This article discusses the use of SNMP traps and logs related to alerting for security events.
Let’s look at an example:
- An IPv4 DoS policy is active with logging enabled.
- The SNMP trap for the event "IPS detected an anomaly" is enabled.
- Traffic is generated to trigger the events.
- Attacker: 192.168.0.4
- Targeted server: 10.0.0.4
- FortiGate MGMT IP: 172.16.0.1
- NMS (SNMP trap destination): 172.16.0.85
date=2022-07-09 time=18:03:06 eventtime=1657414986873030266 tz="-0700" logid="0720018433" type="utm" subtype="anomaly" eventtype="anomaly" level="alert" vd="root" severity="critical" srcip=192.168.0.4 srccountry="Reserved" dstip=10.0.0.4 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" sessionid=0 action="detected" proto=1 service="PING" count=18990 attack="icmp_flood" icmpid="0x2f27" icmptype="0x08" icmpcode="0x00" attackid=16777316 policyid=1 policytype="DoS-policy" ref=http://www.fortinet.com/ids/VID16777316 msg="anomaly: icmp_flood, 650 > threshold 20, repeats 18990 times since last log, pps 656 of prior second" crscore=50 craction=4096 crlevel="critical"
SNMP trap generated:
Note: Clearly the log contains more information than the SNMP trap.
For some enterprises, receiving security events in their NMS via SNMP trap is a requested method for alerting.
For other enterprises, security event alerting is accomplished via log collection only.
Some other enterprises may even use a combination of both methods.
- Whether SNMP traps, logging, or both are used for security events, an enterprise should select the method(s) that meet its policies and best align with its processes and tools.
- Logs are by nature more complete than SNMP traps.
- Using SNMP traps for alerting does not remove the need for logs: security analysts will typically use the logs to investigate an alert generated by an SNMP trap.
- Logging offers more granular control over which events are recorded.
- SNMP traps offer less granular control over what is sent: an event family is either enabled or disabled.
- Logs and SNMP traps are generated by different processes and are independent of each other.
- For example, logging can be disabled for a specific event while an SNMP trap is still generated for it.
- Filtering and more complex logic for alerting are typically done on the collecting side (NMS, SIEM, FortiSoc, etc.).
- If SNMP traps are not required for alerting on a given security event type, it is suggested to disable that event type under the SNMP community configuration (System/SNMP) to reduce resource utilization (CPU, network, storage, etc.).
Copyright 2023 Fortinet, Inc. All Rights Reserved.