
CLI Reference

snmp

Use the following commands to configure SNMP related settings.

snmp community

Use this command to configure SNMP communities on your FortiManager unit.

You add SNMP communities so that SNMP managers, typically applications running on computers to monitor SNMP status information, can connect to the FortiManager unit (the SNMP agent) to view system information and receive SNMP traps. SNMP traps are triggered when system events happen, such as a system restart or the log disk becoming almost full.

You can add up to three SNMP communities, and each community can have a different configuration for SNMP queries and traps. Each community can be configured to monitor the FortiManager unit for a different set of events.

Hosts are the SNMP managers that make up this SNMP community. Host information includes the IPv4 address and interface that connects it to the FortiManager unit.

For more information on SNMP traps and variables, see the Fortinet Document Library.

Part of configuring an SNMP manager is to list it as a host in a community on the FortiManager unit that it will be monitoring. Otherwise that SNMP manager will not receive any traps or events from the FortiManager unit, and will be unable to query the FortiAnalyzer unit as well.

Syntax

config system snmp community
    edit <index_number>
        set events <events_list>
        set name <community_name>
        set query-v1-port <integer>
        set query-v1-status {enable | disable}
        set query-v2c-port <integer>
        set query-v2c-status {enable | disable}
        set status {enable | disable}
        set trap-v1-rport <integer>
        set trap-v1-status {enable | disable}
        set trap-v2c-rport <integer>
        set trap-v2c-status {enable | disable}
        config hosts
            edit <host_number>
                set interface <interface_name>
                set ip <ipv4_address>
            next
        end
        config hosts6
            edit <host_number>
                set interface <interface_name>
                set ip <ipv6_address>
            next
        end
    next
end

Variable

Description

<index_number>

Enter the index number of the community in the SNMP communities table. Enter an unused index number to create a new SNMP community.

events <events_list>

Enable the events for which the FortiManager unit should send traps to the SNMP managers in this community (default = All events enabled). The raid_changed event is only available for devices that support RAID.

  • cpu-high-exclude-nice: CPU usage exclude NICE threshold.
  • cpu_high: CPU usage too high.
  • disk_low: Disk usage too high.
  • ha_switch: HA switch.
  • intf_ip_chg: Interface IP address changed.
  • lic-dev-quota: High licensed device quota detected.
  • lic-gbday: High licensed log GB/day detected.
  • log-alert: Log base alert message.
  • log-data-rate: High incoming log data rate detected.
  • log-rate: High incoming log rate detected.
  • mem_low: Available memory is low.
  • raid_changed: RAID status changed.
  • sys_reboot: System reboot.

name <community_name>

Enter the name of the SNMP community. Names can be used to distinguish between the roles of the hosts in the groups.

For example, the Logging and Reporting group would be interested in the disk_low events, but likely not the other events.

The name is included in SNMPv2c trap packets to the SNMP manager, and is also present in query packets from the SNMP manager.

query-v1-port <integer>

Enter the SNMPv1 query port number used when SNMP managers query the FortiManager unit (1 - 65535, default = 161).

query-v1-status {enable | disable}

Enable/disable SNMPv1 queries for this SNMP community (default = enable).

query-v2c-port <integer>

Enter the SNMP v2c query port number used when SNMP managers query the FortiManager unit. SNMP v2c queries will include the name of the community (1 - 65535, default = 161).

query-v2c-status {enable | disable}

Enable/disable SNMPv2c queries for this SNMP community (default = enable).

status {enable | disable}

Enable/disable this SNMP community (default = enable).

trap-v1-rport <integer>

Enter the SNMPv1 remote port number used for sending traps to the SNMP managers (1 - 65535, default = 162).

trap-v1-status {enable | disable}

Enable/disable SNMPv1 traps for this SNMP community (default = enable).

trap-v2c-rport <integer>

Enter the SNMPv2c remote port number used for sending traps to the SNMP managers (1 - 65535, default = 162).

trap-v2c-status {enable | disable}

Enable/disable SNMPv2c traps for this SNMP community. SNMP v2c traps sent out to SNMP managers include the community name (default = enable).

Variables for config hosts subcommand:

<host_number>

Enter the index number of the host in the table. Enter an unused index number to create a new host.

interface <interface_name>

Enter the name of the FortiManager unit interface that connects to the SNMP manager (default = any).

ip <ipv4_address>

Enter the IPv4 address of the SNMP manager.

Variables for config hosts6 subcommand:

<host_number>

Enter the index number of the host in the table. Enter an unused index number to create a new host.

interface <interface_name>

Enter the name of the FortiManager unit interface that connects to the SNMP manager (default = any).

ip <ipv6_address>

Enter the IPv6 address of the SNMP manager.

Example

This example shows how to add a new SNMP community named SNMP_Com1. The default configuration can be used in most cases with only a few modifications. In the example below the community is added, given a name, and then because this community is for an SNMP manager that is SNMP v1 compatible, all v2c functionality is disabled. After the community is configured the SNMP manager, or host, is added. The SNMP manager IPv4 address is 192.168.20.34 and it connects to the FortiManager unit internal interface.

config system snmp community
    edit 1
        set name SNMP_Com1
        set query-v2c-status disable
        set trap-v2c-status disable
        config hosts
            edit 1
                set interface internal
                set ip 192.168.10.34/24
        end
end

snmp sysinfo

Use this command to enable the FortiManager SNMP agent and to enter basic system information used by the SNMP agent. Enter information about the FortiManager unit to identify it. When your SNMP manager receives traps from the FortiManager unit, you will know which unit sent the information. Some SNMP traps indicate high CPU usage, log full, or low memory.

For more information on SNMP traps and variables, see the Fortinet Document Library.

Syntax

config system snmp sysinfo
    set contact-info <string>
    set description <description>
    set engine-id <string>
    set location <location>
    set status {enable | disable}
    set trap-high-cpu-threshold <percentage>
    set trap-low-memory-threshold <percentage>
    set trap-cpu-high-exclude-nice-threshold <percentage>
end

Variable

Description

contact-info <string>

Add the contact information for the person responsible for this FortiManager unit (character limit = 255).

description <description>

Add a name or description of the FortiManager unit (character limit = 255).

engine-id <string>

Local SNMP engine ID string (character limit = 24).

location <location>

Describe the physical location of the FortiManager unit (character limit = 255).

status {enable | disable}

Enable/disable the FortiManager SNMP agent (default = disable).

trap-cpu-high-exclude-nice-threshold <percentage>

SNMP trap for CPU usage threshold (excluding NICE processes), in percent (default = 80).

trap-high-cpu-threshold <percentage>

SNMP trap for CPU usage threshold, in percent (default = 80).

trap-low-memory-threshold <percentage>

SNMP trap for memory usage threshold, in percent (default = 80).

Example

This example shows how to enable the FortiManager SNMP agent and add basic SNMP information.

config system snmp sysinfo
    set status enable
    set contact-info 'System Admin ext 245'
    set description 'Internal network unit'
    set location 'Server Room A121'
end

snmp user

Use this command to configure SNMPv3 users on your FortiManager unit. To use SNMPv3, you will first need to enable the FortiManager SNMP agent. For more information, see snmp sysinfo. There should be a corresponding configuration on the SNMP server in order to query or receive traps from FortiManager.

For more information on SNMP traps and variables, see the Fortinet Document Library.

Syntax

config system snmp user
    edit <name>
        set auth-proto {md5 | sha | sha224 | sha256 | sha384 | sha512}
        set auth-pwd <passwd>
        set events <events_list>
        set notify-hosts <ipv4_address>
        set notify-hosts6 <ipv6_address>
        set priv-proto {aes | aes256 | aes256cisco | des}
        set priv-pwd <passwd>
        set queries {enable | disable}
        set query-port <integer>
        set security-level {auth-no-priv | auth-priv | no-auth-no-priv}
    next
end

Variable

Description

<name>

Enter an SNMPv3 user name to add, edit, or delete.

auth-proto {md5 | sha | sha224 | sha256 | sha384 | sha512}

Authentication protocol. The security level must be set to auth-no-priv or auth-priv to use this variable:

  • md5: HMAC-MD5-96 authentication protocol.
  • sha: HMAC-SHA-96 authentication protocol (default).
  • sha224: HMAC-SHA224 authentication protocol.
  • sha256: HMAC-SHA256 authentication protocol.
  • sha384: HMAC-SHA384 authentication protocol.
  • sha512: HMAC-SHA512 authentication protocol.

auth-pwd <passwd>

Password for the authentication protocol. The security level must be set to auth-no-priv or auth-priv to use this variable.

events <events_list>

Enable the events for which the FortiManager unit should send traps to the SNMPv3 managers in this community (default = All events enabled). The raid_changed event is only available for devices which support RAID.

  • cpu-high-exclude-nice: CPU usage exclude nice threshold.
  • cpu_high: The CPU usage is too high.
  • disk_low: The log disk is getting close to being full.
  • ha_switch: A new unit has become the primary HA.
  • intf_ip_chg: An interface IP address has changed.
  • lic-dev-quota: High licensed device quota detected.
  • lic-gbday: High licensed log GB/Day detected.
  • log-alert: Log base alert message.
  • log-data-rate: High incoming log data rate detected.
  • log-rate: High incoming log rate detected.
  • mem_low: The available memory is low.
  • raid_changed: RAID status changed.
  • sys_reboot: The FortiManager unit has rebooted.

notify-hosts <ipv4_address>

Hosts to send notifications (traps) to.

notify-hosts6 <ipv6_address>

Hosts to send notifications (traps) to.

priv-proto {aes | aes256 | aes256cisco | des}

Privacy (encryption) protocol. The security level must be set to auth-priv to use this variable:

  • aes: CFB128-AES-128 symmetric encryption protocol (default).
  • aes256: CBC-AES-256 symmetric encryption protocol.
  • aes256cisco: CBC-AES-256 symmetric encryption protocol compatible with CISCO.
  • des: CBC-DES symmetric encryption protocol.

priv-pwd <passwd>

Password for the privacy (encryption) protocol. The security level must be set to auth-priv to use this variable.

queries {enable | disable}

Enable/disable queries for this user (default = enable).

query-port <integer>

SNMPv3 query port (1 - 65535, default = 161).

security-level {auth-no-priv | auth-priv | no-auth-no-priv}

Security level for message authentication and encryption:

  • auth-no-priv: Message with authentication but no privacy (encryption).
  • auth-priv: Message with authentication and privacy (encryption).
  • no-auth-no-priv: Message with no authentication and no privacy (encryption) (default).
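
The defaults documented above leave SNMPv1/v2c queries and traps enabled on every new community and put new SNMPv3 users at no-auth-no-priv. As an added example (not Fortinet code), this Python audit reads exported `config system snmp ...` text, applies those documented defaults, and reports enabled v1/v2c community access and SNMPv3 users below auth-priv or using md5, sha or des. The sample config, the function names, and the policy of treating sha (HMAC-SHA-96) as weak are assumptions.

```python
DEFAULTS = {  # per-table defaults as documented on this page
    "system snmp community": dict.fromkeys(
        ("status", "query-v1-status", "query-v2c-status",
         "trap-v1-status", "trap-v2c-status"), "enable"),
    "system snmp user": {"security-level": "no-auth-no-priv",
                         "auth-proto": "sha", "priv-proto": "aes"},
}
WEAK_AUTH, WEAK_PRIV = {"md5", "sha"}, {"des"}  # assumed audit policy

# Constructed sample in this page's CLI syntax, not taken from a real unit.
SAMPLE = """\
config system snmp community
edit 1
set query-v2c-status disable
set trap-v2c-status disable
config hosts
edit 1
set ip 192.168.10.34/24
end
end
config system snmp user
edit legacy-nms
set security-level auth-priv
set auth-proto md5
set priv-proto des
next
edit nms-ops
set security-level auth-priv
set auth-proto sha256
set priv-proto aes256
next
edit probe
end
"""

def parse(text):
    """Return {(table, entry): settings} with documented defaults applied."""
    entries, stack, cur = {}, [], None
    for words in filter(None, map(str.split, text.splitlines())):
        top = len(stack) == 1  # directly inside a top-level table
        if words[0] == "config":
            stack.append(" ".join(words[1:]))
        elif words[0] == "end" and stack:
            stack.pop()
            cur = cur if stack else None  # leaving the table closes the entry
        elif words[0] == "next" and top:
            cur = None
        elif words[0] == "edit" and top and stack[0] in DEFAULTS:
            cur = (stack[0], words[1])
            entries[cur] = dict(DEFAULTS[stack[0]])
        elif words[0] == "set" and top and cur and len(words) > 2:
            entries[cur][words[1]] = " ".join(words[2:])
    return entries

def audit(text):
    """Return sorted (table, entry, finding) tuples for weak SNMP settings."""
    out = []
    for (table, entry), s in parse(text).items():
        if table.endswith("community"):
            on = s["status"] == "enable"  # v1/v2c carry the name in cleartext
            out += [(table, entry, k + " enable") for k in sorted(s)
                    if on and k.endswith("-status") and s[k] == "enable"]
            continue
        level = s["security-level"]
        weak = (("security-level", level != "auth-priv"),
                ("auth-proto", level != "no-auth-no-priv" and s["auth-proto"] in WEAK_AUTH),
                ("priv-proto", level == "auth-priv" and s["priv-proto"] in WEAK_PRIV))
        out += [(table, entry, k + " " + s[k]) for k, bad in weak if bad]
    return sorted(out)
```

Settings inside nested `config hosts` blocks are skipped on purpose, so a host's `set ip` line never overwrites a community setting.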
