I am trying to integrate a FortiGate into a monitoring tool.
As we have the switches monitored using SNMPv3, I tried that with the FortiGate as well, but no luck.
I'll test anything with Paessler SNMP Tester, which is a handy little tool for checking whether SNMP works "in general".
Device to monitor:
FortiGate 110C HA running 5.0.7
allow SNMP on interface
System -> Config -> SNMP
enable SNMP Agent
Add something in SNMPv3:
Auth & priv pass: "12345678"
Regardless of encryption and/or auth protocol I can not query the FGT (which works fine with the switches).
I added a v2 community that worked fine.
Any hints on how to use SNMPv3?
Assuming you have the allow query checkbox enabled (it is by default) and have something for notification host, your config seems like it should respond to queries.
What are you using to query, do you have the syntax if it's snmpget? Have you tried doing a capture/flow trace on the FortiGate to ensure traffic isn't getting dropped for some reason, i.e. an interface policy in place etc.?
Do you have any view enabled?
Do you have SNMP allowaccess on the interface you're querying?
Did you do a diag debug flow?
Did you do a diag debug app snmpd -1 and diag debug en? Remember to reset and disable it after you're done.
Here's a post on SNMPv3 and a few devices;
@emnoc: I have allowaccess for SNMP (as it works fine with SNMPv2).
Views? I must admit I only used the FortiGate GUI; there I can't configure any views.
I found the link by myself, but it does not really help..
@Warren: I have the query checkbox checked (as it queries fine with SNMPv2). I query using the Paessler SNMP Tester (for tests) and query system uptime and standard interfaces, both giving out data over SNMPv2. Using v3 does not change the query itself, so I don't expect any problems.
I'll do some more tests..
Doing a debug app snmp -1
shows an errno 48 (USM decryption error), while I am pretty sure that my password (and mechanism) is correct.
Did you run diag debug app snmpd -1 like suggested earlier? It will tell you what's the problem or give you an idea as to where to go next.
Also be advised that the password length and special characters could be an issue. Take a simple pass-phrase 1st before inserting a complex one.
Then work backwards from that point. You need to apply the correct pass-phrase for both authentication and encryption.
Yes, I did some further research.
SNMPv3 works with (this tool) and auth/no priv.
Every try to encrypt my PDUs did not result in a working solution.
diag debug snmp shows errno 48 (USM decryption error) if I use the correct encryption type, and errno 44 if I misconfigure one side.
Will do some lab setup with other tools when I return..
I will update this thread once I find the solution (in either the test tool or the FortiGate).
Be advised, some SNMP tools don't support all of the encryption types.
e.g. (under my BSD host)
set authentication protocol (MD5|SHA)
set privacy protocol (DES|AES)
While others support DES, AES and 3DES, even though the specs never selected 3DES for SNMP. If in doubt, run the test from a Unix host with the proper protocol and auth-type.
Here' s my working SNMPv3 user;
config system snmp user
edit " nmsuser"
set security-level auth-priv
set auth-pwd ENC AAAAqop1mfcLSm5tIddCKgN8N157KfKxx59hX12S0uCgVfCYs13kXIpbmuFy1RqiaJzt4MlynF5FfPPjCktNwtxTU/vgLqyOSGNgTp2tu8Lgx4uY
set priv-pwd ENC AAAAqop1mfcLSm5tIddCKgN8N157KfKxx59hX12S0uCgVfCYubA1XOW3RWbIPqpk4WbUsT7D1yPFkJGZFSIF35zkbvkF32dnrde2AB0QFn1zyt17
This should default to SHA and AES128 for FortiOS.
But you are on the right track with your diagnostics.