SNMP V3 Traps
There are two ways to configure SNMP V3 Traps
Manual File Configuration
To manually configure your file, take the following steps to enable FortiSIEM to receive SNMP V3 traps, which require credentials.
-
Configure the external device (e.g. FortiGate Firewall) to send SNMP V3 traps to the desired FortiSIEM node (typically a Collector). Note down the Authentication and Encryption protocols and passwords. This information is needed for FortiSIEM configuration in step 5. Make sure the external device is sending traps to the FortiSIEM node.
-
SSH as root to the FortiSIEM node that is going to receive the SNMP V3 trap.
-
Stop
phParser
process, by running the following command.phtools --stop phParser
-
Get the external device's SNMP engine ID, by taking the following steps:
-
Run the following command.
snmptrapd -f -Dlcd_set_enginetime -Lo
-
Grab the engine ID from the output. The following example shows that the engine ID is 0x800030440430313530 (in hex format).
[root@FSM-MYCENTOS8 ~]# snmptrapd -f -Dlcd_set_enginetime -Lo
registered debug token lcd_set_enginetime, 1
Log handling defined - disabling stderr
lcd_set_enginetime: engineID 80 00 30 44 04 30 31 35 30 : boots=0, time=0
lcd_set_enginetime: engineID 80 00 30 44 04 30 31 35 30 : boots=1612992361, time=28525184
-
-
Update the
/etc/snmp/snmptrapd.conf
file by adding the authentication and encryption credentials for the external device's engine ID in hex format.
Note: You can have multiple entries, but keep in mind that you must have one for each engine ID if multiple devices are sending traps to this FortiSIEM node.createUser -e <engineId> <username> <authprotocol> <authpassphrase> <privprotocol> <privpassphrase>
Setting
Description
engineId
The external device's SNMP engine ID. username
The user name. authprotocol
The authentication protocol for SNMPv3. This can be MD5, SHA, SHA-224, SHA-256, SHA-384, or SHA-512. See the Security Level table for requirements. authpassphrase
The authentication password phrase. privprotocol
The privacy protocol. This can be DES, AES, AES-192, or AES-256. See the Security Level table for requirements. privpassphrase
The privacy password phrase. Description
secName
authProtocol
authPassword
privProtocol
privPassword
noAuthNoPriv No authentication and no encryption required. Required Not Required Not Required Not Required Not Required authNoPriv Messages are authenticated but not encrypted. Required Required Required Not Required Not Required authPriv Messages are authenticated and encrypted. Required Required Required Required Required Here are three examples:
with authPriv
createUser -e 0x8000304404313530 trapuser SHA snmpv3pass AES snmpv3pass
with authNoPrivcreateUser -e 0x8000304404313530 trapuser1 SHA snmpv3pass
with noauthNoPrivcreateUser -e 0x8000304404313530 trapuser2
-
Start
phParser
process by running the following command.phtools --start phParser
-
Run
phstatus
to make sure all processes are up.You should now be receiving SNMP3 V3 Traps. You can go to ANALYTICS and run historical searches for the external device’s reporting IP.
Configuration via Discover
To configure via the Discover feature, a destination device needs to be configured with SNMP v3 to forward Trap event to FortiSIEM. Take the following steps.
- Go to the ADMIN > Setup > Credentials tab.
- In Step 1: Enter Credentials, click New to create a new credential.
- Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
- Enter these settings in the Access Method Definition dialog box and click Save:
Settings Description Name Enter a name for the credential Device Type Generic Access Protocol SNMP v3 Port
161
Security Level
Select the Security Level: noAuthNoPriv, authNoPriv, or authPriv
Security Name
Enter the security name.
Auth Protocol
Select the Auth Protocol.
Note: Only needed if Security Level is authPriv or authNoPriv.Auth Password
Enter the authentication password.
Note: Only needed if Security Level is authPriv or authNoPriv.
Confirm Auth Password
Re-enter the authentication password.
Note: Only needed if Security Level is authPriv or authNoPriv.
Priv Protocol
Select the Priv Protocol.
Note: Only needed if Security Level is authPriv.
Priv Password
Enter the Priv Password.
Note: Only needed if Security Level is authPriv.Confirm Priv Password
Re-enter the Priv Password.
Note: Only needed if Security Level is authPriv.
- In Step 2: Enter IP Range to Credential Associations, click New to create a mapping.
- Enter a host name, an IP, or an IP range in the IP/Host Name field.
- Select the name of your SNMP v3 credential from the Credentials drop-down list.
- Click Save.
- Click the Test drop-down list and select Test Connectivity to test the connection to the external device.
- Navigate to ADMIN > Setup > Discovery.
- Click New to create a SNMP v3 discovery definition.
- In the Discovery Definition dialog box, take the following steps:
- In the Name field, enter a name for the Discovery Definition.
- From the Discovery Type drop-down list, select Range Scan.
- In the Include field, enter the IP address range.
- Fill in the other fields as necessary.
- When done, click Save.
- Click Discover.
- After the discovery is 100% complete, click the Jobs/Errors icon (upper right). Under the Jobs column, an entry of "Update SNMP Trapd" should appear. Events can be queried from the ANALYTICS page. Also, in CMDB > Devices, in the Summary tab, the engine ID is displayed. It will also be in the configuration file.