External Systems Configuration Guide

SNMP V3 Traps

There are two ways to configure SNMP V3 traps: manual file configuration, or configuration via Discover.

Manual File Configuration

To configure the file manually, take the following steps to enable FortiSIEM to receive SNMP V3 traps, which require credentials.

  1. Configure the external device (e.g. FortiGate Firewall) to send SNMP V3 traps to the desired FortiSIEM node (typically a Collector). Note down the Authentication and Encryption protocols and passwords. This information is needed for FortiSIEM configuration in step 5. Make sure the external device is sending traps to the FortiSIEM node.

  2. SSH as root to the FortiSIEM node that is going to receive the SNMP V3 trap.

  3. Stop the phParser process by running the following command.
    phtools --stop phParser

  4. Get the external device's SNMP engine ID, by taking the following steps:

    1. Run the following command.

      snmptrapd -f -Dlcd_set_enginetime -Lo

    2. Grab the engine ID from the output. The following example shows that the engine ID is 0x800030440430313530 (in hex format).

      [root@FSM-MYCENTOS8 ~]# snmptrapd -f -Dlcd_set_enginetime -Lo
      registered debug token lcd_set_enginetime, 1
      Log handling defined - disabling stderr
      lcd_set_enginetime: engineID 80 00 30 44 04 30 31 35 30 : boots=0, time=0
      lcd_set_enginetime: engineID 80 00 30 44 04 30 31 35 30 : boots=1612992361, time=28525184

  5. Update the /etc/snmp/snmptrapd.conf file by adding the authentication and encryption credentials for the external device's engine ID in hex format.
    Note: You can have multiple entries, but keep in mind that you must have one for each engine ID if multiple devices are sending traps to this FortiSIEM node.

    createUser -e <engineId> <username> <authprotocol> <authpassphrase> <privprotocol> <privpassphrase>

    Setting           Description
    ----------------  ----------------------------------------------------------------
    engineId          The external device's SNMP engine ID.
    username          The user name.
    authprotocol      The authentication protocol for SNMPv3: MD5, SHA, SHA-224, SHA-256, SHA-384, or SHA-512. See the Security Level table for requirements.
    authpassphrase    The authentication passphrase.
    privprotocol      The privacy protocol: DES, AES, AES-192, or AES-256. See the Security Level table for requirements.
    privpassphrase    The privacy passphrase.


    Security Level  Description                                     secName   authProtocol  authPassword  privProtocol  privPassword
    --------------  ----------------------------------------------  --------  ------------  ------------  ------------  ------------
    noAuthNoPriv    No authentication and no encryption required.   Required  Not Required  Not Required  Not Required  Not Required
    authNoPriv      Messages are authenticated but not encrypted.   Required  Required      Required      Not Required  Not Required
    authPriv        Messages are authenticated and encrypted.       Required  Required      Required      Required      Required


    Here are three examples, one per security level:

    with authPriv
    createUser -e 0x8000304404313530 trapuser SHA snmpv3pass AES snmpv3pass

    with authNoPriv
    createUser -e 0x8000304404313530 trapuser1 SHA snmpv3pass

    with noAuthNoPriv
    createUser -e 0x8000304404313530 trapuser2


  6. Start the phParser process by running the following command.

    phtools --start phParser

  7. Run phstatus to make sure all processes are up.

    You should now be receiving SNMP V3 traps. You can go to ANALYTICS and run historical searches for the external device's reporting IP.
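As an added example (not code from the FortiSIEM guide), the following Python turns the debug output of step 4 into the createUser lines of step 5 while enforcing the Security Level table: it extracts the engine ID from the lcd_set_enginetime lines, checks the engine ID length and the protocol names, refuses privacy without authentication, and rejects passphrases shorter than the USM minimum. The sample output is constructed from the page's session; the function and variable names are this example's own.

```python
import re

# Constructed sample of `snmptrapd -f -Dlcd_set_enginetime -Lo` output, taken from the page's session.
SAMPLE_OUTPUT = """registered debug token lcd_set_enginetime, 1
Log handling defined - disabling stderr
lcd_set_enginetime: engineID 80 00 30 44 04 30 31 35 30 : boots=0, time=0
lcd_set_enginetime: engineID 80 00 30 44 04 30 31 35 30 : boots=1612992361, time=28525184
"""
AUTH_PROTOCOLS = {"MD5", "SHA", "SHA-224", "SHA-256", "SHA-384", "SHA-512"}
PRIV_PROTOCOLS = {"DES", "AES", "AES-192", "AES-256"}
_ENGINE_LINE = re.compile(r"^lcd_set_enginetime: engineID ((?:[0-9a-fA-F]{2} ?)+) :")

def parse_engine_ids(output):
    """Return the distinct engine IDs in the debug output as 0x-prefixed hex, first-seen order."""
    ids = []
    for line in output.splitlines():
        m = _ENGINE_LINE.match(line)
        if m:
            eid = "0x" + m.group(1).replace(" ", "").lower()
            if eid not in ids:  # one device logs its ID on several lines
                ids.append(eid)
    return ids

def security_level(auth_protocol=None, priv_protocol=None):
    """Map the supplied protocols to the USM security level from the page's table."""
    if priv_protocol and not auth_protocol:
        raise ValueError("privacy without authentication is not a valid security level")
    return "authPriv" if priv_protocol else ("authNoPriv" if auth_protocol else "noAuthNoPriv")

def create_user_line(engine_id, username, auth_protocol=None, auth_passphrase=None,
                     priv_protocol=None, priv_passphrase=None):
    """Build one snmptrapd.conf createUser line, enforcing the Security Level table."""
    # SnmpEngineID is 5..32 octets (RFC 3411), so reject anything else up front.
    if not re.fullmatch(r"0x(?:[0-9a-fA-F]{2}){5,32}", engine_id):
        raise ValueError("engine ID must be 0x-prefixed hex of 5 to 32 bytes")
    level = security_level(auth_protocol, priv_protocol)
    parts = ["createUser", "-e", engine_id, username]
    for proto, passphrase, allowed, label in ((auth_protocol, auth_passphrase, AUTH_PROTOCOLS, "auth"),
                                              (priv_protocol, priv_passphrase, PRIV_PROTOCOLS, "priv")):
        if proto is None:
            if passphrase:
                raise ValueError(f"{label} passphrase given without a {label} protocol")
            continue
        if proto not in allowed:
            raise ValueError(f"unsupported {label} protocol {proto!r}; choose from {sorted(allowed)}")
        if not passphrase or len(passphrase) < 8:  # USM minimum passphrase length (RFC 3414)
            raise ValueError(f"{label} passphrase for {level} must be at least 8 characters")
        parts += [proto, passphrase]
    return " ".join(parts)
```

Feed the real snmptrapd output to parse_engine_ids and write one create_user_line per engine ID into /etc/snmp/snmptrapd.conf, as the note in step 5 requires when several devices send traps to the same node.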

Configuration via Discover

To configure via the Discover feature, the external device must be configured with SNMP v3 to forward trap events to FortiSIEM. Take the following steps.

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials, click New to create a new credential.
    1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box and click Save:

      Setting                Description
      ---------------------  --------------------------------------------------------------------------------------------
      Name                   Enter a name for the credential.
      Device Type            Generic
      Access Protocol        SNMP v3
      Port                   161
      Security Level         Select the Security Level: noAuthNoPriv, authNoPriv, or authPriv.
      Security Name          Enter the security name.
      Auth Protocol          Select the Auth Protocol. Note: Only needed if Security Level is authPriv or authNoPriv.
      Auth Password          Enter the authentication password. Note: Only needed if Security Level is authPriv or authNoPriv.
      Confirm Auth Password  Re-enter the authentication password. Note: Only needed if Security Level is authPriv or authNoPriv.
      Priv Protocol          Select the Priv Protocol. Note: Only needed if Security Level is authPriv.
      Priv Password          Enter the Priv Password. Note: Only needed if Security Level is authPriv.
      Confirm Priv Password  Re-enter the Priv Password. Note: Only needed if Security Level is authPriv.

  3. In Step 2: Enter IP Range to Credential Associations, click New to create a mapping.
    1. Enter a host name, an IP, or an IP range in the IP/Host Name field.
    2. Select the name of your SNMP v3 credential from the Credentials drop-down list.
    3. Click Save.
  4. Click the Test drop-down list and select Test Connectivity to test the connection to the external device.
  5. Navigate to ADMIN > Setup > Discovery.
  6. Click New to create an SNMP v3 discovery definition.
  7. In the Discovery Definition dialog box, take the following steps:
    1. In the Name field, enter a name for the Discovery Definition.
    2. From the Discovery Type drop-down list, select Range Scan.
    3. In the Include field, enter the IP address range.
    4. Fill in the other fields as necessary.
    5. When done, click Save.
  8. Click Discover.
  9. After the discovery is 100% complete, click the Jobs/Errors icon (upper right). Under the Jobs column, an entry of "Update SNMP Trapd" should appear. Events can be queried from the ANALYTICS page. The engine ID is displayed in CMDB > Devices, in the Summary tab, and is also written to the snmptrapd configuration file.
