Goutham_FTNT
Staff
Article Id 196434

Description

 
This article describes the steps to configure FortiGate's OID as a custom sensor on PRTG Network Monitor.


 

Scope

 

Any supported version of FortiGate.


Solution

 
GUI configuration

Log in to the FortiGate device.

To enable SNMP on the Interface:
  • Navigate to System -> Network -> Interface.
  • Select Edit on the interface allowing SNMP.
  • Enable SNMP and select OK.

To create a new SNMP community (v1/v2c) or user (v3):

 

Navigate to System -> SNMP and select Create New below 'SNMP v1/v2c' or 'SNMP v3' on the FortiGate.

Provide the community name. This must match the community name configured in PRTG.

Click Add under Host and provide the IP address of the PRTG server, specify the interface as ANY and the Host type as 'Accept queries and send traps'. Then select OK.
 

To configure SNMP v3 on the FortiGate:

 

Refer to Technical Tip: How to configure FortiGate SNMP agent for monitoring.

 

Something like this should be shown after:

 

4.png

 5.png

 

The host IP address is that of the SNMP manager(s) allowed to use the settings in this SNMP community to monitor the FortiGate.

This is all that will be necessary to configure on the FortiGate.


The OID to use in PRTG can be obtained from the FortiGate with the steps below:

To create a custom sensor, the 'Fortinet Core MIB' file is required to obtain the OID value that the custom sensor needs.

Navigate to System -> SNMP and download the Fortinet Core MIB file.

Open this MIB file using any MIB reader.

In this scenario, 'fg sys cpu usage' will be used as the example custom sensor.
MIB Reader
Any free third-party MIB reader software can be used.
  • Open the MIB reader and load the MIB file downloaded from FortiGate.
  • Navigate to FORTINET-FORTIGATE-MIB -> fg system info -> fg sys cpu usage.
  • Save the OID for 'fg sys cpu usage'.

PRTG SNMP Manager and Config:
 
  1. Go to Sensors -> Add -> Select 'Create a new Device' and select Continue.
  2. Provide the group name.
  3. Under 'Credentials For SNMP device', select the SNMP version (v2c or v3), then provide the community string exactly as it was specified in the FortiGate SNMP community configuration. Set the SNMP port to 161 and select Continue.
  4. Make sure to add the device name, IP address and the IP version.
  5. The IP address should be the FortiGate device IP.

After configuring the above, scroll down and check the 'Credentials For SNMP device' section.

  1. Check the SNMP version is SNMP v3.
  2. Match the authentication method to what was added on the FortiGate with the correct password.
  3. Match the encryption type and the encryption key to what was added on the FortiGate.

 

  • After adding the device, add sensors.
  • Obtain the OID from the FortiGate SNMP MIB file and the FortiGate Core MIB.
  • Open the files in the MIB browser to get the desired OIDs.
  • For the device being added, select 'Add sensor', search for 'SNMP custom', and select 'Add This'.
  • Provide the Sensor Name and enter the OID value copied earlier from the MIB reader for 'fg sys cpu usage'.

 

If the sensor is green, it is ready to send traffic and is working as intended.

If it is not working, PRTG shows a yellow sign or a red exclamation mark on the sensor:

 

MicrosoftTeams-image (36).png

 


CLI configuration

FortiGate

config system snmp community
    edit 1
        set name "snmp"
        set status enable
        config hosts
            edit 1
                set source-ip 0.0.0.0
                set ip 172.26.48.5 255.255.255.0
                set interface ''
                set ha-direct disable
                set host-type any
            next
        end
    next
end
 
Verification in the CLI:

FortiGate
 
config system snmp community
edit 1
show full-configuration
        set name "snmp"
        set status enable
        config hosts
            edit 1
                set source-ip 0.0.0.0
                set ip 172.26.48.5 255.255.255.0
                set interface ''
                set ha-direct disable
                set host-type any
            next
        end
        set query-v1-status enable
        set query-v1-port 161
        set query-v2c-status enable
        set query-v2c-port 161
        set trap-v1-status enable
        set trap-v1-lport 162
        set trap-v1-rport 162
        set trap-v2c-status enable
        set trap-v2c-lport 162
        set trap-v2c-rport 162
        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open faz-disconnect wc-ap-up wc-ap-down
    next
end
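One way to review the community settings shown above before leaving them in place, as an added example that is not part of the original article or any Fortinet tool: it parses 'show full-configuration' text and flags a common-word community name, explicitly enabled SNMP v1 queries, and host entries whose mask covers more than a single manager address. The word list and finding texts are assumptions, and the sample is constructed from the output on this page.

```python
import ipaddress

# Constructed sample, trimmed from the 'show full-configuration' output above.
SAMPLE = """config system snmp community
    edit 1
        set name "snmp"
        set status enable
        config hosts
            edit 1
                set ip 172.26.48.5 255.255.255.0
            next
        end
        set query-v1-status enable
    next
end"""

def parse_communities(text):
    """Parse FortiOS 'config system snmp community' text into a list of dicts."""
    communities, in_hosts = [], False
    for line in text.splitlines():
        words = line.split(None, 2)
        if words[:2] == ["config", "hosts"] or words[:1] == ["end"]:
            in_hosts = words[0] == "config"       # enter or leave the hosts table
        elif words[:1] == ["edit"]:
            new = {} if in_hosts else {"settings": {}, "hosts": []}
            (communities[-1]["hosts"] if in_hosts else communities).append(new)
        elif words[:1] == ["set"] and len(words) == 3:
            cur = communities[-1]
            target = cur["hosts"][-1] if in_hosts else cur["settings"]
            target[words[1]] = words[2].strip().strip("\"'")
    return communities

def audit(text):
    """Return a list of review findings for every enabled community."""
    findings = []
    for c in parse_communities(text):
        s, name = c["settings"], c["settings"].get("name", "")
        if s.get("status") == "disable":
            continue
        if name.lower() in {"public", "private", "snmp"}:   # assumed word list
            findings.append(f"{name}: guessable community string")
        if s.get("query-v1-status") == "enable":   # flagged only when set explicitly
            findings.append(f"{name}: SNMP v1 queries enabled")
        for h in c["hosts"]:
            addr, mask = h.get("ip", "0.0.0.0 0.0.0.0").split()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if net.prefixlen < 32:
                findings.append(f"{name}: host entry {net} is wider than one manager")
    return findings
```

Run against the sample, audit(SAMPLE) reports all three findings; a community with a long random name, query-v1-status disabled and a 255.255.255.255 host mask returns an empty list.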
 
Troubleshooting

Community mismatch error in FortiGate logs.
 
To resolve this error, make sure that the community name on the FortiGate and on the PRTG group match.

On the FortiGate, the community name can be found under System -> Config -> SNMP.

On the PRTG, navigate to Devices, select the group, navigate to Settings -> 'Credentials For SNMP device' -> Community name.

The MIB reader:

gouthams_FD37222_tn_FD37222-2.jpg

For SNMPv3 troubleshooting, collect the output from the following debug commands:

PuTTY session 1:

 

diagnose debug application snmpd -1

diagnose debug console timestamp enable

diagnose debug enable

 

PuTTY session 2:

 

diagnose sniffer packet any "port 161 or port 162" 6 0 a