. If abnormal line attenuation occurs, customers should be encouraged to use fiber splicing to handle it.

Restrictions and precautions for using OSPF
Restrictions and precautions for using OSPF are as follows: To establish an OSPF neighbor relationship, devices need to exchange DD packets. DD packets are OSPF unicast packets. By default, OSPF unicast packets are forwarded under the control of security policies. Therefore, you need to configure a security policy on the FW to permit OSPF packets between the Local zone and the security zone where the neighboring device resides. Otherwise, the OSPF neighbor relationship fails to be established. Alternatively, you can run the undo firewall packet-filter basic-protocol enable command to disable security policy control over OSPF unicast packets. After that, the firewall forwards OSPF unicast packets directly, even if a security policy whose action is deny is configured, so the security policy no longer constrains OSPF traffic.
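As an added illustration (not taken from the original page), the two options described above side by side: an explicit security policy that permits only OSPF between the Local zone and the neighbor's zone, and the bypass command. The security-policy rule syntax, the zone name trust and the predefined service name ospf are assumptions about the Huawei USG command tree; the undo command is the one quoted above, and the lines starting with # are annotations, not commands.

```text
# Recommended: permit only OSPF between the Local zone and the neighbor's
# zone (assumed to be named "trust"). One rule per direction, because both
# neighbors send DD packets. Rule syntax and the "ospf" service name are
# assumptions about the USG security-policy view.
security-policy
 rule name permit_ospf_local_to_trust
  source-zone local
  destination-zone trust
  service ospf
  action permit
 rule name permit_ospf_trust_to_local
  source-zone trust
  destination-zone local
  service ospf
  action permit

# Not recommended: take OSPF unicast packets out of security-policy control
# (command from this page). OSPF unicast is then forwarded even when a deny
# policy matches it, so the policy no longer constrains OSPF traffic.
undo firewall packet-filter basic-protocol enable
```

With the explicit rules in place the bypass command is unnecessary, and any unexpected OSPF traffic from other zones still hits the default deny and shows up in the policy logs.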
