FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
yujames
Staff
Article Id 193643
Description
This article describes how to add a known device that FortiSIEM discovers as "Generic" so that it is assigned the correct vendor, model and hardware model. FortiSIEM derives this information from the sysDescr string the device returns over SNMP; if that string is not detailed enough, FortiSIEM cannot identify the vendor and model and classifies the device as "Generic". The simplest fix is to make the device return a more descriptive sysDescr, but some devices do not allow the system description to be edited. The alternative below maps the device's sysObjectID to the correct vendor and model in a user-maintained CSV file that FortiSIEM consults during discovery.
Solution
Here is a step by step guide:

1. Obtain the Following Information for the "Generic" Device:
Vendor
Model
Hardware Model

e.g.
Vendor: HP
Model: ProCurve Switch
Hardware Model: 5406

2. Query the device's sysObjectID. sysObjectID.0 is a scalar, so snmpget also works, but the snmpwalk form from the related article is shown here:
# snmpwalk -v 2c -c <community string> <ip> sysObjectID.0

e.g.
# snmpwalk -v 2c -c public 172.30.59.133 sysObjectID.0
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.11.2.3.7.11.160

The OID is printed in the SNMPv2-SMI::enterprises.* form only when no vendor MIB for the device is loaded on the host running snmpwalk; with a vendor MIB loaded, net-snmp prints the MIB's symbolic name instead. The entry added in step 4 uses the form shown above, so take the value from a host with only the default MIBs.

3. Open userSnmpSysObjId.csv for editing (path below). Each row of this file maps a sysObjectID to a Vendor, Model and Hardware Model:
# vi /opt/phoenix/config/userSnmpSysObjId.csv

4. Insert the following entry into the file:
ORIGINAL EMPTY FILE EXAMPLE:
Vendor,Model,hwModel,OID


FILLED IN EXAMPLE:
Vendor,Model,hwModel,OID
HP,ProCurve Switch,5406,SNMPv2-SMI::enterprises.11.2.3.7.11.160

5. Save the Changes

6. Repeat steps 3 to 5 on every FortiSIEM node. A device can be discovered by any node, so the mapping must be present on all of them for the device to be classified correctly wherever it is discovered.

7. Additional Information:
 
7.1 If the file does not exist, create it with the name and path given in step 3, starting with the header line shown in step 4.
7.2 Add the following entries to /opt/phoenix/config/phoenix_config.txt if they are not already present:
system_snmp_sysObjId_file=/opt/phoenix/config/systemSnmpSysObjId.csv
user_snmp_sysObjId_file=/opt/phoenix/config/userSnmpSysObjId.csv
Make sure both lines sit inside the "phDiscover" attribute block, i.e. between [BEGIN phDiscover] and its [END].

Eg.
[BEGIN phDiscover]
command_port = 7928
discover_get_uri =phoenix/rest/deviceInfo
discover_put_uri =phoenix/rest/discovered/discover
discover_service_path=phoenix/rest/config/service
discover_package_path=phoenix/rest/config/applicationPackage
task_status_put_uri=phoenix/rest/sync/task/status
discover_from_file=1 #0:from network; 1:from file
discover_file_dir=/opt/phoenix/config/discoverFile #not reqd if prev flag is 0
system_snmp_sysObjId_file=/opt/phoenix/config/systemSnmpSysObjId.csv
user_snmp_sysObjId_file=/opt/phoenix/config/userSnmpSysObjId.csv
snmpwalk_timeout = 300 # seconds
system_call_timeout = 300 # seconds
vm_discov_timeout = 900 # 15 minutes
snmpwalk_v1_packet_timeout = 5 # second
snmpwalk_v2_packet_timeout = 5 # second
bgp_max_discov_count = -1 # max number of auto discoveries in one hour (set to -1 to disable auto discover)
discover_compress_threshold = 2048
snmp_ping_times=5
wmi_ping_times=5
[END]
7.3 Restart phDiscover after editing phoenix_config.txt so that it re-reads the configuration and the CSV: killall -9 phDiscover
Then confirm the process has come back up before re-running discovery: ps -ef | grep '[p]hDiscover'
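The following shell functions are an added example of steps 2 to 7.2 that is not part of this article or of FortiSIEM itself: they extract the OID from the snmpwalk output line, append a userSnmpSysObjId.csv row without duplicating an OID that is already mapped, creating the file with its header if it is missing, and check that a key sits inside the [BEGIN phDiscover] block of phoenix_config.txt rather than anywhere in the file. The function names and the CSV/config path parameters are assumptions made for the example; pass a scratch file first and only then the real paths under /opt/phoenix/config.

```shell
#!/bin/sh
# Added example, not Fortinet's code. Helpers for maintaining
# userSnmpSysObjId.csv and checking phoenix_config.txt; function
# names are hypothetical.

# Extract the OID text from an snmpwalk/snmpget output line such as
#   SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.11.2.3.7.11.160
# Prints only the part after "OID: ".
oid_from_snmp_output() {
    printf '%s\n' "$1" | sed -n 's/^.*= OID: *//p'
}

# Query a live device (community, ip). sysObjectID.0 is a scalar, so snmpget
# is enough; this needs network access and is not exercised offline.
query_sysobjectid() {
    oid_from_snmp_output "$(snmpget -v 2c -c "$1" "$2" sysObjectID.0)"
}

# Append "Vendor,Model,hwModel,OID" to the CSV (args: csv vendor model hwmodel oid).
# Creates the file with its header if missing. Returns 0 when a row was added,
# 1 when the OID is already mapped, 2 on empty fields or fields containing a
# comma (which would shift the columns).
add_sysobjid_mapping() {
    csv=$1; vendor=$2; model=$3; hwmodel=$4; oid=$5
    [ -n "$vendor" ] && [ -n "$model" ] && [ -n "$hwmodel" ] && [ -n "$oid" ] || return 2
    case "$vendor$model$hwmodel$oid" in *,*) return 2 ;; esac
    [ -f "$csv" ] || printf 'Vendor,Model,hwModel,OID\n' > "$csv"
    # Compare the whole 4th column so dots in the OID are not treated as regex.
    if awk -F, -v o="$oid" '$4 == o {found=1} END {exit !found}' "$csv"; then
        return 1
    fi
    printf '%s,%s,%s,%s\n' "$vendor" "$model" "$hwmodel" "$oid" >> "$csv"
}

# Return 0 if "key=" appears between [BEGIN phDiscover] and the next [END]
# of the given config file (args: config key), 1 otherwise. A key placed in
# another block or outside any block does not count.
phdiscover_has_key() {
    awk -v k="$2" '
        /^\[BEGIN phDiscover\]/ { inblk = 1; next }
        /^\[END\]/              { inblk = 0 }
        inblk && $0 ~ ("^" k "[ \t]*=") { found = 1 }
        END { exit !found }' "$1"
}
```

Usage on a node: `oid=$(query_sysobjectid public 172.30.59.133)`, then `add_sysobjid_mapping /opt/phoenix/config/userSnmpSysObjId.csv HP "ProCurve Switch" 5406 "$oid"`, and `phdiscover_has_key /opt/phoenix/config/phoenix_config.txt user_snmp_sysObjId_file || echo "add the key to the phDiscover block"` before restarting phDiscover.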

Related Articles

Technical Note: FortiSIEM testing SNMP from the command line
