Configuring SNMP
Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network.
The managed FortiSwitch SNMP implementation is read-only. SNMP v1-compliant and v2c-compliant SNMP managers have read-only access to FortiSwitch system information through queries and can receive trap messages from the managed FortiSwitch unit.
To monitor FortiSwitch system information and receive FortiSwitch traps, you must first compile the Fortinet and FortiSwitch management information base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP manager. These MIBs provide information that the SNMP manager needs to interpret the SNMP trap, event, and query messages sent by the FortiSwitch SNMP agent.
FortiSwitch core MIB files are available for download by going to System > Config > SNMP > Settings and selecting the FortiSwitch MIB File download link.
You configure SNMP on a global level so that all managed FortiSwitch units use the same settings. If you want one of the FortiSwitch units to use different settings from the global settings, configure SNMP locally.
The maximum number of hosts for SNMP traps on a FortiSwitch unit is 8.
Configuring SNMP globally
To configure SNMP globally:
- Configure a firewall policy on the FortiGate device managing the FortiSwitch unit to allow the SNMP server to use the FortiLink interface for SNMP polling. For SNMP traps on the managed FortiSwitch unit, you need to configure a firewall policy to allow the managed FortiSwitch unit to communicate with the SNMP server through the FortiLink interface.
- Add SNMP access on the managed FortiSwitch unit. Add SNMP access to the internal-allowaccess setting. If you are using FortiLink mode over a layer-3 network with out-of-band management, add SNMP access to the mgmt-allowaccess setting.
- Configure the SNMP system information.
- Configure the SNMP community.
- Configure the SNMP trap threshold values.
- Configure the SNMP user.
To configure a firewall policy for SNMP polling:
config firewall policy
edit <policy_ID>
set name <policy_name>
set srcintf <FortiGate port that communicates with the SNMP server>
set dstintf <FortiLink port that communicates with the managed FortiSwitch unit>
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service {"SNMP" | <port_used_for_SNMP_polling>}
set ssl-ssh-profile "certificate-inspection"
set logtraffic all
next
end
To add SNMP access on the managed FortiSwitch unit:
config switch-controller security-policy local-access
edit "{default | <policy_name>}"
set mgmt-allowaccess <options> snmp
set internal-allowaccess <options> snmp
next
end
To configure the SNMP system information globally:
config switch-controller snmp-sysinfo
set status enable
set engine-id <local_SNMP_engine_ID (the maximum is 24 characters)>
set description <system_description>
set contact-info <contact_information>
set location <FortiGate_location>
end
NOTE: Each SNMP engine maintains a value, snmpEngineID, which uniquely identifies the SNMP engine. This value is included in each message sent to or from the SNMP engine. The engine-id is part of the snmpEngineID but does not include the Fortinet prefix 0x8000304404.
To configure the SNMP community globally:
config switch-controller snmp-community
edit <SNMP_community_entry_identifier>
set name <SNMP_community_name>
set status enable
set query-v1-status enable
set query-v1-port <0-65535; the default is 161>
set query-v2c-status enable
set query-v2c-port <0-65535; the default is 161>
set trap-v1-status enable
set trap-v1-lport <0-65535; the default is 162>
set trap-v1-rport <0-65535; the default is 162>
set trap-v2c-status enable
set trap-v2c-lport <0-65535; the default is 162>
set trap-v2c-rport <0-65535; the default is 162>
set events {cpu-high mem-low log-full intf-ip ent-conf-change}
config hosts
edit <host_entry_ID>
set ip <IPv4_address_of_the_SNMP_manager>
end
next
end
To configure the SNMP trap threshold values globally:
config switch-controller snmp-trap-threshold
set trap-high-cpu-threshold <percentage_value; the default is 80>
set trap-low-memory-threshold <percentage_value; the default is 80>
set trap-log-full-threshold <percentage_value; the default is 90>
end
To configure the SNMP user globally:
config switch-controller snmp-user
edit <SNMP_user_name>
set queries enable
set query-port <0-65535; the default is 161>
set security-level {auth-priv | auth-no-priv | no-auth-no-priv}
set auth-proto {md5 | sha1 | sha224 | sha256 | sha384 | sha512}
set auth-pwd <password_for_authentication_protocol>
set priv-proto {aes128 | aes192 | aes192c | aes256 | aes256c | des}
set priv-pwd <password_for_encryption_protocol>
end
Configuring SNMP locally
To configure SNMP for a specific FortiSwitch unit:
- Configure the SNMP system information.
- Configure the SNMP community.
- Configure the SNMP trap threshold values.
- Configure the SNMP user.
Starting in FortiSwitchOS 7.0.0, you can set up one or more SNMP v3 notifications (traps) in the CLI. The following notifications are supported:
- The CPU usage is too high.
- The configuration of an entity was changed.
- The IP address for an interface was changed.
- The available log space is low.
- The available memory is low.
By default, all SNMP notifications are enabled. Notifications are sent to one or more IP addresses.
To configure the SNMP system information locally:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
set override-snmp-sysinfo enable
config snmp-sysinfo
set status enable
set engine-id <local_SNMP_engine_ID (the maximum is 24 characters)>
set description <system_description>
set contact-info <contact_information>
set location <FortiGate_location>
end
next
end
NOTE: Each SNMP engine maintains a value, snmpEngineID, which uniquely identifies the SNMP engine. This value is included in each message sent to or from the SNMP engine. The engine-id is part of the snmpEngineID but does not include the Fortinet prefix 0x8000304404.
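The note above (and the identical note in the global section) says that the configured engine-id is the tail of the snmpEngineID after the fixed Fortinet prefix 0x8000304404. The following added example, which is not Fortinet's code, shows what that prefix encodes under RFC 3411 (format bit set, enterprise number 12356, format indicator 4 = text) and builds or decodes the full value so that an engine ID seen in a capture or manager log can be checked against the configured string. It assumes the engine-id text is appended as its ASCII bytes, which is what format indicator 4 denotes; the engine-id value used in the example is constructed.

```python
# Added example (not Fortinet's code): build and decode the snmpEngineID that a
# configured engine-id becomes once the Fortinet prefix 0x8000304404 is applied.
FORTINET_ENGINE_PREFIX = bytes.fromhex("8000304404")  # prefix stated in the note above
MAX_ENGINE_ID_TEXT = 24                                # engine-id length limit from the CLI reference

# RFC 3411 format indicators carried in the fifth octet of an SnmpEngineID.
ENGINE_ID_FORMATS = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}


def build_snmp_engine_id(engine_id: str) -> bytes:
    """Return the full SnmpEngineID for a configured engine-id.

    Assumption: the engine-id text is appended to the prefix as its ASCII bytes,
    which is what format indicator 4 (text) in RFC 3411 denotes.
    """
    if not engine_id or len(engine_id) > MAX_ENGINE_ID_TEXT:
        raise ValueError("engine-id must be 1 to %d characters" % MAX_ENGINE_ID_TEXT)
    return FORTINET_ENGINE_PREFIX + engine_id.encode("ascii")


def decode_snmp_engine_id(raw: bytes) -> dict:
    """Split an RFC 3411 SnmpEngineID into enterprise number, format and payload."""
    if not 5 <= len(raw) <= 32:
        raise ValueError("SnmpEngineID must be 5 to 32 octets")
    if not raw[0] & 0x80:
        raise ValueError("first bit clear: legacy RFC 1910 format, not decoded here")
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF  # clear the format bit
    fmt = raw[4]
    if 128 <= fmt <= 255:
        fmt_name = "enterprise-specific"
    else:
        fmt_name = ENGINE_ID_FORMATS.get(fmt, "reserved")
    payload = raw[5:]
    return {
        "enterprise": enterprise,
        "format": fmt_name,
        "engine_id": payload.decode("ascii", errors="replace") if fmt_name == "text" else payload.hex(),
    }


def is_fortinet_engine_id(raw: bytes) -> bool:
    """True when the engine ID carries the Fortinet prefix from the note above."""
    return raw.startswith(FORTINET_ENGINE_PREFIX)


if __name__ == "__main__":
    # "fsw-core-01" is a constructed engine-id, not a value from the page.
    full = build_snmp_engine_id("fsw-core-01")
    print(full.hex())                 # 8000304404 followed by the ASCII bytes
    print(decode_snmp_engine_id(full))
```

Decoding an engine ID this way is useful when an SNMPv3 manager reports an "unknown engine ID" or authentication failure: the enterprise field tells you whether the responder is a Fortinet engine at all, and the text payload should equal the engine-id you configured.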
To configure the SNMP community locally:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
set override-snmp-community enable
config snmp-community
edit <SNMP_community_entry_identifier>
set name <SNMP_community_name>
set status enable
set query-v1-status enable
set query-v1-port <0-65535; the default is 161>
set query-v2c-status enable
set query-v2c-port <0-65535; the default is 161>
set trap-v1-status enable
set trap-v1-lport <0-65535; the default is 162>
set trap-v1-rport <0-65535; the default is 162>
set trap-v2c-status enable
set trap-v2c-lport <0-65535; the default is 162>
set trap-v2c-rport <0-65535; the default is 162>
set events {cpu-high mem-low log-full intf-ip ent-conf-change}
config hosts
edit <host_entry_ID>
set ip <IPv4_address_of_the_SNMP_manager>
end
next
end
To configure the SNMP trap threshold values locally:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
set override-snmp-trap-threshold enable
config snmp-trap-threshold
set trap-high-cpu-threshold <percentage_value; the default is 80>
set trap-low-memory-threshold <percentage_value; the default is 80>
set trap-log-full-threshold <percentage_value; the default is 90>
end
next
end
To configure the SNMP user locally:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
set override-snmp-user enable
config snmp-user
edit <SNMP_user_name>
set queries enable
set query-port <0-65535; the default is 161>
set security-level {auth-priv | auth-no-priv | no-auth-no-priv}
set auth-proto {md5 | sha1 | sha224 | sha256 | sha384 | sha512}
set auth-pwd <password_for_authentication_protocol>
set priv-proto {aes128 | aes192 | aes192c | aes256 | aes256c | des}
set priv-pwd <password_for_encryption_protocol>
end
next
end
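The snmp-user settings above (global and local) let you pick any of the listed security levels, authentication protocols and privacy protocols, including the original RFC 3414 choices md5 and des that are no longer considered adequate. The following added example, which is not Fortinet's code, parses a FortiOS-style snmp-user block into a dictionary and reports entries that are not auth-priv, that use md5 or des, or that request auth-priv without a priv-proto. The parser handles the generic config/edit/set/next/end nesting; the sample configuration and its placeholder passwords are constructed for the example.

```python
# Added example (not Fortinet's code): parse a FortiOS-style snmp-user block and flag
# settings that weaken SNMPv3, using only the option names listed in the CLI reference above.
from typing import Dict, List, Tuple

# Protocols from the auth-proto/priv-proto option lists that are no longer considered
# adequate: MD5 and DES are the original RFC 3414 algorithms.
WEAK_AUTH_PROTOS = {"md5"}
WEAK_PRIV_PROTOS = {"des"}


def parse_fortios_config(text: str) -> Dict:
    """Parse 'config / edit / set / next / end' nesting into dicts.

    Table names keep their full text (for example 'switch-controller snmp-user'),
    'edit' entries become child dicts, and 'set key value' becomes key/value pairs.
    """
    root: Dict = {}
    stack = [root]
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts:
            continue
        keyword, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if keyword in ("config", "edit"):
            child = stack[-1].setdefault(rest.strip('"'), {})
            stack.append(child)
        elif keyword == "set":
            key, _, value = rest.partition(" ")
            stack[-1][key] = value.strip().strip('"')
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def audit_snmp_users(cfg: Dict) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for each snmp-user entry with a weak setting."""
    findings = []
    for user, settings in cfg.get("switch-controller snmp-user", {}).items():
        level = settings.get("security-level")
        if level is None:
            findings.append((user, "security-level is not set explicitly"))
        elif level != "auth-priv":
            findings.append((user, "security-level %s leaves SNMPv3 traffic unencrypted" % level))
        if settings.get("auth-proto") in WEAK_AUTH_PROTOS:
            findings.append((user, "auth-proto %s is deprecated; use a SHA-2 option" % settings["auth-proto"]))
        if settings.get("priv-proto") in WEAK_PRIV_PROTOS:
            findings.append((user, "priv-proto des is weak; use an AES option"))
        if level == "auth-priv" and "priv-proto" not in settings:
            findings.append((user, "auth-priv requested but no priv-proto set"))
    return findings


# Constructed sample configuration (placeholder passwords, not real credentials).
SAMPLE_CONFIG = """
config switch-controller snmp-user
    edit "snmp-legacy"
        set queries enable
        set query-port 161
        set security-level auth-no-priv
        set auth-proto md5
        set auth-pwd PLACEHOLDER_AUTH_PASSWORD
    next
    edit "snmp-monitor"
        set queries enable
        set query-port 161
        set security-level auth-priv
        set auth-proto sha256
        set auth-pwd PLACEHOLDER_AUTH_PASSWORD
        set priv-proto aes256
        set priv-pwd PLACEHOLDER_PRIV_PASSWORD
    next
end
"""

if __name__ == "__main__":
    for user, finding in audit_snmp_users(parse_fortios_config(SAMPLE_CONFIG)):
        print("%s: %s" % (user, finding))
```

Run against a `show switch-controller snmp-user` export, the script lists only the entries that need attention; the snmp-monitor entry in the sample (auth-priv, sha256, aes256) produces no findings, while snmp-legacy is reported twice.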
SNMP OIDs
Three SNMP OIDs have been added to the FortiOS enterprise MIB 2 tables in FortiOS 7.0.1. They report the FortiSwitch port status and FortiSwitch CPU and memory statistics.
SNMP OID | Description
---|---
fgSwDeviceInfo.fgSwDeviceTable.fgSwDeviceEntry.fgSwDeviceEntry.fgSwCpu 1.3.6.1.4.1.12356.101.24.1.1.1.11 | Percentage of the CPU being used.
fgSwDeviceInfo.fgSwDeviceTable.fgSwDeviceEntry.fgSwDeviceEntry.fgSwMemory 1.3.6.1.4.1.12356.101.24.1.1.1.12 | Percentage of memory being used.
fgSwPortInfo.fgSwPortTable.fgSwPortEntry.fgSwPortStatus 1.3.6.1.4.1.12356.101.24.2.1.1.6 | Whether a managed FortiSwitch port is up or down.
These OIDs require FortiSwitchOS 7.0.0 or higher. FortiLink and SNMP must be configured on the FortiGate device.
FortiSwitch units update the CPU and memory statistics every 30 seconds. This interval cannot be changed.
FortiOS versions 6.4.2 through 7.0.0 show the port status in the configuration management database (CMDB) for managed ports; FortiOS 7.0.1 and higher show the link status that has been retrieved from the switch port as the port status for managed ports.
Sample queries
To find out how much CPU is being used on a FortiSwitch 1024D with the serial number FS1D243Z17000032:
root@PC05:~# snmpwalk -v2c -Cc -c REGR-SYS 172.16.200.1 1.3.6.1.4.1.12356.101.24.1.1.1.11.2.8.17000032
To find out how much memory is being used on a FortiSwitch 1024D with the serial number FS1D243Z17000032:
root@PC05:~# snmpwalk -v2c -Cc -c REGR-SYS 172.16.200.1 1.3.6.1.4.1.12356.101.24.1.1.1.12.2.8.17000032
To find out the status of port1 of a FortiSwitch 1024D with the serial number FS1D243Z17000032:
root@PC05:~# snmpwalk -v2c -Cc -c REGR-SYS 172.16.200.1 1.3.6.1.4.1.12356.101.24.2.1.1.6.2.8.17000032.1
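The three queries above return one value each. The following added example, which is not Fortinet's code, takes the text that snmpwalk prints for those OIDs (in either the bare numeric form or the SNMPv2-SMI::enterprises form that net-snmp prints when the FortiSwitch MIB is not loaded) and evaluates it against the default trap thresholds from the snmp-trap-threshold settings (CPU 80, memory 80), so that a poller can raise the same condition the switch would trap on. The sample output lines, their value types and the port-status encoding (1 = up, 2 = down, in the style of ifOperStatus) are constructed assumptions for the example and should be confirmed against the FortiSwitch MIB; the comparison "used percentage >= threshold" is an interpretation, since the page does not state whether the trap fires at or above the threshold.

```python
# Added example (not Fortinet's code): evaluate snmpwalk output for the three OIDs in the
# table above against the default trap thresholds from the CLI reference (CPU 80, memory 80).
import re
from typing import Dict, List, Tuple

FORTISWITCH_BASE = "1.3.6.1.4.1.12356.101.24"
OIDS = {
    "cpu": FORTISWITCH_BASE + ".1.1.1.11",         # fgSwCpu
    "memory": FORTISWITCH_BASE + ".1.1.1.12",      # fgSwMemory
    "port_status": FORTISWITCH_BASE + ".2.1.1.6",  # fgSwPortStatus
}
# Default snmp-trap-threshold values; treated here as "alert when the used percentage
# reaches the threshold" (an interpretation, not stated on the page).
THRESHOLDS = {"cpu": 80, "memory": 80}
# Assumed ifOperStatus-style encoding for fgSwPortStatus; confirm against the FortiSwitch MIB.
PORT_STATUS_NAMES = {"1": "up", "2": "down"}

LINE_RE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?P<type>[A-Za-z0-9]+):\s*(?P<value>.*)$")


def parse_snmpwalk(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (numeric_oid, value) pairs from snmpwalk output lines, accepting both the
    bare numeric form and the SNMPv2-SMI::enterprises.N form that net-snmp prints
    when no vendor MIB is loaded. Lines that do not match are skipped."""
    result = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid = m.group("oid").replace("SNMPv2-SMI::enterprises.", "1.3.6.1.4.1.").lstrip(".")
        result.append((oid, m.group("value").strip().strip('"')))
    return result


def classify(oid: str):
    """Map a numeric OID to one of the table's objects and its trailing index."""
    for name, base in OIDS.items():
        if oid.startswith(base + "."):
            return name, oid[len(base) + 1:]
    return None, None


def evaluate(lines: List[str]) -> Dict:
    """Summarise a walk: threshold alerts for CPU/memory and the status of each port."""
    summary: Dict = {"alerts": [], "ports": {}}
    for oid, value in parse_snmpwalk(lines):
        kind, index = classify(oid)
        if kind in THRESHOLDS:
            used = int(value)
            if used >= THRESHOLDS[kind]:
                summary["alerts"].append((kind, index, used))
        elif kind == "port_status":
            summary["ports"][index] = PORT_STATUS_NAMES.get(value, "unknown(%s)" % value)
    return summary


# Constructed sample output; the value types and numbers are made up for the example.
# The index 2.8.17000032 is the one the sample queries above use for FS1D243Z17000032.
SAMPLE_WALK = [
    "SNMPv2-SMI::enterprises.12356.101.24.1.1.1.11.2.8.17000032 = Gauge32: 91",
    "SNMPv2-SMI::enterprises.12356.101.24.1.1.1.12.2.8.17000032 = Gauge32: 62",
    "SNMPv2-SMI::enterprises.12356.101.24.2.1.1.6.2.8.17000032.1 = INTEGER: 1",
    "SNMPv2-SMI::enterprises.12356.101.24.2.1.1.6.2.8.17000032.2 = INTEGER: 2",
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_WALK))
```

Piping real output into this (for example `snmpwalk ... | python3 poll_check.py` with a small stdin loop added) gives a poller-side view of the same conditions the switch traps on; because the CPU and memory statistics are refreshed only every 30 seconds, polling more often than that returns the same values.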