FortiManager
mdeparisse_FTNT
Article Id 204090
Description: This article describes how to configure and test SNMPv3 and SNMPv2c on FortiManager/FortiAnalyzer.
Scope: FortiManager, FortiAnalyzer.
Solution

How to configure SNMPv3:

  1. Enable the SNMP service on the interface and create the SNMP user (SEC-TEST is used in this example):

config system interface
    edit port1
        set allowaccess snmp ...
    next
end

config system snmp sysinfo
    set status enable
end

config system snmp user
(user)# edit SEC-TEST <----- New entry 'SEC-TEST' added.

The notifications (traps) and query settings for the user can be chosen:

(SEC-TEST)# set
events            SNMP notifications (traps) to send.
notify-hosts      Hosts to send notifications (traps) to.
notify-hosts6     IPv6 hosts to send notifications (traps) to.
queries           Enable/disable queries for this user.
query-port        SNMPv3 query port.
security-level    Security level for message authentication and encryption.

A security level can be chosen:

(SEC-TEST)# set security-level
auth-no-priv       A message with authentication but no privacy (encryption).
auth-priv          A message with authentication and privacy (encryption).
no-auth-no-priv    Message with no authentication and no privacy (encryption).

If the SNMP trap receiver is 10.5.53.226 and the authentication password is 'fortinet', as is the privacy password, the resulting configuration is:

config system snmp user
    edit "SEC-TEST"
        set events disk_low ha_switch intf_ip_chg sys_reboot cpu_high mem_low cpu-high-exclude-nice
        set notify-hosts 10.5.53.226
        set security-level auth-priv
        set auth-pwd "fortinet"
        set priv-pwd "fortinet"
        set query-port 161     <----- SNMPv3 query port (1 - 65535, default = 161).
        set notify-port 162    <----- Port for notifications (traps) (1 - 65535). Available from FortiManager/FortiAnalyzer 7.6.1.
    next
end

Note:

SNMPv1 and SNMPv2 support custom trap and query ports, while SNMPv3 supports only a custom query port (the SNMPv3 notify-port option shown above is introduced in 7.6.1).

  2. To test it, 'snmpwalk' can be used on Linux. If the FortiManager has IP 10.5.53.205, the command is:

snmpwalk -v3 -l authPriv -u SEC-TEST -a SHA -A "fortinet" -x AES -X "fortinet" 10.5.53.205


iso.3.6.1.2.1.1.1.0 = ""
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.12356.103.1.64
iso.3.6.1.2.1.1.3.0 = Timeticks: (311316) 0:51:53.16
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "FMG-VM64"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 0
iso.3.6.1.2.1.2.1.0 = INTEGER: 12
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1

Use the debug below if there is any issue:

exe tac report
config of the FMG or FAZ <----- Also provide a backup of the configuration.
diag debug app snmpd 255
diag debug enable

In another window:

diag sniffer packet any "port 161 and host <linux station>" 3 0 a

Then run the 'snmpwalk' command from step 2 and send the output of all the above commands.

diag debug disable
diag debug reset

How to configure SNMPv2c:

Different user names and host IPs are used in this section so that the two examples stay distinct.

  1. Enable the SNMP service on the interface and create the SNMP user (FORTI-SNMP is used in this example):

config system interface
    edit port1
        set allowaccess snmp ...
    next
end

config system snmp sysinfo
    set status enable
end

config system snmp user
(user)# edit FORTI-SNMP <----- New entry 'FORTI-SNMP' added.

The notifications (traps) and query settings for the user can be chosen:

(FORTI-SNMP)# set
events            SNMP notifications (traps) to send.
notify-hosts      Hosts to send notifications (traps) to.
notify-hosts6     IPv6 hosts to send notifications (traps) to.
queries           Enable/disable queries for this user.
query-port        SNMPv2 query port.
security-level    Security level for message authentication and encryption.

A security level can be chosen:

(FORTI-SNMP)# set security-level
auth-no-priv       A message with authentication but no privacy (encryption).
auth-priv          A message with authentication and privacy (encryption).
no-auth-no-priv    Message with no authentication and no privacy (encryption).

If the SNMP trap receiver is 10.5.209.160 and the authentication password is 'fortinet', as is the privacy password, the resulting configuration is:

config system snmp user
    edit "FORTI-SNMP"
        set events disk_low ha_switch intf_ip_chg sys_reboot cpu_high mem_low cpu-high-exclude-nice
        set notify-hosts 10.5.209.160
        set security-level auth-priv
        set auth-pwd "fortinet"
        set priv-pwd "fortinet"
        set query-port 161     <----- SNMPv2 query port (1 - 65535, default = 161).
    next
end

Configuring a community for SNMP v2c is also needed. The community string is transmitted in cleartext, so restrict the community's 'hosts' entry to the management station or its network:

config system snmp community
    edit 1                         <----- New entry '1' added.
        set name SNMP-Linux
        set query_v2c_status enable
        set query_v2c_port 161
        config hosts
            edit 1                 <----- New entry '1' added.
                set interface port1
                set ip 10.5.209.160 255.255.240.0
            next
        end
    next
end

  2. To test it, 'snmpwalk' can be used on Linux. If the FortiManager has IP 10.5.49.115, the command is:

snmpwalk -v2c -c "SNMP-Linux" -l authPriv -u FORTI-SNMP -a SHA -A "fortinet" -x AES -X "fortinet" 10.5.49.115


iso.3.6.1.2.1.1.1.0 = ""
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.12356.103.1.64
iso.3.6.1.2.1.1.3.0 = Timeticks: (311316) 0:51:53.16
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "FAZ-VM64"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 0
iso.3.6.1.2.1.2.1.0 = INTEGER: 12
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1
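The snmpwalk tests in both sections above (SNMPv3 with SEC-TEST, SNMPv2c with the SNMP-Linux community) can be made repeatable with a small check. The Python script below is an added example and not part of the article: it reads the security-level of a 'config system snmp user' entry to build the matching snmpwalk arguments (SHA and AES are assumed, as in the article's command), builds the community-only v2c invocation, and parses the walk output to confirm that sysObjectID lies under Fortinet's enterprise OID 1.3.6.1.4.1.12356 as seen in the output above; the sample config and walk lines are constructed from the article.

```python
import re

# FortiManager 'set security-level' values -> net-snmp '-l' argument.
SEC_LEVEL_FLAG = {"no-auth-no-priv": "noAuthNoPriv",
                  "auth-no-priv": "authNoPriv", "auth-priv": "authPriv"}
FORTINET_ENTERPRISE = "1.3.6.1.4.1.12356"   # Fortinet's registered enterprise OID

# Constructed sample input, taken from the article's SEC-TEST entry and walk output.
SAMPLE_USER = '''    edit "SEC-TEST"
        set security-level auth-priv
        set auth-pwd "fortinet"
        set priv-pwd "fortinet"'''
SAMPLE_WALK = '''iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.12356.103.1.64
iso.3.6.1.2.1.1.5.0 = STRING: "FMG-VM64"'''

def parse_snmp_user(config: str) -> dict:
    """Collect the 'set key value' pairs of one 'config system snmp user' entry."""
    user = {"name": re.search(r'edit\s+"?([^"\s]+)', config).group(1)}
    for key, val in re.findall(r'^\s*set\s+(\S+)\s+(.+?)\s*$', config, re.M):
        user[key] = val.strip('"')
    return user

def snmpwalk_v3_argv(user: dict, target: str, auth="SHA", priv="AES") -> list:
    """snmpwalk arguments matching the device-side level (SHA/AES assumed, as in the article)."""
    level = SEC_LEVEL_FLAG[user["security-level"]]
    argv = ["snmpwalk", "-v3", "-l", level, "-u", user["name"]]
    if level != "noAuthNoPriv":             # auth-no-priv and auth-priv need -a/-A
        argv += ["-a", auth, "-A", user["auth-pwd"]]
    if level == "authPriv":                 # only auth-priv needs -x/-X
        argv += ["-x", priv, "-X", user["priv-pwd"]]
    return argv + [target]

def snmpwalk_v2c_argv(community: str, target: str) -> list:
    """SNMPv2c authenticates by community string only; -l/-u/-a/-x are SNMPv3 options."""
    return ["snmpwalk", "-v2c", "-c", community, target]

def parse_walk(output: str) -> dict:
    """Parse net-snmp 'oid = TYPE: value' lines into {numeric oid: (type, value)}."""
    rows = {}
    for m in re.finditer(r'^(\S+) = (?:([A-Za-z]+): )?(.*)$', output, re.M):
        oid, typ, val = m.groups()
        rows[oid.replace("iso.", "1.", 1)] = (typ or "STRING", val.replace("iso.", "1.", 1).strip('"'))
    return rows

def check_fortinet_walk(output: str) -> dict:
    """Report whether sysObjectID (1.3.6.1.2.1.1.2.0) lies under Fortinet's enterprise subtree."""
    rows = parse_walk(output)
    sys_oid = rows.get("1.3.6.1.2.1.1.2.0", ("", ""))[1]
    return {"fortinet": sys_oid.startswith(FORTINET_ENTERPRISE + "."),
            "sysObjectID": sys_oid, "sysName": rows.get("1.3.6.1.2.1.1.5.0", ("", ""))[1]}
```

Feed the real snmpwalk output to check_fortinet_walk after running the command returned by snmpwalk_v3_argv; a 'fortinet' value of False means the walk did not reach the expected agent.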

Note:

Fortinet supports only the community-based SNMP v2c variant. Use the debug below if there is any issue:

exe tac report
config of the FMG or FAZ <----- Also provide a backup of the configuration.
diag debug app snmpd 255
diag debug enable

In another window:

diag sniffer packet any "port 161 and host <linux station>" 3 0 a

Then run the 'snmpwalk' command from step 2 and send the output of all the above commands.

diag debug disable
diag debug reset

Related documents:

Technical Tip: How to get and troubleshoot MIBs and OIDs from SNMP

Troubleshooting Tip: Testing FortiManager and FortiAnalyzer SNMPv3 from a Linux

CLI reference - snmp