Technical Tip: FortiGate responds to SNMP queries from non-notified hosts
Description
This article describes why FortiGate responds to SNMP queries from non-notified hosts.
Solution
On FortiGate, the SNMPv3 'notify-hosts' setting ONLY affects which hosts SNMPv3 notifications are sent to.
Instead, if authentication is needed, use the security-level setting (default: no-auth-no-priv):
# config system snmp user
    edit "test-snmp"
        set security-level ?

security-level: Security level for message authentication and encryption.
no-auth-no-priv: Message with no authentication and no privacy (encryption).
auth-no-priv: Message with authentication but no privacy (encryption).
auth-priv: Message with authentication and privacy (encryption).
For example, if only authentication is needed, try:
# config system snmp user
    edit "test-snmp"
        set security-level auth-no-priv
        set auth-proto sha
        set auth-pwd password
    next
end

Once configured, the SNMP Manager has to query with the correct authentication credentials.
Otherwise, the SNMP server will not respond to the query and will report an error like the following:
snmpd: usm recv parse: Message authentication or checking failed! user=test-user errno=-44
snmpd: v3 recv: parse failed. errno=-44 (USM authentication failure)
Explanation
The SNMPv3 'notify-hosts' setting ONLY affects which hosts SNMPv3 notifications (traps) are sent to. It does not affect hosts that send SNMP queries, so FortiGate responds to a query whenever the authentication matches.
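To check a configuration for the situation described above, the following added example (not Fortinet's code and not part of the original article) lists SNMPv3 users left at the default security-level, including those that only have notify-hosts set. The sample configuration is constructed, the function names are hypothetical, and the script assumes a configuration backup omits settings left at their default.

```python
import re

# Constructed sample of a FortiGate configuration backup (not from the article).
SAMPLE_CONFIG = '''\
config system snmp user
    edit "test-snmp"
        set notify-hosts 192.0.2.10
    next
    edit "monitor-auth"
        set notify-hosts 192.0.2.10
        set security-level auth-no-priv
    next
end
config system snmp sysinfo
    set status enable
end
'''

DEFAULT_LEVEL = "no-auth-no-priv"  # default stated in the article


def snmp_user_levels(config_text):
    """Return {user: {"level": str, "notify_hosts": bool}} per SNMPv3 user."""
    users, in_block, current = {}, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system snmp user":
            in_block = True
        elif in_block and line == "end":
            in_block = False
        elif in_block and (m := re.match(r'edit "?([^"]+)"?$', line)):
            current = m.group(1)
            # Assumption: an absent security-level line means the default applies.
            users[current] = {"level": DEFAULT_LEVEL, "notify_hosts": False}
        elif in_block and current and line.startswith("set security-level "):
            users[current]["level"] = line.split()[2]
        elif in_block and current and line.startswith("set notify-hosts "):
            users[current]["notify_hosts"] = True
    return users


def unauthenticated_users(config_text):
    """Users whose queries are answered without authentication."""
    return sorted(name for name, v in snmp_user_levels(config_text).items()
                  if v["level"] == DEFAULT_LEVEL)


if __name__ == "__main__":
    for name in unauthenticated_users(SAMPLE_CONFIG):
        print(f"{name}: {DEFAULT_LEVEL}; notify-hosts does not limit queries")
```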
