Technical Tip: How to configure and test SNMPv3 and SNMPv2 config on FortiManager/FortiAnalyzer

mdeparisse_FTNT · ‎02-02-2022

Description

This article describes how to configure and test SNMPv3 and SNMPv2 config on FortiManager/FortiAnalyzer.

Scope

FortiManager, FortiAnalyzer.

Solution

How to configure SNMP V3:

Enable the SNMP service on the interface and configure a user SEC-TEST will be used:

config system interface

edit port1

set allowaccess snmp ...

config system snmp sysinfo
set status enable
end

config system snmp user
(user)# edit SEC-TEST <- New entry 'SEC-TEST' added.

It is possible to choose the notification and traps:

(SEC-TEST)# set

events SNMP notifications (traps) to send.
notify-hosts Hosts to send notifications (traps) to.
notify-hosts6 IPv6 hosts to send notifications (traps) to.
queries Enable/disable queries for this user.
query-port SNMPv3 query port.
security-level Security level for message authentication and encryption.

It is possible to choose a security level.

(SEC-TEST) # set security-level

auth-no-priv; A message with authentication but no privacy (encryption):

auth-priv; A Message with authentication and privacy (encryption):

no-auth-no-priv; Message with no authentication and no privacy (encryption):

If the SNMP Trap received is 10.5.53.226 and the authorization password is 'Fortinet' as well as the privacy password, the below config will appear.

config system snmp user
edit "SEC-TEST"
set events disk_low ha_switch intf_ip_chg sys_reboot cpu_high mem_low cpu-high-exclude-nice
set notify-hosts 10.5.53.226
set security-level auth-priv
set auth-pwd "fortinet"
set priv-pwd "fortinet"

set query-port 161 (SNMPv3 query port (1 - 65535, default = 161)
set notify-port 162 (1 - 65535, default = 162) <-- This new feature will be available from FortiManager/FortiAnalyzer v7.6.1.
next
end

Note:

SNMPv1 and SNMPv2 support custom trap and query ports. However, SNMPv3 only supports custom query ports. Then, to test it, it is possible to use 'snmpwalk' on Linux:

If the FortiManager has IP 10.5.53.205, it will be the following command:

snmpwalk -v3 -l authPriv -u SEC-TEST -a SHA -A "fortinet" -x AES -X "fortinet" 10.5.53.205

iso.3.6.1.2.1.1.1.0 = ""
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.12356.103.1.64
iso.3.6.1.2.1.1.3.0 = Timeticks: (311316) 0:51:53.16
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "FMG-VM64"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 0
iso.3.6.1.2.1.2.1.0 = INTEGER: 12
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1

To test SNMPv3 without authentication or privacy (no-auth-no-priv), configure the SNMPv3 user as follows:

config system snmp user

edit "SEC-TEST"

set events disk_low ha_switch intf_ip_chg sys_reboot cpu_high mem_low cpu-high-exclude-nice

set notify-hosts 10.5.53.226

set security-level no-auth-no-priv

set query-port 161 (SNMPv3 query port (1 - 65535, default = 161)

set notify-port 162 (1 - 65535, default = 162) <-- This new feature will be available from FortiManager/FortiAnalyzer v7.6.1.

From a Linux system, test SNMP access using the command:

snmpwalk -v3 -l noAuthNoPriv -u SEC-TEST 192.168.251.75

To test SNMPv3 without authentication or privacy, configure the SNMPv3 user as follows:

Use the debug below if there is any issue:

exe tac report

config of the FMG or FAZ <----- Backup config file.

diagnose debug app snmpd 255

diagnose debug enable

In another window:

diagnose sniffer packet any "port 161 and host <linux station>" 3 0 a

Then run the 'snmpwalk' command in step 2 and send the output of all the above commands.

diagnose debug disable

diagnose debug reset

How to configure SNMP V2:
Different usernames and host IPs have been used to be clear for understanding.

Enable SNMP service on the interface and configure a user 'FORTI-SNMP' will be used:

config system interface

edit port1

set allowaccess snmp ...

config system snmp sysinfo
set status enable
end

config system snmp user
(user)# edit FORTI-SNMP <----- New entry 'FORTI-SNMP' added.

It is possible to choose the notification and traps:

(FORTI-SNMP)# set

events SNMP notifications (traps) to send.
notify-hosts Hosts to send notifications (traps) to.
notify-hosts6 IPv6 hosts to send notifications (traps) to.
queries Enable/disable queries for this user.
query-port SNMPv2 query port.
security-level Security level for message authentication and encryption.

It is possible to choose a security level.

(FORTI-SNMP) # set security-level

auth-no-priv; A message with authentication but no privacy (encryption):

auth-priv; A Message with authentication and privacy (encryption):

no-auth-no-priv; Message with no authentication and no privacy (encryption):

If the SNMP Trap received is 10.5.209.160 and the authorization password is 'Fortinet' as well as the privacy password, the below config will appear.

config system snmp user
edit "FORTI-SNMP"
set events disk_low ha_switch intf_ip_chg sys_reboot cpu_high mem_low cpu-high-exclude-nice
set notify-hosts 10.5.209.160
set security-level auth-priv
set auth-pwd "fortinet"
set priv-pwd "fortinet"

set query-port 161 (SNMPv2 query port (1 - 65535, default = 161)
next
end

Configuring a community for SNMP v2c is needed.

config system snmp community

(community)# edit 1
new entry '1' added

(1)# set name SNMP-Linux

(1)# set query_v2c_status enable

(1)# set query_v2c_port 161

(1)# config hosts

(hosts)# edit 1
new entry '1' added

(1)# set interface port1
(1)# set ip 10.5.209.160 255.255.240.0
(1)# end

Then, to test it, it is possible to use snmpwalk on Linux. If the FortiManager has IP '10.5.49.115', it will be the following command:

snmpwalk -v2c -c "SNMP-Linux" -l authPriv -u FORTI-SNMP -a SHA -A "fortinet" -x AES -X "fortinet" 10.5.49.115

iso.3.6.1.2.1.1.1.0 = ""
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.12356.103.1.64
iso.3.6.1.2.1.1.3.0 = Timeticks: (311316) 0:51:53.16
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "FAZ-VM64"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 0
iso.3.6.1.2.1.2.1.0 = INTEGER: 12
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1