Coldforest
New Member
November 10, 2020
Question

SNMPv3 Users and usmUserTable Walk


Hello,

   I've enabled the SNMP agent on a FortiGate 60E (v5.6.12) and configured a single SNMPv3 user (w/auth+priv). I can walk the MIB tree from another system via SNMPv3 and this user. However, the MIB tree view appears to exclude the SNMP-USER-BASED-SM-MIB MIB (e.g., nothing displayed for usmUserTable). Is there a default VACM view configured that restricts this portion of the tree? How do I change this and/or how can I retrieve the portion of the MIB tree under 'snmpV2' (i.e., 1.1.3.6.1.6)? Other portions of the 'internet' branch (1.1.3.6.1) are walked successfully, including the FORTINET enterprise MIB objects (under 1.1.3.6.1.4.1).

   In addition (likely related to the above restriction), I'm unable to add SNMPv3 users to the usmUserTable via SNMPv3 (e.g., via the Linux 'snmpusm' command). The SNMP Manager I use would like to be able to do this for any SNMPv3 agents that it manages.

Thanks.

1 reply

emnoc
New Member
November 10, 2020

If the snmpwalk is giving you a "no item left in this MIB view" or whatever the wording, then that branch of the tree does not exist.

And no, no default VACM view control exists.

 

Ken Felix

Coldforest
New Member
November 10, 2020

Hi,

 

"...then that branch of the tree does not exist."

 

That would be paradoxical since the SNMPv3 user was necessarily defined in this part of the tree(??). Backing up a step, the "create SNMPv3 user" does imply that this is creating an SNMPv3 user as per the User Security Model (USM), which necessarily means the user will appear in the usmUserTable from this SNMP-USER-BASED-SM-MIB.

 

What am I missing here?

emnoc
New Member
November 11, 2020

That is true and dandy but does not mean it's supported in FortiOS. You can confirm with support, but not all "std" parts, or what we suspect are std MIBs, are supported.

FWIW, I just walked 6.4.3 and got zero responses also. I also still believe that in FortiOS VACM is not supported. Junos and cisco-ios yes, but in FortiOS not 100% supported. Maybe someone from FTNT will chime in.

 

You can also 100% confirm in the SNMPv3 user config section: no view-based sub-config sections.

 

 

e.g.

 config system snmp user
     edit "kfelix"
         set security-level auth-priv
         set auth-pwd ENC MTAwNIMzwiwTlKnxwxi7rwWuIuWpu1uEVJ0qIWr8WHFHmi9QpNSubFg1m6U9BErvQO6LvHQ5CnV43615JqrRuoNRkylk05w96KgbmwXRQ0dfDtcRF3XQ1nri26RGAR3FqktxWSxjiu5WiSaRV43Gjh1e8Ve5DsG6fzRq/tShKFDIOqCUMEs7L+ycA7rnDN0P2y8Yzw==
         set priv-pwd ENC MTAwNIMzwiwTlKnxwxi7rwWuIuWpu1uEVJ0qIWr8WHFHmi9QpNSubFg1m6U9BErvQO6LvHQ5CnV43615JqrRuoNRkylk05w96KgbmwXRQ0dfDtcRF3XQ1nri26RGAR3FqktxWSxjiu5WiSaRV43Gjh1e8Ve5DsG6fzRq/tShKFDIOqCUMEs7L+ycA7rnDN0P2y8Yzw==
     next
 end

 

Ken Felix

 

edited: IIRC an NFR was submitted for this feature; maybe someone from FTNT support can confirm this NFR. I think one of the RFI/RFPs I was on for a military branch asked for this feature a few years back. I never followed up on this. BTW, JNPR won that bid. Let us know what you find out and if you do contact support. I'm curious.