
Administration Guide

7.2.0

SNMP

Use the SNMP Properties view to select the SNMP protocol for devices that query FortiNAC for information. If SNMP is enabled, FortiNAC responds to SNMP communication from other devices, such as a Network Management system that might include the FortiNAC server in its own database.

Note

FortiNAC-OS Requirement: the "snmp" option must be included in the "set allowaccess" command. See Open ports for details.

Go to Settings > System Communication > SNMP.

This view is also used to set the SNMP protocol that accepts the SNMPv3 traps used to register hosts and users.

Both types of communication pass through port 161. Settings here are global. Therefore, if you choose to use SNMPv3 traps sent from other network devices to register hosts and users, then ALL other devices that query FortiNAC for information must also communicate using SNMPv3. You must modify the configuration of those external devices to use SNMPv3.

The SNMP protocols that are supported are SNMPv1/SNMPv2c and SNMPv3. SNMPv3 uses DES or AES encryption for the Privacy Password.

Privacy protocols supported are:

  • DES
  • Triple-DES
  • AES-128

SNMP MIBs used to communicate with FortiNAC are in: /bsc/campusMgr/ui/runTime/docs/mibs/

Settings

Enable SNMP Communication: If SNMP is enabled, FortiNAC responds to SNMP requests from other servers.

SNMP Protocol: Select the SNMP protocol FortiNAC will respond to:

  • SNMPv1/SNMPv2c
  • SNMPv3-AuthPriv (SNMPv3 with authentication and privacy)
  • SNMPv3-AuthNoPriv (SNMPv3 with authentication but no privacy)

SNMPv1/SNMPv2c

Security String: Enter the security string that FortiNAC will respond to when communicating with the server.

SNMPv3

User Name: User name for the SNMPv3 credentials.

Authentication Protocol: Specify the SNMPv3 authentication protocol. The available authentication protocols are:

  • MD5
  • SHA1

Authentication Password: Specify the authentication password required by FortiNAC when SNMPv3-AuthPriv or SNMPv3-AuthNoPriv queries are received.

Privacy Protocol: Specify the SNMPv3 privacy protocol. The available privacy protocols are:

  • DES
  • Triple-DES
  • AES-128

Privacy Password: Specify the privacy password required by FortiNAC when SNMPv3-AuthPriv queries are received.

Management hosts

IP addresses: List of IP addresses of the devices that have communicated with FortiNAC through SNMP.

Set up SNMP communication
  1. Click System > Settings.
  2. Expand the System Communication folder.
  3. Select SNMP from the tree.
  4. Click Enable and select an SNMP protocol.
  5. Enter the parameters as required for the selected protocol. See the table above for additional information.
  6. Click Save Settings.
Disable SNMP communication
  1. Click System > Settings.
  2. Expand the System Communication folder.
  3. Select SNMP from the tree.
  4. Click Disable.
  5. Click Save Settings.
Register hosts and users with SNMPv3 traps

FortiNAC can use data sent in SNMPv3 traps from external devices to register hosts and users. This speeds up the process of adding hosts and users to your FortiNAC database by taking advantage of information that is readily available from another system. In addition, based on trap parameters hosts and users can be modified or removed from the database.

FortiNAC requirements
  • FortiNAC must have an integration suite license. See Licenses.
  • The Trap Sender must be modeled in the Inventory as a pingable device. See Add or modify a pingable device.
  • You must enter SNMPv3 settings in System > Settings > System Communication > SNMP that match the SNMPv3 settings configured on the device sending the traps. Note that if you had previously entered SNMPv1/SNMPv2c settings for external devices querying FortiNAC for information, you must modify the settings on those devices to use SNMPv3.
  • If you are running FortiNAC in a FortiNAC Manager environment, the Trap Sender must be modeled on each FortiNAC Server or Control Server that should receive this information. Note that if you have enabled any of the Copy Registered Host options on the FortiNAC Manager it may not be necessary to receive traps on more than one managed server.
  • When traps are received, they can trigger the events listed below in the Event Log. These events can be mapped to Alarms. Make sure the events are enabled. See Event management. To map events to alarms, see Add or modify alarm mapping.

Events

  • Add/Modify/Remove Host: Generated whenever a trap is received that adds, modifies or removes a host record in the database.
  • Add/Modify/Remove User: Generated whenever a trap is received that adds, modifies or removes a user record in the database.

Trap sender requirements
  • Use the Management IP address (eth0/port1) of the FortiNAC Server or Control Server as the destination for the trap.
  • Send traps to port 161 on the FortiNAC Server or Control Server.
  • If you are running FortiNAC in a high availability environment, send traps to both the primary and the secondary FortiNAC Servers or Control Servers.
  • You must have snmptrap.exe and libsnmp.dll on the device sending the traps. Download the latest binaries for the appropriate operating system from www.net-snmp.org/download.html.
  • Configure the traps on the sending device. See the tables below for information on trap parameters.
Hosts
  • If a trap is received for an existing host, the host's database record is updated with information from the trap.
  • When a trap is received for a host that matches a rogue in FortiNAC, the rogue is converted to a registered host if the trap contains user data. It is converted to a registered device if there is no associated user.
  • If a user is deleted based on a trap, associated hosts are not deleted and they become registered devices. To delete these hosts either send an additional trap that removes the host or you must go to the Host View and delete them manually. See Delete a host.
  • If the same host is added twice but with different MAC addresses for separate adapters, it is treated as two separate records in the FortiNAC database. The two adapters are not linked to each other in any way and are not considered siblings in FortiNAC.
  • Values that contain spaces must be enclosed in quotation marks, such as "Windows Vista".
  • Separators in MAC addresses must be colons, such as 90:21:55:EB:A3:87.

Trap parameters (OID, description, definition)

  • 1.1.1.1 Host Name: Name of the host.
  • 1.1.1.2 IP address: IP address of the host.
  • 1.1.1.3 MAC address: Physical address of the host. Required.
  • 1.1.1.4 Host operating system: Name of the operating system on the host.
  • 1.1.5 Role: Role assigned to the host. Roles are attributes of hosts used as filters in user/host profiles.
  • 1.1.6 Action: Indicates whether this trap is adding or removing a host from the database. Adding an existing host modifies that host's record in the database. 1=Add, 2=Remove.
  • 1.2.8 Element: Indicates that this trap is registering either a host or a host and its corresponding user.

Example traps

To add a host record for the PC with a hostname of Gateway-notebook, with an IP address of 160.87.100.117, a MAC address of 00:26:9E:E2:DD:DB, an OS of Windows, and a role of Guest:

snmptrap -v3 -u <user> -l authNoPriv -a MD5 -A <passphrase> 160.87.9.10:161 '' 1.3.6.1.4.1.16856.1.2.8 .1.3.6.1.4.1.16856.1.1.1.1 s Gateway-notebook .1.3.6.1.4.1.16856.1.1.1.4 s Windows .1.3.6.1.4.1.16856.1.1.1.2 s 160.87.100.117 .1.3.6.1.4.1.16856.1.1.1.3 s 00:26:9E:E2:DD:DB .1.3.6.1.4.1.16856.1.1.5 s Guest .1.3.6.1.4.1.16856.1.1.6 integer 1

To remove the host record for the PC with a hostname of Gateway-notebook, an IP address of 160.87.100.117, a MAC address of 00:26:9E:E2:DD:DB, an OS of Windows, and a role of Guest (only the MAC address is required to remove a host; the other values are shown for completeness):

snmptrap -v3 -u <user> -l authNoPriv -a MD5 -A <passphrase> 160.87.9.10:161 '' 1.3.6.1.4.1.16856.1.2.8 .1.3.6.1.4.1.16856.1.1.1.1 s Gateway-notebook .1.3.6.1.4.1.16856.1.1.1.4 s Windows .1.3.6.1.4.1.16856.1.1.1.2 s 160.87.100.117 .1.3.6.1.4.1.16856.1.1.1.3 s 00:26:9E:E2:DD:DB .1.3.6.1.4.1.16856.1.1.5 s Guest .1.3.6.1.4.1.16856.1.1.6 integer 2

Users
  • If an LDAP directory is modeled in the Inventory, FortiNAC checks the directory for information about the user included in the trap. If the user exists in the directory, additional fields are populated for that user in the FortiNAC database. If the user does not exist in the directory, a user record is created in FortiNAC with only the data received in the trap.
  • If a trap is received for an existing user, the user's database record is updated with information from the trap.
  • If a trap is received for an existing user and the trap contains host information, the host is registered to the user. If the host already has a rogue record, the rogue is converted to a registered host and associated with the user.
  • If a user is deleted based on a trap, associated hosts are not deleted and they become registered devices. To delete these hosts you must go to the Host View and delete them manually. See Delete a host.
  • When FortiNAC resynchronizes with the directory, user data may be overwritten by data from the directory depending on the directory attribute mappings.
  • Values that contain spaces must be enclosed in quotation marks, such as "Mary Ann".
Trap parameters (OID, description, definition)

  • 1.1.2.1 User Name: User name stored in the directory. If the user is not in the directory, this record is still added, modified or removed. Required.
  • 1.1.2.2 User First Name
  • 1.1.2.3 User Last Name
  • 1.1.2.4 User Title
  • 1.1.2.5 Email: User's e-mail address.
  • 1.1.5 Role: Role assigned to the user. If this trap is adding both a user and a host, both are set to the same role.
  • 1.1.6 Action: Indicates whether this trap is adding or removing a user from the database. Adding an existing user modifies that user's record in the database. 1=Add, 2=Remove.
  • 1.2.9 Element: Indicates that this trap is only registering a user.

Example traps

To add testuser to the database:

snmptrap -v3 -u <user> -l authNoPriv -a MD5 -A <passphrase> 160.87.9.10:161 '' 1.3.6.1.4.1.16856.1.2.9 .1.3.6.1.4.1.16856.1.1.2.1 s testuser .1.3.6.1.4.1.16856.1.1.2.2 s John .1.3.6.1.4.1.16856.1.1.2.3 s Doe .1.3.6.1.4.1.16856.1.1.2.4 s Mr .1.3.6.1.4.1.16856.1.1.2.5 s jdoe@megatech.com .1.3.6.1.4.1.16856.1.1.5 s Guest .1.3.6.1.4.1.16856.1.1.6 integer 1

To delete the user record for testuser from the database (only the User Name is required to remove a user; the other values are shown for completeness):

snmptrap -v3 -u <user> -l authNoPriv -a MD5 -A <passphrase> 160.87.9.10:161 '' 1.3.6.1.4.1.16856.1.2.9 .1.3.6.1.4.1.16856.1.1.2.1 s testuser .1.3.6.1.4.1.16856.1.1.2.2 s John .1.3.6.1.4.1.16856.1.1.2.3 s Doe .1.3.6.1.4.1.16856.1.1.2.4 s Mr .1.3.6.1.4.1.16856.1.1.2.5 s jdoe@megatech.com .1.3.6.1.4.1.16856.1.1.5 s Guest .1.3.6.1.4.1.16856.1.1.6 integer 2
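As an added example (not Fortinet's code and not part of this guide), the Python below assembles the snmptrap argument lists for the host trap (element 1.2.8) and the user-only trap (element 1.2.9) described in the two parameter tables, enforces the rules the tables state (the MAC address is required and must use colon separators for hosts, the User Name is required for users, 1=Add and 2=Remove), quotes values containing spaces, and decodes an argument list back into the record a receiver would build from it. The enterprise prefix .1.3.6.1.4.1.16856 is taken from the page's example commands; the server address, user and passphrase are placeholders, and using net-snmp's -x/-X options for the privacy protocol and password of an AuthPriv trap is my assumption, since the page shows only authNoPriv examples.

```python
"""Build, validate and decode FortiNAC host/user registration traps.

Added example, not Fortinet's code. It only assembles the snmptrap argument
list; nothing is sent. Assumptions not stated on the page: the OID suffixes in
the parameter tables hang off the enterprise prefix .1.3.6.1.4.1.16856 (as the
page's example commands show), and net-snmp's -x/-X options carry the privacy
protocol and passphrase when the security level is authPriv.
"""
import re
import shlex

ENTERPRISE = ".1.3.6.1.4.1.16856"

# "Element" trap OIDs from the page: 1.2.8 = host (optionally with its user), 1.2.9 = user only.
TRAP_OID = {"host": "1.3.6.1.4.1.16856.1.2.8", "user": "1.3.6.1.4.1.16856.1.2.9"}

# Varbind OID suffixes from the two parameter tables on the page.
HOST_FIELDS = {"host_name": "1.1.1.1", "ip": "1.1.1.2", "mac": "1.1.1.3", "os": "1.1.1.4"}
USER_FIELDS = {"user_name": "1.1.2.1", "first_name": "1.1.2.2",
               "last_name": "1.1.2.3", "title": "1.1.2.4", "email": "1.1.2.5"}
ROLE_SUFFIX, ACTION_SUFFIX = "1.1.5", "1.1.6"
ACTION = {"add": 1, "remove": 2}

# The page requires colon separators; anything else (dashes, dots) is rejected here.
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def _binds(field_map, values):
    """Emit OID/type/value triples for every supplied field, in table order."""
    out = []
    for key, suffix in field_map.items():
        if values.get(key) is not None:
            out += [f"{ENTERPRISE}.{suffix}", "s", str(values[key])]
    return out


def _argv(server, auth, element, binds, action, role):
    """Assemble the full snmptrap argument list; nothing is executed."""
    argv = ["snmptrap", "-v3", "-u", auth["user"], "-l", auth["level"],
            "-a", auth["auth_proto"], "-A", auth["auth_pass"]]
    if auth["level"] == "authPriv":  # AuthPriv adds a privacy protocol and password (assumed flags)
        argv += ["-x", auth["priv_proto"], "-X", auth["priv_pass"]]
    argv += [f"{server}:161", "", TRAP_OID[element]]  # page: port 161; '' = agent uptime
    argv += binds
    if role is not None:
        argv += [f"{ENTERPRISE}.{ROLE_SUFFIX}", "s", role]
    argv += [f"{ENTERPRISE}.{ACTION_SUFFIX}", "integer", str(ACTION[action])]
    return argv


def host_trap(server, auth, host, action="add", role=None, user=None):
    """Host trap (element 1.2.8). Only the MAC is required; user fields are optional."""
    mac = host.get("mac")
    if not mac or not MAC_RE.match(mac):
        raise ValueError("MAC address is required and must use colons, e.g. 90:21:55:EB:A3:87")
    binds = _binds(HOST_FIELDS, host)
    if user:
        if not user.get("user_name"):
            raise ValueError("user_name is required when a user is included")
        binds += _binds(USER_FIELDS, user)
    return _argv(server, auth, "host", binds, action, role)


def user_trap(server, auth, user, action="add", role=None):
    """User-only trap (element 1.2.9). Only user_name is required."""
    if not user.get("user_name"):
        raise ValueError("user_name is required")
    return _argv(server, auth, "user", _binds(USER_FIELDS, user), action, role)


def command_line(argv):
    """Render as a shell command; shlex.join quotes values with spaces ("Windows Vista")."""
    return shlex.join(argv)


def decode(argv):
    """Read a trap argument list back into a record, as the receiver would interpret it."""
    names = {v: k for k, v in {**HOST_FIELDS, **USER_FIELDS}.items()}
    names[ROLE_SUFFIX], names[ACTION_SUFFIX] = "role", "action"
    uptime_at = argv.index("")
    trap_oid = argv[uptime_at + 1]
    record = {"element": next(k for k, v in TRAP_OID.items() if v == trap_oid)}
    rest = argv[uptime_at + 2:]
    for oid, _type, value in zip(rest[0::3], rest[1::3], rest[2::3]):
        name = names[oid[len(ENTERPRISE) + 1:]]
        record[name] = {1: "add", 2: "remove"}[int(value)] if name == "action" else value
    return record


if __name__ == "__main__":
    # Placeholder credentials and the page's Gateway-notebook example (constructed input).
    AUTH = {"user": "<user>", "level": "authNoPriv", "auth_proto": "MD5", "auth_pass": "<passphrase>"}
    host = {"mac": "00:26:9E:E2:DD:DB", "host_name": "Gateway-notebook",
            "ip": "160.87.100.117", "os": "Windows Vista"}
    print(command_line(host_trap("160.87.9.10", AUTH, host, role="Guest")))
```

Running the module prints the command for the page's Gateway-notebook example with the OS value quoted as 'Windows Vista'. Keeping the validation on the sending side matters because a MAC written with dashes or a user trap without a User Name produces a trap FortiNAC cannot act on, while a well-formed host trap that carries user data converts a rogue into a registered host, so the values fed into these functions should come from a trusted inventory source rather than from untrusted input.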
