Help
FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
mdeparisse_FTNT
Staff
Staff

Created on ‎02-02-2022 08:56 AM Edited on ‎09-26-2022 06:23 AM By Community Manager

Article Id 204090

Technical Tip: How to configure and test SNMPv3 config on FortiManager/FortiAnalyzer

Description This article describe how to configure SNMP V3 on FortiManager and FortiAnalyzer as well as how to validate this configuration and take the debug if necessary.
Scope  
Solution

1) Enable SNMP service on interface and configure a user SEC-TEST will be used:

 

# config system interface

    edit 1

        set allowaccess snmp ...

    next

end


# config system snmp sysinfo
    set status enable
end

 

# config system snmp user
(user)# edit SEC-TEST <----- New entry 'SEC-TEST' added.

 

It is possible choose the notification and traps:


# (SEC-TEST)# set


events SNMP notifications (traps) to send.
notify-hosts Hosts to send notifications (traps) to.
notify-hosts6 IPv6 hosts to send notifications (traps) to.
queries Enable/disable queries for this user.
query-port SNMPv3 query port.
security-level Security level for message authentication and encryption.

 

It is possible to choose security level.


(SEC-TEST) # set security-level


auth-no-priv

 

Message with authentication but no privacy (encryption).


auth-priv

 

Message with authentication and privacy (encryption).


no-auth-no-priv

 

Message with no authentication and no privacy (encryption).

 

If the SNMP Trap receive is 10.5.53.226 and the authorization password is 'fortinet' as well as the privacy password ,the below config will appear.


# config system snmp use
    edit "SEC-TEST"
        set events disk_low ha_switch intf_ip_chg sys_reboot cpu_high mem_low cpu-high-exclude-nice
        set notify-hosts 10.5.53.226
        set security-level auth-priv
        set auth-pwd "fortinet"
        set priv-pwd "fortinet"
    next
end

 

2) Then to test it it is possible to use snmpwalk on linux:

 

If the FortiManager has IP 10.5.53.205, it will be the below command:

 

# snmpwalk -v3 -l authPriv -u SEC-TEST -a SHA -A "fortinet" -x AES -X "fortinet" 10.5.53.205


iso.3.6.1.2.1.1.1.0 = ""
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.12356.103.1.64
iso.3.6.1.2.1.1.3.0 = Timeticks: (311316) 0:51:53.16
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "FMG-VM64"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 0
iso.3.6.1.2.1.2.1.0 = INTEGER: 12
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1

3) Use the debug below if there is any issue.

 

# exe tac report

# config of the FMG or FAZ<----- dat backup config file.

# diag debug app snmpd 255

# diag debug enable

 

In another window.

 

# diag sniffer packet any "port 161 and host <linux station>" 3 0 a

----

 

Then run the snmpwalk command in step2 and send the output of all above commands.

 

 

----

# diag debug disable

# diag debug reset

 

Related article.

How to get and troubleshoot MIBs and OIDs from SNMP

CLI reference - snmp 
2964
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.