FortiWLC – Configuring SNMP

Enabling, Disabling, and Reloading SNMP

Once an SNMP configuration is complete, enable it with the command snmp start:

controller# snmp start

To turn off SNMP messaging, use the command snmp stop:

controller# snmp stop

To reload the SNMP module, use the command reload-snmp:

controller# reload-snmp

SNMP Version 3 Support

The SNMPv3 architecture, supported by FortiWLC (SD) 4.0 and later, incorporates new descriptions for SNMP Entities (Managers, Agents, Proxy Forwarders), updated message formats, and standard MIBs used to configure access to entities. The SNMP Agent on FortiWLC is multi-lingual: it supports SNMPv1, SNMPv2c, and SNMPv3 simultaneously, provided the corresponding configuration is correct (the snmp-community table for SNMPv1/v2c, snmpv3-user for SNMPv3). New features include:

  • Security levels for user authentication using entity shared secret keys
  • Message time stamps
  • Data secrecy using encryption
  • Control of user access to MIB information based on the need to know

Security Levels

SNMPv3 provides both security levels and security models. A security level is the permitted level of security within a security model. A combination of a security level and a security model determines which security mechanism is employed when handling an SNMP packet. (See Combinations of Security Levels and Security Models in this document.) SNMPv3 messages can be sent at any of the following three security levels:

  • No Authentication and No Encryption: also called noAuth/noPriv (Priv refers to privacy). With this security, only a valid user name is required to access data or to send a trap.
  • Authentication and No Encryption: also called Auth/noPriv. With this security, you must be authenticated as a valid user for a message to be accepted. Authentication is accomplished by sharing a secret key and using that key to produce a hashed message authentication code (HMAC) that is sent with each message.
  • Authentication and Encryption: also called Auth/Priv. With this security, you are authenticated and the data payload is encrypted using a second shared secret key.
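
To make the Auth/noPriv mechanism concrete, the following added example (not FortiWLC code or Fortinet's implementation) derives an SNMPv3 user's localized authentication key from a pass phrase and the agent's engine ID as RFC 3414 specifies, then produces and verifies the 12-byte HMAC-MD5-96 / HMAC-SHA-96 tag carried in each message. The pass phrase, engine ID and message bytes are constructed sample values (the pass phrase and engine ID are the RFC 3414 Appendix A.3 test vector).

```python
import hashlib
import hmac

ONE_MEGABYTE = 1_048_576  # RFC 3414 A.2: hash 1,048,576 bytes of the repeated pass phrase


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku: derive the user's master key from the pass phrase (RFC 3414 A.2.1/A.2.2)."""
    repeated = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(hash_name, repeated).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul: bind Ku to one agent's snmpEngineID so each agent holds a distinct key."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_params(kul: bytes, message: bytes, hash_name: str) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message, truncated to 96 bits.

    In a real packet the 12-byte field is zero-filled before hashing; here the
    caller passes the message with that field already zeroed.
    """
    return hmac.new(kul, message, hash_name).digest()[:12]


def verify_auth_params(kul: bytes, message: bytes, received: bytes, hash_name: str) -> bool:
    """Receiver-side check; constant-time compare avoids leaking the tag byte by byte."""
    return hmac.compare_digest(auth_params(kul, message, hash_name), received)


def derive_keys(password: bytes, engine_id: bytes) -> dict:
    """Run the derivation for both protocols the controller offers (MD5 and SHA)."""
    out = {}
    for proto in ("md5", "sha1"):
        ku = password_to_key(password, proto)
        out[proto] = localize_key(ku, engine_id, proto)
    return out


if __name__ == "__main__":
    # Constructed values: RFC 3414 Appendix A.3 test vector (pass phrase and engine ID).
    keys = derive_keys(b"maplesyrup", bytes.fromhex("000000000000000000000002"))
    for proto, kul in keys.items():
        print(f"{proto}: localized key = {kul.hex()}")
    tag = auth_params(keys["sha1"], b"constructed SNMPv3 message bytes", "sha1")
    print("HMAC-SHA-96 tag:", tag.hex())
```

The priv-key pass phrase used at the Auth/Priv level is localized the same way; the first bytes of that key then drive the CBC-DES encryption.
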
Security Models

SNMPv3 provides for both security levels and security models. A security model is an authentication strategy that is set up for the group in which a user resides. Three security models are available:

  • SNMPv1
  • SNMPv2c
  • SNMPv3

A combination of a security model and a security level will determine which security mechanism is employed when handling an SNMP packet. See Combinations of Security Levels and Security Models in this document.

Combinations of Security Levels and Security Models

The table below identifies the combinations of security models and levels and describes how security is handled with each combination.

Model  Level         Authentication    Encryption  What Happens
v1     noAuthNoPriv  Community String  No          Uses a community string match for authentication
v2c    noAuthNoPriv  Community String  No          Uses a community string match for authentication
v3     noAuthNoPriv  Username          No          Uses a username match for authentication
v3     authNoPriv    MD5 or SHA        No          Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms
v3     authPriv      MD5 or SHA        DES         Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms, plus DES 56-bit encryption based on the CBC-DES (DES-56) standard

SNMP Version 3 Commands

The FortiWLC (SD) Command Reference has detailed descriptions of these commands.

  • snmpv3-user
  • snmpv3-user auth-key
  • snmpv3-user auth-protocol
  • snmpv3-user priv-key
  • snmpv3-user priv-protocol
  • snmpv3-user target ip-address

SNMP Version 3 Support Limitations

Currently, Fortinet does not support the following SNMPv3 features.

  • Since FortiWLC does not support write access for SNMP MIBs, all users belong to the Read View Access Control table and are handled internally as a Read View with a group. The View-based Access Control Model (VACM) determines whether a user belonging to a specific group has access (Read, Write, Notify) to the management entity. An access policy is defined by associating the respective read, write, or notify view with a group.

  • SNMPv3 Notifications: Fortinet does not support SNMPv3 trap/inform. Along with the supported SNMPv3 feature (read only), Fortinet network controllers still provide SNMPv1/v2c access using the existing snmp-community table and SNMPv1 traps using the snmptrap community table.

This entry was posted in Administration Guides, FortiWLC.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
