Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Devices Managed by FortiOS

Configuring SNMP

Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network.

The managed FortiSwitch SNMP implementation is read-only. SNMP v1-compliant and v2c-compliant SNMP managers have read-only access to FortiSwitch system information through queries and can receive trap messages from the managed FortiSwitch unit.

To monitor FortiSwitch system information and receive FortiSwitch traps, you must first compile the Fortinet and FortiSwitch management information base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP manager. These MIBs provide information that the SNMP manager needs to interpret the SNMP trap, event, and query messages sent by the FortiSwitch SNMP agent.

FortiSwitch core MIB files are available for download by going to System > Config > SNMP > Settings and selecting the FortiSwitch MIB File download link.

You configure SNMP on a global level so that all managed FortiSwitch units use the same settings. If you want one of the FortiSwitch units to use different settings from the global settings, configure SNMP locally.

This section covers the following topics:

Configuring SNMP globally

To configure SNMP globally:
  1. Add SNMP access on the switch-management interface.
  2. Configure the SNMP system information.
  3. Configure the SNMP community.
  4. Configure the SNMP trap threshold values.
  5. Configure the SNMP user.
To add SNMP access on the switch-management interface:

config switch-controller security-policy local-access

edit "{default | <policy_name>}"

set mgmt-allowaccess <options> snmp

set internal-allowaccess <options>

next

end

To configure the SNMP system information globally:

config switch-controller snmp-sysinfo

set status enable

set engine-id <local_SNMP_engine_ID (the maximum is 24 characters)>

set description <system_description>

set contact-info <contact_information>

set location <FortiGate_location>

end

NOTE: Each SNMP engine maintains a value, snmpEngineID, which uniquely identifies the SNMP engine. This value is included in each message sent to or from the SNMP engine. The engine-id is part of the snmpEngineID but does not include the Fortinet prefix 0x8000304404.

To configure the SNMP community globally:

config switch-controller snmp-community

edit <SNMP_community_entry_identifier>

set name <SNMP_community_name>

set status enable

set query-v1-status enable

set query-v1-port <0-65535; the default is 161>

set query-v2c-status enable

set query-v2c-port <0-65535; the default is 161>

set trap-v1-status enable

set trap-v1-lport <0-65535; the default is 162>

set trap-v1-rport <0-65535; the default is 162>

set trap-v2c-status enable

set trap-v2c-lport <0-65535; the default is 162>

set trap-v2c-rport <0-65535; the default is 162>

set events {cpu-high mem-low log-full intf-ip ent-conf-change}

config hosts

edit <host_entry_ID>

set ip <IPv4_address_of_the_SNMP_manager>

end

next

end

To configure the SNMP trap threshold values globally:

config switch-controller snmp-trap-threshold

set trap-high-cpu-threshold <percentage_value; the default is 80>

set trap-low-memory-threshold <percentage_value; the default is 80>

set trap-log-full-threshold <percentage_value; the default is 90>

end

To configure the SNMP user globally:

config switch-controller snmp-user

edit <SNMP_user_name>

set queries enable

set query-port <0-65535; the default is 161>

set security-level {auth-priv | auth-no-priv | no-auth-no-priv}

set auth-proto {md5 | sha}

set auth-pwd <password_for_authentication_protocol>

set priv-proto {aes | des}

set priv-pwd <password_for_encryption_protocol>

end

Configuring SNMP locally

To configure SNMP for a specific FortiSwitch unit:
  1. Configure the SNMP system information.
  2. Configure the SNMP community.
  3. Configure the SNMP trap threshold values.
  4. Configure the SNMP user.
To configure the SNMP system information locally:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

set override-snmp-sysinfo enable

config snmp-sysinfo

set status enable

set engine-id <local_SNMP_engine_ID (the maximum is 24 characters)>

set description <system_description>

set contact-info <contact_information>

set location <FortiGate_location>

end

next

end

NOTE: Each SNMP engine maintains a value, snmpEngineID, which uniquely identifies the SNMP engine. This value is included in each message sent to or from the SNMP engine. The engine-id is part of the snmpEngineID but does not include the Fortinet prefix 0x8000304404.

To configure the SNMP community locally:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

set override-snmp-community enable

config snmp-community

edit <SNMP_community_entry_identifier>

set name <SNMP_community_name>

set status enable

set query-v1-status enable

set query-v1-port <0-65535; the default is 161>

set query-v2c-status enable

set query-v2c-port <0-65535; the default is 161>

set trap-v1-status enable

set trap-v1-lport <0-65535; the default is 162>

set trap-v1-rport <0-65535; the default is 162>

set trap-v2c-status enable

set trap-v2c-lport <0-65535; the default is 162>

set trap-v2c-rport <0-65535; the default is 162>

set events {cpu-high mem-low log-full intf-ip ent-conf-change}

config hosts

edit <host_entry_ID>

set ip <IPv4_address_of_the_SNMP_manager>

end

next

end

To configure the SNMP trap threshold values locally:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

set override-snmp-trap-threshold enable

config snmp-trap-threshold

set trap-high-cpu-threshold <percentage_value; the default is 80>

set trap-low-memory-threshold <percentage_value; the default is 80>

set trap-log-full-threshold <percentage_value; the default is 90>

end

next

end

To configure the SNMP user locally:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

set override-snmp-user enable

config snmp-user

edit <SNMP_user_name>

set queries enable

set query-port <0-65535; the default is 161>

set security-level {auth-priv | auth-no-priv | no-auth-no-priv}

set auth-proto {md5 | sha}

set auth-pwd <password_for_authentication_protocol>

set priv-proto {aes | des}

set priv-pwd <password_for_encryption_protocol>

end

next

end

Configuring SNMP

Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network.

The managed FortiSwitch SNMP implementation is read-only. SNMP v1-compliant and v2c-compliant SNMP managers have read-only access to FortiSwitch system information through queries and can receive trap messages from the managed FortiSwitch unit.

To monitor FortiSwitch system information and receive FortiSwitch traps, you must first compile the Fortinet and FortiSwitch management information base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP manager. These MIBs provide information that the SNMP manager needs to interpret the SNMP trap, event, and query messages sent by the FortiSwitch SNMP agent.

FortiSwitch core MIB files are available for download by going to System > Config > SNMP > Settings and selecting the FortiSwitch MIB File download link.

You configure SNMP on a global level so that all managed FortiSwitch units use the same settings. If you want one of the FortiSwitch units to use different settings from the global settings, configure SNMP locally.

This section covers the following topics:

Configuring SNMP globally

To configure SNMP globally:
  1. Add SNMP access on the switch-management interface.
  2. Configure the SNMP system information.
  3. Configure the SNMP community.
  4. Configure the SNMP trap threshold values.
  5. Configure the SNMP user.
To add SNMP access on the switch-management interface:

config switch-controller security-policy local-access

edit "{default | <policy_name>}"

set mgmt-allowaccess <options> snmp

set internal-allowaccess <options>

next

end

To configure the SNMP system information globally:

config switch-controller snmp-sysinfo

set status enable

set engine-id <local_SNMP_engine_ID (the maximum is 24 characters)>

set description <system_description>

set contact-info <contact_information>

set location <FortiGate_location>

end

NOTE: Each SNMP engine maintains a value, snmpEngineID, which uniquely identifies the SNMP engine. This value is included in each message sent to or from the SNMP engine. The engine-id is part of the snmpEngineID but does not include the Fortinet prefix 0x8000304404.

To configure the SNMP community globally:

config switch-controller snmp-community

edit <SNMP_community_entry_identifier>

set name <SNMP_community_name>

set status enable

set query-v1-status enable

set query-v1-port <0-65535; the default is 161>

set query-v2c-status enable

set query-v2c-port <0-65535; the default is 161>

set trap-v1-status enable

set trap-v1-lport <0-65535; the default is 162>

set trap-v1-rport <0-65535; the default is 162>

set trap-v2c-status enable

set trap-v2c-lport <0-65535; the default is 162>

set trap-v2c-rport <0-65535; the default is 162>

set events {cpu-high mem-low log-full intf-ip ent-conf-change}

config hosts

edit <host_entry_ID>

set ip <IPv4_address_of_the_SNMP_manager>

end

next

end

To configure the SNMP trap threshold values globally:

config switch-controller snmp-trap-threshold

set trap-high-cpu-threshold <percentage_value; the default is 80>

set trap-low-memory-threshold <percentage_value; the default is 80>

set trap-log-full-threshold <percentage_value; the default is 90>

end

To configure the SNMP user globally:

config switch-controller snmp-user

edit <SNMP_user_name>

set queries enable

set query-port <0-65535; the default is 161>

set security-level {auth-priv | auth-no-priv | no-auth-no-priv}

set auth-proto {md5 | sha}

set auth-pwd <password_for_authentication_protocol>

set priv-proto {aes | des}

set priv-pwd <password_for_encryption_protocol>

end

Configuring SNMP locally

To configure SNMP for a specific FortiSwitch unit:
  1. Configure the SNMP system information.
  2. Configure the SNMP community.
  3. Configure the SNMP trap threshold values.
  4. Configure the SNMP user.
To configure the SNMP system information locally:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

set override-snmp-sysinfo enable

config snmp-sysinfo

set status enable

set engine-id <local_SNMP_engine_ID (the maximum is 24 characters)>

set description <system_description>

set contact-info <contact_information>

set location <FortiGate_location>

end

next

end

NOTE: Each SNMP engine maintains a value, snmpEngineID, which uniquely identifies the SNMP engine. This value is included in each message sent to or from the SNMP engine. The engine-id is part of the snmpEngineID but does not include the Fortinet prefix 0x8000304404.

To configure the SNMP community locally:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

set override-snmp-community enable

config snmp-community

edit <SNMP_community_entry_identifier>

set name <SNMP_community_name>

set status enable

set query-v1-status enable

set query-v1-port <0-65535; the default is 161>

set query-v2c-status enable

set query-v2c-port <0-65535; the default is 161>

set trap-v1-status enable

set trap-v1-lport <0-65535; the default is 162>

set trap-v1-rport <0-65535; the default is 162>

set trap-v2c-status enable

set trap-v2c-lport <0-65535; the default is 162>

set trap-v2c-rport <0-65535; the default is 162>

set events {cpu-high mem-low log-full intf-ip ent-conf-change}

config hosts

edit <host_entry_ID>

set ip <IPv4_address_of_the_SNMP_manager>

end

next

end

To configure the SNMP trap threshold values locally:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

set override-snmp-trap-threshold enable

config snmp-trap-threshold

set trap-high-cpu-threshold <percentage_value; the default is 80>

set trap-low-memory-threshold <percentage_value; the default is 80>

set trap-log-full-threshold <percentage_value; the default is 90>

end

next

end

To configure the SNMP user locally:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

set override-snmp-user enable

config snmp-user

edit <SNMP_user_name>

set queries enable

set query-port <0-65535; the default is 161>

set security-level {auth-priv | auth-no-priv | no-auth-no-priv}

set auth-proto {md5 | sha}

set auth-pwd <password_for_authentication_protocol>

set priv-proto {aes | des}

set priv-pwd <password_for_encryption_protocol>

end

next

end