FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
yujames (Staff)
Article Id 193643

Description

 

This article describes how to add devices to FortiSIEM that are discovered as 'Generic' and need the correct vendor, model, and hardware model information. If the sysDescr value the device returns over SNMP is not detailed enough, FortiSIEM cannot parse out the device and vendor information from it. The easiest fix is to change the device's sysDescr, but some devices do not allow the description to be edited, so the mapping has to be supplied to FortiSIEM directly.

 

Scope

 

FortiSIEM.


Solution

 
Here is a step-by-step guide:
 
  1. Obtain the Following Information for the 'Generic' Device:

Vendor.

Model.

Hardware Model.

 

For example:

Vendor: HP.

Model: ProCurve Switch.

Hardware Model: 2950.

 

  2. Run an snmpwalk against the sysObjectID:

    snmpwalk -v 2c -c <community string> <ip> sysObjectID.0


    For example:

    snmpwalk -v 2c -c public 172.30.59.133 sysObjectID.0

    SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.11.2.3.7.11.160

     

  3. Open and edit userSnmpSysObjId.csv (path below). This file lets you set the Vendor, Model, Hardware Model, and SysObjectId that FortiSIEM assigns to the device.

    vi /opt/phoenix/config/userSnmpSysObjId.csv

  4. Insert the following entry into the file. An empty file contains only the header line:

    Vendor,Model,hwModel,OID

    Filled-in example:

    Vendor,Model,hwModel,OID
    HP,ProCurve Switch,5406,SNMPv2-SMI::enterprises.11.2.3.7.11.160

  5. Save the changes.

  6. Repeat step 4 on all the FortiSIEM nodes, so that the entry is applied whenever the device is discovered by any other node.

  7. Additional information:
     
    1. If the file does not exist, create it using the name and path given in step 3.
    2. Add the following entries to /opt/phoenix/config/phoenix_config.txt:

      system_snmp_sysObjId_file=/opt/phoenix/config/systemSnmpSysObjId.csv
      user_snmp_sysObjId_file=/opt/phoenix/config/userSnmpSysObjId.csv

      Make sure they are inserted under the 'phDiscover' attribute block. For example:

      [BEGIN phDiscover]
      command_port = 7928
      discover_get_uri =phoenix/rest/deviceInfo
      discover_put_uri =phoenix/rest/discovered/discover
      discover_service_path=phoenix/rest/config/service
      discover_package_path=phoenix/rest/config/applicationPackage
      task_status_put_uri=phoenix/rest/sync/task/status
      discover_from_file=1 #0:from network; 1:from file
      discover_file_dir=/opt/phoenix/config/discoverFile #not reqd if prev flag is 0
      system_snmp_sysObjId_file=/opt/phoenix/config/systemSnmpSysObjId.csv
      user_snmp_sysObjId_file=/opt/phoenix/config/userSnmpSysObjId.csv
      snmpwalk_timeout = 300 # seconds
      system_call_timeout = 300 # seconds
      vm_discov_timeout = 900 # 15 minutes
      snmpwalk_v1_packet_timeout = 5 # second
      snmpwalk_v2_packet_timeout = 5 # second
      bgp_max_discov_count = -1 # max number of auto discoveries in one hour (set to -1 to disable auto discover)
      discover_compress_threshold = 2048
      snmp_ping_times=5
      wmi_ping_times=5
      [END]

    3. Restart phDiscover after adding these lines to phoenix_config.txt:

      killall -9 phDiscover
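As an added helper (not from the article or from Fortinet), the steps above can be scripted on each node: parse the sysObjectID out of the snmpwalk output, check that it is an enterprises OID, and merge the row into userSnmpSysObjId.csv without creating duplicate rows or two conflicting rows for the same OID. The regular expressions, the temporary path used by demo() and the sample snmpwalk line are assumptions; the sample is constructed from the article's HP ProCurve example.

```python
import csv
import os
import re
import tempfile

HEADER = ["Vendor", "Model", "hwModel", "OID"]  # header row of userSnmpSysObjId.csv
# OID value in a line like "SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.11.2.3.7.11.160"
SYSOBJID_RE = re.compile(r"sysObjectID\.0\s*=\s*OID:\s*(\S+)")
OID_RE = re.compile(r"^SNMPv2-SMI::enterprises(\.\d+)+$")

def parse_sysobjectid(snmpwalk_output):
    """Return the enterprises OID from snmpwalk output, or None if not found."""
    for line in snmpwalk_output.splitlines():
        m = SYSOBJID_RE.search(line)
        if m and OID_RE.match(m.group(1)):
            return m.group(1)
    return None

def add_entry(path, vendor, model, hw_model, oid):
    """Append Vendor,Model,hwModel,OID, writing the header for a new file. Returns
    "added" or "exists"; raises ValueError on a bad OID or one mapped elsewhere."""
    if not OID_RE.match(oid):
        raise ValueError("not an enterprises sysObjectID: %r" % oid)
    new_row = [vendor, model, hw_model, oid]
    new_file = not os.path.exists(path) or os.path.getsize(path) == 0
    rows = []
    if not new_file:
        with open(path, newline="") as f:
            rows = [r for r in csv.reader(f) if r and r != HEADER]
    for row in rows:
        if row == new_row:
            return "exists"
        if len(row) == 4 and row[3] == oid:
            # Same sysObjectID already mapped to a different device: refuse it
            raise ValueError("%s already mapped to %s" % (oid, row[:3]))
    with open(path, "a", newline="") as f:
        w = csv.writer(f, lineterminator="\n")
        if new_file:
            w.writerow(HEADER)
        w.writerow(new_row)
    return "added"

SAMPLE_WALK = "SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.11.2.3.7.11.160\n"  # constructed

def demo():
    # Runs the whole flow on a throwaway CSV; returns (oid, first, second, file lines)
    path = os.path.join(tempfile.mkdtemp(), "userSnmpSysObjId.csv")
    oid = parse_sysobjectid(SAMPLE_WALK)
    first = add_entry(path, "HP", "ProCurve Switch", "5406", oid)
    second = add_entry(path, "HP", "ProCurve Switch", "5406", oid)
    with open(path) as f:
        return oid, first, second, f.read().splitlines()
```

On a real node, point add_entry() at /opt/phoenix/config/userSnmpSysObjId.csv and feed it the live snmpwalk output; the duplicate check makes re-running it on every node safe.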

 

Related article:

Technical Note: FortiSIEM testing SNMP from the command line