Configuring SNMP for remote alarm event trap reporting and MIB queries

An SNMP community is a grouping of equipment for network monitoring purposes. The FortiDDoS-F SNMP agent does not respond to SNMP managers whose query packets do not contain a matching community name. Similarly, trap packets from the FortiDDoS-F agent include community name, and an SNMP manager might not accept the trap if its community name does not match.

Fortinet Technologies Inc. strongly recommends that you do not add FortiDDoS-F to the community named public. This popular default name is well-known, and attackers that gain access to your network will often try this name first.

This page describes setup of the FortiDDoS SNMP agent for SNMP MIB Queries and alarm Traps. Refer to the list of SNMP traps and conditions.

For setup of Attack Log traps, please refer to Configuring SNMP trap receivers for remote DDoS attack reporting.

Test both traps and queries (assuming you have enabled both). Traps and queries typically occur on different port numbers, and therefore verifying one does not necessarily verify that the other is also functional.

To test queries, from your SNMP manager, query the FortiDDoS appliance. To test traps, cause one of the events that should trigger a trap.

SNMP MIB Interface Statistics (IF-MIB)

The standard IF-MIB is suitable only for the Mgmt ports on FortiDDoS since the FortiDDoS traffic ports have no IP addresses.

If you wish to poll for status and traffic information on the traffic ports, import the FORTINET-FORTIDDOS-MIB and look for the fddPorts folder as shown in the image below.

This MIB also includes the full list of Attack trap information available.

Basic steps:
  1. Add the Fortinet and FortiDDoS MIBs to your SNMP manager.
    See Appendix C: Management Information Base (MIB).
    Note: Most users automatically use MIB II when looking for interface traffic statistics. FortiDDoS traffic ports do not support IP addresses so they do not conform to MIB II. Only the Management Ports can be polled by MIB II Queries. Use the FortiDDoS MIB for access to traffic port statistics.
  2. Go to System > SNMP and configure the SNMP agent and traps for system events.
Before you begin:
  • On the SNMP manager, you must verify that the SNMP manager is a member of the community to which the FortiDDoS-F system belongs, and compile the necessary Fortinet Technologies Inc.-proprietary management information bases (MIBs) and Fortinet Technologies Inc.-supported standard MIBs.
  • In the FortiDDoS interface settings, you must enable SNMP access on the network interface through which the SNMP manager connects.
  • You must have Read-Write permission for System settings.
To configure SNMP system information:
  1. Go to System > SNMP > Config tab.
  2. Click Threshold.
  3. Complete the configuration as described in the following tables.
  4. Save the configuration.

SNMP Threshold settings for system event reporting

Settings Guidelines
CPU

The system records CPU utilization at the Sample Frequency (default, every 30 seconds) and creates an Alert if the Utilization is over the Trigger threshold (default, 80%) the number of times determined by the Threshold (default, 3 times) within the Sample Period (default, 600 seconds).

  • Trigger—The default is 80% utilization. Minimum = 1% / Maximum = 100%.
  • Threshold—The default is 3, meaning the event is reported when the condition has been triggered 3 times over the sampling period. Minimum = 1 / Maximum = 960.
  • Sample Period—The default is 600 seconds. Minimum = 30 seconds / Maximum = 28800 seconds.
  • Sample Frequency—The default is 30 seconds. Minimum = 30 seconds / Maximum = 100 seconds.

Note: CPU utilization is for the Management and Reporting Plane CPUs only. All Data Plane processing is done by the TP2 Security Processing Units. The TP2 units are designed to work at the maximum packet and data rates that can be presented on 2x10GE links. The capacity can be seen in the Dashboard > Data Path Resources table. There are currently no threshold traps for Data Path Resources. In the unlikely event of memory problems, Out of Memory attack events will be seen in the Attack Logs.
Memory

The system records Memory utilization at the Sample Frequency (default, every 30 seconds) and creates an Alert if the Utilization is over the Trigger threshold (default, 80%) the number of times determined by the Threshold (default, 3 times) within the Sample Period (default, 600 seconds).

  • Trigger—The default is 80% utilization. Minimum = 1% / Maximum = 100%.
  • Threshold—The default is 3, meaning the event is reported when the condition has been triggered 3 times over the sampling period.
  • Sample Period—The default is 600 seconds. Minimum = 30 seconds / Maximum = 28800 seconds.
  • Sample Frequency—The default is 30 seconds. Minimum = 30 seconds / Maximum = 100 seconds.

Note: Memory utilization is for the Management and Reporting Plane only. All Data Plane memory is contained in the TP2 Security Processing Units. The TP2 units are designed to work at the maximum table sizes shown in the Dashboard > Data Path Resources table. There are currently no threshold traps for Data Path Resources. In the unlikely event of memory problems, Out of Memory attack events will be seen in the Attack Logs.
Disk (Log disk usage)

The system records Log Disk utilization at the Sample Frequency (default, every 3600 seconds) and creates an Alert if the Utilization is over the Trigger threshold (default, 90%) the number of times determined by the Threshold (default, once) within the Sample Period (default, 3600 seconds).

  • Trigger—The default is 90% utilization. Minimum = 1% / Maximum = 100%.
  • Threshold—The default is 1, meaning the event is reported each time the condition is triggered. Minimum = 1 / Maximum = 8.
  • Sample Period—The default is 7200 seconds. Minimum = 3600 seconds / Maximum = 28800 seconds.
  • Sample Frequency—The default is 3600 seconds. Minimum = 3600 seconds / Maximum = 7200 seconds.
Use similar CLI commands to configure SNMP thresholds:

config system snmp threshold
    set cpu 1 1 30 30
    set mem 1 3 30 30
end
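The following is an added example (Python, not Fortinet code) that models the alert rule the threshold table describes: one utilization sample every Sample Frequency seconds, and an alert once the value has been over Trigger at least Threshold times within one Sample Period. It also range-checks values against the minimum/maximum limits listed above; the Memory row gives no limits, so memory is assumed to share the CPU limits, and restarting the count after an alert fires is an assumption about appliance behaviour.

```python
"""Model of the SNMP threshold alert rule described above (added example,
not Fortinet code)."""
from dataclasses import dataclass

# Min/max per setting, from the tables above. The Memory row omits limits,
# so memory is assumed to share the CPU limits (assumption).
LIMITS = {
    "cpu": {"trigger": (1, 100), "threshold": (1, 960),
            "period": (30, 28800), "frequency": (30, 100)},
    "mem": {"trigger": (1, 100), "threshold": (1, 960),
            "period": (30, 28800), "frequency": (30, 100)},
    "disk": {"trigger": (1, 100), "threshold": (1, 8),
             "period": (3600, 28800), "frequency": (3600, 7200)},
}


@dataclass(frozen=True)
class Threshold:
    resource: str    # "cpu", "mem" or "disk"
    trigger: int     # utilization percentage that counts as an exceedance
    threshold: int   # exceedances needed within one sample period
    period: int      # sample period, seconds
    frequency: int   # sample frequency, seconds between measurements

    def validate(self) -> list:
        """Return a list of problems; an empty list means all values are in range."""
        problems = []
        for name, (lo, hi) in LIMITS[self.resource].items():
            value = getattr(self, name)
            if not lo <= value <= hi:
                problems.append(f"{self.resource} {name}={value} outside {lo}-{hi}")
        if self.frequency > self.period:
            problems.append(f"{self.resource}: frequency {self.frequency}s "
                            f"exceeds period {self.period}s")
        return problems


def alert_times(cfg: Threshold, samples: list) -> list:
    """Return the times (seconds) at which an alert would be raised.

    samples[i] is the utilization percentage measured at t = i * frequency.
    Only exceedances inside the trailing sample period are counted; once an
    alert fires the count restarts (assumed reset behaviour).
    """
    fired = []
    exceedances = []  # timestamps of samples above the trigger
    for i, util in enumerate(samples):
        t = i * cfg.frequency
        if util <= cfg.trigger:
            continue
        exceedances = [ts for ts in exceedances if t - ts < cfg.period]
        exceedances.append(t)
        if len(exceedances) >= cfg.threshold:
            fired.append(t)
            exceedances = []
    return fired


# Defaults from the bullet lists above: CPU 80%, 3 times, 600 s, every 30 s;
# Disk 90%, once, 7200 s, every 3600 s.
CPU_DEFAULT = Threshold("cpu", 80, 3, 600, 30)
DISK_DEFAULT = Threshold("disk", 90, 1, 7200, 3600)

if __name__ == "__main__":
    # Constructed sample series: three spikes 60 s apart inside one period.
    print(alert_times(CPU_DEFAULT, [50, 85, 50, 90, 50, 95, 50]))  # [150]
```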

SNMPv1/v2c settings for system event reporting

Settings Guidelines
Name

Name of the SNMP community to which the FortiDDoS-F system and at least one SNMP manager belongs, such as management.

You must configure the FortiDDoS-F system to belong to at least one SNMP community so that community's SNMP managers can query system information and receive SNMP traps. You can add up to three SNMP communities. Each community can have a different configuration for queries and traps, and a different set of events that trigger a trap. You can also add the IP addresses of up to eight SNMP managers to each community to designate the destination of traps and which IP addresses are permitted to query the FortiDDoS-F system.

Name can be up to 35 characters long and contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).
Status

Select to enable the configuration.

Restrict Hosts

Enable to allow only the restricted Hosts listed below.

Note: The initial configuration must be saved and reopened in order to add Hosts when this option is enabled.

Queries

Port number on which the system listens for SNMP queries from the SNMP managers in this community. The default is 161. Enable queries for SNMP v1, SNMP v2c, or both. SNMP v3 Query settings are available under the User tab.
Traps

Source (Local) port number and destination (Remote) port number for trap packets sent to SNMP managers in this community. The default is 162. SNMP v3 Trap settings are available under the User tab.

Enable traps for SNMP v1, SNMP v2c, or both.
See SNMP traps and conditions.
SNMP Event

Select to enable SNMP event reporting for the following thresholds:

  • CPU—CPU usage has exceeded the Threshold set above (default 80%).
  • Memory—Memory (RAM) usage has exceeded the Threshold set above.
  • Disk—Disk space usage for the log partition or disk has exceeded the Threshold set above.
Hosts

IP address of the SNMP manager to receive traps and be permitted to query the FortiDDoS system. SNMP managers have read-only access. You can add up to 8 SNMP managers to each community.

Caution: The system sends security-sensitive traps, which should be sent only over a trusted network, and only to administrative equipment.

To configure SNMPv1/v2c with the CLI (the community name follows the example name given above rather than the default public):

config system snmp community
    edit 1
        set name management
        set status enable
        set queryv1-status enable
        set trapv1-status enable
        config host
            edit 1
                set ip <ip address>
            next
            edit 2
                set ip <ip address>
            next
        end
    next
end
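As an added example (Python, not Fortinet code), the pre-flight check below encodes only the rules this page states for a community definition: name syntax and length, the three-community and eight-host limits, the advice against the public community, and the Restrict Hosts table further down; the Community class and its field names are constructed for the example.

```python
"""Pre-flight lint for FortiDDoS-F SNMP community definitions
(added example, not Fortinet code)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Rules stated on this page.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,35}$")
MAX_COMMUNITIES = 3
MAX_HOSTS = 8


@dataclass
class Community:  # constructed for this example
    name: str
    hosts: list = field(default_factory=list)  # SNMP manager IP addresses
    restrict_hosts: bool = False
    query_port: int = 161
    trap_port: int = 162


def effective_access(c: Community) -> tuple:
    """Apply the Restrict Hosts table: (who may query, who receives traps)."""
    if not c.hosts:
        return ("any host", "none")
    if c.restrict_hosts:
        return ("configured hosts only", "configured hosts")
    return ("any host", "configured hosts")


def lint(communities: list) -> list:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    if len(communities) > MAX_COMMUNITIES:
        findings.append(f"{len(communities)} communities configured; "
                        f"maximum is {MAX_COMMUNITIES}")
    for c in communities:
        tag = repr(c.name)
        if not NAME_RE.match(c.name):
            findings.append(f"{tag}: name must be 1-35 letters, digits, '-' or '_'")
        if c.name.lower() == "public":
            findings.append(f"{tag}: well-known default community name; choose another")
        if len(c.hosts) > MAX_HOSTS:
            findings.append(f"{tag}: {len(c.hosts)} hosts; maximum is {MAX_HOSTS}")
        for h in c.hosts:
            try:
                ipaddress.ip_address(h)
            except ValueError:
                findings.append(f"{tag}: host {h!r} is not an IP address")
        queries, traps = effective_access(c)
        if queries == "any host":
            findings.append(f"{tag}: queries accepted from any host; "
                            "enable Restrict Hosts and list the managers")
        if traps == "none":
            findings.append(f"{tag}: no trap receivers; add at least one manager host")
    return findings


if __name__ == "__main__":
    # Constructed configuration: one well-formed community and one using 'public'.
    for line in lint([Community("management", ["192.0.2.10"], restrict_hosts=True),
                      Community("public")]):
        print(line)
```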

SNMP v3 settings for system event reporting

Settings Guidelines
Name

User name that the SNMP Manager uses to communicate with the SNMP Agent. After you initially save the configuration, you cannot edit the name.
Name can be up to 35 characters long and contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).
Status

Enable/disable the configuration.

Restrict Hosts

Enable to allow only the restricted Hosts listed below.

Note: The initial configuration must be saved and reopened in order to add Hosts when this option is enabled.

Security Level

  • No Auth And No Privacy—Do not require authentication or encryption.
  • Auth But No Privacy—Authentication based on MD5 or SHA algorithms. Select an algorithm and specify a password.
  • Auth And Privacy—Authentication based on MD5 or SHA algorithms, and encryption based on AES or DES algorithms. Select an Auth Algorithm and specify an Auth Password; then select a Private Algorithm and specify a Private Password.
Query

Port number on which the system listens for SNMP v3 queries from the SNMP managers for this user. The default is 161. Enable queries for SNMP v3.
Traps

Source (Local) port number and destination (Remote) port number for SNMP v3 trap packets sent to SNMP managers for this user. The default is 162. Enable traps for SNMP v3.
See SNMP traps and conditions.
Events

Select to enable SNMP event reporting for the following thresholds:
  • CPU—CPU usage has exceeded the Threshold set above (default 80%).
  • Memory—Memory (RAM) usage has exceeded the Threshold set above.
  • Disk—Disk space usage for the log partition or disk has exceeded the Threshold set above.
Hosts

IP Address—Subnet address for the SNMP manager to receive traps and be permitted to query the FortiDDoS system. SNMP managers have read-only access. You can add up to 8 SNMP managers to each community.

Caution: The system sends security-sensitive traps, which should be sent only over a trusted network, and only to administrative equipment.
Restrict Hosts checkbox | Host configured | SNMP query restrictions | Trap receivers | Comments
Enabled | No | No restrictions (any host) | None |
Enabled | Yes | Restricted to configured hosts (up to 8) | Sent to configured Hosts (up to 8) | Managers and trap receivers must be shared
Disabled | No | No restrictions | None |
Disabled | Yes | No restrictions | Sent to configured Hosts (up to 8) |

System SNMP traps and conditions

SNMP trap | Condition
Power supply failure | In dual power supply systems, one supply has failed.
Cold restart | System reboots due to a power supply cycle.
Warm restart | User reboots the system.
Link down | Data port goes down.
Link up | Data port comes up.
IP change | Management port IP is changed.
CPU usage | CPU usage goes above the configured threshold. See SNMP Thresholds above.
Memory usage | Memory usage goes above the configured threshold. See SNMP Thresholds above.
Disk usage | Disk usage goes above the configured threshold. See SNMP Thresholds above.

Use similar CLI commands to configure an SNMP user:

config system snmp user
    edit 1
        set name bob
        set status enable
        set security-level authnopriv
        set auth-proto sha1
        set auth-pwd <password>
        set query-status enable
        set trap-status enable
        config host
            edit 1
                set ip <ip address>
            next
            edit 2
                set ip <ip address>
            next
        end
    next
end
