Administration Guide

SNMP

Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network.

The FortiSwitch SNMP implementation is read-only. SNMP v1-compliant and v2c-compliant SNMP managers have read-only access to FortiSwitch system information through queries and can receive trap messages from the FortiSwitch unit.

To monitor FortiSwitch system information and receive FortiSwitch traps, you must first compile the Fortinet and FortiSwitch management information base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP manager. These MIBs provide information that the SNMP manager needs to interpret the SNMP trap, event, and query messages sent by the FortiSwitch SNMP agent.

FortiSwitch core MIB files are available for download by going to System > Config > SNMP > Settings and selecting the FortiSwitch MIB File download link.

NOTE: When you use the dot1dTpFdbTable table, the index provided does not contain the dot1dTpFdbAddress as defined by the standard. Instead, the index is an increasing numerical value.

SNMP access

Ensure that the management VLAN has SNMP added to the access-profiles.

Using the GUI:
  1. Go to System > Network > Interface > Physical.
  2. Select Edit for the mgmt interface.
  3. Select SNMP in the access section.
  4. Select Update.

Using the CLI:

    config system interface
        edit <name>
            set allowaccess <access_types>
        next
    end

NOTE: Re-enter the existing allowed access types and add snmp to the list.

SNMP agent

Create the SNMP agent.

Using the GUI:
  1. Go to System > Config > SNMP > Settings.
  2. Select Agent Enabled.
  3. Enter a descriptive name for the agent.
  4. Enter the location of the FortiSwitch unit.
  5. Enter a contact or administrator for the SNMP agent or FortiSwitch unit.
  6. Select Apply.

Using the CLI:

    config system snmp sysinfo
        set status enable
        set contact-info <contact_information>
        set description <description_of_FortiSwitch>
        set location <FortiSwitch_location>
    end

SNMP community

An SNMP community is a grouping of devices for network administration purposes. Within that SNMP community, devices can communicate by sending and receiving traps and other information. One device can belong to multiple communities, such as one administrator terminal monitoring both a FortiGate SNMP and a FortiSwitch SNMP community.

Add SNMP communities to your FortiSwitch unit so that SNMP managers can connect to view system information and receive SNMP traps.

You can add up to three SNMP communities. Each community can have a different configuration for SNMP queries and traps. Each community can be configured to monitor the FortiSwitch unit for a different set of events. You can also add the IP addresses of up to eight SNMP managers for each community.

Starting in FortiSwitchOS 7.0.0, you can set up one or more SNMP v3 notifications (traps) in the CLI. The following notifications are supported:

  • The CPU usage is too high.
  • The configuration of an entity was changed.
  • The IP address for an interface was changed.
  • The available log space is low.
  • The available memory is low.

Starting in FortiSwitchOS 7.0.2, you can configure an SNMP trap so that you receive a message when the MAC learning limit is exceeded.

Starting in FortiSwitchOS 7.2.0, you can configure an SNMP trap so that you receive a message when a layer-2 MAC address has been added, deleted, or moved. This SNMP trap applies only to dynamic MAC addresses learned on the port.

Starting in FortiSwitchOS 7.2.1, you can configure SNMP traps for the following:

  • The fan was detected, not detected, resumed, or failed.
  • There is a conflict between IP addresses.
  • The status of the power supply unit has changed.
  • The sensor triggered an alarm.
  • The sensor is faulty.
  • The trunk member's heartbeat is unsynchronized.

By default, all SNMP notifications are enabled, except for l2mac. Notifications are sent to one or more IP addresses.

Adding an SNMP v1/v2c community

Using the GUI:
  1. Go to System > Config > SNMP > Communities.
  2. Select Add Community.
  3. Enter a community name and identifier.
  4. Select Add Host and enter the identifier, IP address and netmask, and interface for each host.
  5. Select V1, V2C, or both and enter the port number that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiSwitch unit.
  6. Select V1, V2C, or both and enter the local and remote port numbers that the FortiSwitch unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community.
  7. Select which events to report.
  8. Select Add.

Using the CLI:

    config system snmp community
        edit <index_number>
            set events {cpu-high | ent-conf-change | fan-detect | intf-ip | ip-conflict | l2mac | llv | log-full | mem-low | psu-status | sensor-alarm | sensor-fault | tkmem-hb-oo-sync}
            set name <community_name>
            set query-v1-port <port_number>
            set query-v1-status {enable | disable}
            set query-v2c-port <port_number>
            set query-v2c-status {enable | disable}
            set status {enable | disable}
            set trap-v1-lport <port_number>
            set trap-v1-rport <port_number>
            set trap-v1-status {enable | disable}
            set trap-v2c-lport <port_number>
            set trap-v2c-rport <port_number>
            set trap-v2c-status {enable | disable}
        next
    end

Adding an SNMP v3 user

Using the GUI:
  1. Go to System > Config > SNMP > Users.
  2. Select Add User.
  3. Enter a user name.
  4. Select a security level to specify the authentication and privacy settings.
  5. Enter the port number that the SNMP managers in this community use to receive configuration information from the FortiSwitch unit.
  6. Make certain that Enable Queries is enabled.
  7. Select Add.

Using the CLI:

    config system snmp user
        edit <index_number>
            set queries enable
            set query-port <port_number>
            set security-level {auth-priv | auth-no-priv | no-auth-no-priv}
            set auth-proto {md5 | sha1 | sha224 | sha256 | sha384 | sha512}
            set events {cpu-high | ent-conf-change | fan-detect | intf-ip | ip-conflict | l2mac | llv | log-full | mem-low | psu-status | sensor-alarm | sensor-fault | tkmem-hb-oo-sync}
            set notify-hosts <IP_address>
            set auth-pwd <password>
            set priv-proto {aes128 | aes192 | aes192c | aes256 | aes256c | des}
            set priv-pwd <password>
    end
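
The following is an added example, not part of the Fortinet guide or Fortinet code: a Python audit that reads saved configuration text and flags settings from the community and user blocks above that leave SNMP traffic unauthenticated or unencrypted. The policy table, the function name audit_snmp, and the sample configuration are assumptions of this example; v1/v2c settings are flagged because those protocol versions carry the community string in cleartext.

```python
# Constructed sample using the CLI keywords from this page; values are invented.
SAMPLE_CONFIG = """\
config system snmp community
    edit 1
        set query-v1-status enable
        set query-v2c-status disable
    next
end
config system snmp user
    edit 1
        set security-level auth-no-priv
        set auth-proto md5
    next
    edit 2
        set security-level auth-priv
        set auth-proto sha256
        set priv-proto aes256
    next
end
"""

# Assumed audit policy for this example, not a Fortinet default or recommendation.
WEAK = {("user", "security-level", "no-auth-no-priv"): "no authentication or encryption",
        ("user", "security-level", "auth-no-priv"): "authenticated but not encrypted",
        ("user", "auth-proto", "md5"): "legacy hash",
        ("user", "auth-proto", "sha1"): "legacy hash",
        ("user", "priv-proto", "des"): "legacy cipher"}
for prefix in ("query-v1", "query-v2c", "trap-v1", "trap-v2c"):
    WEAK[("community", prefix + "-status", "enable")] = "community string sent in cleartext"

def audit_snmp(config_text):
    """Return (section, entry, setting, reason) for each weak SNMP setting found."""
    findings, stack, entry = [], [], None
    for words in filter(None, map(str.split, config_text.splitlines())):
        if words[0] == "config":
            stack.append(" ".join(words[1:]))     # open a (possibly nested) block
        elif words[0] == "end":
            stack = stack[:-1]                    # close the innermost block
            entry = entry if stack else None
        elif len(stack) == 1 and stack[0].startswith("system snmp "):
            section = stack[0].split()[-1]        # "community" or "user"
            if words[0] in ("edit", "next"):
                entry = words[1].strip('"') if len(words) > 1 else None
            elif entry and words[0] == "set" and len(words) >= 3:
                reason = WEAK.get((section, words[1], words[2].strip('"')))
                if reason:
                    findings.append((section, entry, " ".join(words[1:3]), reason))
    return findings

if __name__ == "__main__":
    print(*audit_snmp(SAMPLE_CONFIG), sep="\n")
```

The audit only sees settings that appear explicitly in the text it is given, so values left at their defaults are not reported.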
