
Administration Guide

SNMP


Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network. You can configure the hardware, such as the FortiAuthenticator SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers. An SNMP manager, or host, is typically a computer running an application that can read the incoming trap and event messages from the agent, and send out SNMP queries to the SNMP agents.

By using an SNMP manager, you can access SNMP traps and data from any FortiAuthenticator interface configured for SNMP management access. Part of configuring an SNMP manager is listing it as a host in a community on the FortiAuthenticator device it will be monitoring. Otherwise, the SNMP monitor will not receive any traps from that device, or be able to query that device.

The FortiAuthenticator SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read-only access to system information through queries and can receive trap messages from FortiAuthenticator.

To monitor FortiAuthenticator system information and receive FortiAuthenticator traps, your SNMP manager needs the Fortinet and FortiAuthenticator Management Information Base (MIB) files. A MIB is a text file that lists the SNMP data objects that apply to the monitored device. These MIBs provide the information that the SNMP manager needs to interpret the SNMP trap, event, and query messages sent by the FortiAuthenticator SNMP agent.

The Fortinet implementation of SNMP includes support for most of RFC 2665 (Ethernet‑like MIB) and most of RFC 1213 (MIB II). RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and partial support of User-based Security Model (RFC 3414).

SNMP traps alert you to important events that occur, such as overuse of memory or a high rate of authentication failures.

SNMP fields contain information about FortiAuthenticator, such as CPU usage percentage or the number of sessions. This information is useful for monitoring the condition of the unit on an ongoing basis and to provide more information when a trap occurs.

Configuring SNMP

Before a remote SNMP manager can connect to the Fortinet agent, you must configure one or more interfaces to accept SNMP connections by going to System > Network > Interfaces. Edit the interface, and under Admin access, enable SNMP. See Network.

You can also set the thresholds that trigger various SNMP traps. Note that a setting of zero disables the trap.

To configure SNMP settings:
  1. Go to System > Administration > SNMP and select the Settings icon.
  2. Enter the following information:
    SNMP Contact: Enter the contact information for the person responsible for this FortiAuthenticator unit.
    SNMP Description: Enter descriptive information about FortiAuthenticator.
    SNMP Location: Enter the physical location of FortiAuthenticator.
    User Table Nearly Full Trap Threshold: The user table is nearly full. The threshold is a percentage of the maximum permitted number of users.
    User Group Table Nearly Full Trap Threshold: The user group table is nearly full. The threshold is a percentage of the maximum permitted number of user groups.
    RADIUS Authentication Client Table Nearly Full Trap Threshold: The RADIUS authenticated client table is nearly full. The threshold is a percentage of the maximum permitted number of RADIUS clients.
    TACACS+ Authentication Client Table Nearly Full Trap Threshold (%): The TACACS+ authentication client table is nearly full. The threshold is a percentage of the maximum permitted number of TACACS+ clients.
    Authentication Event Rate Over Limit Trap Threshold: High authentication load. The threshold is the number of authentication events over a five minute period.
    Authentication Failure Rate Over Limit Trap Threshold: High rate of authentication failure. The threshold is the number of authentication failures over a five minute period.
    CPU Utilization Trap Threshold (%): High load on CPU. The default is set to 90%.
    Disk Utilization Trap Threshold (%): Disk usage is high. The default is set to 80%.
    Memory Utilization Trap Threshold (%): Too much memory used. The default is set to 90%.
  3. Select Save to apply the changes.
To create a new SNMP community:
  1. Go to System > Administration > SNMP.
  2. Select Create New under SNMP v1/v2c. The Create New SNMP V1/v2c window opens.
  3. Enter the following information in the SNMPv1/v2c section:
    Community name: The name of the SNMP community.
    Events: Select the events for which traps are enabled. Options include:
    • CPU usage is high
    • Memory is low
    • Interface IP is changed
    • Auth users threshold exceeded
    • Auth group threshold exceeded
    • Radius NAS threshold exceeded
    • TACACS+ NAS threshold exceeded
    • Auth event rate threshold exceeded
    • Auth failure rate threshold exceeded
    • User lockout detected
    • HA status is changed
    • Power Supply Unit failure
      Note: The Power Supply Unit failure event is available with hardware units that support the Power Supply Monitor widget. See Power supply monitor widget.
    • Disk usage is high
    • HA sync activity is low
    • RAID status changed
  4. In SNMP Hosts, select Add another SNMP Host and enter the following information:
    IP/Netmask: Enter the IP address and netmask of the host.
    Queries: Select if this host uses queries.
    Traps: Select if this host uses traps.
    Delete: Select to delete the host.
  5. Select Save to create the new SNMP community.
To create a new SNMP user:
  1. Go to System > Administration > SNMP.
  2. Select Create New under SNMP v3. The Create New SNMP V3 window opens.
  3. Enter the following information in the General section:
    Username: The name of the SNMP user.
    Security level: Select the security level from the dropdown menu:
    • None: No authentication or encryption.
    • Authentication only: Select the Authentication method then enter the authentication key in the Authentication key field.
    • Encryption and authentication: Select the Authentication method, enter the authentication key in the Authentication key field, then select the Encryption method and enter the encryption key in the Encryption key field. This option is set by default.
    Events: Select the events for which traps are enabled. See Events.
  4. In SNMP Notification Hosts, select Add another SNMP Notification Host and enter the following information:
    IP/Netmask: Enter the IP address and netmask of the notification host.
    Delete: Select to delete the notification host.
  5. Select Save to create the new SNMP V3 user.
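
The following is an added example, not Fortinet code: a small review script for the values entered in the settings, community, and SNMP v3 user procedures above. The dictionary layout, the check names, the list of well-known community names, and the one-address limit per IP/Netmask entry are assumptions made for illustration; the sample data is constructed.

```python
import ipaddress

# Constructed sample: values as they would be typed into the GUI forms.
# The dictionary layout is hypothetical, not a FortiAuthenticator export format.
SAMPLE = {
    "thresholds": {"cpu": 90, "disk": 80, "memory": 90, "auth_failure_rate": 0},
    "communities": [
        {"name": "public", "hosts": ["0.0.0.0/0"]},
        {"name": "fac-mon-7Qx", "hosts": ["192.0.2.10/32"]},
    ],
    "v3_users": [
        {"username": "nms-ro", "security_level": "Encryption and authentication",
         "hosts": ["192.0.2.10/32"]},
        {"username": "legacy", "security_level": "None", "hosts": ["192.0.2.0/24"]},
    ],
}

# Assumption: community names treated as guessable defaults.
WELL_KNOWN_COMMUNITIES = {"public", "private"}


def broad_hosts(owner, hosts, max_addresses):
    """Flag IP/Netmask entries that admit more addresses than allowed."""
    out = []
    for entry in hosts:
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses > max_addresses:
            out.append(("broad-host", f"{owner} {entry}"))
    return out


def audit(cfg, max_addresses=1):
    """Return (check, subject) findings for one recorded SNMP configuration."""
    findings = []
    for name, value in cfg["thresholds"].items():
        if value == 0:  # per the guide, a setting of zero disables the trap
            findings.append(("trap-disabled", name))
    for com in cfg["communities"]:
        if com["name"].lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(("guessable-community", com["name"]))
        findings += broad_hosts(com["name"], com["hosts"], max_addresses)
    for user in cfg["v3_users"]:
        # Anything below the default level lacks encryption, authentication, or both.
        if user["security_level"] != "Encryption and authentication":
            findings.append(("weak-v3-level", f'{user["username"]}={user["security_level"]}'))
        findings += broad_hosts(user["username"], user["hosts"], max_addresses)
    return findings


if __name__ == "__main__":
    for check, subject in audit(SAMPLE):
        print(f"{check:20} {subject}")
```

Raise `max_addresses` if a community or user is intentionally scoped to a management subnet rather than a single manager.
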
To download MIB files:
  1. Go to System > Administration > SNMP and select Settings.
  2. Under FortiAuthenticator SNMP MIB, select the MIB file you need to download. Options include the FortiAuthenticator MIB and Fortinet Core MIB files.
