Fortinet black logo

Administration Guide

SNMP

Copy Link
Copy Doc ID 825689eb-200d-11e9-b6f6-f8bc1258b856:28966
Download PDF

SNMP

Use the SNMP Properties view to select the SNMP protocol for devices that query FortiNAC for information. If SNMP is enabled, FortiNAC responds to SNMP communication from other devices, such as a Network Management system that might include the FortiNAC server in its own database.

Go to Settings > System Communication > SNMP.

In addition, this view is also used to set the SNMP protocol to accept SNMPv3 traps that register hosts and users.

Both types of communication pass through port 161. Settings here are global. Therefore, if you choose to use SNMPv3 traps sent from other network devices to register hosts and users, then ALL other devices that query FortiNAC for information must also communicate using SNMPv3. You must modify the configuration of those external devices to use SNMPv3.

The SNMP protocols that are supported are SNMPv1/SNMPv2c and SNMPv3. SNMPv3 uses DES or AES encryption for the Privacy Password.

Privacy protocols supported are:

  • DES
  • Triple-DES
  • AES-128

SNMP MIBs used to communicate with FortiNAC are in:

/bsc/campusMgr/ui/runTime/docs/mibs/

Settings

Field

Description

Enable SNMP Communication

If SNMP is enabled, FortiNAC responds to SNMP requests from other servers.

SNMP Protocol

Select the SNMP protocol FortiNAC will be responding to:

SNMPv1/SNMPv2c

SNMPv3-AuthPriv (SNMPv3 with Authentication and Privacy)

SNMPv3 AuthNoPriv (SNMPv3 with Authentication but no Privacy.)

SNMPv1/SNMPv2c

Security String

Enter the security string that FortiNAC will respond to when communicating with the server.

SNMPv3

User Name

User Name for the SNMPv3 credentials.

Authentication Protocol

Specify the SNMPv3 Authentication Protocol.

The available Authentication Protocols are

MD5

SHA1

Authentication
Password

Specify the Authentication Password required by FortiNAC when SNMPv3-AuthPriv or SNMPv3-AuthNoPriv queries are received.

Privacy Protocols

Specify the SNMPv3 Privacy Protocol.

The available privacy protocols are:

DES

Triple-DES

AES-128

Privacy Password

Specify the Privacy Password required by FortiNAC when SNMPv3-AuthPriv queries are received.

Management hosts

IP Addresses

List of IP addresses of the devices that have communicated with FortiNAC through SNMP.

Set up SNMP communication with FortiNAC

  1. Click System > Settings.
  2. Expand the System Communication folder.
  3. Select SNMP from the tree.
  4. Click Enable and select an SNMP protocol.
  5. Enter the parameters as required for the selected protocol. See the table above for additional information.
  6. Click Save Settings.

Disable SNMP Communication With FortiNAC

  1. Click System > Settings.
  2. Expand the System Communication folder.
  3. Select SNMP from the tree.
  4. Click Disable.
  5. Click Save Settings.

Register hosts and users with SNMPv3 traps

FortiNAC can use data sent in SNMPv3 traps from external devices to register hosts and users. This speeds up the process of adding hosts and users to your FortiNAC database by taking advantage of information that is readily available from another system. In addition, based on trap parameters hosts and users can be modified or removed from the database.

FortiNAC requirements
  • FortiNAC must have an Integration Suite license. See Licensing.
  • The Trap Sender must be modeled in the Topology View as a pingable device. See Add/modify a pingable device.
  • You must enter SNMPv3 settings in System > Settings > System Communication > SNMP that match those of the device to which you are sending traps. Note that if you had previously entered SNMPv1/SNMPv2c settings for external devices querying FortiNAC for information, you must modify settings on those devices to use SNMPv3. See SNMP.
  • If you are running FortiNAC in a FortiNAC Control Manager environment, the Trap Sender must be modeled on each FortiNAC Server or Control Server that should receive this information. Note that if you have enabled any of the Copy Registered Host options on the FortiNAC Control Manager it may not be necessary to receive traps on more than one managed server.
  • When traps are received they can trigger the events listed below in the Event Log. These events can be mapped to Alarms. Make sure the events are enabled. See Event management. To map events to alarms see Add or modify alarm mapping.

Event

Definition

Add/Modify/Remove Host

Generated whenever a trap is received that adds, modifies or removes a host record in the database.

Add/Modify/Remove User

Generated when a trap is received that adds, modifies or removes a user record in the database.

Trap sender requirements
  • Use the Management IP address (eth0) of the FortiNAC Server or Control Server as the destination for the trap.
  • Send traps to port 161 on the FortiNAC Server or Control Server.
  • If you are running FortiNAC in a High Availability environment, send traps to both the primary and the secondary FortiNAC Servers or Control Servers.
  • You must have snmptrap.exe and libsnmp.dll on the device sending the traps. Download the latest binaries for the appropriate operating system from www.net-snmp.org/download.html.
  • Configure the traps on the sending device. See the tables below for information on trap parameters.
Hosts
  • If a trap is received for an existing host, the host's database record is updated with information from the trap.
  • When a trap is received for a host that matches a rogue in FortiNAC, the rogue is converted to a registered host if the trap contains user data. It is converted to a registered device if there is no associated user.
  • If a user is deleted based on a trap, associated hosts are not deleted and they become registered devices. To delete these hosts either send an additional trap that removes the host or you must go to the Host View and delete them manually. See Delete a host.
  • If the same host is added twice but with different MAC addresses for separate adapters, it is treated as two separate records in the FortiNAC database. The two adapters are not linked to each other in any way and are not considered siblings in FortiNAC.
  • Variables with spaces in the names should be in quotation marks, such as, "Windows Vista".
  • Separators in MAC Addresses must be colons, such as, 90:21:55:EB:A3:87.

OID

Description

Definition

1.1.1.1

Host Name

Name of the host.

1.1.1.2

IP Address

IP address of the host.

1.1.1.3

MAC Address

Physical Address of the host.

Required.

1.1.1.4

Host Operating System

Name of the operating system on the host.

1.1.5

Role

Role assigned to the host. Roles are attributes of hosts used as filters in User/Host Profiles.

1.1.6

Action

Indicates whether this trap is adding or removing a host from the database. Adding an existing host will modify that host's record in the database.

1=Add

2=Remove

1.2.8

Element

Indicates that this trap is registering either a host or a host and its corresponding user.

Example traps

To add a host record for the PC with a hostname of Gateway-notebook, with an IP address of 160.87.100.117, a MAC address of 00:26:9E:E2:DD:DB, an OS of Windows, and a role of Guest:

snmptrap -v3 -u <user**> -l authNoPriv -a MD5 -A <Passphase**> 160.87.9.10:161 '' 1.3.6.1.4.1.16856.1.2.8 .1.3.6.1.4.1.16856.1.1.1.1 s Gateway-notebook .1.3.6.1.4.1.16856.1.1.1.4 s Windows .1.3.6.1.4.1.16856.1.1.1.2 s 160.87.100.117 .1.3.6.1.4.1.16856.1.1.1.3 s 00:26:9E:E2:DD:DB .1.3.6.1.4.1.16856.1.1.5 s Guest .1.3.6.1.4.1.16856.1.1.6 integer 1

To remove host record for the PC with a hostname of Gateway-notebook, with an IP address of 160.87.100.117, a MAC address of 00:26:9E:E2:DD:DB, an OS of Windows, and a role of Guest. Note that only MAC address is required to remove a host.

snmptrap -v3 -u <user**> -l authNoPriv -a MD5 -A <Passphase**> 160.87.9.10:161 '' 1.3.6.1.4.1.16856.1.2.8 .1.3.6.1.4.1.16856.1.1.1.1 s Gateway-notebook .1.3.6.1.4.1.16856.1.1.1.4 s Windows .1.3.6.1.4.1.16856.1.1.1.2 s 160.87.100.117 .1.3.6.1.4.1.16856.1.1.1.3 s 00:26:9E:E2:DD:DB .1.3.6.1.4.1.16856.1.1.5 s Guest .1.3.6.1.4.1.16856.1.1.6 integer 2

Users
  • If an LDAP directory is modeled in the Topology View, FortiNAC checks the directory for information about the user included in the trap. If the user exists in the directory, additional fields are populated for that user in the FortiNAC database. If the user does not exist in the directory, a user record is created in FortiNAC with only the data received in the trap.
  • If a trap is received for an existing user, the user's database record is updated with information from the trap.
  • If a trap is received for an existing user and the trap contains host information, the host is registered to the user. If the host already has a rogue record, the rogue is converted to a registered host and associated with the user.
  • If a user is deleted based on a trap, associated hosts are not deleted and they become registered devices. To delete these hosts you must go to the Host View and delete them manually. See Delete a host.
  • When FortiNAC resynchronizes with the directory, user data may be overwritten by data from the directory depending on the directory attribute mappings.
  • Variables with spaces in the names should be in quotation marks, such as, "Mary Ann".
Trap parameters

OID

Description

Definition

1.1.2.1

User Name

User Name stored in the directory. If the user is not in the directory, this record will still be added, modified or removed.

Required.

1.1.2.2

User First Name

1.1.2.3

User Last Name

1.1.2.4

User Title

1.1.2.5

Email

User's e-mail address.

1.1.5

Role

Role assigned to the User. If this trap is adding both a user and a host, both are set to the same role.

1.1.6

Action

Indicates whether this trap is adding or removing a user from the database. Adding an existing user will modify that user's record in the database.

1=Add

2=Remove

1.2.9

Element

Indicates that this trap is only registering a user.

Example traps

To add testuser to the database:

snmptrap -v3 -u <user**> -l authNoPriv -a MD5 -A <Passphase**> 160.87.9.10:161 '' 1.3.6.1.4.1.16856.1.2.9 .1.3.6.1.4.1.16856.1.1.2.1 s testuser .1.3.6.1.4.1.16856.1.1.2.2 s John.1.3.6.1.4.1.16856.1.1.2.3 s Doe .1.3.6.1.4.1.16856.1.1.2.4 s Mr .1.3.6.1.4.1.16856.1.1.2.5 s jdoe@megatech.com .1.3.6.1.4.1.16856.1.1.5 s Guest .1.3.6.1.4.1.16856.1.1.6 integer 1

To delete user record for testuser from the database. Note that only User Name is required to remove a user.

snmptrap -v3 -u <user**> -l authNoPriv -a MD5 -A <Passphase**> 160.87.9.10:161 '' 1.3.6.1.4.1.16856.1.2.9 .1.3.6.1.4.1.16856.1.1.2.1 s testuser .1.3.6.1.4.1.16856.1.1.2.2 s John.1.3.6.1.4.1.16856.1.1.2.3 s Doe .1.3.6.1.4.1.16856.1.1.2.4 s Mr .1.3.6.1.4.1.16856.1.1.2.5 s jdoe@megatech.com .1.3.6.1.4.1.16856.1.1.5 s Guest .1.3.6.1.4.1.16856.1.1.6 integer 2

SNMP

Use the SNMP Properties view to select the SNMP protocol for devices that query FortiNAC for information. If SNMP is enabled, FortiNAC responds to SNMP communication from other devices, such as a Network Management system that might include the FortiNAC server in its own database.

Go to Settings > System Communication > SNMP.

In addition, this view is also used to set the SNMP protocol to accept SNMPv3 traps that register hosts and users.

Both types of communication pass through port 161. Settings here are global. Therefore, if you choose to use SNMPv3 traps sent from other network devices to register hosts and users, then ALL other devices that query FortiNAC for information must also communicate using SNMPv3. You must modify the configuration of those external devices to use SNMPv3.

The SNMP protocols that are supported are SNMPv1/SNMPv2c and SNMPv3. SNMPv3 uses DES or AES encryption for the Privacy Password.

Privacy protocols supported are:

  • DES
  • Triple-DES
  • AES-128

SNMP MIBs used to communicate with FortiNAC are in:

/bsc/campusMgr/ui/runTime/docs/mibs/

Settings

Field

Description

Enable SNMP Communication

If SNMP is enabled, FortiNAC responds to SNMP requests from other servers.

SNMP Protocol

Select the SNMP protocol FortiNAC will be responding to:

SNMPv1/SNMPv2c

SNMPv3-AuthPriv (SNMPv3 with Authentication and Privacy)

SNMPv3 AuthNoPriv (SNMPv3 with Authentication but no Privacy.)

SNMPv1/SNMPv2c

Security String

Enter the security string that FortiNAC will respond to when communicating with the server.

SNMPv3

User Name

User Name for the SNMPv3 credentials.

Authentication Protocol

Specify the SNMPv3 Authentication Protocol.

The available Authentication Protocols are

MD5

SHA1

Authentication
Password

Specify the Authentication Password required by FortiNAC when SNMPv3-AuthPriv or SNMPv3-AuthNoPriv queries are received.

Privacy Protocols

Specify the SNMPv3 Privacy Protocol.

The available privacy protocols are:

DES

Triple-DES

AES-128

Privacy Password

Specify the Privacy Password required by FortiNAC when SNMPv3-AuthPriv queries are received.

Management hosts

IP Addresses

List of IP addresses of the devices that have communicated with FortiNAC through SNMP.

Set up SNMP communication with FortiNAC

  1. Click System > Settings.
  2. Expand the System Communication folder.
  3. Select SNMP from the tree.
  4. Click Enable and select an SNMP protocol.
  5. Enter the parameters as required for the selected protocol. See the table above for additional information.
  6. Click Save Settings.

Disable SNMP Communication With FortiNAC

  1. Click System > Settings.
  2. Expand the System Communication folder.
  3. Select SNMP from the tree.
  4. Click Disable.
  5. Click Save Settings.

Register hosts and users with SNMPv3 traps

FortiNAC can use data sent in SNMPv3 traps from external devices to register hosts and users. This speeds up the process of adding hosts and users to your FortiNAC database by taking advantage of information that is readily available from another system. In addition, based on trap parameters hosts and users can be modified or removed from the database.

FortiNAC requirements
  • FortiNAC must have an Integration Suite license. See Licensing.
  • The Trap Sender must be modeled in the Topology View as a pingable device. See Add/modify a pingable device.
  • You must enter SNMPv3 settings in System > Settings > System Communication > SNMP that match those of the device to which you are sending traps. Note that if you had previously entered SNMPv1/SNMPv2c settings for external devices querying FortiNAC for information, you must modify settings on those devices to use SNMPv3. See SNMP.
  • If you are running FortiNAC in a FortiNAC Control Manager environment, the Trap Sender must be modeled on each FortiNAC Server or Control Server that should receive this information. Note that if you have enabled any of the Copy Registered Host options on the FortiNAC Control Manager it may not be necessary to receive traps on more than one managed server.
  • When traps are received they can trigger the events listed below in the Event Log. These events can be mapped to Alarms. Make sure the events are enabled. See Event management. To map events to alarms see Add or modify alarm mapping.

Event

Definition

Add/Modify/Remove Host

Generated whenever a trap is received that adds, modifies or removes a host record in the database.

Add/Modify/Remove User

Generated when a trap is received that adds, modifies or removes a user record in the database.

Trap sender requirements
  • Use the Management IP address (eth0) of the FortiNAC Server or Control Server as the destination for the trap.
  • Send traps to port 161 on the FortiNAC Server or Control Server.
  • If you are running FortiNAC in a High Availability environment, send traps to both the primary and the secondary FortiNAC Servers or Control Servers.
  • You must have snmptrap.exe and libsnmp.dll on the device sending the traps. Download the latest binaries for the appropriate operating system from www.net-snmp.org/download.html.
  • Configure the traps on the sending device. See the tables below for information on trap parameters.
Hosts
  • If a trap is received for an existing host, the host's database record is updated with information from the trap.
  • When a trap is received for a host that matches a rogue in FortiNAC, the rogue is converted to a registered host if the trap contains user data. It is converted to a registered device if there is no associated user.
  • If a user is deleted based on a trap, associated hosts are not deleted and they become registered devices. To delete these hosts either send an additional trap that removes the host or you must go to the Host View and delete them manually. See Delete a host.
  • If the same host is added twice but with different MAC addresses for separate adapters, it is treated as two separate records in the FortiNAC database. The two adapters are not linked to each other in any way and are not considered siblings in FortiNAC.
  • Variables with spaces in the names should be in quotation marks, such as, "Windows Vista".
  • Separators in MAC Addresses must be colons, such as, 90:21:55:EB:A3:87.

OID

Description

Definition

1.1.1.1

Host Name

Name of the host.

1.1.1.2

IP Address

IP address of the host.

1.1.1.3

MAC Address

Physical Address of the host.

Required.

1.1.1.4

Host Operating System

Name of the operating system on the host.

1.1.5

Role

Role assigned to the host. Roles are attributes of hosts used as filters in User/Host Profiles.

1.1.6

Action

Indicates whether this trap is adding or removing a host from the database. Adding an existing host will modify that host's record in the database.

1=Add

2=Remove

1.2.8

Element

Indicates that this trap is registering either a host or a host and its corresponding user.

Example traps

To add a host record for the PC with a hostname of Gateway-notebook, with an IP address of 160.87.100.117, a MAC address of 00:26:9E:E2:DD:DB, an OS of Windows, and a role of Guest:

snmptrap -v3 -u <user**> -l authNoPriv -a MD5 -A <Passphase**> 160.87.9.10:161 '' 1.3.6.1.4.1.16856.1.2.8 .1.3.6.1.4.1.16856.1.1.1.1 s Gateway-notebook .1.3.6.1.4.1.16856.1.1.1.4 s Windows .1.3.6.1.4.1.16856.1.1.1.2 s 160.87.100.117 .1.3.6.1.4.1.16856.1.1.1.3 s 00:26:9E:E2:DD:DB .1.3.6.1.4.1.16856.1.1.5 s Guest .1.3.6.1.4.1.16856.1.1.6 integer 1

To remove host record for the PC with a hostname of Gateway-notebook, with an IP address of 160.87.100.117, a MAC address of 00:26:9E:E2:DD:DB, an OS of Windows, and a role of Guest. Note that only MAC address is required to remove a host.

snmptrap -v3 -u <user**> -l authNoPriv -a MD5 -A <Passphase**> 160.87.9.10:161 '' 1.3.6.1.4.1.16856.1.2.8 .1.3.6.1.4.1.16856.1.1.1.1 s Gateway-notebook .1.3.6.1.4.1.16856.1.1.1.4 s Windows .1.3.6.1.4.1.16856.1.1.1.2 s 160.87.100.117 .1.3.6.1.4.1.16856.1.1.1.3 s 00:26:9E:E2:DD:DB .1.3.6.1.4.1.16856.1.1.5 s Guest .1.3.6.1.4.1.16856.1.1.6 integer 2

Users
  • If an LDAP directory is modeled in the Topology View, FortiNAC checks the directory for information about the user included in the trap. If the user exists in the directory, additional fields are populated for that user in the FortiNAC database. If the user does not exist in the directory, a user record is created in FortiNAC with only the data received in the trap.
  • If a trap is received for an existing user, the user's database record is updated with information from the trap.
  • If a trap is received for an existing user and the trap contains host information, the host is registered to the user. If the host already has a rogue record, the rogue is converted to a registered host and associated with the user.
  • If a user is deleted based on a trap, associated hosts are not deleted and they become registered devices. To delete these hosts you must go to the Host View and delete them manually. See Delete a host.
  • When FortiNAC resynchronizes with the directory, user data may be overwritten by data from the directory depending on the directory attribute mappings.
  • Variables with spaces in the names should be in quotation marks, such as, "Mary Ann".
Trap parameters

OID

Description

Definition

1.1.2.1

User Name

User Name stored in the directory. If the user is not in the directory, this record will still be added, modified or removed.

Required.

1.1.2.2

User First Name

1.1.2.3

User Last Name

1.1.2.4

User Title

1.1.2.5

Email

User's e-mail address.

1.1.5

Role

Role assigned to the User. If this trap is adding both a user and a host, both are set to the same role.

1.1.6

Action

Indicates whether this trap is adding or removing a user from the database. Adding an existing user will modify that user's record in the database.

1=Add

2=Remove

1.2.9

Element

Indicates that this trap is only registering a user.

Example traps

To add testuser to the database:

snmptrap -v3 -u <user**> -l authNoPriv -a MD5 -A <Passphase**> 160.87.9.10:161 '' 1.3.6.1.4.1.16856.1.2.9 .1.3.6.1.4.1.16856.1.1.2.1 s testuser .1.3.6.1.4.1.16856.1.1.2.2 s John.1.3.6.1.4.1.16856.1.1.2.3 s Doe .1.3.6.1.4.1.16856.1.1.2.4 s Mr .1.3.6.1.4.1.16856.1.1.2.5 s jdoe@megatech.com .1.3.6.1.4.1.16856.1.1.5 s Guest .1.3.6.1.4.1.16856.1.1.6 integer 1

To delete user record for testuser from the database. Note that only User Name is required to remove a user.

snmptrap -v3 -u <user**> -l authNoPriv -a MD5 -A <Passphase**> 160.87.9.10:161 '' 1.3.6.1.4.1.16856.1.2.9 .1.3.6.1.4.1.16856.1.1.2.1 s testuser .1.3.6.1.4.1.16856.1.1.2.2 s John.1.3.6.1.4.1.16856.1.1.2.3 s Doe .1.3.6.1.4.1.16856.1.1.2.4 s Mr .1.3.6.1.4.1.16856.1.1.2.5 s jdoe@megatech.com .1.3.6.1.4.1.16856.1.1.5 s Guest .1.3.6.1.4.1.16856.1.1.6 integer 2