Coldforest
New Contributor

SNMPv3 Users and usmUserTable Walk

Hello,

   I've enabled the SNMP agent on a FortiGate 60E (v5.6.12) and configured a single SNMPv3 user (w/auth+priv). I can walk the MIB tree from another system via SNMPv3 and this user. However, the MIB tree view appears to exclude the SNMP-USER-BASED-SM-MIB MIB (e.g., nothing displayed for usmUserTable). Is there a default VACM view that's configured that restricts this portion of the tree? How do I change this and/or how can I retrieve the portion of the MIB tree under 'snmpV2 (i.e., 1.1.3.6.1.6)? Other portions of the 'internet' branch (1.1.3.6.1) are walked successfully, including the FORTINET enterprise MIB objects (under 1.1.3.6.1.4.1).

   In addition (likely related to the above restriction) I'm unable to add SNMPv3 users to the usmUserTable via SNMPv3 (e.g., via the Linux 'snmpusm' command). The SNMP Manager I use would like to be able to do this for any SNMPv3 agent's that it manages.

Thanks.
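As an added example (not from this thread, and not Fortinet's or net-snmp's code): a small Python check that parses a usmUserTable walk in net-snmp "-On" form, decodes the engineID+userName index the way RFC 3414 defines it, and reports each user's effective security level. The walk lines, engine ID and user names are constructed; an empty or "No Such Object" walk, which is what this thread describes, simply yields no users.

```python
import re

# Constructed snmpwalk -On style output of usmUserTable (RFC 3414) for two users;
# column 5 = usmUserAuthProtocol, column 8 = usmUserPrivProtocol. The index is
# usmUserEngineID then usmUserName, both variable-length OCTET STRINGs, so each
# is encoded as a length sub-id followed by that many byte sub-ids.
WALK = """\
.1.3.6.1.6.3.15.1.2.2.1.5.5.128.0.0.0.1.5.97.108.105.99.101 = OID: .1.3.6.1.6.3.10.1.1.3
.1.3.6.1.6.3.15.1.2.2.1.5.5.128.0.0.0.1.3.98.111.98 = OID: .1.3.6.1.6.3.10.1.1.1
.1.3.6.1.6.3.15.1.2.2.1.8.5.128.0.0.0.1.5.97.108.105.99.101 = OID: .1.3.6.1.6.3.10.1.2.4
.1.3.6.1.6.3.15.1.2.2.1.8.5.128.0.0.0.1.3.98.111.98 = OID: .1.3.6.1.6.3.10.1.2.1
"""
AUTH = {"1.3.6.1.6.3.10.1.1.1": "noAuth", "1.3.6.1.6.3.10.1.1.2": "HMAC-MD5",
        "1.3.6.1.6.3.10.1.1.3": "HMAC-SHA"}
PRIV = {"1.3.6.1.6.3.10.1.2.1": "noPriv", "1.3.6.1.6.3.10.1.2.2": "DES",
        "1.3.6.1.6.3.10.1.2.4": "AES-128"}
LINE = re.compile(r"^\.?1\.3\.6\.1\.6\.3\.15\.1\.2\.2\.1\.(\d+)\.([\d.]+) = OID: (\S+)$")

def decode_index(subids):
    """Split the instance sub-ids into (engineID hex, userName)."""
    n = subids[0]
    engine = bytes(subids[1:1 + n])
    m = subids[1 + n]
    name = bytes(subids[2 + n:2 + n + m])
    if len(engine) != n or 2 + n + m != len(subids):
        raise ValueError("malformed usmUserTable index: %r" % (subids,))
    return engine.hex(), name.decode("ascii", "replace")

def security_level(auth, priv):
    if auth == "noAuth":
        return "noAuthNoPriv"
    return "authNoPriv" if priv == "noPriv" else "authPriv"

def parse_usm_walk(lines):
    """Return {userName: {engine, auth, priv, level}}; non-row lines (e.g. 'No Such Object') are skipped."""
    users = {}
    for line in lines:
        mo = LINE.match(line.strip())
        if not mo:
            continue
        col, index, oid = mo.groups()
        engine, name = decode_index([int(x) for x in index.split(".")])
        rec = users.setdefault(name, {"engine": engine, "auth": "unknown", "priv": "unknown"})
        if col == "5":
            rec["auth"] = AUTH.get(oid.lstrip("."), oid)
        elif col == "8":
            rec["priv"] = PRIV.get(oid.lstrip("."), oid)
    for rec in users.values():
        rec["level"] = security_level(rec["auth"], rec["priv"])
    return users

def weak_users(users):
    return sorted(n for n, r in users.items() if r["level"] != "authPriv")
```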

emnoc
Esteemed Contributor III

If the snmpwalk is giving you a "no item left in this MIB view" or whatever the wording, then that branch of the tree does not exist.

And no, no default VACM view control exists.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  
Coldforest

Hi,

 

"...than that branch of the tree does not exist."

That would be paradoxical since the SNMPv3 user was necessarily defined in this part of the tree (??). Backing up a step, the "create SNMPv3 user" does imply that this is creating an SNMPv3 user as per the User Security Model (USM), which necessarily means the user will appear in the usmUserTable from this SNMP-USER-BASED-SM-MIB.

 

What am I missing here?

emnoc
Esteemed Contributor III

That is true and dandy but does not mean it's supported in FortiOS. You can confirm with support but not all "std" parts or what we suspect are std MIBs are supported.

FWIW, I just walked 6.4.3 and got zero responses also. I also still believe in FortiOS VACM is not supported. Junos and Cisco IOS yes, but in FortiOS not 100% supported. Maybe someone from FTNT will chime in.

 

You can also 100% confirm in the snmpv3 user config section, no view based sub-config sections.

e.g.

    config system snmp user
        edit "kfelix"
            set security-level auth-priv
            set auth-pwd ENC MTAwNIMzwiwTlKnxwxi7rwWuIuWpu1uEVJ0qIWr8WHFHmi9QpNSubFg1m6U9BErvQO6LvHQ5CnV43615JqrRuoNRkylk05w96KgbmwXRQ0dfDtcRF3XQ1nri26RGAR3FqktxWSxjiu5WiSaRV43Gjh1e8Ve5DsG6fzRq/tShKFDIOqCUMEs7L+ycA7rnDN0P2y8Yzw==
            set priv-pwd ENC MTAwNIMzwiwTlKnxwxi7rwWuIuWpu1uEVJ0qIWr8WHFHmi9QpNSubFg1m6U9BErvQO6LvHQ5CnV43615JqrRuoNRkylk05w96KgbmwXRQ0dfDtcRF3XQ1nri26RGAR3FqktxWSxjiu5WiSaRV43Gjh1e8Ve5DsG6fzRq/tShKFDIOqCUMEs7L+ycA7rnDN0P2y8Yzw==
        next
    end

 

Ken Felix

 

edited: IIRC a NFR was submitted for this feature, maybe someone from FTNT support can confirm this NFR. I think one of the RFI/RFP I was on for a military branch asked for this feature a few years back. I never followed up on this. BTW JNPR won that bid. Let us know what you find out and if you do contact support. I'm curious.
Coldforest

"That is true and dandy but does not mean it's supported in fortios. You can confirm with support but not all "std"  parts or what we suspect are std MIBs are supported."

 

Unless support follows these threads I guess I will otherwise need to contact them directly. The supported RFCs listed for FIOS v5.6 (https://docs.fortinet.com/document/fortigate/5.6.3/fortinet-supported-rfcs) indicate RFC 3414 (SNMPv3 USM) is indeed supported. The usmUserTable (et al) must necessarily then be supported. So there must be something more intricate that's in play here. Presumably support will know more.

emnoc
Esteemed Contributor III

I will contact support and give them that doc and also https://docs.fortinet.com/document/fortigate/6.4.0/supported-rfcs/40959/snmp and see what they say. Also ask them to update you on the NFR (new feature request) and the status on just this.

My understanding is they are NOT supporting the full RFC. You can have them check the global settings and then config sys snmp xxxx to see if some hidden command enables it. I doubt you will find it. I just did a search in the 6.4.x administration guide and also did not find anything.

 

Post what support finds for others to know.

 

Ken Felix
