Fortinet black logo

Administration Guide

Home FortiRecorder 7.0.1 Administration Guide
7.0.1
7.2.0
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.0
6.0.0
2.7.2
2.7.1
2.7.0
2.6.0

Configuring SNMP traps and queries

Configuring SNMP traps and queries

You can configure the FortiRecorder appliance's simple network management protocol (SNMP) agent to allow queries for system information and to send traps (alarms or event messages) to the computer that you designate as its SNMP manager. In this way you can use an SNMP manager to monitor the FortiRecorder appliance.

Before you can use SNMP, you must activate the FortiRecorder appliance's SNMP agent and add it as a member of at least one community. You must also enable SNMP access on the network interface through which the SNMP manager connects. (See Access: SNMP.)

On the SNMP manager, you must also verify that the SNMP manager is a member of the community to which the FortiRecorder appliance belongs, and compile the necessary Fortinet-proprietary management information blocks (MIBs) and Fortinet-supported standard MIBs. For information on MIBs, see Configuring SNMP traps and queries.

Caution

Failure to configure the SNMP manager as a host in a community to which the FortiRecorder appliance belongs, or to supply it with required MIBs, will make the SNMP monitor unable to query or receive traps from the FortiRecorder appliance.

To configure the SNMP agent

  1. Add the MIBs to your SNMP manager so that you will be able to receive traps and perform queries. For instructions, see the documentation for your SNMP manager.
  2. Go to System > Configuration > SNMP.

  3. Configure the following settings:

    Setting Name

    Description

    SNMP agent enable

    Enable to activate the SNMP agent, so that the FortiRecorder appliance can send traps for the communities in which you enabled queries and traps. To receive queries, also SNMP on a network interface.

    Description

    Optional. Type a comment about the FortiRecorder appliance. The description can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).

    Location

    Type the physical location of the FortiRecorder appliance, such as floor2. The location can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).

    Contact

    Type the contact information for the administrator or other person responsible for this FortiRecorder appliance, such as a phone number (555-5555) or name (jdoe). The contact information can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).

  4. ClickApply.
  5. Create at least one SNMP community to define which hosts are allowed to query, and which hosts will receive traps. See Configuring an SNMP community.

Configuring an SNMP community

An SNMP community is a grouping of equipment for network administration purposes. You must configure your FortiRecorder appliance to belong to at least one SNMP community so that community's SNMP managers can query the FortiRecorder appliance's system information and receive SNMP traps from the FortiRecorder appliance.

On FortiRecorder, SNMP communities are also where you enable the traps that will be sent to that group of hosts.

You can add up to three SNMP communities. Each community can have a different configuration for queries and traps, and the set of events that trigger a trap. You can also add the IP addresses of up to 8 SNMP managers to each community to designate the destination of traps and which IP addresses are permitted to query the FortiRecorder appliance.

To add an SNMP community via the GUI

  1. Go to System > Configuration > SNMP.
  2. Configure the SNMP agent.
  3. Under Community, click New.

  4. Configure the following settings:

    Setting Name

    Description

    Name

    Type the name of the SNMP community to which the FortiRecorder appliance and at least one SNMP manager belongs, such as public.

    The FortiRecorder appliance will not respond to SNMP managers whose query packets do not contain a matching community name. Similarly, trap packets from the FortiRecorder appliance will include community name, and an SNMP manager may not accept the trap if its community name does not match.

    Caution: Fortinet strongly recommends that you do not add FortiRecorder to the community named public. This popular default name is well-known, and attackers that gain access to your network will often try this name first.

    Enable

    Enable this community entry.

    Community Hosts: IP Address

    Type the IP address of the SNMP manager that, if traps or queries are enabled in this community:

    will receive traps from the FortiRecorder appliance

    will be permitted to query the FortiRecorder appliance

    SNMP managers have read-only access. You can add up to 8.

    To allow any IP address using this SNMP community name to query the FortiRecorder appliance, enter 0.0.0.0. For security best practice reasons, however, this is not recommended.

    Caution: FortiRecorder sends security-sensitive traps, which should be sent only over a trusted network, and only to administrative equipment.

    Note: If there are no other host IP entries, entering only 0.0.0.0 effectively disables traps because there is no specific destination for trap packets. If you do not want to disable traps, you must add at least one other entry that specifies the IP address of an SNMP manager.

    Queries

    Type each port number (161 by default) on which the FortiRecorder appliance listens for SNMP queries from the SNMP managers in this community, then enable it. Port numbers vary by SNMP v1 and SNMP v2c.

    Traps

    Type each port number (162 by default) that will be the source (Local) port number and destination (Remote) port number for trap packets sent to SNMP managers in this community, then enable it. Port numbers vary by SNMP v1 and SNMP v2c.

    SNMP Event

    Enable the types of SNMP traps that you want the FortiRecorder appliance to send to the SNMP managers in this community.

    • System events (system reboot, system reload, system upgrade, log disk formatting, and video disk formatting)
    • Remote storage event
    • Interface IP change
    • Camera events (enabling, disabling, communication failure, recording failure, IP change, and camera reboot)

    While most trap events are described by their names, the following events occur when a threshold has been exceeded:

    • CPU Overusage
    • Memory Low
    • Log Disk Usage Threshold
    • Video Disk Usage Threshold

    To configure their thresholds, see Configuring SNMP traps and queries. For more information on supported traps and queries, see Configuring SNMP traps and queries.
  5. Click OK.
  6. To verify your SNMP configuration and network connectivity between your SNMP manager and your FortiRecorder appliance, test both traps and queries (assuming you have enabled both). Traps and queries typically occur on different port numbers, and therefore verifying one does not necessarily verify that the other is also functional. To test queries, from your SNMP manager, query the FortiRecorder appliance. To test traps, cause one of the events that should trigger a trap.

Configuring SNMP v3 users

If your SNMP manager supports SNMP v3, you can specify which of its user accounts is permitted to access information about your FortiRecorder appliance. This provides greater granularity of control over who can access potentially sensitive system information.

To specify access for an SNMP user

  1. Go to System > Configuration > SNMP.
  2. If you have not already configured the agent, do so before continuing. See Configuring SNMP traps and queries.
  3. Expand the User section and click New.

  4. Configure the following settings:

    Setting Name

    Description

    User name

    Enter the name of the SNMP user. This must match the name of the account as it is configured on your SNMP manager.

    You can add up to sixteen users.

    Enable

    Enable this user entry.

    Security level

    Choose one of the three security levels:

    • No authentication, no privacy — Causes SNMP v3 to behave similar to SNMP v1 and v2, which provides neither secrecy nor guarantees authenticity, and therefore is not secure. This option should only be used on private management networks.
    • Authentication, no privacy — Enables authentication only, guaranteeing the authenticity of the message, but not safeguarding it from eavesdropping. Also configure Authentication protocol.
    • Authentication, privacy — Enables both authentication and encryption, guaranteeing authenticity as well as secrecy. Also configure Privacy protocol.

    Authentication protocol

    Select either SHA-1 or MD5 hashes for authentication. Also configure a salt in Password. Both the protocols and passwords on the SNMP manager and FortiRecorder must match.

    Privacy protocol

    Select either AES or DES encryption algorithms. Also configure a salt in Password. Both the protocols and passwords on the SNMP manager and FortiRecorder must match.

  5. Similar to configuring the SNMP community, configure the other settings to specify the trap recipient IP, allowed query source IP addresses, and trap events (see Configuring SNMP v3 users).
  6. Click OK.
  7. To verify your SNMP configuration and network connectivity between your SNMP manager and your FortiRecorder appliance, test both traps and queries (assuming you have enabled both). Traps and queries typically occur on different port numbers, and therefore verifying one does not necessarily verify that the other is also functional. To test queries, from your SNMP manager, query the FortiRecorder appliance. To test traps, cause one of the events that should trigger a trap.

MIB support

The FortiRecorder SNMP agent supports the following management information blocks (MIBs):

MIB or RFC

Description

Fortinet Core MIB

This Fortinet-proprietary MIB enables your SNMP manager to query for system information and to receive traps that are common to multiple Fortinet devices.

FortiRecorder MIB

This Fortinet-proprietary MIB enables your SNMP manager to query for FortiRecorder-specific information and to receive FortiRecorder-specific traps.

RFC-1213 (MIB II)

The FortiRecorder SNMP agent supports MIB II groups, except:

  • There is no support for the EGP group from MIB II (RFC 1213, section 3.11 and 6.10).
  • Protocol statistics returned for MIB II groups (IP, ICMP, TCP, UDP, and so on.) do not accurately capture all FortiRecorder traffic activity. More accurate information can be obtained from the information reported by the FortiRecorder MIB.

RFC-2665 (Ethernet-like MIB)

The FortiRecorder SNMP agent supports Ethernet-like MIB information, except the dot3Tests and dot3Errors groups.

Download these MIB files from the Fortinet Support website

To communicate with your FortiRecorder appliance's SNMP agent, you must first compile these MIBs into your SNMP manager. If the standard MIBs used by the SNMP agent are already compiled into your SNMP manager, you do not have to compile them again.

To view a trap or query's name, object identifier (OID), and description, open its MIB file in a plain text editor.

All traps sent include the message, the FortiRecorder appliance's serial number, and host name.

Previous
Next

Configuring SNMP traps and queries

You can configure the FortiRecorder appliance's simple network management protocol (SNMP) agent to allow queries for system information and to send traps (alarms or event messages) to the computer that you designate as its SNMP manager. In this way you can use an SNMP manager to monitor the FortiRecorder appliance.

Before you can use SNMP, you must activate the FortiRecorder appliance's SNMP agent and add it as a member of at least one community. You must also enable SNMP access on the network interface through which the SNMP manager connects. (See Access: SNMP.)

On the SNMP manager, you must also verify that the SNMP manager is a member of the community to which the FortiRecorder appliance belongs, and compile the necessary Fortinet-proprietary management information blocks (MIBs) and Fortinet-supported standard MIBs. For information on MIBs, see Configuring SNMP traps and queries.

Caution

Failure to configure the SNMP manager as a host in a community to which the FortiRecorder appliance belongs, or to supply it with required MIBs, will make the SNMP monitor unable to query or receive traps from the FortiRecorder appliance.

To configure the SNMP agent

  1. Add the MIBs to your SNMP manager so that you will be able to receive traps and perform queries. For instructions, see the documentation for your SNMP manager.
  2. Go to System > Configuration > SNMP.

  3. Configure the following settings:

    Setting Name

    Description

    SNMP agent enable

    Enable to activate the SNMP agent, so that the FortiRecorder appliance can send traps for the communities in which you enabled queries and traps. To receive queries, also SNMP on a network interface.

    Description

    Optional. Type a comment about the FortiRecorder appliance. The description can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).

    Location

    Type the physical location of the FortiRecorder appliance, such as floor2. The location can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).

    Contact

    Type the contact information for the administrator or other person responsible for this FortiRecorder appliance, such as a phone number (555-5555) or name (jdoe). The contact information can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).

  4. ClickApply.
  5. Create at least one SNMP community to define which hosts are allowed to query, and which hosts will receive traps. See Configuring an SNMP community.

Configuring an SNMP community

An SNMP community is a grouping of equipment for network administration purposes. You must configure your FortiRecorder appliance to belong to at least one SNMP community so that community's SNMP managers can query the FortiRecorder appliance's system information and receive SNMP traps from the FortiRecorder appliance.

On FortiRecorder, SNMP communities are also where you enable the traps that will be sent to that group of hosts.

You can add up to three SNMP communities. Each community can have a different configuration for queries and traps, and the set of events that trigger a trap. You can also add the IP addresses of up to 8 SNMP managers to each community to designate the destination of traps and which IP addresses are permitted to query the FortiRecorder appliance.

To add an SNMP community via the GUI

  1. Go to System > Configuration > SNMP.
  2. Configure the SNMP agent.
  3. Under Community, click New.

  4. Configure the following settings:

    Setting Name

    Description

    Name

    Type the name of the SNMP community to which the FortiRecorder appliance and at least one SNMP manager belongs, such as public.

    The FortiRecorder appliance will not respond to SNMP managers whose query packets do not contain a matching community name. Similarly, trap packets from the FortiRecorder appliance will include community name, and an SNMP manager may not accept the trap if its community name does not match.

    Caution: Fortinet strongly recommends that you do not add FortiRecorder to the community named public. This popular default name is well-known, and attackers that gain access to your network will often try this name first.

    Enable

    Enable this community entry.

    Community Hosts: IP Address

    Type the IP address of the SNMP manager that, if traps or queries are enabled in this community:

    will receive traps from the FortiRecorder appliance

    will be permitted to query the FortiRecorder appliance

    SNMP managers have read-only access. You can add up to 8.

    To allow any IP address using this SNMP community name to query the FortiRecorder appliance, enter 0.0.0.0. For security best practice reasons, however, this is not recommended.

    Caution: FortiRecorder sends security-sensitive traps, which should be sent only over a trusted network, and only to administrative equipment.

    Note: If there are no other host IP entries, entering only 0.0.0.0 effectively disables traps because there is no specific destination for trap packets. If you do not want to disable traps, you must add at least one other entry that specifies the IP address of an SNMP manager.

    Queries

    Type each port number (161 by default) on which the FortiRecorder appliance listens for SNMP queries from the SNMP managers in this community, then enable it. Port numbers vary by SNMP v1 and SNMP v2c.

    Traps

    Type each port number (162 by default) that will be the source (Local) port number and destination (Remote) port number for trap packets sent to SNMP managers in this community, then enable it. Port numbers vary by SNMP v1 and SNMP v2c.

    SNMP Event

    Enable the types of SNMP traps that you want the FortiRecorder appliance to send to the SNMP managers in this community.

    • System events (system reboot, system reload, system upgrade, log disk formatting, and video disk formatting)
    • Remote storage event
    • Interface IP change
    • Camera events (enabling, disabling, communication failure, recording failure, IP change, and camera reboot)

    While most trap events are described by their names, the following events occur when a threshold has been exceeded:

    • CPU Overusage
    • Memory Low
    • Log Disk Usage Threshold
    • Video Disk Usage Threshold

    To configure their thresholds, see Configuring SNMP traps and queries. For more information on supported traps and queries, see Configuring SNMP traps and queries.
  5. Click OK.
  6. To verify your SNMP configuration and network connectivity between your SNMP manager and your FortiRecorder appliance, test both traps and queries (assuming you have enabled both). Traps and queries typically occur on different port numbers, and therefore verifying one does not necessarily verify that the other is also functional. To test queries, from your SNMP manager, query the FortiRecorder appliance. To test traps, cause one of the events that should trigger a trap.

Configuring SNMP v3 users

If your SNMP manager supports SNMP v3, you can specify which of its user accounts is permitted to access information about your FortiRecorder appliance. This provides greater granularity of control over who can access potentially sensitive system information.

To specify access for an SNMP user

  1. Go to System > Configuration > SNMP.
  2. If you have not already configured the agent, do so before continuing. See Configuring SNMP traps and queries.
  3. Expand the User section and click New.

  4. Configure the following settings:

    Setting Name

    Description

    User name

    Enter the name of the SNMP user. This must match the name of the account as it is configured on your SNMP manager.

    You can add up to sixteen users.

    Enable

    Enable this user entry.

    Security level

    Choose one of the three security levels:

    • No authentication, no privacy — Causes SNMP v3 to behave similar to SNMP v1 and v2, which provides neither secrecy nor guarantees authenticity, and therefore is not secure. This option should only be used on private management networks.
    • Authentication, no privacy — Enables authentication only, guaranteeing the authenticity of the message, but not safeguarding it from eavesdropping. Also configure Authentication protocol.
    • Authentication, privacy — Enables both authentication and encryption, guaranteeing authenticity as well as secrecy. Also configure Privacy protocol.

    Authentication protocol

    Select either SHA-1 or MD5 hashes for authentication. Also configure a salt in Password. Both the protocols and passwords on the SNMP manager and FortiRecorder must match.

    Privacy protocol

    Select either AES or DES encryption algorithms. Also configure a salt in Password. Both the protocols and passwords on the SNMP manager and FortiRecorder must match.

  5. Similar to configuring the SNMP community, configure the other settings to specify the trap recipient IP, allowed query source IP addresses, and trap events (see Configuring SNMP v3 users).
  6. Click OK.
  7. To verify your SNMP configuration and network connectivity between your SNMP manager and your FortiRecorder appliance, test both traps and queries (assuming you have enabled both). Traps and queries typically occur on different port numbers, and therefore verifying one does not necessarily verify that the other is also functional. To test queries, from your SNMP manager, query the FortiRecorder appliance. To test traps, cause one of the events that should trigger a trap.

MIB support

The FortiRecorder SNMP agent supports the following management information blocks (MIBs):

MIB or RFC

Description

Fortinet Core MIB

This Fortinet-proprietary MIB enables your SNMP manager to query for system information and to receive traps that are common to multiple Fortinet devices.

FortiRecorder MIB

This Fortinet-proprietary MIB enables your SNMP manager to query for FortiRecorder-specific information and to receive FortiRecorder-specific traps.

RFC-1213 (MIB II)

The FortiRecorder SNMP agent supports MIB II groups, except:

  • There is no support for the EGP group from MIB II (RFC 1213, section 3.11 and 6.10).
  • Protocol statistics returned for MIB II groups (IP, ICMP, TCP, UDP, and so on.) do not accurately capture all FortiRecorder traffic activity. More accurate information can be obtained from the information reported by the FortiRecorder MIB.

RFC-2665 (Ethernet-like MIB)

The FortiRecorder SNMP agent supports Ethernet-like MIB information, except the dot3Tests and dot3Errors groups.

Download these MIB files from the Fortinet Support website

To communicate with your FortiRecorder appliance's SNMP agent, you must first compile these MIBs into your SNMP manager. If the standard MIBs used by the SNMP agent are already compiled into your SNMP manager, you do not have to compile them again.

To view a trap or query's name, object identifier (OID), and description, open its MIB file in a plain text editor.

All traps sent include the message, the FortiRecorder appliance's serial number, and host name.

Previous
Next