5.9 Ensure SNMP is set to OOB management only

Information

SNMP should only be configured on Out of Band management interfaces.

Rationale:

By default, the SNMP service listens for incoming connections on every interface that has an IP address configured, exposing SNMP to users on all networks through which the router is reachable.

In higher-security environments, management services such as SNMPv3 should be restricted so that they are reachable only through the Out of Band management port, which is available on most JUNOS platforms.

The name of the Out of Band Management port varies considerably between platforms, typically:

fxp[0-9] on most routing platforms and SRX firewalls

me[0-9] on most EX and some QFX switches

em[0-9] on some EX and QFX switches

jmgmt0 on NFX platforms

NOTE: SNMP does not appear to be configured on the target. This check is not applicable.

Solution

To restrict SNMP to the required interfaces, issue the following command from the [edit snmp] hierarchy:

[edit snmp]
user@host# set interface <interface or interface list>

To delete an existing interface from the list, issue the following command from the [edit snmp] hierarchy:

[edit snmp]
user@host# delete interface <interface>
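The following audit script is an added example and is not part of the CIS benchmark, the Tenable plugin, or Juniper's software. It implements the check described above over the set-format output of `show configuration snmp | display set`: if no SNMP stanza exists the check is reported as not applicable (matching the NOTE above), if SNMP is configured without an `interface` statement it fails because SNMP then listens on every IP-bearing interface, and otherwise every listed interface must match one of the OOB management port names given in the Rationale (fxp[0-9], me[0-9], em[0-9], jmgmt0). The function name `snmp_interface_finding` and the sample configurations are constructed for this example.

```python
import re

# OOB management interface names taken from the benchmark text; a logical unit
# suffix such as ".0" is permitted because SNMP binds to logical interfaces.
OOB_INTERFACE_RE = re.compile(r"^(fxp[0-9]|me[0-9]|em[0-9]|jmgmt0)(\.[0-9]+)?$")


def snmp_interface_finding(display_set_config: str) -> dict:
    """Evaluate set-format Junos configuration text against check 5.9.

    Returns a dict with:
      status:     'not_applicable' (no SNMP stanza), 'pass', or 'fail'
      interfaces: interfaces SNMP is bound to (empty list means all interfaces)
      non_oob:    listed interfaces that are not OOB management ports
    """
    lines = [line.strip() for line in display_set_config.splitlines() if line.strip()]
    snmp_lines = [line for line in lines if line.startswith("set snmp ")]
    if not snmp_lines:
        # No SNMP configuration at all: the control does not apply.
        return {"status": "not_applicable", "interfaces": [], "non_oob": []}

    # '| display set' emits one 'set snmp interface <name>' line per list member.
    interfaces = []
    for line in snmp_lines:
        match = re.match(r"^set snmp interface (\S+)$", line)
        if match:
            interfaces.append(match.group(1))

    if not interfaces:
        # SNMP is configured but not restricted: it listens on every interface.
        return {"status": "fail", "interfaces": [], "non_oob": []}

    non_oob = [name for name in interfaces if not OOB_INTERFACE_RE.match(name)]
    return {
        "status": "pass" if not non_oob else "fail",
        "interfaces": interfaces,
        "non_oob": non_oob,
    }


# Constructed sample configurations (not captured from a real device).
SAMPLE_CONFIGS = {
    "no_snmp": "set system host-name r1\n",
    "snmp_all_interfaces": (
        "set system host-name r1\n"
        "set snmp community monitor authorization read-only\n"
    ),
    "snmp_oob_only": (
        "set snmp interface fxp0.0\n"
        "set snmp community monitor authorization read-only\n"
    ),
    "snmp_mixed": (
        "set snmp interface fxp0.0\n"
        "set snmp interface ge-0/0/0.0\n"
        "set snmp community monitor authorization read-only\n"
    ),
}


if __name__ == "__main__":
    for label, config in SAMPLE_CONFIGS.items():
        print(label, snmp_interface_finding(config))
```

Feed the script the saved output of `show configuration snmp | display set` from each device; any result with status `fail` and a non-empty `non_oob` list names the interfaces that need to be deleted from the `[edit snmp]` interface list, while an empty `interfaces` list on a `fail` means the `interface` statement is missing entirely.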

Default Value:

By default SNMP, when configured, is accessible over all configured interfaces.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(15), CSCv7|11.7

Plugin: Juniper

Control ID: 9cb7b2c4c07a8276a2b1574fecb0b784e2b4c1cc34b9db4241c4df18be8beb7a