Refer to the managed FortiSwitch guide to learn more about custom commands:
page 131, https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/d25d773a-37d0-11ea-9384-005056...
Starting from FortiOS 6.2.1, configuring SNMP on FortiGate is possible; refer to page 71, https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/d25d773a-37d0-11ea-9384-005056...
Prior to FortiOS v6.2.1, use custom-commands on FortiGate to push SNMP configuration to FortiSwitch.
Configuration example:
1) Allow SNMP on the switch internal interface. You can configure this globally on the FortiGate switch-controller, which pushes it to all switches, or create a custom command and push the configuration to individual switches.
a) Using the switch-controller global configuration. Refer to page 70, https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/d25d773a-37d0-11ea-9384-005056...
# config switch-controller security-policy local-access
edit "default"
(default) # set mgmt-allowaccess https ping ssh snmp
(default) # set internal-allowaccess https ping ssh snmp
(default) # end
b) Using a custom command on FortiGate to allow SNMP:
# config switch-controller custom-command
(custom-command) edit snmp1
(snmp1) set command "config system interface %0a edit internal %0a set allowaccess http https ping snmp ssh telnet %0a end %0a"
(snmp1) next
2) Configure SNMP details such as the community name and the SNMP server IP address.
(custom-command) edit snmp2
(snmp2) set command "config system snmp community %0a edit 2 %0a config hosts %0a edit 1 %0a set interface internal %0a set ip 1.1.1.1 255.255.255.0 %0a next %0a end %0a set name community %0a next %0a end %0a"
In this example, 1.1.1.1 is the IP address of the SNMP server and 255.255.255.0 is the subnet mask. "community" is the SNMP community name.
(snmp2) next
(custom-command) edit snmp3
(snmp3) set command "config system snmp sysinfo %0a set contact-info test2 %0a set description test %0a set location test1 %0a set status enable %0a end %0a"
(snmp3) end
3) Push the commands to the switches (the serial number in the edit line is the serial number of the switch):
# config switch-controller managed-switch
    edit "S124EN591801029"
        config custom-command
            edit "1"
                set command-name "snmp1"
            next
            edit "2"
                set command-name "snmp2"
            next
            edit "3"
                set command-name "snmp3"
            next
        end
    next
end
4) Create a policy from the FortiGate CLI with the FortiLink interface as the incoming interface and the interface where the SNMP server is connected as the outgoing interface:
# config firewall policy
    edit 1
        set srcintf <fortilink interface name>
        set dstintf <interface name where SNMP server is located>
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SNMP" "ALL_ICMP" "PING"
        set nat enable
end
Note:
- The FortiLink interface (the interface used to manage FortiSwitch) is not visible in the GUI under Policy -> Source/Destination Interface, which is why the policy must be created from the CLI.
- Download the MIB files from the support site:
https://support.fortinet.com/Download/FirmwareImages.aspx
Image File Path: / FortiSwitch/ v6.00/ 6.2/ 6.2.0/ MIB/
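The custom-command strings in steps 1b and 2 carry FortiSwitch CLI on a single line, with %0a as the line separator. The following Python helper is an added example, not Fortinet code (the function names encode, decode and lint are hypothetical): it builds such a string from multi-line CLI, checks that every config/edit block is closed, and reports when allowaccess enables the cleartext protocols http or telnet.

```python
# Added example: helper names are hypothetical, not Fortinet tooling.
CLEARTEXT = {"http", "telnet"}  # management protocols that are not encrypted

def encode(cli_text):
    """Join FortiSwitch CLI lines into one custom-command string using %0a."""
    lines = [ln.strip() for ln in cli_text.splitlines() if ln.strip()]
    return "".join(ln + " %0a " for ln in lines).strip()

def decode(command):
    """Split a custom-command string back into individual CLI lines."""
    return [part.strip() for part in command.split("%0a") if part.strip()]

def lint(command):
    """Return a list of findings for one custom-command string."""
    findings, stack = [], []
    for n, line in enumerate(decode(command), 1):
        words = line.split()
        verb = words[0]
        if verb in ("config", "edit"):
            stack.append(verb)
        elif verb == "next":
            if not stack or stack.pop() != "edit":
                findings.append(f"line {n}: 'next' without an open 'edit'")
        elif verb == "end":
            if stack and stack[-1] == "edit":
                stack.pop()  # 'end' inside an edit also closes it, as in snmp1
            if not stack or stack.pop() != "config":
                findings.append(f"line {n}: 'end' without an open 'config'")
        elif words[:2] == ["set", "allowaccess"]:
            weak = sorted(CLEARTEXT & set(words[2:]))
            if weak:
                findings.append(f"line {n}: cleartext access enabled: {' '.join(weak)}")
    if stack:
        findings.append(f"unclosed block(s): {' > '.join(stack)}")
    return findings

# The snmp1 and snmp2 strings from this article, plus a constructed broken one.
SNMP1 = ("config system interface %0a edit internal %0a "
         "set allowaccess http https ping snmp ssh telnet %0a end %0a")
SNMP2 = ("config system snmp community %0a edit 2 %0a config hosts %0a edit 1 %0a "
         "set interface internal %0a set ip 1.1.1.1 255.255.255.0 %0a next %0a end %0a "
         "set name community %0a next %0a end %0a")
BROKEN = "config system snmp sysinfo %0a set status enable %0a"  # constructed: no 'end'

if __name__ == "__main__":
    for name, cmd in (("snmp1", SNMP1), ("snmp2", SNMP2), ("broken", BROKEN)):
        print(name, lint(cmd) or "ok")
```

Run against the strings above, snmp2 passes cleanly, while snmp1 is reported because it enables http and telnet on the internal interface, which the global configuration in option a) does not.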
Related Articles
Technical Note : Download FortiSwitch and FortiCore SNMP MIBs