SNMP


Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network. You can configure the hardware, such as the FortiGate SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers. An SNMP manager, or host, is typically a computer running an application that can read the incoming trap and event messages from the agent and send out SNMP queries to the SNMP agents. A FortiManager unit can act as an SNMP manager to one or more FortiGate units. FortiOS supports SNMP using IPv4 and IPv6 addressing.

By using an SNMP manager, you can access SNMP traps and data from any FortiGate interface or VLAN subinterface configured for SNMP management access. Part of configuring an SNMP manager is to list it as a host in a community on the FortiGate unit it will be monitoring. Otherwise, the SNMP monitor will not receive any traps from that FortiGate unit or be able to query that unit.

The FortiGate SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read-only access to FortiGate system information through queries and can receive trap messages from the FortiGate unit.

To monitor FortiGate system information and receive FortiGate traps, you must first compile the Fortinet and FortiGate Management Information Base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP manager. These MIBs provide information the SNMP manager needs to interpret the SNMP trap, event, and query messages sent by the FortiGate unit SNMP agent.

FortiGate core MIB files are available for download by going to System > Config > SNMP and selecting the download link on the page.

The Fortinet implementation of SNMP includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II). For more information, see “Fortinet MIBs”. RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and partial support of User-based Security Model (RFC 3414).

SNMP traps alert you to events that occur, such as a full log disk or a detected virus.

SNMP fields contain information about the FortiGate unit, such as CPU usage percentage or the number of sessions. This information is useful for monitoring the condition of the unit on an ongoing basis and to provide more information when a trap occurs.

The FortiGate SNMP v3 implementation includes support for queries, traps, authentication, and privacy. Authentication and encryption are configured in the CLI. See the system snmp user command in the FortiGate CLI Reference.

 

SNMP configuration settings

Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections by going to System > Network > Interface. Select the interface and, in the Administrative Access, select SNMP.

For VDOMS, SNMP traps can only be sent on interfaces in the management VDOM. Traps cannot be sent over other interfaces outside the management VDOM.

To configure SNMP settings, go to System > Config > SNMP.

SNMP Agent                              Select to enable SNMP communication.

Description                                Enter descriptive information about the FortiGate unit. The description can be up to 35 characters.

Location                                     Enter the physical location of the FortiGate unit. The system location description can be up to 35 characters long.

Contact                                       Enter the contact information for the person responsible for this FortiGate unit. The contact information can be up to 35 characters.

SNMP v1/v2c section

To create a new SNMP community, see SNMP Community page.

Community Name                     The name to identify the community.

Queries                                       Indicates whether query protocols (v1 and v2c) are enabled or disabled. A green check mark indicates queries are enabled; a gray x indicates queries are disabled. If one query protocol is disabled and the other enabled, there will still be a green check mark.

Traps                                         Indicates whether trap protocols (v1 and v2c) are enabled or disabled. A green check mark indicates traps are enabled; a gray x indicates traps are disabled. If one trap protocol is disabled and the other enabled, there will still be a green check mark.

Enable                                        Select the check box to enable or disable the community.

SNMP v3 section

To create a new SNMP v3 user, see Create New SNMP V3 User.

User Name                                 The name of the SNMPv3 user.

Security Level                            The security level of the user.

Notification Host                       The IP address or addresses of the host.

Queries                                       Indicates whether queries are enabled or disabled. A green check mark indicates queries are enabled; a gray x indicates queries are disabled.

New SNMP Community page

Community Name                     Enter a name to identify the SNMP community.

Hosts (section)

 

IP Address                                 Enter the IP address to identify the SNMP managers that can use the settings in this SNMP community to monitor the FortiGate unit.

You can also set the IP address to 0.0.0.0 so that any SNMP manager can use this SNMP community.

Interface                                     Optionally, select the name of the interface that this SNMP manager uses to connect to the FortiGate unit. You only have to select the interface if the SNMP manager is not on the same subnet as the FortiGate unit. This can occur if the SNMP manager is on the Internet or behind a router.

In virtual domain mode, the interface must belong to the management VDOM to be able to pass SNMP traps.

Delete                                         Removes an SNMP manager from the list within the Hosts section.

Add                                             Select to add a blank line to the Hosts list. You can add up to eight SNMP managers to a single community.

Queries (section)

Protocol                                      The SNMP protocol. In the v1 row, this means that the settings are for SNMP v1. In the v2c row, this means that the settings are for SNMP v2c.

Port                                             Enter the port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiGate unit. Select the Enable check box to activate queries for each SNMP version.

Note: The SNMP client software and the FortiGate unit must use the same port for queries.

Enable                                        Select to enable that SNMP protocol.

Traps (section)

Protocol                                      The SNMP protocol. In the v1 row, this means that the settings are for SNMP v1. In the v2c row, this means that the settings are for SNMP v2c.

Local                                           Enter the local port numbers (port 162 for each by default) that the FortiGate unit uses to send SNMP v1 or SNMP v2c traps to the SNMP managers in this community. Select the Enable check box to activate traps for each SNMP version.

Note: The SNMP client software and the FortiGate unit must use the same port for traps.

 

Remote                                       Enter the remote port number (port 162 is the default) that the FortiGate unit uses to send SNMP v1 or v2c traps to the SNMP managers in this community.

Note: The SNMP client software and the FortiGate unit must use the same port for traps.

 

Enable                                        Select to activate traps for each SNMP version.

 

SNMP Event                               Enable each SNMP event for which the FortiGate unit should send traps to the SNMP managers in this community.

 

The sensitivity of the CPU over-usage trap is slightly reduced by spreading values out over 8 polling cycles. This prevents sharp spikes caused by CPU-intensive short-term events, such as changing a policy, from triggering the trap.

The Power Supply Failure event trap is available only on some models.

The AMC interfaces enter bypass mode event trap is available only on models that support AMC modules.

 

Enable                                        Select to enable the SNMP event.

 

Create New SNMP V3 User

User Name                                 Enter the name of the user.

 

Security Level                            Select the type of security level the user will have.

 

Notification Host                       Enter the IP address of the notification host. If you want to add more than one host, after entering the IP address of the first host, select the plus sign to add another host.

 

Enable Query                             Select to enable or disable the query. By default, the query is enabled.

 

Port                                             Enter the port number in the field.

 

Events                                         Select the SNMP events that will be associated with that user.

 

Gigabit interfaces

When determining the interface speed of a FortiGate unit with a 10G interface, IF-MIB.ifSpeed may not return the correct value. IF-MIB.ifSpeed is a 32-bit gauge that reports interface speeds in bits/second and cannot be converted to a 64-bit value; a 32-bit counter wraps too quickly to be accurate at 10 Gb/s.

In this case, you can use the value ifHighSpeed. It reports interface speeds in megabits/second. This ensures that 10Gb interfaces report the correct value.

 

SNMP agent

You need to first enter information and enable the FortiGate SNMP Agent. Enter information about the FortiGate unit to identify it so that when your SNMP manager receives traps from the FortiGate unit, you will know which unit sent the information.

 

To configure the SNMP agent – web-based manager

1. Go to System > Config > SNMP.

2. Select Enable for the SNMP Agent.

3. Enter a descriptive name for the agent.

4. Enter the location of the FortiGate unit.

5. Enter a contact or administrator for the SNMP Agent or FortiGate unit.

6. Select Apply.

 

To configure SNMP agent – CLI

config system snmp sysinfo
    set status enable
    set contact-info <contact_information>
    set description <description_of_FortiGate>
    set location <FortiGate_location>
end

 

SNMP community

An SNMP community is a grouping of devices for network administration purposes. Within that SNMP community, devices can communicate by sending and receiving traps and other information. One device can belong to multiple communities, such as one administrator terminal monitoring both a firewall SNMP and a printer SNMP community.

Add SNMP communities to your FortiGate unit so that SNMP managers can connect to view system information and receive SNMP traps.

You can add up to three SNMP communities. Each community can have a different configuration for SNMP queries and traps. Each community can be configured to monitor the FortiGate unit for a different set of events. You can also add the IP addresses of up to 8 SNMP managers to each community.

When the FortiGate unit is in virtual domain mode, SNMP traps can only be sent on interfaces in the management virtual domain. Traps cannot be sent over other interfaces.

 

To add an SNMP v1/v2c community – web-based manager

1. Go to System > Config > SNMP.

2. In the SNMP v1/v2c area, select Create New.

3. Enter a Community Name.

4. Enter the IP address and Identify the SNMP managers that can use the settings in this SNMP community to monitor the FortiGate unit.

5. Select the interface if the SNMP manager is not on the same subnet as the FortiGate unit.

6. Enter the Port number that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiGate unit. Select the Enable check box to activate queries for each SNMP version.

7. Enter the Local and Remote port numbers that the FortiGate unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community.

8. Select the Enable check box to activate traps for each SNMP version.

9. Select OK.

 

To add an SNMP v1/v2c community – CLI

config system snmp community
    edit <index_number>
        set events <events_list>
        set name <community_name>
        set query-v1-port <port_number>
        set query-v1-status {enable | disable}
        set query-v2c-port <port_number>
        set query-v2c-status {enable | disable}
        set status {enable | disable}
        set trap-v1-lport <port_number>
        set trap-v1-rport <port_number>
        set trap-v1-status {enable | disable}
        set trap-v2c-lport <port_number>
        set trap-v2c-rport <port_number>
        set trap-v2c-status {enable | disable}
end

 

To add an SNMP v3 community – web-based manager

1. Go to System > Config > SNMP.

2. In the SNMP v3 area, select Create New.

3. Enter a User Name.

4. Select a Security Level and associated authorization algorithms.

5. Enter the IP address of the Notification Host SNMP managers that can use the settings in this SNMP community to monitor the FortiGate unit.

6. Enter the Port number that the SNMP managers in this community use to receive configuration information from the FortiGate unit. Select the Enable check box to activate queries for each SNMP version.

7. Select the Enable check box to activate traps.

8. Select OK.

 

To add an SNMP v3 community – CLI

config system snmp user
    edit <index_number>
        set security-level {auth-priv | auth-no-priv | no-auth-no-priv}
        set queries enable
        set query-port <port_number>
        set notify-hosts <ip_address>
        set events <event_selections>
end

 

Enabling on the interface

Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections.

 

To configure SNMP access – web-based manager

1. Go to System > Network > Interface.

2. Choose an interface that an SNMP manager connects to and select Edit.

3. In Administrative Access, select SNMP.

4. Select OK.

 

To configure SNMP access – CLI

config system interface
    edit <interface_name>
        set allowaccess snmp
end

 

 

If the interface you are configuring already has protocols that are allowed access, use the command append allowaccess snmp instead, or else the other protocols will be replaced. For more information, see Adding and removing options from lists.

Fortinet MIBs

The FortiGate SNMP agent supports Fortinet proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiGate unit configuration.

There are two MIB files for FortiGate units – the Fortinet MIB, and the FortiGate MIB. The Fortinet MIB contains traps, fields and information that is common to all Fortinet products. The FortiGate MIB contains traps, fields and information that is specific to FortiGate units. Each Fortinet product has its own MIB. If you use other Fortinet products you will need to download their MIB files as well. Both MIB files are used for FortiOS and FortiOS Carrier; there are no additional traps for the Carrier version of the operating system.

The Fortinet MIB and FortiGate MIB, along with the two RFC MIBs, are listed in tables in this section. You can download the two FortiGate MIB files from Fortinet Customer Support. The Fortinet MIB contains information for Fortinet products in general; the Fortinet FortiGate MIB includes the system information for the FortiGate unit and version of FortiOS. Both files are required for proper SNMP data collection.

To download the MIB files, go to System > Config > SNMP and select a MIB link in the FortiGate SNMP MIB section.

Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIB to this database to have access to the Fortinet specific information.

There were major changes to the MIB files between FortiOS Carrier v3.0 and v4.0. You need to use the new MIBs for FortiOS Carrier v4.0 or you may mistakenly access the wrong traps and fields.

MIB files are updated for each version of FortiOS. When upgrading the firmware, ensure that you update the Fortinet FortiGate MIB file as well.

 

Fortinet MIBs

MIB file name or RFC             Description

FORTINET-CORE-MIB.mib         The Fortinet MIB includes all system configuration information and trap information that is common to all Fortinet products. Your SNMP manager requires this information to monitor FortiGate unit configuration settings and receive traps from the FortiGate SNMP agent.

FORTINET-FORTIGATE-MIB.mib    The FortiGate MIB includes all system configuration information and trap information that is specific to FortiGate units. Your SNMP manager requires this information to monitor FortiGate configuration settings and receive traps from the FortiGate SNMP agent. FortiManager systems require this MIB to monitor FortiGate units.

RFC 1213 (MIB II)                     The FortiGate SNMP agent supports MIB II groups with these exceptions:

  • No support for the EGP group from MIB II (RFC 1213, sections 3.11 and 6.10).
  • Protocol statistics returned for MIB II groups (IP/ICMP/TCP/UDP/etc.) do not accurately capture all FortiGate traffic activity. More accurate information can be obtained from the information reported by the Fortinet MIB.

RFC 2665 (Ethernet-like MIB)   The FortiGate SNMP agent supports Ethernet-like MIB information. FortiGate SNMP does not support the dot3Tests and dot3Errors groups.

 

SNMP get command syntax

Normally, to get configuration and status information for a FortiGate unit, an SNMP manager uses an SNMP get command to read the information in a MIB field. The SNMP get command syntax is similar to:

snmpget -v2c -c <community_name> <address_ipv4> {<OID> | <MIB_field>}

where:

<community_name> is an SNMP community name added to the FortiGate configuration. You can add more than one community name to a FortiGate SNMP configuration. The most commonly used community name is public.

<address_ipv4> is the IP address of the FortiGate interface that the SNMP manager connects to.

{<OID> | <MIB_field>} is the object identifier (OID) for the MIB field or the MIB field name itself.

The following SNMP get commands retrieve the firmware version running on the FortiGate unit. The community name is public. The IP address of the interface configured for SNMP management access is 10.10.10.1. The firmware version MIB field is fgSysVersion and the OID for this MIB field is 1.3.6.1.4.1.12356.101.4.1.1. The first command uses the MIB field name and the second uses the OID:

snmpget -v2c -c public 10.10.10.1 fgSysVersion.0

snmpget -v2c -c public 10.10.10.1 1.3.6.1.4.1.12356.101.4.1.1.0

The OIDs and object names used in these examples are dependent on the version of MIB and are subject to change.
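The fgSysVersion.0 query above, built and decoded by hand with BER encoding so the bytes that snmpget -v2c sends and receives are visible. This is an added example, not FortiOS, Fortinet or net-snmp code; it uses the page's community name public and the OID 1.3.6.1.4.1.12356.101.4.1.1.0, and the firmware string mentioned in the comments is a constructed sample, not a real device reply.

```python
FG_SYS_VERSION_OID = "1.3.6.1.4.1.12356.101.4.1.1.0"  # fgSysVersion.0, the OID used on the page


def ber_length(n):
    if n < 128:  # short form: the length fits in one byte
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body  # long form: 0x80|count, then count bytes


def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_integer(value):
    # non-negative INTEGER; the extra 0x00 keeps values with the high bit set positive
    return tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # the first two arcs fold into one byte
    for arc in arcs[2:]:  # remaining arcs are base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id=1):
    """Message ::= SEQUENCE { version INTEGER(1), community OCTET STRING, GetRequest-PDU [0] }"""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))  # the value is NULL in a request
    pdu = tlv(0xA0, ber_integer(request_id) + ber_integer(0) + ber_integer(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_integer(1) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    """Decode one TLV at pos; returns (tag, payload, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def response_value(packet):
    """Return (tag, payload) of the first varbind value in a GetResponse (PDU tag 0xA2)."""
    # For the page's query the reply carries tag 0x04 (OCTET STRING), e.g. b"v5.4.0,build1011"
    # (constructed sample value, not a captured device reply).
    _, msg, _ = read_tlv(packet)
    p = read_tlv(msg, read_tlv(msg)[2])[2]  # skip version and community
    tag, pdu, _ = read_tlv(msg, p)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU, tag 0x%02x" % tag)
    p = 0
    for _ in range(3):  # request-id, error-status, error-index
        p = read_tlv(pdu, p)[2]
    _, varbind, _ = read_tlv(read_tlv(pdu, p)[1])  # varbind list -> first varbind
    return read_tlv(varbind, read_tlv(varbind)[2])[:2]  # skip the OID, keep the value
```

Send the bytes from build_get_request() to the FortiGate interface on UDP port 161 (the default query port configured in the community) with a plain datagram socket and pass the reply to response_value(); the returned tag 0x04 marks an OCTET STRING holding the version text.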



This entry was posted in FortiOS, FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
