Description
This article describes the configuration of the FortiGate SNMP agent in order for the SNMP manager to get status information from the FortiGate unit and for the FortiGate unit to send traps to the SNMP manager.
Scope
FortiGate.
Solution
To configure SNMP access - GUI:
Note: The trusted hosts’ configuration applies to most forms of administrative access including HTTPS, SSH, and SNMP.
When a trusted host is identified for an administrator account, FortiOS accepts that administrator’s login only from one of the trusted hosts. A login, even with proper credentials, from a non-trusted host is dropped.
To configure the SNMP agent – GUI:
If there is no SNMP option under System, check the VDOM setting: the global scope may not be selected.
This happens when the VDOM option is enabled. In that case, the SNMP option is visible only under the global VDOM.
To add an SNMP v1/v2c community - GUI:
To add an SNMP v3 community - GUI:
Two types of MIB files are available for FortiGate units: the Fortinet MIB and the FortiGate Core MIB.
Go to System -> SNMP and select 'Download FortiGate SNMP MIB File' and 'Download Fortinet Core MIB File'.
Configure the SNMP manager to receive traps from the FortiGate unit.
If the units are in HA:
Each unit in the cluster sends its own traps and the manager can query both units.
A dedicated HA management port has to be enabled in the HA settings.
Note:
The HA management interface needs to be cleared of all configuration and references (e.g. routes, DHCP server, policies…), so that 'Ref' is 0. Otherwise 'mgmt1' will not be presented as an interface to choose.
5.2 and 5.4:
config system ha
    set ha-mgmt-status enable
    set ha-mgmt-interface "mgmt1"
    set ha-mgmt-interface-gateway x.x.x.x
end
Since 5.6:
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "interfaceX"
            set gateway x.x.x.x
        next
    end
end
The 'ha-direct' setting has to be enabled in the SNMP settings.
For SNMPv2:
config system snmp community
    edit 1
        config hosts
            edit 1
                set ha-direct enable
            next
        end
    next
end
For SNMPv3:
config system snmp user
    edit 1
        set ha-direct enable
    next
end
For troubleshooting, collect the output of the debug commands below.
PuTTY session 1:
diagnose debug application snmpd -1
diagnose debug console timestamp enable
diagnose debug enable
PuTTY session 2:
diagnose sniffer packet any "port 161 or port 162" 6 0 a
Important Note:
Always make sure the SNMP agent is enabled in the CLI section below:
config system snmp sysinfo
    set status enable
end
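The following is an added example, not part of the original article and not Fortinet code: a Python check that parses 'show'-style configuration text and reports whether the settings named in this article are present (status under 'config system snmp sysinfo', and ha-direct on community hosts and SNMP users once ha-mgmt-status is enabled). The function names and the sample configuration are constructed for illustration, and the parser assumes every edit is closed with next and every config with end.

```python
import shlex

CLOSES = {"next": "edit", "end": "config"}  # which keyword closes which block

def parse_fortios(text):
    """Parse 'show'-style FortiOS config into nested dicts; reject bad nesting."""
    root = {}
    stack = [("root", root)]
    for n, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw) or [""]  # blank line becomes a no-op token
        op, (kind, node) = tok[0], stack[-1]
        if op in ("config", "edit"):
            stack.append((op, node.setdefault(" ".join(tok[1:]), {})))
        elif op in CLOSES:
            if kind != CLOSES[op]:
                raise ValueError(f"line {n}: '{op}' cannot close a {kind} block")
            stack.pop()
        elif op == "set":
            node[tok[1]] = " ".join(tok[2:])
    if len(stack) > 1:
        raise ValueError("unclosed block at end of input")
    return root

def audit_snmp(cfg):
    out = []
    if cfg.get("system snmp sysinfo", {}).get("status") != "enable":
        out.append("sysinfo: status not enabled")
    # Assumption: ha-direct is only checked once ha-mgmt-status is enabled
    if cfg.get("system ha", {}).get("ha-mgmt-status") == "enable":
        for cid, comm in cfg.get("system snmp community", {}).items():
            for hid, host in comm.get("hosts", {}).items():
                if host.get("ha-direct") != "enable":
                    out.append(f"community {cid} host {hid}: ha-direct not enabled")
        for uid, user in cfg.get("system snmp user", {}).items():
            if user.get("ha-direct") != "enable":
                out.append(f"user {uid}: ha-direct not enabled")
    return out

# Constructed sample, not from a real device: no sysinfo block, user lacks ha-direct
SAMPLE = """
config system ha
    set ha-mgmt-status enable
end
config system snmp user
    edit "nms"
    next
end
"""
print(audit_snmp(parse_fortios(SAMPLE)))
```

parse_fortios raises ValueError when a next or end does not match the block it closes, so a mis-nested paste is caught before the audit runs.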