Administration Guide

SNMP examples

This topic includes examples that incorporate several SNMP settings:

Example 1: SNMP traps for monitoring interface status using SNMP v3 user

This configuration enables the SNMP manager (10.4.62.181) to receive notifications when a FortiProxy port either goes down or is brought up. The SNMP manager can also query the current status of the FortiProxy port.

To configure SNMP for monitoring interface status in the GUI:
  1. Configure interface access:

    1. Go to Network > Interfaces and edit port4.

    2. In the Administrative Access options, enable SNMP.

    3. Click OK.

  2. Configure the SNMP agent:

    1. Go to System > SNMP.

    2. Enable SNMP Agent and enter the following:

      Description: FPX

      Location: Burnaby

      Contact Info: FPXQA

    3. Click Apply.

  3. Configure an SNMP v3 user:

    1. Go to System > SNMP.

    2. In the SNMP v3 table, click Create New.

    3. Configure the following:

      User Name: test

      Security Level: Authentication

      Authentication Algorithm: SHA1

      Password: *******

      Hosts IP Address: 10.4.62.181

    4. Click OK.

To configure SNMP for monitoring interface status in the CLI:
  1. Configure interface access:

    config system interface
        edit port4
            append allowaccess snmp
        next
    end
    
  2. Configure the SNMP agent:

    config system snmp sysinfo
        set status enable
        set description FPX
        set contact-info FPXQA
        set location Burnaby
    end
  3. Configure an SNMP v3 user:

    config system snmp user
        edit "test"
            set notify-hosts 10.4.62.181
            set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change fm-conf-change ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open faz-disconnect faz load-balance-real-server-down device-new per-cpu-high dhcp pool-usage cert-expiry
            set security-level auth-no-priv
            set auth-pwd ENC  ********************
        next
    end

Verification
  1. Start the packet capture on interface port4 with the filter set to port 162. See Diagnostics for more information.

  2. Set the status of one of the FortiProxy interfaces to down, in this case, port2.

  3. Save the packet capture.

    The SNMP v3 trap is transmitted from port4 to the SNMP manager. Note that msgAuthenticationParameters is configured, indicating that authentication is active. The absence of msgPrivacyParameters suggests that encryption is not configured. This is further confirmed by plaintext in msgData.

  4. Verify that the SNMP manager has received the trap. See Important SNMP traps for an example of a trap.
  5. Verify that the SNMP manager can successfully query and receive a response on the current status of the FortiProxy ports:

    $ snmpwalk -v3 -u test -l authNoPriv -a SHA -A xxxxxx 10.4.62.222 1.3.6.1.2.1.2.2.1.8
    IF-MIB::ifOperStatus.1 = INTEGER: up(1)
    IF-MIB::ifOperStatus.2 = INTEGER: up(1)
    IF-MIB::ifOperStatus.3 = INTEGER: down(2)
    IF-MIB::ifOperStatus.4 = INTEGER: up(1)
    IF-MIB::ifOperStatus.5 = INTEGER: up(1)
    IF-MIB::ifOperStatus.6 = INTEGER: up(1)

Example 2: SNMP traps and query for monitoring DHCP pool using SNMP v3 user

This configuration enables the SNMP manager (10.4.62.181) to receive DHCP-related notifications from FortiProxy.

The SNMP DHCP event contains three traps and one query.

Traps are sent when:

  • DHCP server IP pool usage reaches 90%

  • DHCP server detects an IP address that is already in use

  • DHCP client receives DHCP NAK

SNMP queries are accepted for DHCP lease usage information (OID = 1.3.6.1.4.1.12356.101.23). The query result is based on the leased-out percentage.

To configure SNMP for monitoring DHCP pool in the GUI:
  1. Configure interface access:

    1. Go to Network > Interfaces and edit port4.

    2. In the Administrative Access options, enable SNMP.

    3. Click OK.

  2. Configure the SNMP agent:

    1. Go to System > SNMP.

    2. Enable SNMP Agent and enter the following:

      Description: FPX

      Location: Burnaby

      Contact Info: FPXQA

    3. Click Apply.

  3. Configure an SNMP v3 user:

    1. Go to System > SNMP.

    2. In the SNMP v3 table, click Create New.

    3. Configure the following:

      User Name: DHCP_Status

      Security Level: Authentication

      Authentication Algorithm: SHA384

      Password: *******

      Private: Enabled

      Encryption Algorithm: AES256

      Password: *******

      Hosts IP Address: 10.4.62.181

    4. Click OK.

To configure SNMP for monitoring the DHCP pool in the CLI:
  1. Configure interface access:

    config system interface
        edit port4
            append allowaccess snmp
        next
    end
    
  2. Configure the SNMP agent:

    config system snmp sysinfo
        set status enable
        set description FPX
        set contact-info FPXQA
        set location Burnaby
    end
  3. Configure an SNMP v3 user:

    config system snmp user
        edit "DHCP_Status"
            set notify-hosts 10.4.62.181
            set security-level auth-priv
            set auth-proto sha384
            set auth-pwd ********************
            set priv-proto aes256
            set priv-pwd *********************
        next
    end
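
The two `config system snmp user` definitions on this page differ in whether trap and query data is encrypted. The following added example (not Fortinet code) audits a saved configuration for users that are not `auth-priv`. The sample text is constructed from the two user blocks shown in this topic, with secrets replaced and the `events` and `notify-hosts` lines omitted; the function names are hypothetical.

```python
def parse_snmp_users(config: str) -> dict:
    """Return {user: {setting: value}} from 'config system snmp user' blocks."""
    users, current, inside = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "config system snmp user":
            inside = True
        elif inside and line == "end":
            inside = False
        elif inside and line.startswith("edit "):
            current = users.setdefault(line[5:].strip().strip('"'), {})
        elif inside and line == "next":
            current = None
        elif inside and current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip()
    return users

def audit(config: str) -> list:
    """Flag users for which encryption or the auth algorithm is not set explicitly."""
    findings = []
    for name, cfg in parse_snmp_users(config).items():
        level = cfg.get("security-level", "(not set)")
        if level != "auth-priv":
            findings.append((name, f"security-level {level}: encryption of msgData is not configured"))
        if "auth-proto" not in cfg:
            findings.append((name, "auth-proto not set: confirm the effective algorithm on the device"))
    return findings

# Constructed sample: the two user blocks from this topic, secrets replaced.
SAMPLE = """\
config system snmp user
    edit "test"
        set security-level auth-no-priv
        set auth-pwd ENC <redacted>
    next
    edit "DHCP_Status"
        set security-level auth-priv
        set auth-proto sha384
        set auth-pwd <redacted>
        set priv-proto aes256
        set priv-pwd <redacted>
    next
end
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
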
Verification
  1. Start the packet capture on interface port4 with the filter set to port 162. See Diagnostics for more information.

  2. Overload the DHCP server IP pool.

  3. Save the packet capture.

    The SNMP v3 trap is transmitted from port4 to the SNMP manager. Note that both msgAuthenticationParameters and msgPrivacyParameters are set up, indicating that authentication and encryption are active. This is further confirmed by encryptedPDU in msgData.

  4. Verify that the SNMP manager has received the trap. See Important SNMP traps for an example of a trap.
  5. Verify that the SNMP manager can successfully query and receive DHCP lease usage information for FortiProxy:

    $ snmpwalk -v3 -u DHCP_Status -l authPriv -a SHA384 -A xxxxxx -x AES256 -X xxxxxx 10.4.62.222 1.3.6.1.4.1.12356.101.23
    SNMPv2-SMI::enterprises.12356.101.23.1.1.0 = INTEGER: 1
    SNMPv2-SMI::enterprises.12356.101.23.2.1.1.2.1.1 = INTEGER: 100
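
The check made by eye in step 3 of both Verification procedures can also be run on the raw trap bytes. This added example (not Fortinet code) decodes the SNMPv3 header and reports the security level from msgFlags, the lengths of msgAuthenticationParameters and msgPrivacyParameters, and whether msgData is plaintext or an encryptedPDU. Both sample messages are constructed here: the engine ID, counters, digest and ciphertext bytes are placeholders, and the 12-byte and 32-byte digest lengths assume HMAC-SHA-96 and the RFC 7860 SHA-384 truncation.

```python
def tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV (used only to build the constructed samples)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def children(buf: bytes) -> list:
    """Decode consecutive BER TLVs in buf into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long-form length: low 7 bits = number of length octets
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        if pos + n > len(buf):
            raise ValueError("truncated TLV")
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def snmpv3_security(msg: bytes) -> dict:
    """Report what the capture shows: msgFlags, USM parameters, msgData form."""
    version, header, secparams, data = children(children(msg)[0][1])
    if int.from_bytes(version[1], "big") != 3:
        raise ValueError("not an SNMPv3 message")
    flags = children(header[1])[2][1][0]           # msgFlags: bit 0 auth, bit 1 priv
    usm = children(children(secparams[1])[0][1])   # UsmSecurityParameters
    level = {0: "noAuthNoPriv", 1: "authNoPriv", 3: "authPriv"}.get(flags & 3, "invalid")
    return {"user": usm[3][1].decode(), "level": level,
            "auth_params_len": len(usm[4][1]), "priv_params_len": len(usm[5][1]),
            "msg_data": "encryptedPDU" if data[0] == 0x04 else "plaintext"}

def sample(user: bytes, flags: int, auth_len: int, priv_len: int, data: bytes) -> bytes:
    """Constructed SNMPv3 message; engine ID, counters and payload are placeholders."""
    header = tlv(0x30, tlv(2, b"\x01") + tlv(2, b"\x05\xdc") + tlv(4, bytes([flags])) + tlv(2, b"\x03"))
    usm = tlv(0x30, tlv(4, b"\x80\x00\x00\x00\x01") + tlv(2, b"\x01") + tlv(2, b"\x01")
              + tlv(4, user) + tlv(4, bytes(auth_len)) + tlv(4, bytes(priv_len)))
    return tlv(0x30, tlv(2, b"\x03") + header + tlv(4, usm) + data)

# Example 1 user: auth-no-priv, 12-byte digest, ScopedPDU sent in the clear.
TRAP_TEST = sample(b"test", 0x01, 12, 0, tlv(0x30, tlv(4, b"") + tlv(4, b"") + tlv(0xA7, b"")))
# Example 2 user: auth-priv, msgData is an OCTET STRING of ciphertext (zeros here).
TRAP_DHCP = sample(b"DHCP_Status", 0x03, 32, 8, tlv(0x04, bytes(32)))

if __name__ == "__main__":
    for trap in (TRAP_TEST, TRAP_DHCP):
        print(snmpv3_security(trap))
```
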
