Take the following steps to enable FortiSIEM to receive SNMP V3 traps, which require credentials.
Configure the external device (e.g. a FortiGate firewall) to send SNMP V3 traps to the desired FortiSIEM node (typically a Collector). Note down the authentication and encryption protocols and passwords; this information is needed when you add the createUser entry to the FortiSIEM node's snmptrapd configuration below. Make sure the external device is sending traps to the FortiSIEM node.
SSH as root to the FortiSIEM node that is going to receive the SNMP V3 trap.
Stop the phParser process by running the following command.
phtools --stop phParser
Get the external device's SNMP engine ID, by taking the following steps:
Run the following command.
snmptrapd -f -Dlcd_set_enginetime -Lo
Grab the engine ID from the output. The following example shows that the engine ID is 0x800030440430313530 (in hex format).
[root@FSM-MYCENTOS8 ~]# snmptrapd -f -Dlcd_set_enginetime -Lo
registered debug token lcd_set_enginetime, 1
Log handling defined - disabling stderr
lcd_set_enginetime: engineID 80 00 30 44 04 30 31 35 30 : boots=0, time=0
lcd_set_enginetime: engineID 80 00 30 44 04 30 31 35 30 : boots=1612992361, time=28525184
Add a createUser entry for the external device to the snmptrapd configuration file (snmptrapd.conf) on the FortiSIEM node, using the engine ID from the previous step and the credentials noted in step 1. The entry has the following format:
createUser -e <engineId> <user> <authProto> <snmpv3authPwd> <encryptProto> <snmpv3encryptPwd>
For example, with the engine ID obtained above:
createUser -e 0x800030440430313530 trapuser SHA snmpv3authpass AES snmpv3encryptpass
Note: You can have multiple entries, but keep in mind that you must have one for each engine ID if multiple devices are sending traps to this FortiSIEM node.
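As an added helper, not part of the FortiSIEM documentation, the following Python script pulls the distinct engine IDs out of the snmptrapd debug output shown above and renders one createUser entry per engine ID, applying the SNMPv3 sanity checks (engine ID of 5 to 32 bytes, passphrases of at least 8 characters) that snmptrapd would otherwise reject at startup. The sample output, user name and passphrases are constructed for the example.

```python
import re

# Constructed sample, modelled on the snmptrapd -Dlcd_set_enginetime output on this page.
SAMPLE_DEBUG_OUTPUT = """\
registered debug token lcd_set_enginetime, 1
Log handling defined - disabling stderr
lcd_set_enginetime: engineID 80 00 30 44 04 30 31 35 30 : boots=0, time=0
lcd_set_enginetime: engineID 80 00 30 44 04 30 31 35 30 : boots=1612992361, time=28525184
"""

# One engine ID per debug line: space-separated hex bytes followed by " :".
ENGINE_RE = re.compile(r"^lcd_set_enginetime: engineID ((?:[0-9a-fA-F]{2} )*[0-9a-fA-F]{2}) :")

# Protocol names accepted here: the ones used on this page plus the classic Net-SNMP pair.
AUTH_PROTOCOLS = {"MD5", "SHA"}
PRIV_PROTOCOLS = {"DES", "AES"}


def engine_ids(debug_output: str) -> list[str]:
    """Return the distinct engine IDs seen, as 0x-prefixed hex, in first-seen order.

    The same engine ID appears once per boots/time update, so duplicates are dropped:
    snmptrapd.conf needs exactly one createUser entry per sending device.
    """
    seen: list[str] = []
    for line in debug_output.splitlines():
        match = ENGINE_RE.match(line)
        if match:
            eid = "0x" + match.group(1).replace(" ", "").lower()
            if eid not in seen:
                seen.append(eid)
    return seen


def create_user_line(engine_id: str, user: str, auth_proto: str, auth_pw: str,
                     priv_proto: str, priv_pw: str) -> str:
    """Render one createUser entry after validating the parts snmptrapd is strict about."""
    if not re.fullmatch(r"0x(?:[0-9a-f]{2}){5,32}", engine_id):
        raise ValueError(f"engine ID must be 5-32 bytes of hex: {engine_id}")
    if auth_proto not in AUTH_PROTOCOLS or priv_proto not in PRIV_PROTOCOLS:
        raise ValueError(f"unsupported protocol pair: {auth_proto}/{priv_proto}")
    if len(auth_pw) < 8 or len(priv_pw) < 8:  # SNMPv3 minimum passphrase length
        raise ValueError("SNMPv3 passphrases must be at least 8 characters")
    return f"createUser -e {engine_id} {user} {auth_proto} {auth_pw} {priv_proto} {priv_pw}"


def conf_lines(debug_output: str, user: str, auth_proto: str, auth_pw: str,
               priv_proto: str, priv_pw: str) -> list[str]:
    """One createUser line for every engine ID found in the debug output."""
    return [create_user_line(eid, user, auth_proto, auth_pw, priv_proto, priv_pw)
            for eid in engine_ids(debug_output)]
```

Run it against the saved output of the snmptrapd command and paste the returned lines into snmptrapd.conf; an exception means the value would not have been accepted at parser startup either.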
Start the phParser process by running the following command.
phtools --start phParser
Run phstatus to make sure all processes are up.
You should now be receiving SNMP V3 traps. You can go to ANALYTICS and run historical searches for the external device's reporting IP.