FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
Article Id 204090
Description This article describe how to configure SNMP V3 on FortiManager and FortiAnalyzer as well as how to validate this configuration and take the debug if necessary.

1) Enable SNMP service on interface and configure a user SEC-TEST will be used:


# config system interface

    edit 1

        set allowaccess snmp ...



# config system snmp sysinfo
    set status enable


# config system snmp user
(user)# edit SEC-TEST <----- New entry 'SEC-TEST' added.


It is possible choose the notification and traps:

# (SEC-TEST)# set

events SNMP notifications (traps) to send.
notify-hosts Hosts to send notifications (traps) to.
notify-hosts6 IPv6 hosts to send notifications (traps) to.
queries Enable/disable queries for this user.
query-port SNMPv3 query port.
security-level Security level for message authentication and encryption.


It is possible to choose security level.

(SEC-TEST) # set security-level



Message with authentication but no privacy (encryption).



Message with authentication and privacy (encryption).



Message with no authentication and no privacy (encryption).


If the SNMP Trap receive is and the authorization password is 'fortinet' as well as the privacy password ,the below config will appear.

# config system snmp use
    edit "SEC-TEST"
        set events disk_low ha_switch intf_ip_chg sys_reboot cpu_high mem_low cpu-high-exclude-nice
        set notify-hosts
        set security-level auth-priv
        set auth-pwd "fortinet"
        set priv-pwd "fortinet"


2) Then to test it it is possible to use snmpwalk on linux:


If the FortiManager has IP, it will be the below command:


# snmpwalk -v3 -l authPriv -u SEC-TEST -a SHA -A "fortinet" -x AES -X "fortinet"

iso. = ""
iso. = OID: iso.
iso. = Timeticks: (311316) 0:51:53.16
iso. = ""
iso. = STRING: "FMG-VM64"
iso. = ""
iso. = INTEGER: 0
iso. = INTEGER: 12
iso. = INTEGER: 1

3) Use the debug below if there is any issue.


# exe tac report

# config of the FMG or FAZ<----- dat backup config file.

# diag debug app snmpd 255

# diag debug enable


In another window.


# diag sniffer packet any "port 161 and host <linux station>" 3 0 a



Then run the snmpwalk command in step2 and send the output of all above commands.




# diag debug disable

# diag debug reset


Related article.

How to get and troubleshoot MIBs and OIDs from SNMP

CLI reference - snmp