SNMP V3 Traps
There are two ways to configure SNMP V3 traps: manual file configuration on the receiving node, or configuration via Discover.
Manual File Configuration
SNMP V3 traps require credentials, and unlike V1/V2c traps the receiver must also know the sending device's SNMP engine ID, because USM keys are derived per engine ID. To configure the receiving FortiSIEM node manually, take the following steps.
1. Configure the external device (for example, a FortiGate firewall) to send SNMP V3 traps to the FortiSIEM node that will receive them (typically a Collector). Note down the SNMP V3 user name, the authentication and privacy (encryption) protocols, and the passphrases; you need them for the FortiSIEM configuration in step 5. Make sure the external device is actually sending traps to the FortiSIEM node, because the engine ID in step 4 is read from a received trap.
2. SSH as root to the FortiSIEM node that is going to receive the SNMP V3 traps.
3. Stop the phParser process, so that snmptrapd can listen on the trap port, by running the following command. Traps that arrive while phParser is stopped are not processed, so keep this window short.
   phtools --stop phParser
4. Get the external device's SNMP engine ID by taking the following steps:
   a. Run the following command. It runs snmptrapd in the foreground and prints the engine ID of each SNMP V3 trap it receives; press Ctrl+C once you have what you need.
      snmptrapd -f -Dlcd_set_enginetime -Lo
   b. Grab the engine ID from the output. The debug line prints it as space-separated hex bytes; join them and prefix 0x. In the following example the engine ID is 0x800030440430313530. If several devices are sending traps, several engine IDs appear; make sure you take the one belonging to the device you are configuring.
      [root@FSM-MYCENTOS8 ~]# snmptrapd -f -Dlcd_set_enginetime -Lo
      registered debug token lcd_set_enginetime, 1
      Log handling defined - disabling stderr
      lcd_set_enginetime: engineID 80 00 30 44 04 30 31 35 30 : boots=0, time=0
      lcd_set_enginetime: engineID 80 00 30 44 04 30 31 35 30 : boots=1612992361, time=28525184
5. Update the /etc/snmp/snmptrapd.conf file by adding a createUser line with the authentication and encryption credentials for the external device's engine ID, in hex format:
   createUser -e <engineId> <username> <authprotocol> <authpassphrase> <privprotocol> <privpassphrase>
   Note: You can have multiple entries, but keep in mind that you must have one for each engine ID if multiple devices are sending traps to this FortiSIEM node. The file holds the passphrases in clear text, so keep it readable by root only.

   Setting         | Description
   engineId        | The external device's SNMP engine ID from step 4, with the 0x prefix.
   username        | The SNMP V3 user (security) name configured on the external device.
   authprotocol    | The authentication protocol for SNMPv3. This can be MD5, SHA, SHA-224, SHA-256, SHA-384, or SHA-512. See the Security Level table for requirements.
   authpassphrase  | The authentication passphrase.
   privprotocol    | The privacy protocol. This can be DES, AES, AES-192, or AES-256. See the Security Level table for requirements.
   privpassphrase  | The privacy passphrase.

   Security Level table: which settings each security level requires.

   Security Level | Description                                      | secName  | authProtocol | authPassword | privProtocol | privPassword
   noAuthNoPriv   | No authentication and no encryption required.    | Required | Not Required | Not Required | Not Required | Not Required
   authNoPriv     | Messages are authenticated but not encrypted.    | Required | Required     | Required     | Not Required | Not Required
   authPriv       | Messages are authenticated and encrypted.        | Required | Required     | Required     | Required     | Required

   Use authPriv with SHA-256 (or stronger) and AES wherever the device supports it. MD5 and DES remain available only for older devices; noAuthNoPriv gives no protection against spoofed traps, and authNoPriv sends trap contents in clear text. Whatever you choose, the protocols, passphrases and engine ID must match the sending device exactly, or its traps fail USM authentication and are discarded.

   Here are three examples, using the engine ID captured in step 4:
   with authPriv
   createUser -e 0x800030440430313530 trapuser SHA snmpv3pass AES snmpv3pass
   with authNoPriv
   createUser -e 0x800030440430313530 trapuser1 SHA snmpv3pass
   with noAuthNoPriv
   createUser -e 0x800030440430313530 trapuser2
6. Start the phParser process by running the following command.
   phtools --start phParser
7. Run phstatus to make sure all processes are up. You should now be receiving SNMP V3 traps. You can go to ANALYTICS and run historical searches for the external device's reporting IP. If no events appear, re-check that the engine ID and the passphrases in snmptrapd.conf match the device exactly.
Configuration via Discover
To configure via the Discover feature, the external device must already be configured for SNMP v3 (so that FortiSIEM can query it during discovery) and set to forward its traps to FortiSIEM. Take the following steps.
- Go to the ADMIN > Setup > Credentials tab.
- In Step 1: Enter Credentials, click New to create a new credential.
- Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
- Enter these settings in the Access Method Definition dialog box and click Save:

  Setting               | Description
  Name                  | Enter a name for the credential.
  Device Type           | Generic
  Access Protocol       | SNMP v3
  Port                  | 161 (the SNMP agent port used for discovery queries; traps are still sent to the trap port of the FortiSIEM node)
  Security Level        | Select the Security Level: noAuthNoPriv, authNoPriv, or authPriv.
  Security Name         | Enter the security name (the SNMP v3 user name configured on the device).
  Auth Protocol         | Select the Auth Protocol. Note: Only needed if Security Level is authPriv or authNoPriv.
  Auth Password         | Enter the authentication password. Note: Only needed if Security Level is authPriv or authNoPriv.
  Confirm Auth Password | Re-enter the authentication password. Note: Only needed if Security Level is authPriv or authNoPriv.
  Priv Protocol         | Select the Priv Protocol. Note: Only needed if Security Level is authPriv.
  Priv Password         | Enter the Priv Password. Note: Only needed if Security Level is authPriv.
  Confirm Priv Password | Re-enter the Priv Password. Note: Only needed if Security Level is authPriv.
- In Step 2: Enter IP Range to Credential Associations, click New to create a mapping.
- Enter a host name, an IP, or an IP range in the IP/Host Name field.
- Select the name of your SNMP v3 credential from the Credentials drop-down list.
- Click Save.
- Click the Test drop-down list and select Test Connectivity to test the connection to the external device.
- Navigate to ADMIN > Setup > Discovery.
- Click New to create an SNMP v3 discovery definition.
- In the Discovery Definition dialog box, take the following steps:
- In the Name field, enter a name for the Discovery Definition.
- From the Discovery Type drop-down list, select Range Scan.
- In the Include field, enter the IP address range.
- Fill in the other fields as necessary.
- When done, click Save.
- Click Discover.
- After the discovery is 100% complete, click the Jobs/Errors icon (upper right). Under the Jobs column, an entry of "Update SNMP Traps" should appear. Events can be queried from the ANALYTICS page. The engine ID is also displayed in CMDB > Devices, in the Summary tab, and is written to the snmptrapd configuration file on the receiving node, the same file used in the manual procedure.