Fortinet white logo
Fortinet white logo

CLI Reference

system snmp user

system snmp user

Use this command to configure the FortiWeb appliance’s SNMP agent to belong to an SNMP version 3 community, and to select which events cause the FortiWeb appliance to generate SNMP traps.

To configure the SNMP agent as a member of a SNMP version version 1 or 2c community and for more information on the SNMP agent, see system snmp community.

To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

Syntax

config system snmp user

edit name "<user_str>"

set status {enable | disable}

set security-level { noauthnopriv | authnopriv | authpriv >

set auth-proto {sha1 | md5}

set auth-pwd "<auth-password_str>"

set priv-proto {aes | des}

set priv-pwd "<priv-password_str>"

set query-status {enable | disable}

set query-port <port_int>

set trap-status {enable | disable}

set trapport-local <port_int>

set trapport-remote <port_int>

set trapevent {cpu-high | intf-ip | log-full | mem-low | netlink-down-status | netlink-up-status | policy-start | policy-stop | pserver-failed | sys-ha-cluster-status-change | sys-ha-member-join | sys-ha-member-leave | sys-mode-change | waf-access-attack | waf-amethod-attack | waf-blogin-attack |waf-hidden-fields | waf-pvalid-attack | waf-signature-detection | waf-url-access-attack | waf-spage-attack}

set "<snmp-manager_index>"

config hosts

edit "<snmp-manager_index>"

set {"<manager_ipv4> | <manager_ipv6>"}

next

end

next

end

Variable Description Default

name "<user_str>"

Enter the name of the SNMP user to which the FortiWeb appliance and at least one SNMP manager belongs. The maximum length is 63 characters.

The FortiWeb appliance does not respond to SNMP managers whose query packets do not contain a matching community name. Similarly, trap packets from the FortiWeb appliance include the community name, and an SNMP manager may not accept the trap if its community name does not match.

No default.

status {enable | disable}

Enable to activate the community.

This setting takes effect only if the SNMP agent is enabled. For details, see system snmp sysinfo.

disable

security-level { noauthnopriv | authnopriv | authpriv >

Enter the security level.

  • noauthnopriv—No additional authentication or encryption compared to SNMP v1 and v2.
  • authnopriv—The SNMP manager needs to provide the password specified in this community configuration. Also specify auth-proto and auth-pwd.
  • authpriv—Adds both authentication and encryption. Also specify auth-proto, auth-pwd, priv-proto, and priv-pwd. Ensure that the SNMP manager and FortiWeb use the same protocols and passwords.
No default.

auth-proto {sha1 | md5}

If the security-level option includes authentication, specify the authentication protocol.

sha1

auth-pwd "<auth-password_str>"

If the security-level option includes authentication, specify the authentication password.

No default.

priv-proto {aes | des}

If the security-level option is authprivuser_name, specify the encryption protocol.

aes

priv-pwd "<priv-password_str>"

If the security-level option is authprivuser_name, specify the encryption password.

No default.

query-status {enable | disable}

Enable to respond to queries using the SNMP v3 version of the SNMP protocol. enable

query-port <port_int>

Enter the port number on which the FortiWeb appliance listens for SNMP v3 queries from the SNMP managers of the community. The valid range is 1–65,535. 161

trap-status {enable | disable}

Enable to send traps using the SNMP v3 version of the SNMP protocol. enable

trapport-local <port_int>

Enter the port number that is the source (also called local) port number for SNMP v3 trap packets. The valid range is 1–65,535. 162

trapport-remote <port_int>

Enter the port number that is the destination (also called remote) port number for SNMP v3 trap packets. The valid range is 1–65,535. 162

trapevent {cpu-high | intf-ip | log-full | mem-low | netlink-down-status | netlink-up-status | policy-start | policy-stop | pserver-failed | sys-ha-cluster-status-change | sys-ha-member-join | sys-ha-member-leave | sys-mode-change | waf-access-attack | waf-amethod-attack | waf-blogin-attack |waf-hidden-fields | waf-pvalid-attack | waf-signature-detection | waf-url-access-attack | waf-spage-attack}

Enter the name of one or more the SNMP events. When FortiWeb detects the specified events, it sends traps to the SNMP managers in this community. Also enable trap-status.

  • cpu-high—CPU usage has exceeded 80%.
  • intf-ip—A network interface’s IP address has changed. See system interface.
  • log-full—Local log disk space usage has exceeded 80%. If the space is consumed and a new log message is triggered, the FortiWeb appliance will either drop it or overwrite the oldest log message, depending on your configuration. For details, see log disk.
  • mem-low—Memory (RAM) usage has exceeded 80%.
  • netlink-down-status—A network interface has been brought down (disabled). This could be due to either an administrator changing the network interface’s settings, or due to HA executing a failover.
  • netlink-up-status—A network interface has been brought up (enabled). This could be due to either an administrator changing the network interface’s settings, or due to HA executing a failover.
  • policy-start—A policy was enabled. For details, see server-policy policy.
  • policy-stop—A policy was disabled. For details, see server-policy policy.
  • pserver-failed—A server health check has determined that a physical server that is a member of a server farm is now unavailable. For details, see server-policy policy.
  • sys-ha-cluster-status-change—HA cluster status was changed.
  • sys-ha-member-join—HA member has joined.
  • sys-ha-member-leave—HA member has left.
  • sys-mode-change—The operation mode was changed. For details, see system settings.
No default.

"<snmp-manager_index>"

Enter the index number of an SNMP manager for the community. The valid range is 1–9,999,999,999,999,999,999. No default.

{"<manager_ipv4> | <manager_ipv6>"}

Enter the IP address of the SNMP manager that can do the following when you enable traps, queries, or both in this community:

  • Receive traps from the FortiWeb appliance
  • Query the FortiWeb appliance

SNMP managers have read-only access.

To allow any IP address using this SNMP community name to query the FortiWeb appliance, enter 0.0.0.0 or ::.

Note: Entering 0.0.0.0 or :: effectively disables traps if there are no other host IP entries, because there is no specific destination for trap packets. If you do not want to disable traps, add at least one other entry that specifies the IP address of an SNMP manager.

No default.

Example

For an example, see system snmp sysinfo.

Related topics

system snmp user

system snmp user

Use this command to configure the FortiWeb appliance’s SNMP agent to belong to an SNMP version 3 community, and to select which events cause the FortiWeb appliance to generate SNMP traps.

To configure the SNMP agent as a member of a SNMP version version 1 or 2c community and for more information on the SNMP agent, see system snmp community.

To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

Syntax

config system snmp user

edit name "<user_str>"

set status {enable | disable}

set security-level { noauthnopriv | authnopriv | authpriv >

set auth-proto {sha1 | md5}

set auth-pwd "<auth-password_str>"

set priv-proto {aes | des}

set priv-pwd "<priv-password_str>"

set query-status {enable | disable}

set query-port <port_int>

set trap-status {enable | disable}

set trapport-local <port_int>

set trapport-remote <port_int>

set trapevent {cpu-high | intf-ip | log-full | mem-low | netlink-down-status | netlink-up-status | policy-start | policy-stop | pserver-failed | sys-ha-cluster-status-change | sys-ha-member-join | sys-ha-member-leave | sys-mode-change | waf-access-attack | waf-amethod-attack | waf-blogin-attack |waf-hidden-fields | waf-pvalid-attack | waf-signature-detection | waf-url-access-attack | waf-spage-attack}

set "<snmp-manager_index>"

config hosts

edit "<snmp-manager_index>"

set {"<manager_ipv4> | <manager_ipv6>"}

next

end

next

end

Variable Description Default

name "<user_str>"

Enter the name of the SNMP user to which the FortiWeb appliance and at least one SNMP manager belongs. The maximum length is 63 characters.

The FortiWeb appliance does not respond to SNMP managers whose query packets do not contain a matching community name. Similarly, trap packets from the FortiWeb appliance include the community name, and an SNMP manager may not accept the trap if its community name does not match.

No default.

status {enable | disable}

Enable to activate the community.

This setting takes effect only if the SNMP agent is enabled. For details, see system snmp sysinfo.

disable

security-level { noauthnopriv | authnopriv | authpriv >

Enter the security level.

  • noauthnopriv—No additional authentication or encryption compared to SNMP v1 and v2.
  • authnopriv—The SNMP manager needs to provide the password specified in this community configuration. Also specify auth-proto and auth-pwd.
  • authpriv—Adds both authentication and encryption. Also specify auth-proto, auth-pwd, priv-proto, and priv-pwd. Ensure that the SNMP manager and FortiWeb use the same protocols and passwords.
No default.

auth-proto {sha1 | md5}

If the security-level option includes authentication, specify the authentication protocol.

sha1

auth-pwd "<auth-password_str>"

If the security-level option includes authentication, specify the authentication password.

No default.

priv-proto {aes | des}

If the security-level option is authprivuser_name, specify the encryption protocol.

aes

priv-pwd "<priv-password_str>"

If the security-level option is authprivuser_name, specify the encryption password.

No default.

query-status {enable | disable}

Enable to respond to queries using the SNMP v3 version of the SNMP protocol. enable

query-port <port_int>

Enter the port number on which the FortiWeb appliance listens for SNMP v3 queries from the SNMP managers of the community. The valid range is 1–65,535. 161

trap-status {enable | disable}

Enable to send traps using the SNMP v3 version of the SNMP protocol. enable

trapport-local <port_int>

Enter the port number that is the source (also called local) port number for SNMP v3 trap packets. The valid range is 1–65,535. 162

trapport-remote <port_int>

Enter the port number that is the destination (also called remote) port number for SNMP v3 trap packets. The valid range is 1–65,535. 162

trapevent {cpu-high | intf-ip | log-full | mem-low | netlink-down-status | netlink-up-status | policy-start | policy-stop | pserver-failed | sys-ha-cluster-status-change | sys-ha-member-join | sys-ha-member-leave | sys-mode-change | waf-access-attack | waf-amethod-attack | waf-blogin-attack |waf-hidden-fields | waf-pvalid-attack | waf-signature-detection | waf-url-access-attack | waf-spage-attack}

Enter the name of one or more the SNMP events. When FortiWeb detects the specified events, it sends traps to the SNMP managers in this community. Also enable trap-status.

  • cpu-high—CPU usage has exceeded 80%.
  • intf-ip—A network interface’s IP address has changed. See system interface.
  • log-full—Local log disk space usage has exceeded 80%. If the space is consumed and a new log message is triggered, the FortiWeb appliance will either drop it or overwrite the oldest log message, depending on your configuration. For details, see log disk.
  • mem-low—Memory (RAM) usage has exceeded 80%.
  • netlink-down-status—A network interface has been brought down (disabled). This could be due to either an administrator changing the network interface’s settings, or due to HA executing a failover.
  • netlink-up-status—A network interface has been brought up (enabled). This could be due to either an administrator changing the network interface’s settings, or due to HA executing a failover.
  • policy-start—A policy was enabled. For details, see server-policy policy.
  • policy-stop—A policy was disabled. For details, see server-policy policy.
  • pserver-failed—A server health check has determined that a physical server that is a member of a server farm is now unavailable. For details, see server-policy policy.
  • sys-ha-cluster-status-change—HA cluster status was changed.
  • sys-ha-member-join—HA member has joined.
  • sys-ha-member-leave—HA member has left.
  • sys-mode-change—The operation mode was changed. For details, see system settings.
No default.

"<snmp-manager_index>"

Enter the index number of an SNMP manager for the community. The valid range is 1–9,999,999,999,999,999,999. No default.

{"<manager_ipv4> | <manager_ipv6>"}

Enter the IP address of the SNMP manager that can do the following when you enable traps, queries, or both in this community:

  • Receive traps from the FortiWeb appliance
  • Query the FortiWeb appliance

SNMP managers have read-only access.

To allow any IP address using this SNMP community name to query the FortiWeb appliance, enter 0.0.0.0 or ::.

Note: Entering 0.0.0.0 or :: effectively disables traps if there are no other host IP entries, because there is no specific destination for trap packets. If you do not want to disable traps, add at least one other entry that specifies the IP address of an SNMP manager.

No default.

Example

For an example, see system snmp sysinfo.

Related topics