SNMP – FortiAnalyzer – FortiOS 6.2.3

SNMP

Enable the SNMP agent on the FortiAnalyzer device so it can send traps to and receive queries from the computer that is designated as its SNMP manager. This allows for monitoring the FortiAnalyzer with an SNMP manager.

SNMP has two parts – the SNMP agent, which answers queries and sends traps, and the SNMP manager, which issues the queries and receives the traps. The SNMP communities on monitored FortiGate devices are hard coded and configured by the FortiAnalyzer system – they are not user configurable.

The FortiAnalyzer SNMP implementation is read-only — SNMP v1, v2c, and v3 compliant SNMP manager applications, such as those on your local computer, have read-only access to FortiAnalyzer system information and can receive FortiAnalyzer system traps.

SNMP agent

The SNMP agent sends SNMP traps originating on the FortiAnalyzer system to an external monitoring SNMP manager defined in an SNMP community. Typically an SNMP manager is an application on a local computer that can read the SNMP traps and generate reports or graphs from them.

The SNMP manager can monitor the FortiAnalyzer system to determine if it is operating properly, or if there are any critical events occurring. The description, location, and contact information for this FortiAnalyzer system will be part of the information an SNMP manager will have — this information is useful if the SNMP manager is monitoring many devices, and it will enable faster responses when the FortiAnalyzer system requires attention.

Go to System Settings > Advanced > SNMP to configure the SNMP agent.

The following information and options are available:

SNMP Agent: Select to enable the SNMP agent. When this is enabled, it sends FortiAnalyzer SNMP traps.
Description: Optionally, type a description of this FortiAnalyzer system to help uniquely identify this unit.
Location: Optionally, type the location of this FortiAnalyzer system to help find it in the event it requires attention.
Contact: Optionally, type the contact information for the person in charge of this FortiAnalyzer system.
SNMP v1/2c: The list of SNMP v1/v2c communities added to the FortiAnalyzer configuration.
  Create New: Select Create New to add a new SNMP community. If SNMP agent is not selected, this control is not visible. For more information, see SNMP v1/v2c communities below.
  Edit: Edit the selected SNMP community.
  Delete: Delete the selected SNMP community or communities.
  Community Name: The name of the SNMP community.
  Queries: The status of SNMP queries for each SNMP community. The enabled icon indicates that at least one query is enabled. The disabled icon indicates that all queries are disabled.
  Traps: The status of SNMP traps for each SNMP community. The enabled icon indicates that at least one trap is enabled. The disabled icon indicates that all traps are disabled.
  Enable: Enable or disable the SNMP community.
SNMP v3: The list of SNMPv3 users added to the configuration.
  Create New: Select Create New to add a new SNMP user. If SNMP agent is not selected, this control is not visible. For more information, see SNMP v3 users below.
  Edit: Edit the selected SNMP user.
  Delete: Delete the selected SNMP user or users.
  User Name: The user name for the SNMPv3 user.
  Security Level: The security level assigned to the SNMPv3 user.
  Notification Hosts: The notification host or hosts assigned to the SNMPv3 user.
  Queries: The status of SNMP queries for each SNMP user. The enabled icon indicates queries are enabled. The disabled icon indicates they are disabled.

SNMP v1/v2c communities

An SNMP community is a grouping of equipment for network administration purposes. You must configure your FortiAnalyzer to belong to at least one SNMP community so that community’s SNMP managers can query the FortiAnalyzer system information and receive SNMP traps from it.

Each community can have a different configuration for SNMP traps and can be configured to monitor different events. You can add the IP addresses of up to eight hosts to each community. Hosts can receive SNMP device traps and information.

To create a new SNMP community:

  1. Go to System Settings > Advanced > SNMP and ensure the SNMP agent is enabled.
  2. In the SNMP v1/v2c section, click Create New in the toolbar. The New SNMP Community pane opens.
  3. Configure the following options, then click OK to create the community.
Name: Enter a name to identify the SNMP community. This name cannot be edited later.
Hosts: The list of hosts that can use the settings in this SNMP community to monitor the FortiAnalyzer system. When you create a new SNMP community, there are no host entries. Select Add to create an entry; traps for that entry are sent to the host through the specified interface.
  IP Address/Netmask: Enter the IP address and netmask of an SNMP manager. By default, the IP address is 0.0.0.0, so that any SNMP manager that presents the community name can use this SNMP community. Because a v1/v2c community name travels in clear text, restrict each entry to the management station's own address (a /32) rather than leaving the default.
  Interface: Select the interface that connects to the network where this SNMP manager is located from the dropdown list. This must be done if the SNMP manager is on the Internet or behind a router.
  Delete: Click the delete icon to remove this SNMP manager entry.
  Add: Select to add another entry to the Hosts list. Up to eight SNMP manager entries can be added for a single community.
Queries: Enter the port number (161 by default) on which the FortiAnalyzer system accepts v1 and v2c queries from the managers in this community. Enable queries for each SNMP version the managers use.
Traps: Enter the Remote port number (162 by default) to which the FortiAnalyzer system sends v1 and v2c traps for the managers in this community. Enable traps for each SNMP version the managers use.
SNMP Event: Enable the events that will cause SNMP traps to be sent to the community.
  - Interface IP changed
  - Log disk space low
  - CPU Overuse
  - Memory Low
  - System Restart
  - CPU usage exclude NICE threshold
  - RAID Event (only available for devices that support RAID)
  - PowerSupply Failed (only available on supported hardware devices)
  - Fan Speed Out of Range
  - Temperature Out of Range
  - Voltage Out of Range
  FortiAnalyzer feature set SNMP events:
  - High licensed device quota
  - High licensed log GB/day
  - Log Alert
  - Log Rate
  - Data Rate

To edit an SNMP community:

  1. Go to System Settings > Advanced > SNMP.
  2. In the SNMP v1/v2c section, double-click on a community, right-click on a community then select Edit, or select a community then click Edit in the toolbar. The Edit SNMP Community pane opens.
  3. Edit the settings as required, then click OK to apply your changes.

To delete an SNMP community or communities:

  1. Go to System Settings > Advanced > SNMP.
  2. In the SNMP v1/v2c section, select the community or communities you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected community or communities.

SNMP v3 users

The FortiAnalyzer SNMP v3 implementation includes support for queries, traps, authentication, and privacy. SNMP v3 users can be created, edited, and deleted as required.

To create a new SNMP user:

  1. Go to System Settings > Advanced > SNMP and ensure the SNMP agent is enabled.
  2. In the SNMP v3 section, click Create New in the toolbar. The New SNMP User pane opens.
  3. Configure the following options, then click OK to create the user.
User Name: The name of the SNMP v3 user.
Security Level: The security level of the user. Select one of the following:
  - No Authentication, No Privacy
  - Authentication, No Privacy: Select the Authentication Algorithm (SHA1, MD5) and enter the password.
  - Authentication, Privacy: Select the Authentication Algorithm (SHA1, MD5), the Private Algorithm (AES, DES), and enter the passwords.
  Only Authentication, Privacy both authenticates the manager and hides the polled data. DES (56-bit) and MD5 are legacy options kept for older managers; choose SHA1 and AES for new users.
Queries: Select to enable queries, then enter the port number. The default port is 161.
Notification Hosts: The IP address or addresses of the host. Click the add icon to add multiple IP addresses.
SNMP Event: Enable the events that will cause SNMP traps to be sent to the SNMP manager.
  - Interface IP changed
  - Log disk space low
  - CPU Overuse
  - Memory Low
  - System Restart
  - CPU usage exclude NICE threshold
  - RAID Event (only available for devices that support RAID)
  - PowerSupply Failed (only available on supported hardware devices)
  - Fan Speed Out of Range
  - Temperature Out of Range
  - Voltage Out of Range
  FortiAnalyzer feature set SNMP events:
  - High licensed device quota
  - High licensed log GB/day
  - Log Alert
  - Log Rate
  - Data Rate
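What the security level actually buys is easiest to see in the key handling a manager performs for an SNMP v3 user. The following is an added example, not Fortinet's code and not from this guide: a standard-library Python implementation of the RFC 3414 password-to-key and key-localization steps, and of the truncated HMAC that Authentication, No Privacy and Authentication, Privacy put on every message. The results are checked against the RFC's own Appendix A.3 test vectors; the second engineID and the signed message are constructed for the demonstration, and the privacy-key helper assumes AES-128 (RFC 3826) as the Private Algorithm.

```python
"""RFC 3414 (USM) key handling for SNMPv3 users, standard library only.
Added example, not Fortinet code: the password entered for an SNMP v3 user is never sent
on the wire. The manager stretches it to 1 MiB and hashes it (Ku), then localizes it with
the agent's snmpEngineID (Kul); Kul keys the HMAC on every message. Checked against the
RFC 3414 Appendix A.3 test vectors (password "maplesyrup", engineID 00..02)."""
import hashlib
import hmac

MAC_LEN = 12   # HMAC-MD5-96 and HMAC-SHA-96 both truncate to 12 bytes (RFC 3414 6.3 / 7.3)

def password_to_ku(password: str, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2: hash the password repeated out to exactly 1,048,576 bytes."""
    pw = password.encode()
    reps, rem = divmod(1_048_576, len(pw))
    return hashlib.new(algo, pw * reps + pw[:rem]).digest()

def localize(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku). Different agent, different key."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def localized_key(password: str, engine_id: bytes, algo: str = "sha1") -> bytes:
    return localize(password_to_ku(password, algo), engine_id, algo)

def aes128_priv_key(priv_password: str, engine_id: bytes, algo: str = "sha1") -> bytes:
    """The privacy password goes through the same derivation; AES-128 uses the first
    16 bytes of the localized key (RFC 3826 1.2)."""
    return localized_key(priv_password, engine_id, algo)[:16]

def sign(kul: bytes, msg_with_zeroed_mac: bytes, algo: str = "sha1") -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message, computed with the
    12-byte parameter field already set to zeros, then truncated to MAC_LEN."""
    return hmac.new(kul, msg_with_zeroed_mac, algo).digest()[:MAC_LEN]

def verify(kul: bytes, msg_with_zeroed_mac: bytes, mac: bytes, algo: str = "sha1") -> bool:
    return hmac.compare_digest(sign(kul, msg_with_zeroed_mac, algo), mac)

# RFC 3414 A.3 test engineID, plus a constructed second engineID in RFC 3411 enterprise
# format: 0x80 | Fortinet's enterprise number 12356 (0x3044), format 0x03, a made-up MAC.
RFC_ENGINE = bytes.fromhex("000000000000000000000002")
OTHER_ENGINE = bytes.fromhex("80003044" "03" "0200deadbeef")

def tamper_check(password: str, engine_id: bytes, algo: str = "sha1") -> dict:
    """Sign a constructed message, then show that one flipped byte fails verification and
    that the same password localized to another engine does not give the same key."""
    kul = localized_key(password, engine_id, algo)
    msg = b"\x30\x10" + b"constructed-msg"        # stand-in for a BER message, MAC field zeroed
    mac = sign(kul, msg, algo)
    tampered = msg[:2] + b"X" + msg[3:]
    return {
        "ok": verify(kul, msg, mac, algo),
        "tampered_ok": verify(kul, tampered, mac, algo),
        "other_engine_same_key": localized_key(password, OTHER_ENGINE, algo) == kul,
    }
```

Two consequences follow from the derivation: a manager can only talk to an agent whose engineID it has learned (the discovery exchange), and a key recovered from one agent's configuration is not the password and does not work against a second unit, which is the case for preferring SNMP v3 with authentication over a shared v1/v2c community name.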

To edit an SNMP user:

  1. Go to System Settings > Advanced > SNMP.
  2. In the SNMP v3 section, double-click on a user, right-click on a user then select Edit, or select a user then click Edit in the toolbar. The Edit SNMP User pane opens.
  3. Edit the settings as required, then click OK to apply your changes.

To delete an SNMP user or users:

  1. Go to System Settings > Advanced > SNMP.
  2. In the SNMP v3 section, select the user or users you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected user or users.

SNMP MIBs

The Fortinet and FortiAnalyzer MIBs, along with the two RFC MIBs, can be obtained from Customer Service & Support (https://support.fortinet.com). You can download the FORTINET-FORTIMANAGER-FORTIANALYZER-MIB.mib MIB file in the firmware image file folder. The FORTINET-CORE-MIB.mib file is located in the main FortiAnalyzer 5.00 file folder.

RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and partial support of User-based Security Model (RFC 3414).

To be able to communicate with the SNMP agent, you must load all of these MIBs into your SNMP manager.

Generally your SNMP manager will be an application on your local computer. Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet and FortiAnalyzer proprietary MIBs to this database.

MIB file name or RFC, and what it provides:

FORTINET-CORE-MIB.mib: The proprietary Fortinet MIB includes all system configuration information and trap information that is common to all Fortinet products. Your SNMP manager requires this information to monitor Fortinet unit configuration settings and receive traps from the Fortinet SNMP agent.
FORTINET-FORTIMANAGER-FORTIANALYZER-MIB.mib: The proprietary FortiAnalyzer MIB includes system information and trap information for FortiAnalyzer units.
RFC-1213 (MIB II): The Fortinet SNMP agent supports MIB II groups with the following exceptions.
  - No support for the EGP group from MIB II (RFC 1213, sections 3.11 and 6.10).
  - Protocol statistics returned for MIB II groups (IP/ICMP/TCP/UDP/etc.) do not accurately capture all Fortinet traffic activity. More accurate information can be obtained from the information reported by the Fortinet MIB.
RFC-2665 (Ethernet-like MIB): The Fortinet SNMP agent supports Ethernet-like MIB information with the following exception.
  - No support for the dot3Tests and dot3Errors groups.

SNMP traps

Fortinet devices share SNMP traps, but each type of device also has traps specific to that device type. For example FortiAnalyzer units have FortiAnalyzer specific SNMP traps. To receive Fortinet device SNMP traps, you must load and compile the FORTINET-CORE-MIB into your SNMP manager.

Traps sent include the trap message as well as the unit serial number (fnSysSerial) and host name (sysName). The Trap Message column includes the message that is included with the trap, as well as the SNMP MIB field name to help locate the information about the trap.

Trap message (MIB field): Description

ColdStart, WarmStart, LinkUp, LinkDown: Standard traps as described in RFC 1215.

CPU usage high (fnTrapCpuThreshold): CPU usage exceeds the set percentage. This threshold can be set in the CLI using the following commands:

    config system snmp sysinfo
        set trap-high-cpu-threshold <percentage value>
    end

CPU usage excluding NICE processes (fmSysCpuUsageExcludedNice): CPU usage excluding NICE processes exceeds the set percentage. This threshold can be set in the CLI using the following commands:

    config system snmp sysinfo
        set trap-cpu-high-exclude-nice-threshold <percentage value>
    end

Memory low (fnTrapMemThreshold): Memory usage exceeds 90 percent. This threshold can be set in the CLI using the following commands:

    config system snmp sysinfo
        set trap-low-memory-threshold <percentage value>
    end

Log disk too full (fnTrapLogDiskThreshold): Log disk usage has exceeded the configured threshold. Only available on devices with log disks.

Temperature too high (fnTrapTempHigh): A temperature sensor on the device has exceeded its threshold. Not all devices have thermal sensors. See the hardware manual for specifications.

Voltage outside acceptable range (fnTrapVoltageOutOfRange): Power levels have fluctuated outside of normal levels. Not all devices have voltage monitoring instrumentation.

Power supply failure (fnTrapPowerSupplyFailure): Power supply failure detected. Available on some devices that support redundant power supplies.

Interface IP change (fnTrapIpChange): The IP address for an interface has changed. The trap message includes the name of the interface, the new IP address and the serial number of the Fortinet unit. You can use this trap to track interface IP address changes for interfaces with dynamic IP addresses set using DHCP or PPPoE.

Log rate too high (fmTrapLogRateThreshold): The incoming log rate has exceeded the peak log rate threshold. To determine the peak log rate, use the following CLI command:

    get system loglimits

Data rate too high (fmTrapLogDataRateThreshold): The incoming data rate has exceeded the peak data rate threshold. The peak data rate is calculated as the peak log rate x 512 bytes (average log size).
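The Queries and Traps port settings in the community section above and the trap table just listed are the two directions of SNMP v2c traffic: queries from the manager to UDP/161 on the FortiAnalyzer, traps from the FortiAnalyzer to UDP/162 on the manager. The following is an added example, not Fortinet's code and not from this guide: a standard-library Python implementation of the BER encoding for a v2c GetRequest, with a decoder that handles both the GetResponse and the SNMPv2-Trap PDU format. The community name "fazmon", the host name "faz-01" and the sample trap are constructed for the example; the OIDs used are the standard MIB-II/SNMPv2 ones (sysUpTime, sysName, snmpTrapOID, coldStart), so Fortinet-specific trap OIDs that come back from a real unit must be looked up in the compiled FORTINET-CORE-MIB.

```python
"""Minimal SNMP v2c over raw UDP, standard library only. Added example, not Fortinet code:
builds the GetRequest a manager sends to the FortiAnalyzer agent on UDP/161, decodes the
GetResponse, and decodes the SNMPv2-Trap PDUs the agent sends to the manager's UDP/162."""
import socket

SYS_UPTIME = "1.3.6.1.2.1.1.3.0"         # RFC 3418 system group (MIB-II)
SYS_NAME = "1.3.6.1.2.1.1.5.0"           # sysName, carried in every Fortinet trap
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"  # second varbind of every v2c trap (RFC 3416)
COLD_START = "1.3.6.1.6.3.1.1.5.1"       # coldStart, one of the standard traps in the table above

def _tlv(tag, body):
    """BER tag-length-value; long-form length once the body reaches 128 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def enc_int(v, tag=0x02):
    """INTEGER (or an application tag such as 0x43 TimeTicks), minimal two's complement."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return _tlv(tag, v.to_bytes(n, "big", signed=True))

def enc_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:                  # base 128, high bit set on all but the last byte
        chunk = [p & 0x7F]
        while p >> 7:
            p >>= 7
            chunk.append(0x80 | (p & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def enc_message(community, pdu_tag, request_id, varbinds):
    """varbinds: list of (oid, encoded value). pdu_tag 0xA0 GetRequest, 0xA7 SNMPv2-Trap."""
    vbl = b"".join(_tlv(0x30, enc_oid(o) + v) for o, v in varbinds)
    pdu = _tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + _tlv(0x30, vbl))
    return _tlv(0x30, enc_int(1) + _tlv(0x04, community.encode()) + pdu)   # version 1 == v2c

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _read_seq(body):
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        items.append((tag, val))
    return items

def dec_oid(body):
    parts, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def dec_value(tag, val):
    if tag in (0x02, 0x41, 0x42, 0x43, 0x46):   # INTEGER, Counter32, Gauge32, TimeTicks, Counter64
        return int.from_bytes(val, "big", signed=(tag == 0x02))
    if tag == 0x06:
        return dec_oid(val)
    if tag == 0x04:                               # OCTET STRING
        return val.decode("utf-8", "replace")
    return None if tag == 0x05 else val           # NULL, else raw bytes (noSuchObject etc.)

def dec_message(data):
    tag, body, _ = _read_tlv(data, 0)
    assert tag == 0x30, "not an SNMP message"
    (_, ver), (_, comm), (pdu_tag, pdu) = _read_seq(body)
    req_id, err, _idx, vbl = _read_seq(pdu)
    varbinds = []
    for _, vb in _read_seq(vbl[1]):
        (_, oid), (vtag, vval) = _read_seq(vb)
        varbinds.append((dec_oid(oid), dec_value(vtag, vval)))
    names = {0xA0: "GetRequest", 0xA2: "GetResponse", 0xA7: "SNMPv2-Trap"}
    return {"version": dec_value(0x02, ver), "community": comm.decode("utf-8", "replace"),
            "pdu": names.get(pdu_tag, hex(pdu_tag)), "request_id": dec_value(*req_id),
            "error_status": dec_value(*err), "varbinds": varbinds}

def snmp_get(host, community, oids, port=161, timeout=3.0):
    """One GetRequest/GetResponse round trip. None on timeout, which is also what a manager
    outside the community's host list gets, because the agent does not answer it."""
    req_id = 0x2A2A
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(enc_message(community, 0xA0, req_id, [(o, b"\x05\x00") for o in oids]), (host, port))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    msg = dec_message(data)
    return msg if msg["request_id"] == req_id else None   # ignore stray datagrams

# Constructed sample (not captured from a device): a coldStart trap from a unit named "faz-01".
SAMPLE_TRAP = enc_message("fazmon", 0xA7, 1, [(SYS_UPTIME, enc_int(4200, 0x43)),
                                              (SNMP_TRAP_OID, enc_oid(COLD_START)),
                                              (SYS_NAME, _tlv(0x04, b"faz-01"))])
```

Calling snmp_get against a FortiAnalyzer from a host that is not in the community's Hosts list returns None after the timeout, which is the quickest check that the host restriction is in force; from a listed host it returns the decoded varbinds. Feeding a datagram received on UDP/162 to dec_message gives the snmpTrapOID and the sysName and fnSysSerial varbinds the trap table above describes.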

Fortinet & FortiAnalyzer MIB fields

The Fortinet MIB contains fields reporting current Fortinet unit status information. The below tables list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.3.00.mib file into your SNMP manager and browsing the Fortinet MIB fields.

System MIB fields:

fnSysSerial: Fortinet unit serial number.

Administrator accounts:

fnAdminNumber: The number of administrators on the Fortinet unit.
fnAdminTable: Table of administrators.
fnAdminIndex: Administrator account index number.
fnAdminName: The user name of the administrator account.
fnAdminAddr: An address of a trusted host or subnet from which this administrator account can be used.
fnAdminMask: The netmask for fnAdminAddr.

Custom messages:

fnMessages: The number of custom messages on the Fortinet unit.

MIB fields and traps:

fmModel: A table of all FortiAnalyzer models.
This entry was posted in Administration Guides, FortiAnalyzer, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “SNMP – FortiAnalyzer – FortiOS 6.2.3”

  1. Edgar Rivera

    Can the SNMP agent send inform traps? That is, wait for a confirmation of receipt of the trap, otherwise retry n times or throw an error.
