
External Systems Configuration Guide

SNMP V3 Traps

Take the following steps to enable FortiSIEM to receive SNMP V3 traps, which require credentials.

  1. Configure the external device (e.g. FortiGate Firewall) to send SNMP V3 traps to the desired FortiSIEM node (typically a Collector). Note down the Authentication and Encryption protocols and passwords. This information is needed for FortiSIEM configuration in step 5. Make sure the external device is sending traps to the FortiSIEM node.

  2. SSH as root to the FortiSIEM node that is going to receive the SNMP V3 trap.

  3. Stop the phParser process by running the following command.

    phtools --stop phParser

  4. Get the external device's SNMP engine ID, by taking the following steps:

    1. Run the following command.

      snmptrapd -f -Dlcd_set_enginetime -Lo

    2. Grab the engine ID from the output. The following example shows that the engine ID is 0x800030440430313530 (in hex format).

      [root@FSM-MYCENTOS8 ~]# snmptrapd -f -Dlcd_set_enginetime -Lo
      registered debug token lcd_set_enginetime, 1
      Log handling defined - disabling stderr
      lcd_set_enginetime: engineID 80 00 30 44 04 30 31 35 30 : boots=0, time=0
      lcd_set_enginetime: engineID 80 00 30 44 04 30 31 35 30 : boots=1612992361, time=28525184

  5. Update the /etc/snmp/snmptrapd.conf file by adding the authentication and encryption credentials for the external device's engine ID in hex format.

    createUser -e <engineId> <user> <authProto> <snmpv3authPwd> <encryptProto> <snmpv3encryptPwd>

    For example:

    createUser -e 0x800030440430313530 trapuser SHA snmpv3authpass AES snmpv3encryptpass

    Note: You can have multiple entries, but keep in mind that you must have one for each engine ID if multiple devices are sending traps to this FortiSIEM node.

  6. Start the phParser process by running the following command.

    phtools --start phParser

  7. Run phstatus to make sure all processes are up.

    You should now be receiving SNMP V3 traps. You can go to ANALYTICS and run historical searches for the external device's reporting IP.
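As an added example that is not part of the guide, the following POSIX shell script automates steps 4 and 5: it parses the engine ID out of the snmptrapd debug output quoted above, converts it to the 0x hex form that createUser expects, checks it against the RFC 3411 engine ID length rule, and emits one createUser line per engine ID found. The sample log lines are the ones shown in step 4; the user name and passwords are the placeholders from the step 5 example.

```shell
#!/bin/sh
# Added example, not from the FortiSIEM guide. Turns the spaced-hex engineID
# printed by "snmptrapd -f -Dlcd_set_enginetime -Lo" into the 0x... form used
# by createUser in /etc/snmp/snmptrapd.conf, one line per engine ID.

# Constructed sample input: the two debug lines quoted in step 4 of the guide.
SAMPLE='lcd_set_enginetime: engineID 80 00 30 44 04 30 31 35 30 : boots=0, time=0
lcd_set_enginetime: engineID 80 00 30 44 04 30 31 35 30 : boots=1612992361, time=28525184'

# Read snmptrapd debug output on stdin; print each distinct engine ID once,
# formatted as 0x800030440430313530 (lowercase hex, spaces removed).
engine_ids() {
    sed -n 's/^lcd_set_enginetime: engineID \([0-9a-fA-F ]*\) :.*/\1/p' |
        tr -d ' ' |
        tr 'A-F' 'a-f' |
        sed 's/^/0x/' |
        sort -u
}

# RFC 3411: snmpEngineID is 5 to 32 octets, i.e. 10 to 64 hex digits, even count.
# Returns success only for a well-formed 0x-prefixed engine ID.
valid_engine_id() {
    case "$1" in
        0x*) hex=${1#0x} ;;
        *) return 1 ;;
    esac
    len=${#hex}
    [ "$len" -ge 10 ] && [ "$len" -le 64 ] && [ $((len % 2)) -eq 0 ] &&
        [ -z "$(printf '%s' "$hex" | tr -d '0-9a-fA-F')" ]
}

# Build one snmptrapd.conf line.
# Usage: create_user_line <engineId> <user> <authProto> <authPwd> <privProto> <privPwd>
create_user_line() {
    printf 'createUser -e %s %s %s %s %s %s\n' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Emit a createUser line for every valid engine ID in the sample; the guide
# requires one entry per sending device, which is why IDs are de-duplicated.
# User name and passwords are placeholders taken from the guide's example.
generate_conf() {
    printf '%s\n' "$SAMPLE" | engine_ids | while read -r eid; do
        valid_engine_id "$eid" || { echo "skipping malformed engine ID $eid" >&2; continue; }
        create_user_line "$eid" trapuser SHA snmpv3authpass AES snmpv3encryptpass
    done
}

generate_conf
```

Pipe real output into `engine_ids` (for example `snmptrapd -f -Dlcd_set_enginetime -Lo 2>&1 | engine_ids`) to handle several devices at once, and append the generated lines to /etc/snmp/snmptrapd.conf before restarting phParser.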