system snmp community
Use this command to configure the FortiWeb appliance’s SNMP agent to belong to an SNMP community, and to select which events will cause the FortiWeb appliance to generate SNMP traps.
The FortiWeb appliance’s simple network management protocol (SNMP) agent allows queries for system information and can send traps (alarms or event messages) to the computer that you designate as its SNMP manager. In this way you can use an SNMP manager to monitor the FortiWeb appliance. You can add the IP addresses of up to eight SNMP managers to each community. These addresses designate the destination of traps and which IP addresses are permitted to query the FortiWeb appliance.
An SNMP community is a grouping of equipment for network administration purposes. You must configure your FortiWeb appliance to belong to at least one SNMP community so that community’s SNMP managers can query the FortiWeb appliance’s system information and receive SNMP traps from the FortiWeb appliance.
You can add up to three SNMP communities. Each community can have a different configuration for queries and traps, and a different set of events that trigger a trap. Use SNMP traps to notify the SNMP manager of a wide variety of types of events. Event types range from basic system events, such as high usage of resources, to when an attack type is detected or a specific rule is enforced by a policy.
Before you can use SNMP, you must activate the FortiWeb appliance’s SNMP agent (see “config system snmp sysinfo”) and add it as a member of at least one community. You must also enable SNMP access on the network interface through which the SNMP manager will connect. (See “config system interface”.)
On the SNMP manager, you must also verify that the SNMP manager is a member of the community to which the FortiWeb appliance belongs, and compile the necessary Fortinet proprietary management information bases (MIBs) and Fortinet-supported standard MIBs. For information on MIBs, see the FortiWeb Administration Guide.
To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For more information, see “Permissions”.
Syntax
config system snmp community
  edit <community_index>
    set status {enable | disable}
    set name <community_str>
    set events {cpu-high | intf-ip | log-full | mem-low | netlink-down-status | netlink-up-status | policy-start | policy-stop | pserver-failed | sys-ha-hbfail | sys-mode-change | waf-access-attack | waf-amethod-attack | waf-blogin-attack | waf-hidden-fields | waf-pvalid-attack | waf-signature-detection | waf-url-access-attack | waf-spage-attack}
    set query-v1-port <port_int>
    set query-v1-status {enable | disable}
    set query-v2c-port <port_int>
    set query-v2c-status {enable | disable}
    set trap-v1-lport <port_int>
    set trap-v1-rport <port_int>
    set trap-v1-status {enable | disable}
    set trap-v2c-lport <port_int>
    set trap-v2c-rport <port_int>
    set trap-v2c-status {enable | disable}
    config hosts
      edit <snmp-manager_index>
        set interface <interface_name>
        set ip <manager_ipv4>
      next
    end
  next
end
Variable
Description
Default
<community_index>
Type the index number of a community to which the FortiWeb appliance belongs. The valid range is from 1 to 9,999,999,999,999,999,999.
No default.
status {enable | disable}
Enable to activate the community.
This setting takes effect only if the SNMP agent is enabled. For details, see “config system snmp sysinfo”.
disable
name <community_str>
Type the name of the SNMP community to which the FortiWeb appliance and at least one SNMP manager belong. The maximum length is 35 characters.
The FortiWeb appliance will not respond to SNMP managers whose query packets do not contain a matching community name. Similarly, trap packets from the FortiWeb appliance will include the community name, and an SNMP manager may not accept the trap if its community name does not match.
No default.
events {cpu-high | intf-ip | log-full | mem-low | netlink-down-status | netlink-up-status | policy-start | policy-stop | pserver-failed | sys-ha-hbfail | sys-mode-change | waf-access-attack | waf-amethod-attack | waf-blogin-attack | waf-hidden-fields | waf-pvalid-attack | waf-signature-detection | waf-url-access-attack | waf-spage-attack}
Type one or more of the following SNMP event names to cause the FortiWeb appliance to send traps when those events occur. Traps will be sent to the SNMP managers in this community. You must also enable traps (see trap-v1-status and trap-v2c-status).
cpu-high — CPU usage has exceeded 80%.
intf-ip — A network interface’s IP address has changed. See “config system interface”.
log-full — Local log disk space usage has exceeded 80%. If the space is consumed and a new log message is triggered, the FortiWeb appliance will either drop it or overwrite the oldest log message, depending on your configuration. See “config log disk”.
mem-low — Memory (RAM) usage has exceeded 80%.
netlink-down-status — A network interface has been brought down (disabled). This could be due to either an administrator changing the network interface’s settings, or due to HA executing a failover.
netlink-up-status — A network interface has been brought up (enabled). This could be due to either an administrator changing the network interface’s settings, or due to HA executing a failover.
policy-start — A policy was enabled. See “config server-policy policy”.
policy-stop — A policy was disabled. See “config server-policy policy”.
pserver-failed — A server health check has determined that a physical server that is a member of a server farm is now unavailable. See “config server-policy policy”.
sys-ha-hbfail — An HA failover is occurring. See “config system ha”.
sys-mode-change — The operation mode was changed. See “config system settings”.
waf-access-attack — FortiWeb enforced a page access rule. See “config waf page-access-rule”.
waf-blogin-attack — FortiWeb detected a brute force login attack. See “config waf brute-force-login”.
waf-hidden-fields — FortiWeb detected a hidden fields attack.
waf-pvalid-attack — FortiWeb enforced an input/parameter validation rule. See “config waf parameter-validation-rule”.
waf-signature-detection — FortiWeb enforced a signature rule. See “config waf signature”.
waf-url-access-attack — FortiWeb enforced a URL access rule. See “config waf url-access url-access-rule”.
waf-spage-attack — FortiWeb enforced a start page rule. See “config waf start-pages”.
No default.
query-v1-port <port_int>
Type the port number on which the FortiWeb appliance will listen for SNMP v1 queries from the SNMP managers of the community. The valid range is from 1 to 65,535.
161
query-v1-status {enable | disable}
Enable to respond to queries using the SNMP v1 version of the SNMP protocol.
enable
query-v2c-port <port_int>
Type the port number on which the FortiWeb appliance will listen for SNMP v2c queries from the SNMP managers of the community. The valid range is from 1 to 65,535.
161
query-v2c-status {enable | disable}
Enable to respond to queries using the SNMP v2c version of the SNMP protocol.
enable
trap-v1-lport <port_int>
Type the port number that will be the source (also called local) port number for SNMP v1 trap packets. The valid range is from 1 to 65,535.
162
trap-v1-rport <port_int>
Type the port number that will be the destination (also called remote) port number for SNMP v1 trap packets. The valid range is from 1 to 65,535.
162
trap-v1-status {enable | disable}
Enable to send traps using the SNMP v1 version of the SNMP protocol.
enable
trap-v2c-lport <port_int>
Type the port number that will be the source (also called local) port number for SNMP v2c trap packets. The valid range is from 1 to 65,535.
162
trap-v2c-rport <port_int>
Type the port number that will be the destination (also called remote) port number for SNMP v2c trap packets. The valid range is from 1 to 65,535.
162
trap-v2c-status {enable | disable}
Enable to send traps using the SNMP v2c version of the SNMP protocol.
enable
<snmp-manager_index>
Type the index number of an SNMP manager for the community. The valid range is from 1 to 9,999,999,999,999,999,999.
No default.
interface <interface_name>
Type the name of the network interface from which the FortiWeb appliance will send traps and reply to queries. The maximum length is 35 characters.
Note: You must select a specific network interface if the SNMP manager is not on the same subnet as the FortiWeb appliance. This can occur if the SNMP manager is on the Internet or behind a router.
Note: This setting only applies to the interface sending SNMP traffic. To configure the receiving interface, see “config system interface”.
No default.
ip <manager_ipv4>
Type the IP address of the SNMP manager that, if traps and/or queries are enabled in this community:
will receive traps from the FortiWeb appliance
will be permitted to query the FortiWeb appliance
SNMP managers have read-only access.
To allow any IP address using this SNMP community name to query the FortiWeb appliance, enter 0.0.0.0.
Note: Entering 0.0.0.0 effectively disables traps if there are no other host IP entries, because there is no specific destination for trap packets. If you do not want to disable traps, you must add at least one other entry that specifies the IP address of an SNMP manager.
No default.
Example
For an example, see “config system snmp sysinfo”.
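An audit of a community definition against the behaviors described in the variable table, as an added example that is not Fortinet code: it flags a 0.0.0.0 host entry that opens queries to any IP address, traps that have no specific destination, and protocol versions that are on only because of their defaults. SAMPLE is constructed, the finding labels are hypothetical, and any setting absent from the audited text is assumed to take the default listed on this page.

```python
# Added example; SAMPLE is constructed. Defaults come from this page's Default column,
# and a setting absent from the audited text is assumed to take that default.
DEFAULTS = {"query-v1-status": "enable", "query-v2c-status": "enable",
            "trap-v1-status": "enable", "trap-v2c-status": "enable"}

def parse_communities(text):
    """Return one dict of explicit settings per community, each with a 'hosts' list."""
    communities, in_hosts = [], False
    for line in map(str.strip, text.splitlines()):
        if line in ("config hosts", "end"):
            in_hosts = line == "config hosts"
        elif line.startswith("edit "):
            owner = communities[-1]["hosts"] if in_hosts else communities
            owner.append({"index": line[5:], "hosts": []})
        elif line.startswith("set ") and communities:
            target = communities[-1]["hosts"][-1] if in_hosts else communities[-1]
            key, _, value = line[4:].partition(" ")
            target[key] = value.strip().strip('"')
    return communities

def audit(text):
    """Return (community index, finding) pairs; finding labels are hypothetical."""
    findings = []
    # status defaults to disable, so only explicitly enabled communities are active.
    for c in (c for c in parse_communities(text) if c.get("status") == "enable"):
        eff = {**DEFAULTS, **c}
        ips = {h.get("ip") for h in c["hosts"]}
        on = lambda kind: "enable" in (eff[kind + "-v1-status"], eff[kind + "-v2c-status"])
        if on("query") and "0.0.0.0" in ips:  # any IP with the community name may query
            findings.append((c["index"], "query-from-any-ip"))
        if on("trap") and not ips - {None, "0.0.0.0"}:  # no specific trap destination
            findings.append((c["index"], "traps-have-no-destination"))
        findings += [(c["index"], "enabled-by-default:" + k) for k in DEFAULTS if k not in c]
    return findings

SAMPLE = """\
config system snmp community
edit 1
set status enable
set name example-community
set query-v1-status disable
config hosts
edit 1
set ip 0.0.0.0
next
end
next
end
"""
```

Calling audit(SAMPLE) returns five findings for community 1; replacing 0.0.0.0 with a specific manager address and setting all four status options explicitly returns an empty list.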
Related topics
config system snmp sysinfo
config system interface
config server-policy policy