mdeparisse_FTNT
Article Id 204090
Description: This article describes how to configure and test SNMPv3 and SNMPv2 on FortiManager/FortiAnalyzer.
Scope: FortiManager, FortiAnalyzer.
Solution:

How to configure SNMP V3:

  1. Enable the SNMP service on the interface and configure an SNMP user (the user SEC-TEST will be used):

config system interface
    edit port1
        set allowaccess snmp ...
    next
end

config system snmp sysinfo
    set status enable
end

If 'status' is left disabled, the snmpd debug produces no output at all, even when a system snmp user has been configured.

config system snmp user
(user)# edit SEC-TEST <----- New entry 'SEC-TEST' added.

It is possible to choose the notifications and traps:

(SEC-TEST)# set
events          SNMP notifications (traps) to send.
notify-hosts    Hosts to send notifications (traps) to.
notify-hosts6   IPv6 hosts to send notifications (traps) to.
queries         Enable/disable queries for this user.
query-port      SNMPv3 query port.
security-level  Security level for message authentication and encryption.

It is possible to choose a security level:

(SEC-TEST) # set security-level
auth-no-priv     A message with authentication but no privacy (encryption).
auth-priv        A message with authentication and privacy (encryption).
no-auth-no-priv  A message with no authentication and no privacy (encryption).

If the SNMP trap receiver is 10.5.53.226 and both the authentication password and the privacy password are 'fortinet', the configuration looks as follows:

config system snmp user
    edit "SEC-TEST"
        set events disk_low ha_switch intf_ip_chg sys_reboot cpu_high mem_low cpu-high-exclude-nice
        set notify-hosts 10.5.53.226
        set security-level auth-priv
        set auth-pwd "fortinet"
        set priv-pwd "fortinet"
        set query-port 161    <----- SNMPv3 query port (1 - 65535, default = 161).
        set notify-port 162   <----- Notification (trap) port (1 - 65535, default = 162). This new setting is available from FortiManager/FortiAnalyzer v7.6.1.
    next
end

Note:

SNMPv1 and SNMPv2 support custom trap and query ports, whereas SNMPv3 supports only a custom query port (a custom notify-port for SNMPv3 is the new feature from v7.6.1 shown above).

  2. To test it, use 'snmpwalk' on Linux.

If the FortiManager has IP 10.5.53.205, the command is:

snmpwalk -v3 -l authPriv -u SEC-TEST -a SHA -A "fortinet" -x AES -X "fortinet" 10.5.53.205

iso.3.6.1.2.1.1.1.0 = ""
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.12356.103.1.64
iso.3.6.1.2.1.1.3.0 = Timeticks: (311316) 0:51:53.16
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "FMG-VM64"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 0
iso.3.6.1.2.1.2.1.0 = INTEGER: 12
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1

 

To test SNMPv3 without authentication or privacy (no-auth-no-priv), configure the SNMPv3 user as follows:

config system snmp user
    edit "SEC-TEST"
        set events disk_low ha_switch intf_ip_chg sys_reboot cpu_high mem_low cpu-high-exclude-nice
        set notify-hosts 10.5.53.226
        set security-level no-auth-no-priv
        set query-port 161    <----- SNMPv3 query port (1 - 65535, default = 161).
        set notify-port 162   <----- Notification (trap) port (1 - 65535, default = 162). This new setting is available from FortiManager/FortiAnalyzer v7.6.1.
    next
end

From a Linux system, test SNMP access using the command:

snmpwalk -v3 -l noAuthNoPriv -u SEC-TEST 192.168.251.75
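As an added example that is not part of the original article, the following Python helper builds the snmpwalk argument list for each of the three security levels described above, including auth-no-priv, which the article does not show, and refuses to build a command whose passwords do not fit the level. The '-l' level must match the security-level configured for the user; otherwise the agent rejects the request and no walk is returned. Hosts, user and passwords are the article's example values.

```python
import shlex
from typing import List, Optional

# Map the FortiManager/FortiAnalyzer 'set security-level' values to the
# net-snmp '-l' level names used on the snmpwalk command line.
LEVELS = {
    "no-auth-no-priv": "noAuthNoPriv",
    "auth-no-priv": "authNoPriv",
    "auth-priv": "authPriv",
}


def snmpv3_walk_args(host: str, user: str, security_level: str,
                     auth_pwd: Optional[str] = None, priv_pwd: Optional[str] = None,
                     auth_proto: str = "SHA", priv_proto: str = "AES") -> List[str]:
    """Build the snmpwalk argv matching the user's configured security-level.

    auth-no-priv needs only the authentication password (-a/-A); auth-priv also
    needs the privacy password (-x/-X); no-auth-no-priv needs neither.
    """
    if security_level not in LEVELS:
        raise ValueError(f"unknown security-level {security_level!r}")
    argv = ["snmpwalk", "-v3", "-l", LEVELS[security_level], "-u", user]
    if security_level != "no-auth-no-priv":
        if not auth_pwd:
            raise ValueError("auth-pwd is required for auth-no-priv and auth-priv")
        argv += ["-a", auth_proto, "-A", auth_pwd]
    if security_level == "auth-priv":
        if not priv_pwd:
            raise ValueError("priv-pwd is required for auth-priv")
        argv += ["-x", priv_proto, "-X", priv_pwd]
    argv.append(host)
    return argv


def as_command_line(argv: List[str]) -> str:
    """Quote the argv so it can be pasted into a Linux shell as one command."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed usage mirroring the article: the authPriv and noAuthNoPriv walks.
    print(as_command_line(snmpv3_walk_args("10.5.53.205", "SEC-TEST", "auth-priv", "fortinet", "fortinet")))
    print(as_command_line(snmpv3_walk_args("192.168.251.75", "SEC-TEST", "no-auth-no-priv")))
```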

 

Use the debug below if there is any issue:

execute tac report
config of the FMG or FAZ <----- Backup of the FortiManager or FortiAnalyzer configuration file.
diagnose debug app snmpd 255
diagnose debug enable

In another window:

diagnose sniffer packet any "port 161 and host <linux station>" 3 0 a

Then run the 'snmpwalk' command in step 2 and send the output of all the above commands.

diagnose debug disable
diagnose debug reset

How to configure SNMP V2:

Different usernames and host IPs are used in this section so that the two examples are easy to tell apart.

  1. Enable the SNMP service on the interface and configure an SNMP user (the user 'FORTI-SNMP' will be used):

config system interface
    edit port1
        set allowaccess snmp ...
    next
end

config system snmp sysinfo
    set status enable
end

config system snmp user
(user)# edit FORTI-SNMP <----- New entry 'FORTI-SNMP' added.

It is possible to choose the notifications and traps:

(FORTI-SNMP)# set
events          SNMP notifications (traps) to send.
notify-hosts    Hosts to send notifications (traps) to.
notify-hosts6   IPv6 hosts to send notifications (traps) to.
queries         Enable/disable queries for this user.
query-port      SNMPv2 query port.
security-level  Security level for message authentication and encryption.

It is possible to choose a security level:

(FORTI-SNMP) # set security-level
auth-no-priv     A message with authentication but no privacy (encryption).
auth-priv        A message with authentication and privacy (encryption).
no-auth-no-priv  A message with no authentication and no privacy (encryption).

If the SNMP trap receiver is 10.5.209.160 and both the authentication password and the privacy password are 'fortinet', the configuration looks as follows:

config system snmp user
    edit "FORTI-SNMP"
        set events disk_low ha_switch intf_ip_chg sys_reboot cpu_high mem_low cpu-high-exclude-nice
        set notify-hosts 10.5.209.160
        set security-level auth-priv
        set auth-pwd "fortinet"
        set priv-pwd "fortinet"
        set query-port 161    <----- SNMPv2 query port (1 - 65535, default = 161).
    next
end

An SNMP community must also be configured for SNMPv2c:

config system snmp community
    (community)# edit 1
    new entry '1' added
        (1)# set name SNMP-Linux
        (1)# set query_v2c_status enable
        (1)# set query_v2c_port 161
        (1)# config hosts
            (hosts)# edit 1
            new entry '1' added
                (1)# set interface port1
                (1)# set ip 10.5.209.160 255.255.240.0
            (1)# end

  2. Then, to test it, use snmpwalk on Linux. For SNMPv2c only the community string is used; the SNMPv3 user and authentication options do not apply. If the FortiManager has IP '10.5.49.115', the command is:

snmpwalk -v2c -c "SNMP-Linux" 10.5.49.115

iso.3.6.1.2.1.1.1.0 = ""
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.12356.103.1.64
iso.3.6.1.2.1.1.3.0 = Timeticks: (311316) 0:51:53.16
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "FAZ-VM64"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 0
iso.3.6.1.2.1.2.1.0 = INTEGER: 12
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1
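As an added example that is not part of the original article, the following Python snippet parses the raw snmpwalk output shown for both the SNMPv3 and the SNMPv2c walks above (no MIB files loaded, so OIDs print as 'iso.3.6...') and checks what a practitioner verifying the integration cares about: that sysObjectID sits under the Fortinet enterprise arc 1.3.6.1.4.1.12356 and that sysName is the expected appliance. The sample lines are constructed from the article's output.

```python
import re
from typing import Dict, Optional, Tuple

# IANA private enterprise number 12356 is Fortinet; sysObjectID must sit under it.
FORTINET_ENTERPRISE = "1.3.6.1.4.1.12356"

# One walk line: "<oid> = <TYPE>: <value>"; the TYPE tag is absent for empty strings.
LINE_RE = re.compile(r"^(?P<oid>\S+) = (?:(?P<type>[A-Za-z]+): )?(?P<value>.*)$")


def normalize_oid(oid: str) -> str:
    """snmpwalk prints 'iso.3.6...' when no MIB files are loaded; 'iso' is arc 1."""
    return "1." + oid[len("iso."):] if oid.startswith("iso.") else oid


def parse_walk(text: str) -> Dict[str, Tuple[Optional[str], str]]:
    """Map numeric OID -> (type tag, value) for every parsable line of the walk."""
    parsed = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines and wrapped continuation lines are ignored
        kind, value = m.group("type"), m.group("value")
        if kind in ("STRING", None):
            value = value.strip('"')  # both "" and STRING: "FMG-VM64" carry quotes
        elif kind == "OID":
            value = normalize_oid(value)
        parsed[normalize_oid(m.group("oid"))] = (kind, value)
    return parsed


def uptime_seconds(timeticks: str) -> float:
    """'(311316) 0:51:53.16' -> 3113.16; Timeticks are hundredths of a second."""
    return int(re.match(r"\((\d+)\)", timeticks).group(1)) / 100.0


def check_fortinet_device(walk: Dict[str, Tuple[Optional[str], str]], expected_name: str) -> bool:
    """True when sysObjectID (1.3.6.1.2.1.1.2.0) is under the Fortinet arc and sysName (…1.5.0) matches."""
    obj_id = walk.get("1.3.6.1.2.1.1.2.0", (None, ""))[1]
    name = walk.get("1.3.6.1.2.1.1.5.0", (None, ""))[1]
    return obj_id.startswith(FORTINET_ENTERPRISE + ".") and name == expected_name


# Constructed sample: the first lines of the SNMPv3 walk shown in the article.
SAMPLE_WALK = """iso.3.6.1.2.1.1.1.0 = ""
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.12356.103.1.64
iso.3.6.1.2.1.1.3.0 = Timeticks: (311316) 0:51:53.16
iso.3.6.1.2.1.1.5.0 = STRING: "FMG-VM64"
iso.3.6.1.2.1.1.7.0 = INTEGER: 0
"""
```

Running `check_fortinet_device(parse_walk(SAMPLE_WALK), "FMG-VM64")` on the SNMPv3 output returns True; against the SNMPv2c output the expected name would be "FAZ-VM64".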


Note:

Fortinet supports only SNMPv2c, the community-based version of SNMPv2. Use the debug below if there is any issue:

execute tac report
config of the FMG or FAZ <----- Backup of the FortiManager or FortiAnalyzer configuration file.
diagnose debug app snmpd 255
diagnose debug enable

In another window:

diagnose sniffer packet any "port 161 and host <linux station>" 3 0 a

Then run the 'snmpwalk' command in step 2 and send the output of all the above commands.

diagnose debug disable
diagnose debug reset

Related documents:

Technical Tip: How to get and troubleshoot MIBs and OIDs from SNMP
Troubleshooting Tip: Testing FortiManager and FortiAnalyzer SNMPv3 from a Linux
Technical Tip: Integrating FortiAnalyzer and PRTG (SNMPv2)
