sachitdas_FTNT
Article Id 196381
Description
This article describes how to configure SNMP on a managed FortiSwitch.

Related link: https://docs.fortinet.com/product/fortiswitch/6.2

Refer to the switch administration and CLI guides for more information about SNMP configuration:
Page 53: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/b895b007-f1f3-11e9-8977-005056...
Page 193: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/e02f7122-2d83-11ea-9384-005056...

Refer to the managed FortiSwitch guide for more information about custom commands:
Page 131: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/d25d773a-37d0-11ea-9384-005056...


Solution

Starting from FortiOS 6.2.1, it is possible to configure SNMP on the FortiGate; refer to page 71: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/d25d773a-37d0-11ea-9384-005056...

Prior to FortiOS v6.2.1, use custom commands on the FortiGate to push the SNMP configuration to the FortiSwitch.


Configuration example:


1) Allow SNMP on the switch internal interface. This can be configured globally on the FortiGate switch controller, in which case it is pushed to all switches, or by creating a custom command and pushing the configuration to individual switches.

 a) Using the switch-controller global configuration. Refer to page 70: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/d25d773a-37d0-11ea-9384-005056...

# config switch-controller security-policy local-access
    edit "default"
        set mgmt-allowaccess https ping ssh snmp
        set internal-allowaccess https ping ssh snmp
    end


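 b) Using a custom command on the FortiGate to allow SNMP. The allowaccess list in this example also enables http and telnet, which are unencrypted management protocols; list only the protocols that are actually needed.

# config switch-controller custom-command
    edit snmp1
        set command "config system interface %0a edit internal %0a set allowaccess http https ping snmp ssh telnet %0a end %0a"
    next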

 

2) Configure the SNMP details such as the community name and the SNMP server IP address, continuing in the same custom-command table:

    edit snmp2
        set command "config system snmp community %0a edit 2 %0a config hosts %0a edit 1 %0a set interface internal %0a set ip 1.1.1.1 255.255.255.0 %0a next %0a end %0a set name community %0a next %0a end %0a"
    next
    edit snmp3
        set command "config system snmp sysinfo %0a set contact-info test2 %0a set description test %0a set location test1 %0a set status enable %0a end %0a"
    end

In this example, 1.1.1.1 is the IP address of the SNMP server and 255.255.255.0 is the subnet mask.
"community" is the SNMP community name.

 

3) Push the commands to the switches. The value after "edit" is the serial number of the switch that receives the commands, and each command-name must match the custom-command name exactly, with no leading space.

# config switch-controller managed-switch
    edit "S124EN591801029"
        config custom-command
            edit "1"
                set command-name "snmp1"
            next
            edit "2"
                set command-name "snmp2"
            next
            edit "3"
                set command-name "snmp3"
            next
        end
    next
end

 

4) Create a policy from the FortiGate CLI with the FortiLink interface as the incoming interface and the interface where the SNMP server is connected as the outgoing interface:

# config firewall policy
    edit 1
        set srcintf <fortilink interface name>
        set dstintf <interface name where SNMP server is located>
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SNMP" "ALL_ICMP" "PING"
        set nat enable
    end

Note:

- The FortiLink interface (the interface used to manage the FortiSwitch) is not visible in the GUI under Policy -> Source/Destination Interface, which is why the policy must be created from the CLI.

- Download the MIB files from the support site:

https://support.fortinet.com/Download/FirmwareImages.aspx

Image File Path / FortiSwitch/ v6.00/ 6.2/ 6.2.0/ MIB/
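
The custom commands in steps 1 b) and 2 pack FortiSwitch CLI lines into a single string separated by %0a. The following Python is an added example, not Fortinet code and not part of the original article: it builds and unpacks such strings and flags unencrypted access protocols or well-known community names before a command is pushed. The function names, the audit rules and the second sample command are assumptions made for illustration.

```python
# Added example: function names and audit rules are assumptions, not Fortinet tooling.
CLEARTEXT = {"http", "telnet"}               # management protocols without encryption
DEFAULT_COMMUNITIES = {"public", "private"}  # widely known SNMP community names

def encode_custom_command(cli_text):
    """Join multi-line switch CLI into one '%0a'-separated string, as on this page."""
    lines = [ln.strip() for ln in cli_text.splitlines() if ln.strip()]
    return " %0a ".join(lines) + " %0a"

def decode_custom_command(command):
    """Split a custom-command string back into the CLI lines it contains."""
    return [part.strip() for part in command.split("%0a") if part.strip()]

def audit_custom_command(command):
    """Return (context, finding) pairs for risky settings in one custom command."""
    findings, path = [], []
    for line in decode_custom_command(command):
        words = line.split()
        if words[0] in ("config", "edit"):
            path.append(line)
        elif words[0] == "next":
            if path and path[-1].startswith("edit"):
                path.pop()
        elif words[0] == "end":
            # 'end' closes the current config block and any edit still open in it
            while path and not path.pop().startswith("config"):
                pass
        elif words[:2] == ["set", "allowaccess"]:
            weak = sorted(CLEARTEXT & set(words[2:]))
            if weak:
                findings.append((" > ".join(path), "cleartext access: " + " ".join(weak)))
        elif words[:2] == ["set", "name"] and path and path[0] == "config system snmp community":
            if len(words) > 2 and words[2].strip('"').lower() in DEFAULT_COMMUNITIES:
                findings.append((" > ".join(path), "default community: " + words[2]))
    return findings

# snmp1 as written on this page; the second command is constructed for illustration
SNMP1 = "config system interface %0a edit internal %0a set allowaccess http https ping snmp ssh telnet %0a end %0a"
CONSTRUCTED = encode_custom_command("""
config system snmp community
    edit 2
        set name public
    next
end
""")

if __name__ == "__main__":
    for name, cmd in (("snmp1", SNMP1), ("constructed", CONSTRUCTED)):
        print(name, audit_custom_command(cmd))
```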

 


Related Articles

Technical Note : Download FortiSwitch and FortiCore SNMP MIBs
