FortiSIEM
mgoswami
Staff
Article Id 339035
Description This article describes how to discover a device via SNMP in FortiSIEM and how to troubleshoot a discovery that fails.
Scope FortiSIEM.
Solution

First, confirm that the device is supported for SNMP discovery and monitoring: see the External Systems Configuration Guide, section Supported Devices And Applications by Vendor, which is referenced from both the Discovery Overview and the Performance Monitoring Overview.

 

Requirements for SNMP Device Discovery:

  • An SNMP agent must be enabled on the network device.
  • For SNMPv1/v2c, a community string must be configured on the device (read-only access is sufficient for discovery). For SNMPv3, a user with the matching authentication and privacy protocols and passphrases must exist. Note that SNMPv1/v2c send the community string in cleartext on every query, so prefer SNMPv3 with authPriv where the device supports it.
  • The FortiSIEM node that performs the discovery (the Supervisor, or the Collector assigned to the device) must be listed as an allowed host, or in the SNMP access list, on the device.
  • UDP port 161 must be reachable from the FortiSIEM node to the device; this is the port all discovery and polling queries use. UDP port 162 is used in the opposite direction, from the device to the FortiSIEM node, and only if the device is configured to send SNMP traps; it is not required for discovery.

 

To check if the discovery process is running:

Use the following command to list currently running processes:

 

phstatus

 

phDiscover is the process that performs discovery in FortiSIEM. Run phstatus on the node that performs the discovery (the Collector, if one is assigned to the device); if phDiscover is not listed as running, discovery cannot start.

 

Enable debug logging for the discovery process and agent manager with these commands:

 

phtools --change-log DEBUG phDiscover
phtools --change-log DEBUG phAgentManager

 

This changes the log level to 'DEBUG', providing more detailed information for troubleshooting.

 

Collect logs for the device:

Run the following command to monitor the logs for the device being discovered:

 

tail -f /opt/phoenix/log/phoenix.log | grep -i <ip_address_of_device>

 

Initiate discovery from the GUI: Admin -> Discovery, select the device to be discovered and click Discover. Lines that mention the device's IP address appear in the tail output while the discovery runs and after it completes.

 

After collecting the logs, set both processes back to INFO. Leaving them at DEBUG fills phoenix.log quickly and adds load on the node:

 

phtools --change-log INFO phAgentManager
phtools --change-log INFO phDiscover

 

The lines captured by the tail command show the specific error that caused the failure.

Below is an example log for failed SNMP discovery:

 
[Screenshot: example phoenix.log entries for a failed SNMP discovery (image not included)]

 

If SNMP is the discovery credential and discovery still fails, use the snmpwalk command from the FortiSIEM CLI to test the credential outside of FortiSIEM.

To test SNMP connectivity manually, open an SSH session to the node that performs the discovery (the Collector, if one is assigned to the device) and run:

 

snmpwalk -c <community> -v <version> <ip_address>

 

For example: snmpwalk -c public -v 2c 10.0.1.2

 

For SNMPv3, use:

 

snmpwalk -v 3 -u <username> -l authPriv -a <SHA|MD5> -A '<auth_passphrase>' -x <AES|DES> -X '<priv_passphrase>' <ip_address>

 

Note: Set the authentication protocol (-a) and passphrase (-A) and the privacy protocol (-x) and passphrase (-X) to exactly what is configured for that user on the device, and make sure the device allows the authPriv security level for the user; any mismatch fails the test. MD5 and DES appear in many older examples but are weak; use SHA and AES where the device supports them. Passphrases given on the command line are visible to other users on the node via ps, so this form is for interactive testing only.

 

If snmpwalk fails, discovery from the FortiSIEM GUI will fail for the same reason. Verify the following:

  • Is the SNMP agent configured and enabled on the device? On some devices the agent is a separate setting from the community or user configuration.
  • Is the SNMP allowed host (access list) correctly configured? If discovery is performed by a Collector, the allowed host must be the Collector's IP address, not the Supervisor's.
  • If using SNMPv3, test a basic SNMPv2c configuration first to separate reachability problems from SNMPv3 user, protocol or passphrase mismatches. Remove the temporary v2c community again once the test is done.
  • Check network connectivity:
    • Ensure UDP port 161 is open from the FortiSIEM node to the device (UDP 162 from the device to the FortiSIEM node is only needed if traps are expected). A "Timeout: No Response" from snmpwalk does not distinguish between a blocked port, a disabled agent, a wrong community and a host that is not allowed, because agents drop all of these requests silently.
    • Firewalls or NAT devices between the FortiSIEM node and the network device may change the source IP address of SNMP queries. The allowed-host entry on the device must then be the translated address that the device actually sees, not the node's own address.
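The phtools/tail procedure above and the snmpwalk checklist can be combined into one small script. The following is an added example written for this article, not FortiSIEM's or net-snmp's own code. It assumes net-snmp's snmpwalk is on PATH on the node, that phtools and /opt/phoenix/log/phoenix.log are as shown in the article, and the function names, the /tmp output files and the sample outputs in the comments are this example's own. The error strings it classifies are net-snmp's standard messages.

```shell
#!/bin/bash
# snmp_discovery_check.sh - added example for this article, not FortiSIEM's
# own tooling. Assumes net-snmp's snmpwalk is on PATH; the last function
# additionally assumes a FortiSIEM node with phtools and
# /opt/phoenix/log/phoenix.log as used in the article. The error strings
# matched in classify_snmp_output are net-snmp's standard messages.

# Build snmpwalk arguments for v1/v2c (community) or v3 (USM user, authPriv).
# Usage: snmp_args <1|2c|3> <target> <community|user> [authproto authpass privproto privpass]
snmp_args() {
  ver=$1; target=$2; cred=$3
  case "$ver" in
    1|2c) printf '%s\n' "-v $ver -c $cred $target" ;;
    3)    printf '%s\n' "-v 3 -u $cred -l authPriv -a ${4:-SHA} -A $5 -x ${6:-AES} -X $7 $target" ;;
    *)    echo "unsupported SNMP version: $ver" >&2; return 1 ;;
  esac
}

# Map snmpwalk output (stdout+stderr on stdin) to the checklist item it points
# at. Prints one "CODE: explanation" line; returns 0 only if OIDs came back.
# Constructed sample input: "Timeout: No Response from 10.0.1.2." -> NO_RESPONSE
classify_snmp_output() {
  out=$(cat)
  case "$out" in
    *"Timeout: No Response"*)
      echo "NO_RESPONSE: agent disabled, FortiSIEM node not an allowed host, wrong v1/v2c community, or UDP 161 blocked (agents drop all of these silently)"; return 1 ;;
    *"Unknown user name"*)
      echo "V3_UNKNOWN_USER: the SNMPv3 user does not exist on the device"; return 1 ;;
    *"Authentication failure"*)
      echo "V3_AUTH_FAILURE: wrong authentication passphrase or protocol (MD5 vs SHA)"; return 1 ;;
    *"Unsupported security level"*)
      echo "V3_SECLEVEL: the device user is not configured for authPriv"; return 1 ;;
    *"Unknown host"*)
      echo "DNS: the target name does not resolve"; return 1 ;;
    *"::"*" = "*)
      echo "OK: device answered with $(printf '%s\n' "$out" | grep -c ' = ') OIDs"; return 0 ;;
    *)
      echo "UNKNOWN: inspect the raw output"; return 1 ;;
  esac
}

# Walk only the system group (1.3.6.1.2.1.1): enough to prove the credential
# works without pulling whole MIB trees. Short timeout, one retry.
run_check() {
  args=$(snmp_args "$@") || return 2
  # shellcheck disable=SC2086  # word splitting of $args is intended
  snmpwalk -t 3 -r 1 $args 1.3.6.1.2.1.1 2>&1 | classify_snmp_output
}

# Full pass on a FortiSIEM node: raise log levels, capture phoenix.log while
# discovery runs in the GUI, then restore INFO so DEBUG is never left on.
fortisiem_debug_discovery() {
  target=$1
  raw=/tmp/phoenix_${target}.raw
  phtools --change-log DEBUG phDiscover
  phtools --change-log DEBUG phAgentManager
  tail -n0 -F /opt/phoenix/log/phoenix.log > "$raw" &
  tailpid=$!
  echo "Start discovery of $target in the GUI (Admin -> Discovery -> Discover); press Enter when it finishes."
  read -r _
  kill "$tailpid"
  phtools --change-log INFO phDiscover
  phtools --change-log INFO phAgentManager
  grep -i "$target" "$raw" > "/tmp/discovery_${target}.log"
  echo "Device-specific log lines saved to /tmp/discovery_${target}.log"
}

# Entry points (nothing runs when the file is only sourced):
#   ./snmp_discovery_check.sh check 2c 10.0.1.2 public
#   ./snmp_discovery_check.sh check 3 10.0.1.2 fsmuser SHA '<auth>' AES '<priv>'
#   ./snmp_discovery_check.sh debug 10.0.1.2
case "${1:-}" in
  check) shift; run_check "$@" ;;
  debug) fortisiem_debug_discovery "$2" ;;
esac
```

Run the check form from the node that will perform the discovery, since that is the source address the device's allowed-host list must contain. The NO_RESPONSE code deliberately lists several causes: an SNMP agent drops requests with a wrong community, from an unlisted host, or while disabled without any reply, so a timeout alone cannot tell them apart, which is why the checklist falls back to a plain v2c test before debugging v3 settings.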

Working through these steps identifies and resolves most FortiSIEM SNMP discovery failures.