snmp user
Use this command to configure an SNMP user, including which SNMP events the user is notified about, which hosts are notified, and, if queries are enabled, which port to listen on for them.
FortiOS implements the User-based Security Model (USM) of RFC 3414. You can require the user to authenticate with a password, and you can use encryption to protect communication with the user.
Syntax
config system snmp user
    edit <username>
        set auth-proto {md5 | sha}
        set auth-pwd <password>
        set events <event_string>
        set ha-direct {enable | disable}
        set notify-hosts <hosts_string>
        set notify-hosts6 <hosts_string>
        set priv-proto {aes | des | aes256}
        set priv-pwd <key>
        set queries {enable | disable}
        set query-port <port_int>
        set security-level <slevel>
        set source-ip <ipv4_addr>
        set source-ipv6 <ipv6_addr>
end
Variables

edit <username>
    Edit or add selected user.
    No default.

auth-proto {md5 | sha}
    Select authentication protocol:
        md5 — use HMAC-MD5-96 authentication protocol.
        sha — use HMAC-SHA-96 authentication protocol.
    This is only available if security-level is auth-priv or auth-no-priv.
    Default: sha

auth-pwd <password>
    Enter the user’s password. Maximum 32 characters.
    This is only available if security-level is auth-priv or auth-no-priv.
    No default.

events <event_string>
    Select which SNMP notifications to send. Add each event that should generate a notification to the string, separating multiple events with a space. Available events include:
        amc-bypass — an AMC bridge module has switched to bridge (bypass) mode
        av-bypass — AV bypass happens
        av-conserve — AV system enters conserve mode
        av-fragmented — AV detected fragmented file
        av-oversize — AV detected oversized file
        av-oversize-blocked — AV oversized files blocked
        av-oversize-passed — AV oversized files passed
        av-pattern — AV detected file matching pattern
        av-virus — AV detected virus
        cpu-high — CPU usage too high
        ent-conf-change — entity config change (RFC 4133)
        fan-failure — a cooling fan has failed
        faz-disconnect — FortiAnalyzer unit disconnected
        fm-conf-change — config change (FM trap)
        fm-if-change — interface IP change (FM trap)
        ha-hb-failure — HA heartbeat interface failure
        ha-member-down — HA cluster member down
        ha-member-up — HA cluster member up
        ha-switch — HA cluster status change
        intf-ip — interface IP address changed
        ips-anomaly — IPS detected an anomaly
        ips-pkg-update — IPS package updated
        ips-signature — IPS detected an attack
        log-full — available log space is low
        mem-low — available memory is low
        power-supply-failure — power supply failure
        vpn-tun-down — VPN tunnel is down
        vpn-tun-up — VPN tunnel is up
    Note: On the events field, the unset command clears all options.
    No default.

ha-direct {enable | disable}
    Enable direct management of cluster members.
    Enabling ha-direct in non-HA environments may disrupt SNMP.
    Default: disable

notify-hosts <hosts_string>
    Enter the IPv4 addresses to send SNMP notifications (SNMP traps) to when events occur. Separate multiple addresses with a space.
    No default.

notify-hosts6 <hosts_string>
    Enter the IPv6 addresses to send SNMP notifications (SNMP traps) to when events occur. Separate multiple addresses with a space.
    No default.

priv-proto {aes | des | aes256}
    Select privacy (encryption) protocol:
        aes — use CFB128-AES-128 symmetric encryption.
        des — use CBC-DES symmetric encryption.
        aes256 — use CFB128-AES-256 symmetric encryption.
    This is available if security-level is auth-priv.
    Default: aes

priv-pwd <key>
    Enter the privacy encryption key. Maximum 32 characters. This is available if security-level is auth-priv.
    No default.

queries {enable | disable}
    Enable or disable SNMP v3 queries for this user. Queries are used to determine the status of SNMP variables.
    Default: enable

query-port <port_int>
    Enter the number of the port used for SNMP v3 queries. If multiple versions of SNMP are supported, each version should listen on a different port.
    Default: 161

security-level <slevel>
    Set security level to one of:
        no-auth-no-priv — no authentication or privacy
        auth-no-priv — authentication but no privacy
        auth-priv — authentication and privacy
    Default: no-auth-no-priv

source-ip <ipv4_addr>
    Optionally, set a source IPv4 address to use in traps.
    Default: 0.0.0.0

source-ipv6 <ipv6_addr>
    Optionally, set a source IPv6 address to use in traps.
    Default: ::
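
With the defaults listed above, a user created without an explicit security-level is no-auth-no-priv with queries enabled on port 161. The Python sketch below is an added example, not part of the FortiOS documentation: it fills in those defaults for each user in a config system snmp user block and reports users that are not auth-priv or that select md5 or des. The sample block, the user names and the review policy are assumptions of this example.

```python
import shlex

# DEFAULTS mirrors this page's table; SAMPLE is constructed (password lines omitted).
DEFAULTS = {"security-level": "no-auth-no-priv", "auth-proto": "sha",
            "priv-proto": "aes", "queries": "enable", "query-port": "161"}
SAMPLE = '''config system snmp user
    edit "monitor"
        set notify-hosts 192.0.2.10
    next
    edit "legacy-nms"
        set security-level auth-priv
        set auth-proto md5
        set priv-proto des
    next
    edit "nms-ops"
        set security-level auth-priv
        set priv-proto aes256
    next
end'''

def parse_users(text):
    """Return {username: settings}, with the page's defaults filled in."""
    users, current, inside = {}, None, False
    for line in text.splitlines():
        if line.strip() == "config system snmp user":
            inside = True
        elif inside:
            tok = shlex.split(line)
            if tok[:1] == ["end"]:
                inside, current = False, None
            elif tok[:1] == ["edit"] and len(tok) == 2:
                current = users.setdefault(tok[1], dict(DEFAULTS))
            elif tok[:1] == ["set"] and len(tok) >= 3 and current is not None:
                current[tok[1]] = " ".join(tok[2:])
    return users

def audit(text):
    """Return {username: [findings]} under this example's review policy."""
    report = {}
    for name, s in parse_users(text).items():
        level, found = s["security-level"], []
        if level != "auth-priv":
            found.append(f"security-level {level} (queries {s['queries']}, port {s['query-port']})")
        if level != "no-auth-no-priv" and s["auth-proto"] == "md5":
            found.append("auth-proto md5 (HMAC-MD5-96)")
        if level == "auth-priv" and s["priv-proto"] == "des":
            found.append("priv-proto des (CBC-DES)")
        report[name] = found
    return report
```

Calling audit(SAMPLE) flags monitor for its inherited defaults and legacy-nms for md5 and des, and returns an empty list for nms-ops. The auth-proto and priv-proto checks apply only at the security levels where the table says those settings are available.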