Tavve zoneranger User Manual page 63

Each verified SNMP trap will be compared to the set of all configured Forwarding Rules. If the
SNMP trap meets the conditions of a Forwarding Rule, the SNMP trap is securely sent to the
corresponding Ranger Gateway to be ultimately sent to the Destination Host and Port as configured
in that specific Forwarding Rule. An SNMP trap may match multiple Forwarding Rules, even to
the same Ranger Gateway. In that case the trap will be forwarded multiple times, unless the
ZoneRangers which are forwarding the traps have the same group name, in which case the traps
will be deduplicated.
After a trap has passed a Forwarding Rule, the trap may also be configured to be converted to an
SNMPv1 or SNMPv2c trap. If an SNMPv3 or SNMPv2c inform is received and it is to be forwarded as
SNMPv1, it will be converted to a trap. In this case, the ZoneRanger will respond to the originating
device with an appropriate response after forwarding the trap.
The ZoneRanger is only able to process an incoming SNMPv3 Inform if there is a configured
SNMPv3 user or the Inform is using noAuthNoPriv Security Level. When the ZoneRanger is able
to process an incoming SNMPv3 Inform, the ZoneRanger will convert the Inform to an SNMPv3
Trap, forward the trap based on any configured forwarding rules, and respond to the client that the
Inform was received. ZoneRanger can forward SNMPv3 traps which use any Security Level
regardless of whether or not there is a configured SNMPv3 user.
There are some limitations when SNMPv3 users are not configured for SNMPv3 traps and informs:
1. Encrypted notifications will not match any trap filters using properties of the PDU with the
exception of version.
2. The ZoneRanger will not return responses to the client when it receives an SNMPv3 Inform.
3. Duplicate encrypted notifications will not be discarded on the Ranger Gateway.
Syslog Forwarding
ZoneRanger has the capability to receive Syslog messages from managed devices and forward those
messages through a Ranger Gateway to another application. When a Syslog message is received
by ZoneRanger, the message is inspected to determine whether or not it is syntactically correct.
If the message does not meet the RFC definition of a correctly formatted Syslog message, it
will be discarded. If the Syslog message is verified to be syntactically correct, it will be processed
by the ZoneRanger forwarding service.
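A pre-flight check for device output, as an added example that is not part of the Tavve manual or of ZoneRanger itself. The manual does not say which RFC ZoneRanger enforces or how strictly, so this sketch assumes strict RFC 3164 and RFC 5424 header syntax; `classify` and the sample datagrams are constructed for illustration.

```python
import re

# PRI is "<" + 1-3 digits + ">"; value = facility*8 + severity, so at most 191.
PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 5424: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^1 (-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?(Z|[+-]\d{2}:\d{2}))"
    r" \S{1,255} \S{1,48} \S{1,128} \S{1,32} (-|\[.*\])( .*)?$", re.S)
# RFC 3164: "Mmm dd hh:mm:ss" (single-digit day is space-padded), then HOSTNAME.
RFC3164_RE = re.compile(
    r"^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) ( \d|\d{2})"
    r" \d{2}:\d{2}:\d{2} \S+ ")

def classify(datagram: bytes) -> str:
    """Return 'rfc5424', 'rfc3164' or 'invalid: <reason>' for one datagram."""
    try:
        text = datagram.decode("utf-8")
    except UnicodeDecodeError:
        return "invalid: not UTF-8"
    m = PRI_RE.match(text)
    if not m:
        return "invalid: missing or malformed PRI"
    pri = m.group(1)
    # Both RFCs forbid leading zeros and values above 191.
    if int(pri) > 191 or (len(pri) > 1 and pri[0] == "0"):
        return "invalid: bad PRI value"
    rest = text[m.end():]
    if RFC5424_RE.match(rest):
        return "rfc5424"
    if RFC3164_RE.match(rest):
        return "rfc3164"
    return "invalid: header matches neither RFC"

# Constructed sample datagrams (not captured from any real device).
SAMPLES = [
    b"<34>1 2003-10-11T22:14:15.003Z host.example.com su - ID47 - su failed",
    b"<34>Oct 11 22:14:15 host su: su failed",
    b"Oct 11 22:14:15 host su: no priority field",
    b"<999>Oct 11 22:14:15 host su: priority too large",
    b"<13>free text with no header",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):40} {s!r}")
```

Running this against a capture of a device's syslog output before adding a forwarding rule shows which messages a strict syntax check would drop.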
Syslog filters may be used to further refine the forwarding of messages within a particular syslog
forwarding rule. When configuring a syslog type Forwarding Rule, the Edit button allows for the
syslog filter specification. ZoneRanger has the ability to specially process syslog messages sent
from Cisco devices (Cisco Syslog). Specific syslog filters may be created related to Cisco syslog
messages. The following conditions may be used in the creation of syslog filter specification:
Condition    Description

ZoneRanger 5.5 User's Guide    63