
SNMP

Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network. You can configure the hardware, such as the FortiGate SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers. An SNMP manager, or host, is typically a computer running an application that can read the incoming trap and event messages from the agent and send SNMP queries to the SNMP agents. A FortiManager unit can act as an SNMP manager to one or more FortiGate units. FortiOS supports SNMP using IPv4 and IPv6 addressing.

By using an SNMP manager, you can access SNMP traps and data from any FortiGate interface or VLAN subinterface configured for SNMP management access. Part of configuring an SNMP manager is to list it as a host in a community on the FortiGate unit it will be monitoring. Otherwise, the SNMP monitor will not receive any traps from that FortiGate unit or be able to query that unit.

The FortiGate SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read-only access to FortiGate system information through queries and can receive trap messages from the FortiGate unit.

To monitor FortiGate system information and receive FortiGate traps, you must first compile the Fortinet and FortiGate Management Information Base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP manager. These MIBs provide information the SNMP manager needs to interpret the SNMP trap, event, and query messages sent by the FortiGate unit SNMP agent.

FortiGate core MIB files are available for download by going to System > SNMP and selecting the download link on the page.

The Fortinet implementation of SNMP includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II). For more information, see "Fortinet MIBs". RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and partial support of User-based Security Model (RFC 3414).

SNMP traps alert you to events that occur such as a full log disk or a virus detected.

SNMP fields contain information about the FortiGate unit, such as CPU usage percentage or the number of sessions. This information is useful for monitoring the condition of the unit on an ongoing basis and to provide more information when a trap occurs.

The FortiGate SNMP v3 implementation includes support for queries, traps, authentication, and privacy. Authentication and encryption are configured in the CLI. See the system snmp user command in the FortiGate CLI Reference.

SNMP configuration settings

Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections by going to Network > Interfaces. Select the interface and, in the Administrative Access, select SNMP.

For VDOMs, SNMP traps can only be sent on interfaces in the management VDOM. Traps cannot be sent over interfaces outside the management VDOM.

To configure SNMP settings, go to System > SNMP.

SNMP Agent Select to enable SNMP communication.
Description Enter descriptive information about the FortiGate unit. The description can be up to 35 characters.
Location Enter the physical location of the FortiGate unit. The system location description can be up to 35 characters long.
Contact Enter the contact information for the person responsible for this FortiGate unit. The contact information can be up to 35 characters.
SNMP v1/v2c section
To create a new SNMP community, see SNMP Community.
Community Name The name to identify the community.
Queries Indicates whether the query protocols (v1 and v2c) are enabled or disabled. A green check mark indicates queries are enabled; a gray x indicates queries are disabled. If one query protocol is disabled and the other enabled, there will still be a green check mark.
Traps Indicates whether the trap protocols (v1 and v2c) are enabled or disabled. A green check mark indicates traps are enabled; a gray x indicates traps are disabled. If one trap protocol is disabled and the other enabled, there will still be a green check mark.
Enable Select the check box to enable or disable the community.
SNMP v3 section
To create a new SNMP community, see SNMP Community page.
User Name The name of the SNMPv3 user.
Security Level The security level of the user.
Notification Host The IP address or addresses of the host.
Queries Indicates whether queries are enabled or disabled. A green check mark indicates queries are enabled; a gray x indicates queries are disabled.
New SNMP Community page
Community Name Enter a name to identify the SNMP community.
Hosts (section)
IP Address Enter the IP address to identify the SNMP managers that can use the settings in this SNMP community to monitor the FortiGate unit.

You can also set the IP address to 0.0.0.0 so that any SNMP manager can use this SNMP community.
Delete Removes an SNMP manager from the list within the Hosts section.
Add Select to add a blank line to the Hosts list. You can add up to eight SNMP managers to a single community.
Queries (section)
Protocol The SNMP protocol. In the v1 row, this means that the settings are for SNMP v1. In the v2c row, this means that the settings are for SNMP v2c.
Port Enter the port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiGate unit. Select the Enable check box to activate queries for each SNMP version.

Note: The SNMP client software and the FortiGate unit must use the same port for queries.
Enable Select to enable that SNMP protocol.
Traps (section)
Protocol The SNMP protocol. In the v1 row, this means that the settings are for SNMP v1. In the v2c row, this means that the settings are for SNMP v2c.
Local Enter the local port numbers (port 162 for each by default) that the FortiGate unit uses to send SNMP v1 or SNMP v2c traps to the SNMP managers in this community. Select the Enable check box to activate traps for each SNMP version.

Note: The SNMP client software and the FortiGate unit must use the same port for traps.
Remote Enter the remote port number (port 162 by default) that the FortiGate unit uses to send SNMP v1 or v2c traps to the SNMP managers in this community.

Note: The SNMP client software and the FortiGate unit must use the same port for traps.
Enable Select to activate traps for each SNMP version.
SNMP Event Enable each SNMP event for which the FortiGate unit should send traps to the SNMP managers in this community.

The sensitivity of the CPU overusage trap is slightly reduced by spreading values out over 8 polling cycles. This prevents sharp spikes caused by CPU-intensive short-term events such as changing a policy.

Power Supply Failure event trap is available only on some models.

AMC interfaces enter bypass mode event trap is available only on models that support AMC modules.
Enable Select to enable the SNMP event.
Create New SNMP V3 User
User Name Enter the name of the user.
Security Level Select the type of security level the user will have.
Notification Host Enter the IP address of the notification host. If you want to add more than one host, after entering the IP address of the first host, select the plus sign to add another host.
Enable Query Select to enable or disable the query. By default, the query is enabled.
Port Enter the port number in the field.
Events Select the SNMP events that will be associated with that user.

Gigabit interfaces

When determining the interface speed of a FortiGate unit with a 10G interface, IF-MIB.ifSpeed may not return the correct value. IF-MIB.ifSpeed is a 32-bit gauge used to report interface speeds in bits/second and cannot hold a value that needs 64 bits. The 32-bit counter wraps too quickly for the output to be accurate.

In this case, you can use the value ifHighSpeed. It reports interface speeds in megabits/second. This ensures that 10Gb interfaces report the correct value.
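The following example (added here, not Fortinet's code) shows how a monitoring script should treat the two objects: ifSpeed is a 32-bit Gauge32, and per RFC 2863 an agent reports its maximum value (4294967295) for any link faster than that, at which point ifHighSpeed (in Mbps) must be used. The snmpwalk-style input is constructed, not captured from a device.

```python
"""Resolve interface speed from IF-MIB ifSpeed and ifHighSpeed values."""
import re

IFSPEED_MAX = 2**32 - 1  # 4294967295, the saturation value of ifSpeed

# Constructed snmpwalk-style output for a 1G port (ifIndex 1) and a
# 10G port (ifIndex 2); not captured from a real FortiGate.
SAMPLE_WALK = """\
IF-MIB::ifSpeed.1 = Gauge32: 1000000000
IF-MIB::ifSpeed.2 = Gauge32: 4294967295
IF-MIB::ifHighSpeed.1 = Gauge32: 1000
IF-MIB::ifHighSpeed.2 = Gauge32: 10000
"""

LINE_RE = re.compile(r"^IF-MIB::(ifSpeed|ifHighSpeed)\.(\d+) = Gauge32: (\d+)$")


def parse_walk(text):
    """Return {ifIndex: {"ifSpeed": int, "ifHighSpeed": int}} from walk output."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            obj, idx, val = m.group(1), int(m.group(2)), int(m.group(3))
            table.setdefault(idx, {})[obj] = val
    return table


def effective_speed_bps(if_speed, if_high_speed):
    """Bits/second for the interface; trust ifSpeed only while it is below its ceiling."""
    if if_speed >= IFSPEED_MAX:
        return if_high_speed * 1_000_000  # ifHighSpeed is expressed in Mbps
    return if_speed


def interface_speeds(text):
    """Map each ifIndex in the walk output to its speed in bits/second."""
    return {
        idx: effective_speed_bps(row.get("ifSpeed", 0), row.get("ifHighSpeed", 0))
        for idx, row in parse_walk(text).items()
    }


if __name__ == "__main__":
    for idx, bps in sorted(interface_speeds(SAMPLE_WALK).items()):
        print(f"ifIndex {idx}: {bps / 1e9:.1f} Gbps")
```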

SNMP agent

First enable the FortiGate SNMP agent and enter information that identifies the FortiGate unit, so that when your SNMP manager receives traps from the FortiGate unit you know which unit sent them.

To configure the SNMP agent - GUI
  1. Go to System > SNMP.
  2. Select Enable for the SNMP Agent.
  3. Enter a descriptive name for the agent.
  4. Enter the location of the FortiGate unit.
  5. Enter a contact or administrator for the SNMP Agent or FortiGate unit.
  6. Select Apply.
To configure SNMP agent - CLI

config system snmp sysinfo
    set status enable
    set contact-info <contact_information>
    set description <description_of_FortiGate>
    set location <FortiGate_location>
end

SNMP community

An SNMP community is a grouping of devices for network administration purposes. Within that SNMP community, devices can communicate by sending and receiving traps and other information. One device can belong to multiple communities, such as one administrator terminal monitoring both a firewall SNMP and a printer SNMP community.

Add SNMP communities to your FortiGate unit so that SNMP managers can connect to view system information and receive SNMP traps.

You can add up to three SNMP communities. Each community can have a different configuration for SNMP queries and traps. Each community can be configured to monitor the FortiGate unit for a different set of events. You can also add the IP addresses of up to 8 SNMP managers to each community.

When the FortiGate unit is in virtual domain mode, SNMP traps can only be sent on interfaces in the management virtual domain. Traps cannot be sent over other interfaces.

To add an SNMP v1/v2c community - GUI
  1. Go to System > SNMP.
  2. In the SNMP v1/v2c area, select Create New.
  3. Enter a Community Name.
  4. Enter the IP address to identify the SNMP managers that can use the settings in this SNMP community to monitor the FortiGate unit.
  5. Select the interface if the SNMP manager is not on the same subnet as the FortiGate unit.
  6. Enter the Port number that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiGate unit. Select the Enable check box to activate queries for each SNMP version.
  7. Enter the Local and Remote port numbers that the FortiGate unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community.
  8. Select the Enable check box to activate traps for each SNMP version.
  9. Select OK.
To add an SNMP v1/v2c community - CLI

config system snmp community
    edit <index_number>
        set events <events_list>
        set name <community_name>
        set query-v1-port <port_number>
        set query-v1-status {enable | disable}
        set query-v2c-port <port_number>
        set query-v2c-status {enable | disable}
        set status {enable | disable}
        set trap-v1-lport <port_number>
        set trap-v1-rport <port_number>
        set trap-v1-status {enable | disable}
        set trap-v2c-lport <port_number>
        set trap-v2c-rport <port_number>
        set trap-v2c-status {enable | disable}
end

To add an SNMP v3 community - GUI
  1. Go to System > SNMP.
  2. In the SNMP v3 area, select Create New.
  3. Enter a User Name.
  4. Select a Security Level and associated authorization algorithms.
  5. Enter the IP address of the Notification Host, the SNMP manager that can use the settings in this SNMP community to monitor the FortiGate unit.
  6. Enter the Port number that the SNMP managers in this community use to receive configuration information from the FortiGate unit. Select the Enable check box to activate queries for each SNMP version.
  7. Select the Enable check box to activate traps.
  8. Select OK.
To add an SNMP v3 community - CLI

config system snmp user
    edit <index_number>
        set security-level {auth-priv | auth-no-priv | no-auth-no-priv}
        set queries enable
        set query-port <port_number>
        set notify-hosts <ip_address>
        set events <event_selections>
end
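The community and v3 user settings above are the ones a reviewer checks when auditing a FortiGate configuration: a host of 0.0.0.0 lets any manager use the community, v1/v2c send the community string in the clear, and only the auth-priv security level both authenticates and encrypts. The following script (added here, not Fortinet's code) parses a 'config system snmp' dump in the CLI format shown on this page and reports those conditions; the sample configuration is constructed, and the 'config hosts' subtable syntax inside a community is assumed rather than taken from this page.

```python
# Constructed sample; the 'config hosts' subtable syntax is assumed (not on this page).
SAMPLE_CONFIG = """\
config system snmp community
    edit 1
        set name "public"
        set query-v1-status enable
        set query-v2c-status enable
        config hosts
            edit 1
                set ip 0.0.0.0 0.0.0.0
            next
        end
    next
end
config system snmp user
    edit "nms-ro"
        set security-level auth-no-priv
    next
end
"""

def parse_fortios(text):
    """Nest config/edit blocks into dicts; each 'set' value becomes a token list."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        if word in ("config", "edit"):
            stack.append(stack[-1].setdefault(rest.strip('"'), {}))
        elif word == "set":
            key, _, val = rest.partition(" ")
            stack[-1][key] = val.replace('"', "").split()
        elif word in ("next", "end"):
            stack.pop()
    return root

def audit_snmp(text):
    """Return findings for any-host communities, cleartext v1/v2c, and weak v3 levels."""
    cfg, findings = parse_fortios(text), []
    for cid, comm in cfg.get("system snmp community", {}).items():
        name = comm.get("name", [cid])[0]
        for ver in ("v1", "v2c"):
            if comm.get(f"query-{ver}-status", [""])[0] == "enable":
                findings.append(f"community {name}: SNMP {ver} queries enabled, community string travels in clear")
        for hid, host in comm.get("hosts", {}).items():
            if host.get("ip", [""])[0] == "0.0.0.0":
                findings.append(f"community {name}: host {hid} is 0.0.0.0, any SNMP manager may query")
    for uname, user in cfg.get("system snmp user", {}).items():
        level = user.get("security-level", ["unset"])[0]
        if level != "auth-priv":
            findings.append(f"v3 user {uname}: security-level {level}, only auth-priv authenticates and encrypts")
    return findings
```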

Enabling on the interface

Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections.

To configure SNMP access - GUI
  1. Go to Network > Interfaces.
  2. Choose an interface that an SNMP manager connects to and select Edit.
  3. In Administrative Access, select SNMP.
  4. Select OK.
To configure SNMP access - CLI

config system interface
    edit <interface_name>
        set allowaccess snmp
end

Note: If the interface you are configuring already has protocols that are allowed access, use the command append allowaccess snmp instead, or else the other protocols will be replaced. For more information, see Adding and removing options from lists.

Fortinet MIBs

The FortiGate SNMP agent supports Fortinet proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiGate unit configuration.

There are two MIB files for FortiGate units - the Fortinet MIB, and the FortiGate MIB. The Fortinet MIB contains traps, fields and information that is common to all Fortinet products. The FortiGate MIB contains traps, fields and information that is specific to FortiGate units. Each Fortinet product has its own MIB. If you use other Fortinet products you will need to download their MIB files as well. Both MIB files are used for FortiOS and FortiOS Carrier; there are no additional traps for the Carrier version of the operating system.

The Fortinet MIB and FortiGate MIB, along with the two RFC MIBs, are listed in tables in this section. You can download the two FortiGate MIB files from Fortinet Customer Support. The Fortinet MIB contains information for Fortinet products in general; the FortiGate MIB includes the system information for the FortiGate unit and the version of FortiOS. Both files are required for proper SNMP data collection.

To download the MIB files, go to System > SNMP and select a MIB link in the FortiGate SNMP MIB section.

Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIB to this database to have access to the Fortinet specific information.

Note: There were major changes to the MIB files between FortiOS Carrier v3.0 and v4.0. You need to use the new MIBs for FortiOS Carrier v4.0 or you may mistakenly access the wrong traps and fields.

MIB files are updated for each version of FortiOS. When upgrading the firmware, ensure that you update the Fortinet FortiGate MIB file as well.
Fortinet MIBs
MIB file name or RFC Description
FORTINET-CORE-MIB.mib The Fortinet MIB includes all system configuration information and trap information that is common to all Fortinet products.

Your SNMP manager requires this information to monitor FortiGate unit configuration settings and receive traps from the FortiGate SNMP agent.
FORTINET-FORTIGATE-MIB.mib The FortiGate MIB includes all system configuration information and trap information that is specific to FortiGate units.

Your SNMP manager requires this information to monitor FortiGate configuration settings and receive traps from the FortiGate SNMP agent. FortiManager systems require this MIB to monitor FortiGate units.
RFC-1213 (MIB II) The FortiGate SNMP agent supports MIB II groups with these exceptions.

•   No support for the EGP group from MIB II (RFC 1213, section 3.11 and 6.10).
•   Protocol statistics returned for MIB II groups (IP/ICMP/TCP/UDP/etc.) do not accurately capture all FortiGate traffic activity. More accurate information can be obtained from the information reported by the Fortinet MIB.
RFC-2665 (Ethernet-like MIB) The FortiGate SNMP agent supports Ethernet-like MIB information. FortiGate SNMP does not support the dot3Tests and dot3Errors groups.
Note: SNMP improvements for dynamic routing include support for RFC 4750 OSPF Version 2 Management Information Base and RFC 5643 Management Information Base for OSPFv3. These changes add the capability of logging dynamic routing activity. Examples include sending OSPF routing events or changes in neighbor status to a syslog server or FortiAnalyzer.

Device Detection for SNMP Traps in FortiOS 5.4.0

This setting is related to the device detection feature. It allows an SNMP trap to be sent when a new device comes online. Within the SNMP configuration there is a configurable timeout setting that periodically checks for the device. When a check determines that the device is present, a trap is sent.

In the GUI, when configuring an SNMP object, one of the settings under SNMP Events is a Device detected check box.

To configure the SNMP object in the CLI use the following syntax:

config system snmp community
    edit <community ID number>
        set name <string>
        set events device-new
end


In order to configure the idle timeout for the device, use the following syntax in the CLI:

config system global
    set device-idle-timeout <time_in_seconds>
end

The time value for the field can be set from 30 to 31536000.