Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jcovarrubias
Staff
Staff

Created on ‎10-14-2024 08:42 AM

Article Id 347279

Technical Tip: SNMP debugging deep dive for Antivirus TRAPS

Description This article describes tips to interpret SNMP (Simple Network Management Protocol) debug output as a user downloads malware file. Step-by-step instructions are provided on how to read and analyze SNMP debug output. 
Scope All FortiGate models.
Solution

In Troubleshooting Tip: How to troubleshoot SNMP traps not getting generated from the firewall, troubleshooting steps are described for enabling SNMP debugs in the firewall to confirm if TRAPS are generated by the FortiGate firewall (FortiGate). This guide will dive deep into the logs generated when a test file with a virus is downloaded as well as captures to see how the object identifier (OIDs) are displayed.

 

Network topology:

 

cuatro.gif

 

Test to see whether the FortiGate is generating and sending a trap when malware is downloaded:

 

Configuration:

 

  1. Traps have been enabled for Antivirus (AV) events:

 

conf.png

 

 

  1. SNMP overall configuration:

dos.gif

 

 

The expected debugs from an SNMP perspective when a user downloads malware are as follows:

 

diagnose debug app snmp -1

diagnose debug enable

 

snmpd: attempting v1 trap: av_virus(601) <- Starts the process to generate the TRAP on V1.
snmpd: trap from (10.0.1.254 -> 10.0.1.11)
snmpd: av trap: EICAR_TEST_FILE <- Type of trap AV and name of the file on V1.
snmpd: trap send(10.0.1.254:162 -> 10.0.1.11:162) bytes sent=145 total=145
snmpd: attempting v2c trap: av_virus(601) <- Starts the process to generate the TRAP on V1.
snmpd: get : system.3.0 -> () -> 0
snmpd: av trap: EICAR_TEST_FILE <- Type of trap "AV" and name of the file for V2.
snmpd: trap send(10.0.1.254:162 -> 10.0.1.11:162) bytes sent=169 total=169 <- Start of the function to send trap and message build.
snmpd: trap request av_virus(0000000000000259) -> queue 1 in 0, 0 interval
snmpd: queue is 0 entries long.
snmpd: queueing trap 8000000000001000@4382431894 (4382431894)
snmpd: queue is 1 entries long.
snmpd: dequeueing trap 8000000000001000@4382431894 (4382431894)
snmpd: sending to hosts: av_virus(601)
snmpd: attempting v1 trap: av_virus(601)
snmpd: trap from (10.0.1.254 -> 10.0.1.11)
snmpd: av trap: EICAR_TEST_FILE
snmpd: trap send(10.0.1.254:162 -> 10.0.1.11:162) bytes sent=145 total=145 <- Trap V1 sent.
snmpd: attempting v2c trap: av_virus(601)
snmpd: get : system.3.0 -> () -> 0
snmpd: av trap: EICAR_TEST_FILE
snmpd: trap send(10.0.1.254:162 -> 10.0.1.11:162) bytes sent=169 total=169 <- Trap V2 sent.

 

The view from the packet capture:

 

tres.png

 
132
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.