Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jan_Scholten
Contributor

SNMPv3 no luck with that

I am trying to integrate Fortigate in a monitoring tool. As we have the switches monitored using SNMPv3, I tried that with Fortigate as well, but no luck. I'll test anything with Paessler SNMP-tester, which is a handy little tool for checking whether SNMP works "in general".

Device to monitor: Fortigate 110C HA running 5.0.7

Setup:
- allow SNMP on interface
- System -> Config -> SNMP: enable SNMP Agent
- Add something in SNMPv3: User: FortigateV3, Auth & private Pass: "12345678"

Regardless of encryption and/or Auth Protocol I can not query the FGT (which works fine with the switches). I added a V2 community that worked fine. Any hints on how to use SNMPv3?
6 REPLIES
Warren_Olson_FTNT

Assuming you have the allow query checkbox enabled (it is by default) and have something for notification host, your config seems like it should respond to queries. What are you using to query, do you have the syntax if it's snmpget? Have you tried doing a capture/flow trace on the fortigate to ensure traffic isn't getting dropped for some reason, i.e. an interface policy in place etc?
emnoc
Esteemed Contributor III

Qs: Do you have any view enabled? Do you have SNMP allowaccess on the interface you're querying? Did you do a diag debug flow? Did you do a diag debug app snmpd -1 and diag debug en (remember to reset and disable it after you're done)? Here's a post on SNMPv3 and a few devices: http://socpuppet.blogspot.com/2012/12/snmpv3-for-security.html
PCNSE NSE StrongSwan
Jan_Scholten
Contributor

@emnoc: I have allowaccess for SNMP (as it works fine with SNMPv2). Views? I must admit I only used the Fortigate GUI; there I can't configure any views. I found the link by myself, but it does not really help.

@Warren: I have the query checkbox checked (as it queries fine with SNMPv2). I query using the Paessler snmptester (for tests) and query system uptime and standard interfaces, both giving out data over SNMPv2. Using v3 does not change the query itself, so I don't expect any problems. I'll do some more tests. Doing a debug app snmp -1 shows an errno 48 (USM decryption error) while I am pretty sure that my password (and mechanism) is correct.
emnoc
Esteemed Contributor III

Did you run diag debug app snmpd -1 like suggested earlier? It will tell you what's the problem or give you an idea as to where to go next. Also be advised that the password length and special characters could be an issue also. Take a simple pass-phrase 1st before inserting a complex one, e.g. mysimplepassword vs my^3t*d3gd(yhere. Then work backwards from that point. You need to apply the correct pass-phrase for both authentication and encryption.
PCNSE NSE StrongSwan
Jan_Scholten
Contributor

Yes, I did some further research. SNMPv3 works with (this tool) and auth/no priv. Every try to encrypt my PDUs did not result in a working solution. diag debug snmp shows errno 48 (USM decryption error) if I use the correct encryption type, and errno 44 if I misconfigure one side. Will do some lab setup with other tools when I return. I will update this thread once I find the solution (in either the test tool or the Fortigate).
emnoc
Esteemed Contributor III

USM decryption error

Be advised, some SNMP tools don't support all of the encryption types, e.g. (under my BSD host):

    set authentication protocol (MD5|SHA)
    set privacy protocol (DES|AES)

While others support DES, AES and 3DES, even though the specs never selected 3DES for SNMP. If in doubt, run the test from a Unix host with the proper protocol and auth-type. Here's my working SNMPv3 user:

    config system snmp user
        edit "nmsuser"
            set security-level auth-priv
            set auth-pwd ENC AAAAqop1mfcLSm5tIddCKgN8N157KfKxx59hX12S0uCgVfCYs13kXIpbmuFy1RqiaJzt4MlynF5FfPPjCktNwtxTU/vgLqyOSGNgTp2tu8Lgx4uY
            set priv-pwd ENC AAAAqop1mfcLSm5tIddCKgN8N157KfKxx59hX12S0uCgVfCYubA1XOW3RWbIPqpk4WbUsT7D1yPFkJGZFSIF35zkbvkF32dnrde2AB0QFn1zyt17
        next
    end

This should default to SHA and AES128 for FortiOS. But you are on the right track with your diagnostics.
PCNSE NSE StrongSwan
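The "USM decryption error" discussed in this thread usually means the manager and the agent derived different privacy key material. The example below is added here and is not code from the thread or from Fortinet; it implements the RFC 3414 password-to-key and key-localization steps (hashlib only, runs offline) and shows that the same priv password yields different keys when the auth protocol (MD5 vs SHA) or the agent's engine ID differs. The password "maplesyrup" and the engine ID 0x000000000000000000000002 are the RFC 3414 appendix A test vectors; the second engine ID is a constructed value used only to show the effect of localization.

```python
import hashlib

# RFC 3414 appendix A test-vector inputs (not values from this thread).
RFC3414_PASSWORD = b"maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed second engine ID, to show that localized keys are per-agent.
OTHER_ENGINE_ID = bytes.fromhex("8000000003000c29aabbcc")

# Hash used for key derivation is selected by the *auth* protocol, even for priv keys.
HASH_FOR_AUTH_PROTO = {"MD5": "md5", "SHA": "sha1"}
# Bytes of localized key consumed by the privacy protocol (DES: 8 key + 8 pre-IV; AES128: 16-byte key).
PRIV_KEY_LEN = {"DES": 16, "AES128": 16}


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash exactly 1 MiB of the password repeated cyclically (Ku)."""
    if not password:
        raise ValueError("USM passwords must be non-empty (and at least 8 chars by the RFC)")
    total = 1_048_576
    buf = (password * (total // len(password) + 1))[:total]
    return hashlib.new(hash_name, buf).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), binding the key to one agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_auth_key(password: bytes, engine_id: bytes, auth_proto: str) -> bytes:
    hash_name = HASH_FOR_AUTH_PROTO[auth_proto]
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def usm_priv_key(password: bytes, engine_id: bytes, auth_proto: str, priv_proto: str) -> bytes:
    """Priv key uses the same derivation as the auth key, then is truncated for the cipher."""
    full = usm_auth_key(password, engine_id, auth_proto)
    return full[: PRIV_KEY_LEN[priv_proto]]


def keys_match(manager: dict, agent: dict) -> bool:
    """True only if both sides derive identical priv key material for the same agent engine ID.

    Each side dict: {"pass": bytes, "auth": "MD5"|"SHA", "priv": "DES"|"AES128"}.
    A False here is the condition that surfaces as a USM decryption error on the agent.
    """
    engine_id = agent["engine_id"]
    k_manager = usm_priv_key(manager["pass"], engine_id, manager["auth"], manager["priv"])
    k_agent = usm_priv_key(agent["pass"], engine_id, agent["auth"], agent["priv"])
    return k_manager == k_agent and manager["priv"] == agent["priv"]


if __name__ == "__main__":
    agent = {"pass": RFC3414_PASSWORD, "auth": "SHA", "priv": "AES128", "engine_id": RFC3414_ENGINE_ID}
    good = {"pass": RFC3414_PASSWORD, "auth": "SHA", "priv": "AES128"}
    wrong_auth = {"pass": RFC3414_PASSWORD, "auth": "MD5", "priv": "AES128"}
    print("SHA localized key:", usm_auth_key(RFC3414_PASSWORD, RFC3414_ENGINE_ID, "SHA").hex())
    print("matching config  :", keys_match(good, agent))
    print("auth mismatch    :", keys_match(wrong_auth, agent))
```

The takeaway for the errno 48 case in the thread: even with the correct priv password, an auth protocol that differs from what the agent uses, or a tool that localizes against a stale engine ID, produces different priv key bytes, and the agent reports a decryption error rather than a bad password.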