FortiGate
lpetit_FTNT, Staff
Article Id 191486

Description

This article describes how to modify the SNMP community strings on the Shelf Manager that are used for SNMP polling.

 

Follow the steps below:

1. Connect to the Shelf Manager (SM) via console.
2. Edit the snmpd.conf file using the "vi" command.
3. Replace the public/private communities with your own communities.
4. Save and quit snmpd.conf.
5. Using the "ps" command, identify the process id of snmpd.
6. Kill this process.
7. Restart this process.

 

This is an example.

Step 1

entry login: xxxxxxxxxxxx
Password: xxxxxxxxxxxx
# cd /etc

 

Step 2

# vi snmpd.conf

###############################################################################
#
# snmpd.conf: configuration file for the NET-SNMP agent.
#
###############################################################################
#
# All lines beginning with a '#' are comments and are intended for you to read.
# All other lines are configuration commands for the agent.
# See snmpd.conf(5) manual page for further details.
#

###############################################################################
# Access Control
###############################################################################
#
# By default, the agent responds to the "public" community for read-only access
# if run out of the box without any configuration file in place.  The following
# user configuration is needed for SNMP v3 access.  Also AgentX support in SNMP
# master agent is enabled in this section.
#
rwuser      overlord
createUser  overlord MD5 possessor DES
engineID    "PPS_ShMM_NetSNMPd"
master      agentx

# The following lines  change the access permissions of the agent  so that the
# COMMUNITY string provides read-only access to your entire NETWORK (default),
# and read/write access only to localhost (127.0.0.1, not its real ipaddress).
# Note that it is needed for SNMP versions 1 and 2.

####
# First, map "public" community name (COMMUNITY) into a security name
# (local and mynetwork, depending on where the request is coming from):
#
#       sec.name    source      community
com2sec local       localhost   yourwritecommunity         ------------------> change this (step 3)
com2sec mynetwork   default     yourreadcommunity          ------------------> change this (step 3)

####
# Second, map the security names into group names:
#
#                   sec.model   sec.name
group   MyRWGroup   v1          local
group   MyRWGroup   v2c         local
group   MyRWGroup   usm         local
group   MyRWGroup   v1          mynetwork
group   MyRWGroup   v2c         mynetwork
group   MyRWGroup   usm         mynetwork

####
# Third, create a view for us to let the groups have rights to:
#
#       incl/excl       subtree     mask
view    all included    .1          80

####
# Finally, grant the 2 groups access to the 1 view with different write
# permissions:
#
#                  context  sec.model  sec.level  match  read  write  notif
access  MyROGroup  ""       any        noauth     exact  all   none   none
access  MyRWGroup  ""       any        noauth     exact  all   all    none

###############################################################################
# System contact information
###############################################################################
#
# It is possible to set the sysContact and sysLocation system variables through
# the snmpd.conf file:
#
syslocation PPS Shelf Manager Mezzanine Module
syscontact PPS <support@pigeonpoint.com>

:wq            --------------------> to save and quit  (Step 4)

 

 

Step 5

Identify the process id for snmpd.

# ps
  PID  Uid     VmSize Stat Command
    1 root        660 S   init
    2 root            SW  [keventd]
    3 root            RWN [ksoftirqd_CPU0]
    4 root            SW  [kswapd]
    5 root            SW  [bdflush]
    6 root            SW  [kupdated]
    9 root            SW  [mtdblockd]
   10 root            SW  [khubd]
   59 root            SWN [jffs2_gcd_mtd0]
   63 root            SWN [jffs2_gcd_mtd10]
   87 root        680 S   syslogd -s 250000
   92 root        660 S   klogd
   97 root            SWN [jffs2_gcd_mtd1]
  144 root        732 S   /bin/inetd
  180 root        620 S   /bin/httpd -h /usr/httpd/html
  185 root       3300 S   shelfman -sf
  192 root        608 S   /bin/getty 0 ttyS0 vt100
  193 root        612 S   /bin/getty 115200 ttyS1 vt100
  194 root       3300 S   shelfman -sf
  195 root       3300 S   shelfman -sf
  196 root       3300 S   shelfman -sf
  197 root       3300 S   shelfman -sf
  198 root       3300 S   shelfman -sf
  199 root       3300 S N shelfman -sf
  200 root       3300 S   shelfman -sf
  201 root       3300 S   shelfman -sf
  202 root       3300 S   shelfman -sf
  203 root       3300 S   shelfman -sf
  204 root       3300 S   shelfman -sf
  205 root       3300 S   shelfman -sf
  206 root       3300 S   shelfman -sf
  207 root       3300 S   shelfman -sf
  208 root       3300 S   shelfman -sf
  209 root       3300 S   shelfman -sf
  210 root       3300 S   shelfman -sf
  213 root       3300 S   shelfman -sf
  214 root       3300 S   shelfman -sf
  216 root       3300 S   shelfman -sf
  217 root       3300 S   shelfman -sf
  230 root       3300 S   shelfman -sf
  293 root        496 S   telnetd
  294 root        796 S   -sh
  301 root        496 S   telnetd
  302 root        828 S   -sh
  307 root        696 S   clia
  848 root        688 S   clia
  930 root       2264 S   snmpd -c /etc/snmpd.conf
  933 root        676 R   vi snmpd.conf
  935 root        496 S   telnetd
  936 root        796 S   -sh
  941 root        740 R   ps

 

 

# kill -9 930

The pid must be the number you noted above for your "snmpd -c /etc/snmpd.conf" process (step 6).

Then restart the process (step 7):

# daemon -f snmpd -c /etc/snmpd.conf

You can additionally verify that the process has restarted by running "ps" again.

Make sure that a new pid has been assigned to snmpd, meaning the process has properly restarted.

 

 

 

How to verify that the new communities are working on the Shelf Manager

Verification can be made with any tool sending SNMP queries (iReasoning) and a sniffer (Wireshark).
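The com2sec/group/access chain of the file shown above can also be resolved in code before the restart. The following is an added example, not part of the Fortinet article or the Shelf Manager firmware; SAMPLE_CONF is constructed from the lines printed above (comments and the SNMPv3/agentx lines left out) and the new community names are placeholders. It reports which communities obtain a write view for requests from any source (`default`): in the shipped lines that is `yourreadcommunity`, because `mynetwork` is mapped to MyRWGroup, and renaming the communities in step 3 changes the names but not those rights.

```python
import re
from collections import defaultdict

# Constructed sample: the com2sec/group/access lines of the Shelf Manager
# snmpd.conf shown above (comments and the SNMPv3/agentx lines left out).
SAMPLE_CONF = """\
com2sec local       localhost   yourwritecommunity
com2sec mynetwork   default     yourreadcommunity
group   MyRWGroup   v1          local
group   MyRWGroup   v2c         local
group   MyRWGroup   v1          mynetwork
group   MyRWGroup   v2c         mynetwork
access  MyROGroup  ""       any        noauth     exact  all   none   none
access  MyRWGroup  ""       any        noauth     exact  all   all    none
"""

def parse_conf(text):
    """Split snmpd.conf into com2sec rows, sec.name -> groups, group -> (read, write)."""
    com2sec, groups, access = [], defaultdict(list), {}
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()            # drop comments, tokenize
        if tok[:1] == ["com2sec"] and len(tok) == 4:
            com2sec.append((tok[1], tok[2], tok[3]))     # sec.name, source, community
        elif tok[:1] == ["group"] and len(tok) == 4:
            groups[tok[3]].append((tok[1], tok[2]))      # sec.name -> (group, sec.model)
        elif tok[:1] == ["access"] and len(tok) == 9:
            access[tok[1]] = (tok[6], tok[7])            # group -> (read view, write view)
    return com2sec, groups, access

def community_rights(text):
    """Resolve each community to its effective (source, sec.model, read, write) rows."""
    com2sec, groups, access = parse_conf(text)
    rights = defaultdict(list)
    for secname, source, community in com2sec:
        for grp, model in groups.get(secname, []):
            read, write = access.get(grp, ("none", "none"))
            rights[community].append((source, model, read, write))
    return dict(rights)

def writable_from_anywhere(text):
    """Communities that hold a write view for requests from any source ('default')."""
    return sorted(c for c, rows in community_rights(text).items()
                  if any(src == "default" and w != "none" for src, _, _, w in rows))

def set_communities(text, mapping):
    """Step 3 in code: rewrite the community field of each com2sec line per mapping."""
    return re.sub(r"^(com2sec\s+\S+\s+\S+\s+)(\S+)",
                  lambda m: m.group(1) + mapping.get(m.group(2), m.group(2)),
                  text, flags=re.M)
```

Run it against a copy of /etc/snmpd.conf taken from the Shelf Manager after step 4; an empty list from writable_from_anywhere() is what the file's own comments describe.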

 

 


Scope

Shelf Manager
Community strings

 

 

