-- ***************************************************************** -- SONICWALL-FIREWALL-TRAP -- -- February 2001, Initial Version, Susan Yan -- June 2002, Add new trap type, Susan Yan -- Apr 2003, Add new trap type, Susan Yan -- May 2003, Add new trap type, Susan Yan -- Sep 2003, Add new trap group and type, Susan Yan -- Sep 2003, Add new trap group, Susan Yan -- Jan 2004, Add new trap type, Susan Yan -- -- Version: Enhanced v1.3 -- -- Copyright (c) 2001 - 2004 by SonicWall, Inc. -- All rights reserved. -- ***************************************************************** SONICWALL-FIREWALL-TRAP-MIB DEFINITIONS ::= BEGIN IMPORTS DisplayString, TEXTUAL-CONVENTION FROM SNMPv2-TC IpAddress, snmpModules, OBJECT-TYPE, NOTIFICATION-TYPE, MODULE-IDENTITY FROM SNMPv2-SMI sonicwallFw FROM SONICWALL-SMI; sonicwallFwTrapModule MODULE-IDENTITY LAST-UPDATED "200401030000Z" ORGANIZATION "SonicWall, Inc." CONTACT-INFO " SonicWall Inc. Postal: 1143 Borregas Avenue Sunnyvale, CA 94089 USA Tel: +1 408 745 9600 Fax: +1 408 745 9300 E-mail: product@sonicwall.com" DESCRIPTION "The MIB Module for SonicWALL Firewall Trap." REVISION "200401030000 DESCRIPTION "Add new trap type." ::= { sonicwallFw 1 } -- ********************************************************************* -- Standard Traps -- ********************************************************************* snmpTraps OBJECT IDENTIFIER ::= {snmpModules 1 1 5 } coldStart NOTIFICATION-TYPE STATUS current DESCRIPTION "This trap signifies that the SonicWALL appliance is re-initializing itself such that the agent's configuration or the appliance itself implementation may be altered. " ::= { snmpTraps 1 } warmStart NOTIFICATION-TYPE STATUS current DESCRIPTION "This trap signifies that the SonicWALL appliance is re-initializing itself such that neither the agent configuration nor the appliance implementation is altered. " ::= { snmpTraps 2 } authenticationFailure NOTIFICATION-TYPE STATUS current DESCRIPTION "This trap signifies that the SonicWALL appliance is the addressee of a protocol message that is not properly authenticated. " ::= { snmpTraps 5 } -- ********************************************************************* -- Type define -- ********************************************************************* MacAddress ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "ethernet address." SYNTAX OCTET STRING (SIZE (6)) FwTrapType ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "Trap type of firewall. The type have 4 digitals, ABCD. AB represent trap catalog, CD represent trap type in the catalog." SYNTAX INTEGER { -- =========== System Environment====================================== trapTypeSysEnvVoltageFail (101), -- Voltages Out of Tolerance trapTypeSysEnvFanFail (102), -- Fan Failure trapTypeSysEnvTempYellow (103), -- Thermal Yellow trapTypeSysEnvTempRed (104), -- Thermal Red trapTypeSysEnvTempRedExceed (105), -- Thermal Red Timer Exceeded -- =========== Attack ================================================= trapTypePingOfDeathBlocked (501), -- Ping of death blocked trapTypeIPSpoofDetected (502), -- IP spoof detected trapTypePossibleSynFlood (503), -- Possible SYN flood attack trapTypeProbableSynFlood (504), -- Probable SYN flood attack trapTypeLandAttack (505), -- Land Attack Dropped trapTypeAttemptedAdminLoginFromWAN (506), -- Attempted administrator login from WAN trapTypeLogUnknownSpi (507), -- Unknown IPSec SPI trapTypeLogIpsecAuthFailure (508), -- IPSec Authentication Failed trapTypeLogIpsecDecryptFailure (509), -- IPSec Decryption Failed trapTypeLogIllegalIpsecPeer (510), -- IPSec packet from or to an illegal host trapTypeNetBusDropped (511), -- NetBus Attack Dropped trapTypeBackOrificeDropped (512), -- Back Orifice Attack Dropped trapTypeNetSpyDropped (513), -- Net Spy Attack Dropped trapTypeSub7Dropped (514), -- Sub Seven Attack Dropped trapTypeRipperDropped (515), -- Ripper Attack Dropped trapTypeStrikerDropped (516), -- Striker Attack Dropped trapTypeSennaSpyDropped (517), -- Senna Spy Attack Dropped trapTypePriorityDropped (518), -- Priority Attack Dropped trapTypeIniKillerDropped (519), -- Ini Killer Attack Dropped trapTypeSmurfDropped (520), -- Smurf Amplification Attack Dropped trapTypePortScanPossible (521), -- Possible Port Scan trapTypePortScanProbable (522), -- Probable Port Scan trapTypeLogIkeProposalReject (523), -- IKE Responder: IPSec proposal not acceptable trapTypeAVReceivedAlert (524), -- Received AV Alert trapTypeLogAddTest (525), -- Add an attack message trapTypeAVExpiredMsg (526), -- Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. trapTypeForbiddenAttachment (527), -- Forbidden E-mail attachment altered trapTypeTcpFinScanDropped (528), -- Probable TCP FIN scan trapTypeTcpXmasScanDropped (529), -- Probable TCP XMAS scan trapTypeTcpNullScanDropped (530), -- Probable TCP NULL scan trapTypeReplayDetected (531), -- IPSEC Replay Detected trapTypeFakeCertFound (532), -- Fraudulent Microsoft Certificate Blocked trapTypeDhcpRelayIpSpoof (533), -- IP spoof detected on packet to Central Gateway, packet dropped trapTypeForbiddenAttDeleted (534), -- Forbidden E-mail attachment deleted trapTypeIkeProposalBadMode (535), -- IKE Responder: Mode %d - not tunnel mode trapTypeIkeProposalPhase1IdMismatch (536), -- IKE Responder: No matching Phase 1 ID found for proposed remote network trapTypeIkeProposalBadZeroRemAddr (537), -- IKE Responder: Proposed remote network is 0.0.0.0 but not DHCP relay nor default route trapTypeIkeProposalNoRemNetMatch (538), -- IKE Responder: No match for proposed remote network address trapTypeIkeProposalAddrWithDefGw (539), -- IKE Responder: Default LAN gateway is set but peer is not proposing to use this SA as his default route trapTypeIkeProposalOutsideNotNatPub (540), -- IKE Responder: Tunnel terminates outside firewall but proposed local network is not NAT public address trapTypeIkeProposalInsideNotLanDmz (541), -- IKE Responder: Tunnel terminates inside firewall but proposed local network is not on LAN or DMZ trapTypeIkeProposalLanAddrOnDmz (542), -- IKE Responder: Tunnel terminates on DMZ but proposed local network is on LAN trapTypeIkeProposalDmzAddrOnLan (543), -- IKE Responder: Tunnel terminates on LAN but proposed local network is on DMZ trapTypeIkeProposalAhPfsMismatch (544), -- IKE Responder: AH Perfect Forward Secrecy mismatch trapTypeIkeProposalEspPfsMismatch (545), -- IKE Responder: ESP Perfect Forward Secrecy mismatch trapTypeIkeProposalAlgKeyMismatch (546), -- IKE Responder: Algorithms and/or keys do not match trapTypeTcpXmasTreeDropped (547), -- TCP Xmas Tree Blocked trapTypeIkeProposalOutsideRemNotNatPub (548), -- Tunnel terminates outside firewall but proposed remote network is not NAT public address trapTypeIkeProposalBadZeroLocAddr (549), -- IKE Responder: Proposed local network is 0.0.0.0 but SA has no LAN Default Gateway trapTypeDroppedMsgPartial (550), -- E-Mail fragment dropped trapTypeFtpPasvRspSpoof (551), -- FTP: PASV response spoof attack dropped trapTypeAVExpirationWarningMsg (552), -- Received AV Alert: Your SonicWALL Network Anti-Virus subscription will expire in 7 days. trapTypeIkeProposalAddrWithOutDefGw (553), -- IKE Responder: Default LAN gateway is not set but peer is proposing to use this SA as a default route. trapTypeMalformedIpPacket (554), -- Malformed IP packet dropped. trapTypeFtpPortBounceAttack (555), -- FTP: PORT bounce attack dropped. trapTypeFtpPasvBounceAttack (556), -- FTP: PASV response bounce attack dropped. trapTypeFtpDataPort (557), -- FTP: Data connection from non default port dropped trapTypeTcpSynFinDropped (558), -- TCP Syn/Fin packet dropped trapTypeUserLoginDisabled (559), -- User login not enabled from %s trapTypeWrongAdminPasswd (560), -- Administrator login denied trapTypeUserLoginLockout (561), -- User login failure rate exceeded - logins from user IP address denied trapTypeCFSExpirationWarningMsg (562), -- Received CFS Alert: Your SonicWALL Content Filtering subscription will expire in 7 days. trapTypeCFSExpirationMsg (563), -- Received CFS Alert: Your SonicWALL Content Filtering subscription has expired. trapTypeMafiaExpirationWarningMsg (564), -- Received E-Mail Filter Alert: Your SonicWALL E-Mail Filtering subscription will expire in 7 days. trapTypeMafiaExpirationMsg (565), -- Received E-Mail Filter Alert: Your SonicWALL E-Mail Filtering subscription has expired. trapTypeMaxFailedDials (566), -- Maximum sequential failed dial attempts (10) to a single dial-up number: %s trapType30MinDialDelay (567), -- Regulatory requirements prohibit %s from being re-dialed for 30 minutes trapTypeSpankAttackDropped (568), -- Spank attack multicast packet dropped trapTypeIDPDetectionAlert (569), -- IDP Detection Alert: %s trapTypeIDPPreventionAlert (570), -- IDP Prevention Alert: %s trapTypeIDPExpiredMsg (571), -- Received IDP Alert: Your SonicWALL Intrusion Prevention (IDP) subscription has expired. -- =========== System Errors ================================================= trapTypeLogFull (601), -- Log full; deactivating SonicWALL trapTypeLogProblemLoadingCheckSettings (602), -- Problem loading the Filter list; check Filter settings trapTypeLogProblemLoadingCheckDNS (603), -- Problem loading the Filter list; check your DNS server trapTypeLogProblemEmailingCheckSettings (604), -- Problem sending log email; check log settings trapTypeIllegalLanAddressInUse (605), -- Illegal LAN address in use trapTypeNATCouldntRemap (606), -- NAT could not remap incoming packet trapTypeCacheFull (607), -- The cache is full; %d open connections; some will be dropped trapTypeConnDroppedTooManyIP (608), -- License exceeded: Connection dropped because too many IP addresses are in use on your LAN trapTypeLogOutOfMemory (609), -- Diagnostic Code E trapTypeInternalErr (610), -- Diagnostic Code D trapTypeLogSuspendReboot (611), -- Diagnostic Code A trapTypeLogDeadlockReboot (612), -- Diagnostic Code B trapTypeLogLowMemReboot (613), -- Diagnostic Code C trapTypeHaIdlePrimary (614), -- Primary firewall has transitioned to Idle trapTypeHaMissedHeartbeatPrimary (615), -- Primary missed heartbeats from Active Backup: Primary going Active trapTypeHaMissedHeartbeatBackup (616), -- Backup missed heartbeats from Active Primary: Backup going Active trapTypeHaErrorReceivedPrimary (617), -- Primary received error signal from Active Backup: Primary going Active trapTypeHaErrorReceivedBackup (618), -- Backup received error signal from Active Primary: Backup going Active trapTypeHaBackupPreempt (619), -- Backup firewall being preempted by Primary trapTypeHaPrimaryPreempt (620), -- Primary firewall preempting Backup trapTypeLogHttpServerReboot (621), -- Diagnostic Code F trapTypeBackupActivePreempt (622), -- Backup going Active in preempt mode after reboot trapTypeCflUpdateApplianceNotRegistered (623), -- Problem loading the Filter list; Appliance not registered. trapTypeCflUpdateSubscriptionExpired (624), -- Problem loading the Filter list; Subscription expired. trapTypeCflUpdateErrorTransient (625), -- Problem loading the Filter list; Try loading it again. trapTypeCflUpdateErrorTransientAuto (626), -- Problem loading the Filter list; Retrying later. trapTypeCflUpdateErrorInternal (627), -- Problem loading the Filter list; Flash write failure. trapTypeCflApplianceCflExpired (628), -- The loaded content filter list has expired. trapTypeHaSetError (629), -- Error setting the IP address of the backup, please manually set to backup LAN IP trapTypeHaSyncError (630), -- Error updating HA peer configuration trapTypeCflSubscriptionExpiredEmail (631), -- Content filter subscription expired. trapTypeDhcpRelayTableSyncFailure (632), -- Failed to synchronize Relay IP Table trapTypeBackupLinkDown (633), -- Backup WAN link down, Primary going Active trapTypePrimaryLinkDown (634), -- Primary WAN link down, Backup going Active trapTypeWanLinkDown (635), -- The current WAN interface is not ready to route packets. trapTypeWanIpChange (636), -- Wan IP Changed trapTypeWfoProbeFailed (637), -- Probing failure on %s trapTypeWfoProbeSuccess (638), -- Probing succeeded on %s trapTypeWanModeIs (639), -- The network connection in use is %s trapTypeEtherPortUp (640), -- %s Ethernet Port Up trapTypeEtherPortDown (641), -- %s Ethernet Port Down trapTypeWlanReboot (642), -- Diagnostic Code D trapTypeGlobalVPNClientNotAuthorized (643), -- Global VPN Client connection is not allowed. Appliance is not registered. trapTypeRtcBatteryDead1 (644), -- Real time clock battery failure Time values may be incorrect trapTypeRtcBatteryDead2 (645), -- If not already enabled, enabling NTP is recommended trapTypeMultiIfLinkUp (646), -- Interface %s Link Is Up trapTypeMultiIfLinkDown (647), -- Interface %s Link Is Down trapTypeOlderPrefs (648), -- A prior version of preferences was loaded because the most recent preferences file was inaccessible trapTypePrefsTooBig (649), -- The preferences file is too large to be saved in available flash memory trapTypePrefsDefaulted (650), -- All preference values have been set to factory default values trapTypeWlbFailover (651), -- WLB Failover in progress trapTypeWlbFailback (652), -- WLB Failback initiated by %s trapTypeWlbResourceAvailable (653), -- WLB Resource is now available trapTypeWlbResourceFailed (654), -- WLB Resource failed trapTypeLogStackMarginReboot (655), -- Diagnostic Code G trapTypeLogDeleteReboot (656), -- Diagnostic Code H trapTypeLogDeleteStackReboot (657), -- Diagnostic Code I trapTypeVPNClientLicenseExceeded (658), -- Global VPN Client License Exceeded: Connection denied trapTypeFipsChangeState2Error (659), -- Entering FIPS Error State trapTypeBlockQuickModeWithDefaultKeyId (660), -- Blocked Quick Mode for Client using Default KeyId trapTypeLogProblemAddingL2tpIpPool (661), -- Adding L2TP IP pool Address object Failed trapTypeHaSyncingError (662), -- Error Synchronizing HA Peer Firewall trapTypeHaRebootingError (663), -- Error Rebooting HA Peer Firewall trapTypeHaHaLicenseError (664), -- License of HA pair doesn't match trapTypeHaRebootReceivedPrimary (665), -- Primary received reboot signal from Backup trapTypeHaRebootReceivedBackup (666), -- Backup firewall being preempted by Primary -- =========== Blocked Web Sites ================================================= trapTypeWebSiteBlocked (701), -- Web site blocked trapTypeNewsgroupBlocked (702), -- Newsgroup blocked trapTypeWebSiteAccessed (703), -- Web site accessed trapTypeNewsgroupAccessed (704), -- Newsgroup accessed trapTypeProxyAccessBlocked (705), -- Access to Proxy Server Blocked -- =========== Vpn Tunnel Status ================================================= trapTypeVpnTunnelStatus (801), -- IPSec tunnel status -- =========== WIDS ============================================================== trapTypeWlanRogueAP (901), -- Found Rogue Access Point trapTypeWlanSeqCheck (902), -- wlan sequence number out of order trapTypeWlanAssoFlood (903), -- Association Flood from wlan station trapTypeWlanProbeCheck (904) -- WLAN client null probing } -- **************************** Enterprise Specific Traps Information ******************************* sonicwallFwTrapInfo OBJECT IDENTIFIER ::= {sonicwallFwTrapModule 1} -- ****************************************************************************************** -- -- The swTrapInfoTable -- -- This table contains information that is -- for the basic event on the firewall. -- ****************************************************************************************** swTrapInfoTable OBJECT IDENTIFIER ::= { sonicwallFwTrapInfo 1 } swTrapInfoTrapType OBJECT-TYPE SYNTAX FwTrapType MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "trap type ." ::= { swTrapInfoTable 1 } swTrapInfoTrapDescription OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "The description of the trap. " ::= { swTrapInfoTable 2 } swTrapInfoSrcIpAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "The source ip address. " ::= { swTrapInfoTable 3 } swTrapInfoDstIpAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "The destination ip address. " ::= { swTrapInfoTable 4 } swTrapInfoSrcPort OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "The destination port. " ::= { swTrapInfoTable 5 } swTrapInfoDstPort OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "The destination port. " ::= { swTrapInfoTable 6 } swTrapInfoSrcMacAddress OBJECT-TYPE SYNTAX MacAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "The source MAC address. " ::= { swTrapInfoTable 7 } swTrapInfoDstMacAddress OBJECT-TYPE SYNTAX MacAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "The destination MAC address. " ::= { swTrapInfoTable 8 } swTrapInfoIpType OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "The ip type. " ::= { swTrapInfoTable 9 } swTrapInfoPrivMsg OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "The additional message. " ::= { swTrapInfoTable 10 } swTrapInfoIpAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "The ip address. " ::= { swTrapInfoTable 11 } swTrapInfoSaName OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Name of the SA. " ::= { swTrapInfoTable 12 } swTrapInfoFwSrlNumber OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Serial number of the firewall this trap is coming from. " ::= { swTrapInfoTable 13 } swTrapInfoSaStatus OBJECT-TYPE SYNTAX INTEGER { up (1), down(0) } MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "The status of the IPSec Tunnel. " ::= { swTrapInfoTable 14 } swTrapInfoSrcAddrBegin OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "First address of the local network behind the firewall ( LAN side)." ::= { swTrapInfoTable 15 } swTrapInfoSrcAddrEnd OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Last address of the local network. ( LAN side)." ::= { swTrapInfoTable 16 } swTrapInfoDstAddrBegin OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "First address of the remote network ." ::= { swTrapInfoTable 17 } swTrapInfoDstAddrEnd OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Last address of the remote network." ::= { swTrapInfoTable 18 } swTrapInfoGateway OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Address of the tunnel end point." ::= { swTrapInfoTable 19 } swTrapInfoIsDHCPCentral OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "If the Tunnel is a DHCP Central" ::= { swTrapInfoTable 20 } -- ****************************************************************************************** -- -- sonicwall firewall trap group -- -- This group defines the trap which sonicwall firewall generated -- ****************************************************************************************** sonicwallFwTrapRoot OBJECT IDENTIFIER ::= {sonicwallFwTrapModule 2} swFwTrapAttack NOTIFICATION-TYPE OBJECTS { swTrapInfoTrapType, swTrapInfoTrapDescription } STATUS current DESCRIPTION "This trap indicates that the firewall have detected a attack. The bound objects provide more detailed information about this problem." ::= { sonicwallFwTrapRoot 0 1 } swFwTrapSysError NOTIFICATION-TYPE OBJECTS { swTrapInfoTrapType, swTrapInfoTrapDescription } STATUS current DESCRIPTION "This trap indicates that there is a system problem with the SonicWALL appliance. The bound objects provide more detailed information about this problem." ::= { sonicwallFwTrapRoot 0 2 } swFwTrapBlkWebSite NOTIFICATION-TYPE OBJECTS { swTrapInfoTrapType, swTrapInfoTrapDescription } STATUS current DESCRIPTION "This trap indicates that there is a web site was blocked by the firewall. The bound objects provide more detailed information about this problem." ::= { sonicwallFwTrapRoot 0 3} swFwTrapIpsecTunnel NOTIFICATION-TYPE OBJECTS { swTrapInfoTrapType, swTrapInfoTrapDescription, swTrapInfoSaName, swTrapInfoFwSrlNumber, swTrapInfoSaStatus, swTrapInfoSrcAddrBegin, swTrapInfoSrcAddrEnd, swTrapInfoDstAddrBegin, swTrapInfoDstAddrEnd, swTrapInfoGateway, swTrapInfoIsDHCPCentral } STATUS current DESCRIPTION "This trap indicates that there has bee a change in the IPSec tunnel status along with the parameters required to indentify the tunnel ." ::= { sonicwallFwTrapRoot 0 4} swFwTrapWlanIDS NOTIFICATION-TYPE OBJECTS { swTrapInfoTrapType, swTrapInfoTrapDescription } STATUS current DESCRIPTION "This trap indicates that there is a wireless intrusion detected by the firewall. The bound objects provide more detailed information about this problem." ::= { sonicwallFwTrapRoot 0 5} swFwTrapSysEnv NOTIFICATION-TYPE OBJECTS { swTrapInfoTrapType, swTrapInfoTrapDescription } STATUS current DESCRIPTION "This trap indicates that there is a system environment problem detected by the firewall. The bound objects provide more detailed information about this problem." ::= { sonicwallFwTrapRoot 0 6} END