Fortinet black logo

Administration Guide

Basic configuration

SNMP configuration has four steps that should be configured in order:

  1. Configure interface access

    Before a remote SNMP manager can connect to the FortiGate SNMP agent, you must configure one or more FortiGate interfaces to accept SNMP connections.

  2. Configure the SNMP agent

    The SNMP agent sends SNMP traps originating on the FortiGate to an external monitoring SNMP manager defined in an SNMP community. The SNMP manager can monitor the FortiGate system to determine if it is operating properly or if any critical events are occurring.

    The description, location, and contact information for this FortiGate system will be part of the information that the SNMP manager receives. This information is useful if the SNMP manager is monitoring many devices, and enables faster responses when the FortiGate system requires attention.

  3. Configure SNMP v1/v2c communities

    An SNMP community is a grouping of equipment for network administration purposes. A single device can belong to multiple communities. It is not mandatory if SNMP v3 is configured.

    You must add an SNMP community to the FortiGate so that the SNMP manager can receive traps and system information. Up to three communities can be added.

  4. Configure SNMP v3 users

    Authentication is used to ensure the identity of users. Privacy allows for the encryption of SNMP v3 messages to ensure the confidentiality of data. These protocols provide a higher level of security than is available in SNMP v1/v2c, which use community strings for security. Both authentication and privacy are optional.

To configure SNMP in the GUI:
  1. Configure interface access:

    1. Go to Network > Interfaces and edit an interface.

    2. In the Administrative Access options, enable SNMP.

    3. Click OK.

  2. Configure the SNMP agent:

    1. Go to System > SNMP.

    2. Enable SNMP Agent and configure the following:

      Description

      A description of the agent.

      Location

      The location of the FortiGate.

      Contact Info

      A contact or administrator for the SNMP agent or FortiGate.

    3. Click Apply.

  3. Configure an SNMP v1/v2c community:

    1. Go to System > SNMP.

    2. In the SNMP v1/v2c table, click Create New.

    3. Configure the following:

      Community Name

      The name of the community.

      Hosts

      Enter the IP Address and select the Host Type for each SNMP manager.

      Queries

      Enable or disable v1 and v2c queries, then enter the port numbers that the SNMP managers in this community use for them.

      Traps

      Enable or disable v1 and v2c traps, then enter the local and remote port numbers that the SNMP managers in this community use for them.

      SNMP Events

      Enable or disable the events that activate traps in this community.

    4. Click OK.

  4. Configure an SNMP v3 user:

    1. Go to System > SNMP.

    2. In the SNMP v3 table, click Create New.

    3. Configure the following:

      User Name

      The name of the user.

      Security Level

      Configure the security level:

      • No Authentication: No authentication or encryption.
      • Authentication: Select the authentication algorithm and password.
      • Authentication and Private: Select both the authentication and encryption algorithms and password.

      Hosts

      The IP Address for each SNMP manager.

      Queries

      Enable or disable queries, then enter the port number that the SNMP managers use for them.

      Traps

      Enable or disable traps, then enter the local and remote port numbers that the SNMP managers use for them

      SNMP Events

      Enable or disable the events that activate traps.

    4. Click OK.

To configure SNMP in the CLI:
  1. Configure the Interface access:

    config system interface
        edit <interface>
            append allowaccess snmp
            config ipv6
                append ip6-allowaccess snmp
            end
        next
    end
  2. Configure the SNMP agent:

    config system snmp sysinfo
        set status enable
        set description <string>
        set contact-info <string>
        set location <string>
    end
  3. Configure an SNMP v1/v2c community:

    config system snmp community
        edit <id>
            set name <string>
            set status {enable | disable}
            config hosts
                edit <host_id>
                    set ip <ip/mask>
                    set source-ip <class_ip>
                    set ha-direct {enable | disable}
                    set host-type {any | query | trap}
                next
            end
            set query-v1-port <port_number>
            set query-v1-status {enable | disable}
            set query-v2c-port <port_number>
            set query-v2c-status {enable | disable}
            set trap-v1-lport <port_number>
            set trap-v1-rport <port_number>
            set trap-v1-status {enable | disable}
            set trap-v2c-lport <port_number>
            set trap-v2c-rport <port_number>
            set trap-v2c-status {enable | disable}
            set events <events>
        next
    end
  4. Configure an SNMP v3 user:

    config system snmp user
        edit <user>
            set status {enable | disable}
            set trap-status {enable | disable}
            set trap-lport <port_number>
            set trap-rport <port_number>
            set queries {enable | disable}
            set query-port <port_number>
            set notify-hosts <class_ip> ... <class_ip>
            set source-ip <class_ip>
            set ha-direct {enable | disable}
            set events <events>
            set security-level {no-auth-no-priv | auth-no-priv | auth-priv}
            set auth-proto {md5 | sha | sha224 | sha256 | sha384 | sha512}
            set auth-pwd <password>
            set priv-proto {aes | des | aes256 | aes256cisco}
            set priv-pwd <password>
        next
    end

See SNMP examples for sample configurations.

SNMP configuration has four steps that should be configured in order:

  1. Configure interface access

    Before a remote SNMP manager can connect to the FortiGate SNMP agent, you must configure one or more FortiGate interfaces to accept SNMP connections.

  2. Configure the SNMP agent

    The SNMP agent sends SNMP traps originating on the FortiGate to an external monitoring SNMP manager defined in an SNMP community. The SNMP manager can monitor the FortiGate system to determine if it is operating properly or if any critical events are occurring.

    The description, location, and contact information for this FortiGate system will be part of the information that the SNMP manager receives. This information is useful if the SNMP manager is monitoring many devices, and enables faster responses when the FortiGate system requires attention.

  3. Configure SNMP v1/v2c communities

    An SNMP community is a grouping of equipment for network administration purposes. A single device can belong to multiple communities. It is not mandatory if SNMP v3 is configured.

    You must add an SNMP community to the FortiGate so that the SNMP manager can receive traps and system information. Up to three communities can be added.

  4. Configure SNMP v3 users

    Authentication is used to ensure the identity of users. Privacy allows for the encryption of SNMP v3 messages to ensure the confidentiality of data. These protocols provide a higher level of security than is available in SNMP v1/v2c, which use community strings for security. Both authentication and privacy are optional.

To configure SNMP in the GUI:
  1. Configure interface access:

    1. Go to Network > Interfaces and edit an interface.

    2. In the Administrative Access options, enable SNMP.

    3. Click OK.

  2. Configure the SNMP agent:

    1. Go to System > SNMP.

    2. Enable SNMP Agent and configure the following:

      Description

      A description of the agent.

      Location

      The location of the FortiGate.

      Contact Info

      A contact or administrator for the SNMP agent or FortiGate.

    3. Click Apply.

  3. Configure an SNMP v1/v2c community:

    1. Go to System > SNMP.

    2. In the SNMP v1/v2c table, click Create New.

    3. Configure the following:

      Community Name

      The name of the community.

      Hosts

      Enter the IP Address and select the Host Type for each SNMP manager.

      Queries

      Enable or disable v1 and v2c queries, then enter the port numbers that the SNMP managers in this community use for them.

      Traps

      Enable or disable v1 and v2c traps, then enter the local and remote port numbers that the SNMP managers in this community use for them.

      SNMP Events

      Enable or disable the events that activate traps in this community.

    4. Click OK.

  4. Configure an SNMP v3 user:

    1. Go to System > SNMP.

    2. In the SNMP v3 table, click Create New.

    3. Configure the following:

      User Name

      The name of the user.

      Security Level

      Configure the security level:

      • No Authentication: No authentication or encryption.
      • Authentication: Select the authentication algorithm and password.
      • Authentication and Private: Select both the authentication and encryption algorithms and password.

      Hosts

      The IP Address for each SNMP manager.

      Queries

      Enable or disable queries, then enter the port number that the SNMP managers use for them.

      Traps

      Enable or disable traps, then enter the local and remote port numbers that the SNMP managers use for them

      SNMP Events

      Enable or disable the events that activate traps.

    4. Click OK.

To configure SNMP in the CLI:
  1. Configure the Interface access:

    config system interface
        edit <interface>
            append allowaccess snmp
            config ipv6
                append ip6-allowaccess snmp
            end
        next
    end
  2. Configure the SNMP agent:

    config system snmp sysinfo
        set status enable
        set description <string>
        set contact-info <string>
        set location <string>
    end
  3. Configure an SNMP v1/v2c community:

    config system snmp community
        edit <id>
            set name <string>
            set status {enable | disable}
            config hosts
                edit <host_id>
                    set ip <ip/mask>
                    set source-ip <class_ip>
                    set ha-direct {enable | disable}
                    set host-type {any | query | trap}
                next
            end
            set query-v1-port <port_number>
            set query-v1-status {enable | disable}
            set query-v2c-port <port_number>
            set query-v2c-status {enable | disable}
            set trap-v1-lport <port_number>
            set trap-v1-rport <port_number>
            set trap-v1-status {enable | disable}
            set trap-v2c-lport <port_number>
            set trap-v2c-rport <port_number>
            set trap-v2c-status {enable | disable}
            set events <events>
        next
    end
  4. Configure an SNMP v3 user:

    config system snmp user
        edit <user>
            set status {enable | disable}
            set trap-status {enable | disable}
            set trap-lport <port_number>
            set trap-rport <port_number>
            set queries {enable | disable}
            set query-port <port_number>
            set notify-hosts <class_ip> ... <class_ip>
            set source-ip <class_ip>
            set ha-direct {enable | disable}
            set events <events>
            set security-level {no-auth-no-priv | auth-no-priv | auth-priv}
            set auth-proto {md5 | sha | sha224 | sha256 | sha384 | sha512}
            set auth-pwd <password>
            set priv-proto {aes | des | aes256 | aes256cisco}
            set priv-pwd <password>
        next
    end

See SNMP examples for sample configurations.