FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
RuiChang (Staff)
Article Id 333387
Description

 

This article describes how to configure FortiManager and FortiAnalyzer to send SNMPv3 traps to FortiSIEM, and how to configure FortiSIEM so that it can authenticate and parse those traps.

 

Scope

FortiSIEM, FortiManager, FortiAnalyzer.

 

Solution

 

FortiSIEM can receive SNMPv3 traps from FortiManager and FortiAnalyzer for monitoring. Unlike SNMPv3 informs, traps are authenticated under the sender's engine ID, so FortiSIEM must know the engine ID of the FortiManager/FortiAnalyzer before it can validate the traps. The procedure below discovers that engine ID and adds it to the FortiSIEM snmptrapd configuration:

 

 

  1. On FortiManager/FortiAnalyzer, configure the settings below:
  a. Enable SNMP as an administrative access protocol on the interface that faces FortiSIEM:

 

 

[Screenshot: interface settings with SNMP enabled]

 

 

  b. Configure the SNMPv3 user under Network -> SNMPv3. Select both an authentication and a privacy protocol, and add the FortiSIEM IP address as a notification (trap) host. The user name, protocols and passphrases chosen here are entered again on FortiSIEM in a later step:

 

 

[Screenshot: SNMPv3 user configuration]

 

 

  c. In the FortiManager/FortiAnalyzer CLI, enable the SNMP agent:

 

 

 

config sys snmp sysinfo

set status enable

end

 

 

  2. In FortiSIEM, configure SNMP discovery for FortiManager/FortiAnalyzer. See this guide.

 

 

Note:

After discovery, FortiManager/FortiAnalyzer should appear in the CMDB:

 

[Screenshot: FortiManager/FortiAnalyzer device in the FortiSIEM CMDB]

 

 

 

  3. In the FortiSIEM CLI, stop phParser (so that UDP port 162 is free) and run snmptrapd in the foreground with engine-time debugging, which prints the engine ID of each trap sender:

 

 

phtools --stop phParser
snmptrapd -f -Dlcd_set_enginetime -Lo

 

Note:

While snmptrapd is running on FortiSIEM, send a test trap from the FortiManager/FortiAnalyzer CLI:

 

diag test application snmpd 4

 

Watch the snmptrapd output on FortiSIEM and record the engine ID it reports for the FortiManager/FortiAnalyzer:

 

[Screenshot: snmptrapd debug output showing the sender's engine ID]

 

Press Ctrl + C to stop the command in the FortiSIEM CLI.

 

 

  4. In the FortiSIEM CLI, edit the snmptrapd configuration:

vi /etc/snmp/snmptrapd.conf

Add the following lines, replacing the placeholders with the engine ID recorded in the previous step and the SNMPv3 user, protocols and passphrases configured on FortiManager/FortiAnalyzer. Enter the lines without a leading '#': in snmptrapd.conf a '#' marks a comment and the line would be ignored.

disableAuthorization no
createUser -e 0x<engineId from FortiManager/FortiAnalyzer> <snmptrapuser> <authprotocol> <authpassphrase> <privprotocol> <privpassphrase>
authUser log,execute,net <snmptrapuser>

The -e option binds the user to the sender's engine ID, which is what allows SNMPv3 traps (as opposed to informs) to be authenticated. Because createUser stores the passphrases in clear text, keep the file readable by root only.

 

Example:

 

[Screenshot: populated snmptrapd.conf]

 

  5. In the FortiSIEM CLI, run snmptrapd again with USM debugging to confirm that traps from FortiManager/FortiAnalyzer are now authenticated and decoded:

snmptrapd -f -Dusm -Lo

 

Note:

With the command above running on FortiSIEM, send a test trap from the FortiManager/FortiAnalyzer CLI:

 

diag test application snmpd 4

 

[Screenshot: snmptrapd USM debug output showing the authenticated trap]

 

  6. Press Ctrl + C to stop snmptrapd, then start phParser again and monitor the GUI:

phtools --start phParser

 

Note:

Send another test trap and confirm that it is also visible in the FortiSIEM GUI:

 

diag test application snmpd 4

 

[Screenshot: trap event from FortiManager/FortiAnalyzer in the FortiSIEM GUI]

 

 

Note:

The Event Type shows as FortiGate-Generic because FortiSIEM parses these traps with the FortiOS generic parser. To confirm that an event came from FortiManager/FortiAnalyzer rather than from a FortiGate, open the raw event and check that the serial number it contains is that of the FortiManager/FortiAnalyzer.
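The following is an added example and not part of the Fortinet article: a small POSIX shell helper that turns the engine ID recorded in step 3 into the three snmptrapd.conf lines from step 4, rejecting malformed engine IDs and writing the file with root-only permissions. The function names, the trap user name fsmtrap and the passphrases are placeholders chosen for the example; the engine ID in the usage comment is constructed.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): render the snmptrapd.conf
# lines for a FortiManager/FortiAnalyzer SNMPv3 trap sender. Function names,
# the user name and the passphrases are placeholders.

# normalise_engine_id: accept the engine ID as snmptrapd prints it (hex bytes,
# with or without spaces or a 0x prefix) and return it as 0x<lowercase hex>.
# Anything that is not 5..32 octets of hex (the RFC 3411 limits) is rejected.
normalise_engine_id() {
    hex=$(printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'A-F' 'a-f')
    case "$hex" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    len=${#hex}
    if [ $((len % 2)) -ne 0 ] || [ "$len" -lt 10 ] || [ "$len" -gt 64 ]; then
        return 1
    fi
    printf '0x%s\n' "$hex"
}

# render_snmptrapd_conf ENGINE_ID USER AUTHPROTO AUTHPASS PRIVPROTO PRIVPASS
# Prints the three lines the article adds to /etc/snmp/snmptrapd.conf.
# No leading '#': in snmptrapd.conf that would turn the line into a comment.
render_snmptrapd_conf() {
    eid=$(normalise_engine_id "$1") || { echo "invalid engine ID: $1" >&2; return 1; }
    printf 'disableAuthorization no\n'
    printf 'createUser -e %s %s %s %s %s %s\n' "$eid" "$2" "$3" "$4" "$5" "$6"
    printf 'authUser log,execute,net %s\n' "$2"
}

# install_snmptrapd_conf FILE ENGINE_ID USER AUTHPROTO AUTHPASS PRIVPROTO PRIVPASS
# Writes the rendered config readable by the owner only, because createUser
# stores the SNMPv3 passphrases in clear text.
install_snmptrapd_conf() {
    conf=$1; shift
    ( umask 077; render_snmptrapd_conf "$@" > "$conf" ) || return 1
    chmod 600 "$conf"
}

# Usage with a constructed engine ID (take the real value from the
# -Dlcd_set_enginetime output on FortiSIEM):
#   install_snmptrapd_conf /etc/snmp/snmptrapd.conf \
#       '80 00 30 44 04 31 32 33 34 35' fsmtrap SHA 'auth-pass' AES 'priv-pass'
```

Run it as root on the FortiSIEM CLI after step 3; if normalise_engine_id rejects the value, re-check the engine ID in the snmptrapd output rather than forcing it through, since a wrong engine ID makes every trap fail USM authentication silently.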

 
