|
How to configure SNMP V3:
- Enable SNMP service on the interface and configure a user SEC-TEST will be used:
config system interface
edit port1
set allowaccess snmp ...
next
end
config system snmp sysinfo
set status enable
end
config system snmp user
(user)# edit SEC-TEST <- New entry 'SEC-TEST' added.
It is possible to choose the notification and traps:
(SEC-TEST)# set
events SNMP notifications (traps) to send.
notify-hosts Hosts to send notifications (traps) to.
notify-hosts6 IPv6 hosts to send notifications (traps) to.
queries Enable/disable queries for this user.
query-port SNMPv3 query port.
security-level Security level for message authentication and encryption.
It is possible to choose a security level.
(SEC-TEST) # set security-level
auth-no-priv; A message with authentication but no privacy (encryption):
auth-priv; A Message with authentication and privacy (encryption):
no-auth-no-priv; Message with no authentication and no privacy (encryption):
If the SNMP Trap received is 10.5.53.226 and the authorization password is 'Fortinet' as well as the privacy password, the below config will appear.
config system snmp use
edit "SEC-TEST"
set events disk_low ha_switch intf_ip_chg sys_reboot cpu_high mem_low cpu-high-exclude-nice
set notify-hosts 10.5.53.226
set security-level auth-priv
set auth-pwd "fortinet"
set priv-pwd "fortinet"
set query-port 161 (SNMPv3 query port (1 - 65535, default = 161)
set notify-port162(1 - 65535, default = 161) <-- This new feature will be available from FortiManager/FortiAnalyzer 7.6.1.
next
end
Note:
SNMPv1 and SNMPv2 support custom trap and query ports. However, SNMPv3 only supports custom query ports. Then to test it, it is possible to use 'snmpwalk' on Linux:
If the FortiManager has IP 10.5.53.205, it will be the below command:
snmpwalk -v3 -l authPriv -u SEC-TEST -a SHA -A "fortinet" -x AES -X "fortinet" 10.5.53.205
iso.3.6.1.2.1.1.1.0 = ""
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.12356.103.1.64
iso.3.6.1.2.1.1.3.0 = Timeticks: (311316) 0:51:53.16
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "FMG-VM64"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 0
iso.3.6.1.2.1.2.1.0 = INTEGER: 12
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1
Use the debug below if there is any issue:
exe tac report
config of the FMG or FAZ <----- Backup config file.
diag debug app snmpd 255
diag debug enable
In another window:
diag sniffer packet any "port 161 and host <linux station>" 3 0 a
Then run the 'snmpwalk' command in step 2 and send the output of all the above commands.
diag debug disable
diag debug reset
How to configure SNMP V2:
Different usernames and host IPs have been used to be clear for understanding.
- Enable SNMP service on the interface and configure a user 'FORTI-SNMP' will be used:
config system interface
edit port1
set allowaccess snmp ...
next
end
config system snmp sysinfo
set status enable
end
config system snmp user
(user)# edit FORTI-SNMP <----- New entry 'FORTI-SNMP' added.
It is possible to choose the notification and traps:
(FORTI-SNMP)# set
events SNMP notifications (traps) to send.
notify-hosts Hosts to send notifications (traps) to.
notify-hosts6 IPv6 hosts to send notifications (traps) to.
queries Enable/disable queries for this user.
query-port SNMPv2 query port.
security-level Security level for message authentication and encryption.
It is possible to choose a security level.
(FORTI-SNMP) # set security-level
auth-no-priv; A message with authentication but no privacy (encryption):
auth-priv; A Message with authentication and privacy (encryption):
no-auth-no-priv; Message with no authentication and no privacy (encryption):
If the SNMP Trap received is 10.5.209.160 and the authorization password is 'Fortinet' as well as the privacy password, the below config will appear.
config system snmp user
edit "FORTI-SNMP"
set events disk_low ha_switch intf_ip_chg sys_reboot cpu_high mem_low cpu-high-exclude-nice
set notify-hosts 10.5.209.160
set security-level auth-priv
set auth-pwd "fortinet"
set priv-pwd "fortinet"
set query-port 161 (SNMPv2 query port (1 - 65535, default = 161)
next
end
Configuring a community for SNMP v2c is needed.
config system snmp community
(community)# edit 1
new entry '1' added
(1)# set name SNMP-Linux
(1)# set query_v2c_status enable
(1)# set query_v2c_port 161
(1)# config hosts
(hosts)# edit 1
new entry '1' added
(1)# set interface port1
(1)# set ip 10.5.209.160 255.255.240.0
(1)# end
2. Then to test it, it is possible to use snmpwalk on Linux. If the FortiManager has IP '10.5.49.115', it will be the below command:
snmpwalk -v2c -c "SNMP-Linux" -l authPriv -u FORTI-SNMP -a SHA -A "fortinet" -x AES -X "fortinet" 10.5.49.115
iso.3.6.1.2.1.1.1.0 = ""
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.12356.103.1.64
iso.3.6.1.2.1.1.3.0 = Timeticks: (311316) 0:51:53.16
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "FAZ-VM64"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 0
iso.3.6.1.2.1.2.1.0 = INTEGER: 12
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1
Note:
Fortinet supports only 'SNM' v2c 'community version'. Use the debug below if there is any issue.
exe tac report
config of the FMG or FAZ <----- Backup config file.
diag debug app snmpd 255
diag debug enable
In another window:
diag sniffer packet any "port 161 and host <linux station>" 3 0 a
Then run the 'snmpwalk' command in step 2 and send the output of all the above commands.
diag debug disable
diag debug reset
Related documents:
Technical Tip: How to get and troubleshoot MIBs and OIDs from SNMP
Troubleshooting Tip: Testing FortiManager and FortiAnalyzer SNMPv3 from a Linux
CLI reference - snmp
|
