FortiGate
carabhavi
Staff
Article Id 196866

Description

This article describes how to configure the FortiGate SNMP agent so that an SNMP manager can retrieve status information from the FortiGate unit and the FortiGate unit can send traps to the SNMP manager.

Scope

FortiGate.

Solution

To configure SNMP access - GUI:

  1. Go to Network -> Interfaces.
  2. Choose the interface that the SNMP manager connects to and select 'Edit'.
  3. In Administrative Access, select 'SNMP'.
  4. Select 'OK'.

Note: The trusted hosts configuration applies to most forms of administrative access, including HTTPS, SSH, and SNMP.
When trusted hosts are defined for an administrator account, FortiOS accepts that administrator's login only from one of the trusted hosts. A login from a non-trusted host is dropped, even when the credentials are correct.


To configure the SNMP agent - GUI:

If there is no SNMP option under System, check the VDOM setting: the Global VDOM may not be selected.

This happens when VDOM mode is enabled; in that case the SNMP option is only visible in the Global VDOM.

[Screenshot: SNMP.png]

  1. Go to System -> SNMP and select 'Enable' for the SNMP Agent.
  2. Enter a descriptive name for the agent.
  3. Enter the location of the FortiGate.
  4. Enter a contact or administrator for the SNMP Agent or FortiGate unit.
  5. Select 'Apply'.


To add an SNMP v1/v2c community - GUI:

  1. Go to System -> SNMP.
  2. In the SNMP v1/v2c area, select 'Create New'.
  3. Enter a Community Name.
  4. Enter the IP address to identify the SNMP managers that can use the settings in this SNMP community to monitor the FortiGate.
  5. Select the interface if the SNMP manager is not on the same subnet as the FortiGate unit.
  6. Enter the Port number that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiGate.
  7. Select the Enable check box to activate queries for each SNMP version.
  8. Enter the Local and Remote port numbers that the FortiGate unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community.
  9. Select the Enable check box to activate traps for each SNMP version.
  10. Select 'OK'.


To add an SNMP v3 community - GUI:

  1. Go to System -> SNMP.
  2. In the SNMP v3 area, select 'Create New'.
  3. Enter a User Name.
  4. Select a Security Level and the associated authentication and encryption algorithms.
  5. Enter the IP address of the Notification Host SNMP managers that can use the settings in this SNMP community to monitor the FortiGate.
  6. Enter the Port number that the SNMP managers in this community use to receive configuration information from the FortiGate unit.
  7. Select the Enable check box to activate queries for each SNMP version.
  8. Select the Enable check box to activate traps.
  9. Select 'OK'.


Two types of MIB files are available for FortiGate units: the Fortinet MIB and the FortiGate Core MIB.

Go to System -> SNMP and select 'Download FortiGate SNMP MIB File' and 'Download Fortinet Core MIB File'.
Configure the SNMP manager to receive traps from the FortiGate unit.

If the units are in an HA cluster:
Each unit in the cluster sends its own traps, and the manager can query each unit individually.

A dedicated HA management port has to be enabled in the HA settings.

Note:
The HA management interface must be cleared of all configuration and references (e.g. routes, DHCP server, policies…); its 'Ref' count needs to be 0. Otherwise 'mgmt1' will not be offered as an interface to choose.

5.2 and 5.4 (the first block uses the single ha-mgmt-interface setting, the second the ha-mgmt-interfaces table):

config system ha
    set ha-mgmt-status enable
    set ha-mgmt-interface "mgmt1"
    set ha-mgmt-interface-gateway x.x.x.x
end

config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "interfaceX"
            set gateway x.x.x.x
        next
    end
end


Since 5.6:

The 'ha-direct' setting has to be enabled in the SNMP settings.

For SNMPv2 (per host of the community):

config system snmp community
    edit 1
        config hosts
            edit 1
                set ha-direct enable
            next
        end
    next
end

For SNMPv3 (the entry is keyed by the user name, not an ID):

config system snmp user
    edit "userX"
        set ha-direct enable
    next
end

For troubleshooting, collect the output of the debug commands below, using two CLI sessions in parallel.

PuTTY session 1 (debug output is only displayed once 'diagnose debug enable' is set):

diagnose debug application snmpd -1
diagnose debug console timestamp enable
diagnose debug enable


PuTTY session 2:

diagnose sniffer packet any "port 161 or port 162" 6 0 a
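Added example, not part of the original article: after enabling 'ha-direct', the check a practitioner wants is whether queries and traps really use the HA management interface. The script below parses the header lines produced by the sniffer command above (with 'any', each header names the interface; the hex-dump lines that verbosity 6 adds are skipped) and lists SNMP packets seen on any other interface. The header-line layout, the interface name mgmt1 and the sample capture are assumptions/constructed.

```python
import re
from collections import Counter

# Header line of: diagnose sniffer packet any "port 161 or port 162" 6 0 a
# With 'any', each header names the interface; the hex-dump lines verbosity 6
# prints under each header (0x0000 ...) do not match and are skipped.
HEADER = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ifname>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): udp \d+$"
)
SNMP_PORTS = {161: "query", 162: "trap"}

# Constructed sample output (not a real capture): three packets on the HA
# management interface mgmt1 and one query still arriving on port1.
SAMPLE = """\
2024-01-15 10:02:11.101234 mgmt1 in 10.10.0.50.53021 -> 10.10.0.1.161: udp 45
0x0000\t 0000 0000 0000 0000 0000 0000 0800 4500\t................E.
2024-01-15 10:02:11.102876 mgmt1 out 10.10.0.1.161 -> 10.10.0.50.53021: udp 67
2024-01-15 10:02:15.330110 mgmt1 out 10.10.0.1.1024 -> 10.10.0.50.162: udp 98
2024-01-15 10:02:18.004520 port1 in 192.0.2.9.40111 -> 198.51.100.1.161: udp 45
"""

def parse_sniffer(text):
    """One dict per SNMP packet header: interface, direction, kind, src, dst."""
    packets = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        # dst port 161 = query in, src port 161 = response out, port 162 = trap.
        kind = SNMP_PORTS.get(int(d["dport"])) or SNMP_PORTS.get(int(d["sport"]))
        if kind:
            packets.append({"ifname": d["ifname"], "dir": d["dir"], "kind": kind,
                            "src": d["src"], "dst": d["dst"]})
    return packets

def summarize(packets):
    """Packet counts keyed by (interface, kind, direction)."""
    return dict(Counter((p["ifname"], p["kind"], p["dir"]) for p in packets))

def check_ha_direct(packets, mgmt_ifname):
    """SNMP packets on any interface other than the HA management interface.
    With ha-direct enabled each member should answer queries and send traps on
    its own HA management interface; anything listed here is a manager still
    polling the cluster's regular address or a unit where ha-direct is not in effect."""
    stray = Counter((p["ifname"], p["kind"], p["dir"])
                    for p in packets if p["ifname"] != mgmt_ifname)
    return sorted((i, k, d, n) for (i, k, d), n in stray.items())
```

Save the session 2 output to a file, pass its contents to parse_sniffer, and call check_ha_direct with the name of the HA management interface; an empty list means all captured SNMP traffic used that interface.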

 

Important Note:

Always make sure the SNMP agent is enabled in the CLI section below:

config system snmp sysinfo
    set status enable
end