
system snmp community

Use this command to configure the FortiWeb appliance’s SNMP agent to belong to an SNMP version 1 or 2c community, and to select which events cause the FortiWeb appliance to generate SNMP traps.

To configure the SNMP agent as a member of an SNMP version 3 community, see system snmp user.

The FortiWeb appliance’s simple network management protocol (SNMP) agent allows queries for system information and can send traps (alarms or event messages) to the computer that you designate as its SNMP manager. In this way you can use an SNMP manager to monitor the FortiWeb appliance. You can add the IP addresses of up to eight SNMP managers to each community, which designate the destination of traps and which IP addresses are permitted to query the FortiWeb appliance.

An SNMP community is a grouping of equipment for network administration purposes. You must configure your FortiWeb appliance to belong to at least one SNMP community so that community’s SNMP managers can query the FortiWeb appliance’s system information and receive SNMP traps from the FortiWeb appliance.

You can add up to three SNMP communities. Each community can have a different configuration for queries and traps, and a different set of events that trigger a trap. Use SNMP traps to notify the SNMP manager of a wide variety of event types. Event types range from basic system events, such as high usage of resources, to when an attack type is detected or a specific rule is enforced by a policy.

Before you can use SNMP, you must activate the FortiWeb appliance’s SNMP agent and add it as a member of at least one community. For details, see system snmp sysinfo. You must also enable SNMP access on the network interface through which the SNMP manager will connect. For details, see system interface.

On the SNMP manager, you must also verify that the SNMP manager is a member of the community to which the FortiWeb appliance belongs, and compile the necessary Fortinet proprietary management information bases (MIBs) and Fortinet-supported standard MIBs. For information on MIBs, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

Syntax

config system snmp community
  edit <community_index>
    set status {enable | disable}
    set name "<community_str>"
    set events {cpu-high | intf-ip | log-full | mem-low | netlink-down-status | netlink-up-status | policy-start | policy-stop | pserver-failed | sys-ha-cluster-status-change | sys-ha-member-join | sys-ha-member-leave | sys-mode-change | waf-access-attack | waf-amethod-attack | waf-hidden-fields | waf-pvalid-attack | waf-signature-detection | waf-url-access-attack | waf-spage-attack | power-supply-failure}
    set query-v1-port <port_int>
    set query-v1-status {enable | disable}
    set query-v2c-port <port_int>
    set query-v2c-status {enable | disable}
    set trap-v1-lport <port_int>
    set trap-v1-rport <port_int>
    set trap-v1-status {enable | disable}
    set trap-v2c-lport <port_int>
    set trap-v2c-rport <port_int>
    set trap-v2c-status {enable | disable}
    config hosts
      edit <snmp-manager_index>
        set ip {"<manager_ipv4>" | "<manager_ipv6>"}
      next
    end
  next
end

Variable Description Default

<community_index>

Enter the index number of a community to which the FortiWeb appliance belongs. The valid range is 1–9,999,999,999,999,999,999. No default.

status {enable | disable}

Enable to activate the community.

This setting takes effect only if the SNMP agent is enabled. For details, see system snmp sysinfo.

Default: disable

name "<community_str>"

Enter the name of the SNMP community to which the FortiWeb appliance and at least one SNMP manager belong. The maximum length is 63 characters.

The FortiWeb appliance will not respond to SNMP managers whose query packets do not contain a matching community name. Similarly, trap packets from the FortiWeb appliance include the community name, and an SNMP manager may not accept the trap if its community name does not match.

No default.

events {cpu-high | intf-ip | log-full | mem-low | netlink-down-status | netlink-up-status | policy-start | policy-stop | pserver-failed | sys-ha-cluster-status-change | sys-ha-member-join | sys-ha-member-leave | sys-mode-change | waf-access-attack | waf-amethod-attack | waf-hidden-fields | waf-pvalid-attack | waf-signature-detection | waf-url-access-attack | waf-spage-attack | power-supply-failure}

Enter one or more of the following SNMP event names to cause the FortiWeb appliance to send traps when those events occur. Traps are sent to the SNMP managers in this community. You must also enable traps (see trap-v1-status and trap-v2c-status).

  • cpu-high—CPU usage has exceeded 80%.
  • intf-ip—A network interface’s IP address has changed. For details, see system interface.
  • log-full—Local log disk space usage has exceeded 80%. If the space is consumed and a new log message is triggered, the FortiWeb appliance will either drop it or overwrite the oldest log message, depending on your configuration. For details, see log disk.
  • mem-low—Memory (RAM) usage has exceeded 80%.
  • netlink-down-status—A network interface has been brought down (disabled). This could be due to either an administrator changing the network interface’s settings, or due to HA executing a failover.
  • netlink-up-status—A network interface has been brought up (enabled). This could be due to either an administrator changing the network interface’s settings, or due to HA executing a failover.
  • policy-start—A policy was enabled. For details, see server-policy policy.
  • policy-stop—A policy was disabled. For details, see server-policy policy.
  • pserver-failed—A server health check has determined that a physical server that is a member of a server farm is now unavailable. For details, see server-policy policy.
  • sys-ha-cluster-status-change—HA cluster status was changed.
  • sys-ha-member-join—HA member has joined.
  • sys-ha-member-leave—HA member has left.
  • sys-mode-change—The operation mode was changed. See system settings.
No default.
   

query-v1-port <port_int>

Enter the port number on which the FortiWeb appliance will listen for SNMP v1 queries from the SNMP managers of the community. The valid range is 1–65,535. Default: 161

query-v1-status {enable | disable}

Enable to respond to queries using SNMP v1. Default: enable

query-v2c-port <port_int>

Enter the port number on which the FortiWeb appliance will listen for SNMP v2c queries from the SNMP managers of the community. The valid range is 1–65,535. Default: 161

query-v2c-status {enable | disable}

Enable to respond to queries using SNMP v2c. Default: enable

trap-v1-lport <port_int>

Enter the port number that will be the source (also called local) port number for SNMP v1 trap packets. The valid range is 1–65,535. Default: 162

trap-v1-rport <port_int>

Enter the port number that will be the destination (also called remote) port number for SNMP v1 trap packets. The valid range is 1–65,535. Default: 162

trap-v1-status {enable | disable}

Enable to send traps using SNMP v1. Default: enable

trap-v2c-lport <port_int>

Enter the port number that will be the source (also called local) port number for SNMP v2c trap packets. The valid range is 1–65,535. Default: 162

trap-v2c-rport <port_int>

Enter the port number that will be the destination (also called remote) port number for SNMP v2c trap packets. The valid range is 1–65,535. Default: 162

trap-v2c-status {enable | disable}

Enable to send traps using SNMP v2c. Default: enable

<snmp-manager_index>

Enter the index number of an SNMP manager for the community. The valid range is 1–9,999,999,999,999,999,999. No default.

ip {"<manager_ipv4>" | "<manager_ipv6>"}

Enter the IP address of the SNMP manager that, if traps and/or queries are enabled in this community:

  • Will receive traps from the FortiWeb appliance
  • Will be permitted to query the FortiWeb appliance

SNMP managers have read-only access.

To allow any IP address using this SNMP community name to query the FortiWeb appliance, enter 0.0.0.0.

Note: Entering 0.0.0.0 effectively disables traps if there are no other host IP entries, because there is no specific destination for trap packets. If you do not want to disable traps, you must add at least one other entry that specifies the IP address of an SNMP manager.

No default.

Example

For an example, see system snmp sysinfo.
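
As an added example (not Fortinet's code), the Python below audits a saved config system snmp community block for the settings this page calls out: a 0.0.0.0 host entry, 0.0.0.0 as the only host entry, and both query versions left at their default of enable. The finding names, the sample configuration, and the check for the conventional public/private community names are assumptions of this example.

```python
# Defaults come from the table above. SAMPLE is constructed; names and addresses are made up.
DEFAULTS = {"status": "disable", "query-v1-status": "enable", "query-v2c-status": "enable"}
SAMPLE = """config system snmp community
  edit 1
    set status enable
    set name "public"
    config hosts
      edit 1
        set ip "0.0.0.0"
      next
    end
  next
  edit 2
    set status enable
    set name "fweb-mon-7Qx"
    set query-v1-status disable
    config hosts
      edit 1
        set ip "192.0.2.10"
      next
    end
  next
end"""

def parse(text):
    comms, in_hosts = [], False  # one dict per community: settings plus 'hosts'
    for tok in (l.split() for l in text.splitlines() if l.strip()):
        if tok[0] in ("config", "end"):
            in_hosts = tok[:2] == ["config", "hosts"]
        elif tok[0] == "edit" and not in_hosts:
            comms.append({"index": tok[1], "hosts": [], **DEFAULTS})
        elif tok[:2] == ["set", "ip"] and in_hosts and len(tok) > 2:
            comms[-1]["hosts"].append(tok[2].strip('"'))
        elif tok[0] == "set" and not in_hosts and comms:
            comms[-1][tok[1]] = " ".join(tok[2:]).strip('"')
    return comms

def audit(c):
    if c["status"] != "enable":  # status defaults to disable: community is inactive
        return []
    hosts = set(c["hosts"])
    checks = {  # finding names are this example's own labels
        "any-ip-may-query": "0.0.0.0" in hosts,
        "traps-have-no-destination": hosts == {"0.0.0.0"},
        "well-known-community-name": c.get("name", "").lower() in ("public", "private"),
        "both-query-versions-on": c["query-v1-status"] == c["query-v2c-status"] == "enable",
    }
    return [name for name, hit in checks.items() if hit]
print({c["index"]: audit(c) for c in parse(SAMPLE)})
```

Community 1 in the sample triggers all four findings; community 2, which names a single manager address and disables v1 queries, triggers none.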
