Configuring SNMP on a FortiGate when administrator trusted hosts are also configured:

1. Enable SNMP in the allowed-access list (allowaccess) of the interface the SNMP manager reaches. The lab interface below also allows http; on a production device restrict allowaccess to the services you actually need.

2. Turn on the global SNMP switch (config system snmp sysinfo, set status enable).

3. Configure the SNMP v2c community, for example Fortinet123#. Do not use the common default "public": it is the first string every scanner tries, and v2c carries the community in cleartext, so anyone who can sniff the path between manager and FortiGate learns it.

4. Configure SNMP v3: user fortinet, authentication algorithm SHA1 with password forti3389, privacy (encryption) algorithm AES with password forti5566. Only v3 at security level auth-priv authenticates and encrypts the exchange; if the monitoring system supports it, prefer v3 over v2c.



SNMP command-line configuration summary:

config system interface
    edit "port4"
        set allowaccess ping https ssh snmp http
    next
end

config system snmp sysinfo
    set status enable
    set description "Fortinet_BeiJing_LAB_FGT-KVM"
    set contact-info "kmliu@fortinet.com"
    set location "China_BeiJing_Lab"
end

config system snmp community
    edit 1
        set name "Fortinet123#"
        config hosts
            edit 1
                set ip 192.168.90.7 255.255.255.255
            next
        end
        set query-v1-status disable
        set trap-v1-status disable
    next
end

config system snmp user
    edit "fortinet"
        set notify-hosts 192.168.90.7
        set security-level auth-priv
        set auth-pwd forti3389
        set priv-pwd forti5566
        set auth-proto sha
        set priv-proto aes
    next
end
Note: one special scenario needs particular attention, an HA cluster with a dedicated (reserved) management interface, which needs some extra configuration before SNMP works. The next chapter describes that case. In every other case the configuration above is enough to enable SNMP on a FortiGate.
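To make the v2c half of this configuration concrete, here is an added example written for this page (it is not FortiOS or Net-SNMP code): it encodes the SNMPv2c GetRequest that snmpwalk sends for one OID, decodes it the way a sniffer on the path would, and applies the agent-side check that `config system snmp community` together with `config hosts` expresses. The community/host table is constructed to mirror the configuration above, and the rejection reasons are this script's own wording, not snmpd's log messages.

```python
"""SNMPv2c GetRequest on the wire, plus the community/allowed-host check
that `config system snmp community` expresses.  Example code written for
this page, not FortiOS or Net-SNMP code."""
import ipaddress
import secrets

# ---- minimal BER encoders (only what a GetRequest needs) --------------------

def ber_len(n: int) -> bytes:
    """Definite length: one byte below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def encode_int(v: int) -> bytes:
    """INTEGER with a minimal two's-complement body (non-negative values only)."""
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big")
    return tlv(0x02, body)


def encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


GET_REQUEST = 0xA0  # context-specific tag 0 in the RFC 3416 PDU choice


def build_get_request(community: str, oids, request_id=None) -> bytes:
    """SNMPv2c message: SEQUENCE { version 1, community, GetRequest-PDU }."""
    if request_id is None:
        request_id = secrets.randbelow(2 ** 31)
    varbinds = b"".join(tlv(0x30, encode_oid(o) + tlv(0x05, b"")) for o in oids)
    pdu = tlv(GET_REQUEST, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbinds))
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode()) + pdu)

# ---- decoder: what a sniffer (or an attacker on the path) sees --------------

def read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def parse_message(pkt: bytes) -> dict:
    """Version, community, request-id and OIDs of a v1/v2c message.
    The community is an unprotected OCTET STRING: the password is readable."""
    _, msg, _ = read_tlv(pkt, 0)
    _, ver, p = read_tlv(msg, 0)
    _, community, p = read_tlv(msg, p)
    pdu_tag, pdu, _ = read_tlv(msg, p)
    _, rid, q = read_tlv(pdu, 0)
    _, _, q = read_tlv(pdu, q)        # error-status
    _, _, q = read_tlv(pdu, q)        # error-index
    _, vbl, _ = read_tlv(pdu, q)
    oids, r = [], 0
    while r < len(vbl):
        _, vb, r = read_tlv(vbl, r)
        _, oid, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(errors="replace"),
            "pdu_type": pdu_tag,
            "request_id": int.from_bytes(rid, "big", signed=True),
            "oids": oids}

# ---- agent side: community name + `config hosts` restriction ----------------

# Constructed to mirror the page's `config system snmp community` entry.
COMMUNITIES = {"Fortinet123#": ["192.168.90.7/32"]}


def agent_accepts(pkt: bytes, src_ip: str, communities=COMMUNITIES):
    """(accepted, reason) for a request from src_ip.  A rejected request is
    silently dropped, so the manager sees 'Timeout: No Response', not an error."""
    msg = parse_message(pkt)
    hosts = communities.get(msg["community"])
    if hosts is None:
        return False, f'failed to match community "{msg["community"]}"'
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_network(h) for h in hosts):
        return False, f"{src_ip} is not in the community's host list"
    return True, "ok"
```

Two things the page's advice rests on are visible here: the community is a cleartext OCTET STRING, so anyone on the path between manager and FortiGate can read it (which is why a guessable value such as public is dangerous), and a request that fails either the community or the host check is dropped rather than answered, so the manager only ever sees Timeout: No Response.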

Net-SNMP SNMP v2c verification (manager 192.168.90.7 querying the FortiGate at 192.168.90.3):
[Thu Aug 06 11:46:54 root@centos7~#snmpwalk -v2c -c Fortinet123# 192.168.90.3 .1.3.6.1.4.1.12356.101.4.1.1.0
SNMPv2-SMI::enterprises.12356.101.4.1.1.0 = STRING: "v6.4.1,build1637,200604 (GA)"
[Thu Aug 06 11:46:55 root@centos7~#
[Thu Aug 06 11:46:55 root@centos7~#
[Thu Aug 06 11:46:55 root@centos7~#snmpwalk -v2c -c Fortinet123# 192.168.90.3 1.3.6.1.2.1.1.3.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (301635896) 34 days, 21:52:38.96
[Thu Aug 06 11:46:57 root@centos7~#
[Thu Aug 06 11:46:58 root@centos7~#snmpwalk -v2c -c Fortinet123# 192.168.90.3 .1.3.6.1.4.1.12356.100.1.1.1.0
SNMPv2-SMI::enterprises.12356.100.1.1.1.0 = STRING: "FGVM04TM20003482"
[Thu Aug 06 11:47:04 root@centos7~#
[Thu Aug 06 11:47:46 root@centos7~#snmpwalk -v2c -c Fortinet123# 192.168.90.3 1.3.6.1.2.1.31.1.1.1.1.1
IF-MIB::ifName.1 = STRING: port1
[Thu Aug 06 11:47:47 root@centos7~#snmpwalk -v2c -c Fortinet123# 192.168.90.3 1.3.6.1.2.1.31.1.1.1.1.2
IF-MIB::ifName.2 = STRING: port2
[Thu Aug 06 11:47:50 root@centos7~#
[Thu Aug 06 11:47:51 root@centos7~#snmpwalk -v2c -c Fortinet123# 192.168.90.3 1.3.6.1.4.1.12356.101.4.1.8.0
SNMPv2-SMI::enterprises.12356.101.4.1.8.0 = Gauge32: 77
[Thu Aug 06 11:48:45 root@centos7~#
[Thu Aug 06 11:50:03 root@centos7~#ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.90.7  netmask 255.255.255.0  broadcast 192.168.90.255
        inet6 fe80::20c:29ff:fea4:c28f  prefixlen 64  scopeid 0x20<link>
        inet6 2090::20c:29ff:fea4:c28f  prefixlen 64  scopeid 0x0<global>
        ether 00:0c:29:a4:c2:8f  txqueuelen 1000  (Ethernet)
        RX packets 42079997  bytes 9765439741 (9.0 GiB)
        RX errors 0  dropped 26044405  overruns 0  frame 0
        TX packets 178673  bytes 33179586 (31.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[Thu Aug 06 11:50:04 root@centos7~#
Net-SNMP SNMP v3 verification:
[Thu Aug 06 11:56:06 root@centos7~#service snmpd  stop
Stopping snmpd (via systemctl):                            [  OK  ]
[Thu Aug 06 11:56:20 root@centos7~#
[Thu Aug 06 12:00:52 root@centos7~#
[Thu Aug 06 12:01:01 root@centos7~#net-snmp-config --create-snmpv3-user -ro -a SHA -A forti3389 -x AES -X forti5566 fortinet 
adding the following line to /var/lib/net-snmp/snmpd.conf:
   createUser fortinet SHA "forti3389" AES forti5566
adding the following line to /etc/snmp/snmpd.conf:
   rouser fortinet
[Thu Aug 06 12:01:09 root@centos7~#
[Thu Aug 06 12:01:10 root@centos7~#chkconfig snmpd on
Note: Forwarding request to 'systemctl enable snmpd.service'.
Created symlink from /etc/systemd/system/multi-user.target.wants/snmpd.service to /usr/lib/systemd/system/snmpd.service.
[Thu Aug 06 12:01:30 root@centos7~#service snmpd start
Starting snmpd (via systemctl):                            [  OK  ]
[Thu Aug 06 12:01:36 root@centos7~#
[Thu Aug 06 12:06:29 root@centos7~#
[Thu Aug 06 12:06:38 root@centos7~#snmpwalk -v3 -u fortinet -l authPriv -a SHA -A forti3389 -x AES -X forti5566 192.168.90.3
SNMPv2-MIB::sysDescr.0 = STRING: Fortinet_BeiJing_LAB_FGT-KVM
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.12356.101.1.60
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (301754102) 34 days, 22:12:21.02
SNMPv2-MIB::sysContact.0 = STRING: kmliu@fortinet.com
SNMPv2-MIB::sysName.0 = STRING: HUB2-ShangHai
SNMPv2-MIB::sysLocation.0 = STRING: China_BeiJing_Lab
SNMPv2-MIB::sysServices.0 = INTEGER: 78
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORIndex.1 = INTEGER: 1
SNMPv2-MIB::sysORID.1 = OID: SNMPv2-SMI::zeroDotZero.0
SNMPv2-MIB::sysORDescr.1 = STRING: 
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (0) 0:00:00.00
IF-MIB::ifNumber.0 = INTEGER: 19
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
^C
[Thu Aug 06 12:06:41 root@centos7~#
[Thu Aug 06 12:06:45 root@centos7~#
[Thu Aug 06 12:10:23 root@centos7~#snmpwalk -v3 -u fortinet -l authPriv -a SHA -A forti3389 -x AES -X forti5566 192.168.90.3 .1.3.6.1.4.1.12356.100.1.1.1.0
SNMPv2-SMI::enterprises.12356.100.1.1.1.0 = STRING: "FGVM04TM20003482"
[Thu Aug 06 12:10:45 root@centos7~#
[Thu Aug 06 12:10:46 root@centos7~#snmpwalk -v3 -u fortinet -l authPriv -a SHA -A forti3389 -x AES -X forti5566 192.168.90.3 1.3.6.1.2.1.1.3.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (301780209) 34 days, 22:16:42.09
[Thu Aug 06 12:11:00 root@centos7~#
[Thu Aug 06 12:11:12 root@centos7~#snmpwalk -v3 -u fortinet -l authPriv -a SHA -A forti3389 -x AES -X forti5566 192.168.90.3 .1.3.6.1.4.1.12356.101.4.1.1.0
SNMPv2-SMI::enterprises.12356.101.4.1.1.0 = STRING: "v6.4.1,build1637,200604 (GA)"
[Thu Aug 06 12:11:19 root@centos7~#
Net-SNMP v3 reference: https://www.thegeekdiary.com/centos-rhel-6-install-and-configure-snmpv3/
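What the v3 side does with forti3389 before anything reaches the wire, as an added example written for this page (it is not Net-SNMP or FortiOS code). It implements the RFC 3414 password-to-key and key-localization steps and the HMAC-SHA-96 authentication tag; the only external input is the snmpEngineID, which a real manager learns from the agent's discovery response. The engine ID 000000000000000000000002 is RFC 3414's own test value, and the message bodies are constructed.

```python
"""SNMPv3 USM key handling (RFC 3414): why an authPriv walk never puts
forti3389 or forti5566 on the wire.  Example code written for this page,
not Net-SNMP or FortiOS code."""
import hashlib
import hmac

MEGABYTE = 1048576


def password_to_key(password: str, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.2: hash the password repeated to exactly 1,048,576 bytes.
    The result Ku is the same for every agent (it depends on the password only)."""
    pw = password.encode()
    stream = (pw * (MEGABYTE // len(pw) + 1))[:MEGABYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku).  Binding the key to one engine ID means
    a key dumped from one device does not authenticate against another."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_parameters(kul: bytes, wire_msg: bytes) -> bytes:
    """HMAC-SHA-96 (RFC 3414 6.3): HMAC over the whole message, truncated to
    12 bytes.  The caller passes the message with its 12-byte
    msgAuthenticationParameters field zero-filled, as the RFC specifies."""
    return hmac.new(kul, wire_msg, hashlib.sha1).digest()[:12]


def verify_message(kul: bytes, wire_msg: bytes, received_params: bytes) -> bool:
    """Constant-time comparison of the received tag with a fresh one."""
    return hmac.compare_digest(auth_parameters(kul, wire_msg), received_params)


def localized_keys_for(password: str, engine_ids) -> dict:
    """One localized key per agent from a single password (the page's user
    'fortinet' polling several FortiGates would end up with one Kul each)."""
    ku = password_to_key(password)
    return {eid.hex(): localize_key(ku, eid) for eid in engine_ids}
```

The manager and the FortiGate each derive Kul locally, so a capture of the walk above carries HMAC tags and AES ciphertext but never forti3389 or forti5566. The caveat is that the tag is still an offline guessing oracle: an attacker holding one captured message can test candidate passwords at the cost of one 1 MB hash each, so the strength of the v3 passwords still matters.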

Before administrator trusted hosts are configured, both SNMP v2c and SNMP v3 work.

OK, next configure administrator trusted hosts, deliberately without including the SNMP manager's IP address 192.168.90.7.

The IP I use for both GUI and SSH management of the firewall is 192.168.90.254, so add 192.168.90.254 to the admin's trusted hosts. From now on no IP other than 192.168.90.254 is allowed to manage the FortiGate.

Corresponding commands:
HUB2-ShangHai # config system admin 
HUB2-ShangHai (admin) # show 
config system admin
    edit "admin"
        set trusthost1 192.168.90.254 255.255.255.255
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2c4U3k1zG2o8L2OFdIW6HOP2CGSdaWI8ipqYygPVlSU5GCJXp+63fntlZJjA=
    next
end
HUB2-ShangHai (admin) # end
Now check SNMP again (the SNMP queries fail with Timeout):
[Tue Aug 11 15:09:36 root@centos7~#snmpwalk -v2c -c Fortinet123# 192.168.90.3 .1.3.6.1.4.1.12356.100.1.1.1.0
Timeout: No Response from 192.168.90.3
[Tue Aug 11 15:09:45 root@centos7~#snmpwalk -v2c -c Fortinet123# 192.168.90.3 .1.3.6.1.4.1.12356.101.4.1.1.0
Timeout: No Response from 192.168.90.3
[Tue Aug 11 15:09:56 root@centos7~#snmpwalk -v2c -c Fortinet123# 192.168.90.3 1.3.6.1.2.1.1.3.0
Timeout: No Response from 192.168.90.3
[Tue Aug 11 15:10:05 root@centos7~#
What is the reason?
It is clear that administrator trusted hosts apply to every management protocol enabled on the interface, all of the allowaccess services (except ping), and that naturally includes SNMP:

To fix it, the SNMP manager's IP address must also be added to the administrator's trusted hosts; only then can SNMP retrieve data again:

Corresponding commands:
HUB2-ShangHai # config system admin 
HUB2-ShangHai (admin) # 
HUB2-ShangHai (admin) # show 
config system admin
    edit "admin"
        set trusthost1 192.168.90.254 255.255.255.255
        set trusthost2 192.168.90.7 255.255.255.255
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2c4U3k1zG2o8L2OFdIW6HOP2CGSdaWI8ipqYygPVlSU5GCJXp+63fntlZJjA=
    next
end
HUB2-ShangHai (admin) # end
HUB2-ShangHai # 
Now check SNMP again (the SNMP queries succeed):
[Tue Aug 11 15:16:23 root@centos7~#snmpwalk -v2c -c Fortinet123# 192.168.90.3 .1.3.6.1.4.1.12356.101.4.1.1.0
SNMPv2-SMI::enterprises.12356.101.4.1.1.0 = STRING: "v6.4.1,build1637,200604 (GA)"
[Tue Aug 11 15:16:26 root@centos7~#snmpwalk -v2c -c Fortinet123# 192.168.90.3 1.3.6.1.2.1.1.3.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (346095043) 40 days, 1:22:30.43
[Tue Aug 11 15:16:29 root@centos7~#snmpwalk -v2c -c Fortinet123# 192.168.90.3 .1.3.6.1.4.1.12356.100.1.1.1.0
SNMPv2-SMI::enterprises.12356.100.1.1.1.0 = STRING: "FGVM04TM20003482"
[Tue Aug 11 15:16:35 root@centos7~#
Summary: when configuring SNMP, always keep administrator trusted hosts in mind. The setting is easy to overlook, it silently makes SNMP unusable, and because the FortiGate simply does not answer, it is hard to troubleshoot.

SNMP troubleshooting: what to do when SNMP does not work?
1. Capture packets and confirm that UDP/161 traffic is flowing normally; working SNMP has a request going in and a reply coming out.
# diagnose sniffer packet any "port 161 and host 192.168.90.3" 4

2. If the capture in step 1 shows traffic in both directions but SNMP still fails, enable snmpd debugging to see the concrete reason:
HUB2-ShangHai # diagnose debug application  snmpd -1
HUB2-ShangHai # diagnose debug enable

For example, the most common error is a community mismatch; the debug output below shows a request sent with community "Fortinet123#2" being checked against the configured "Fortinet123#" and rejected. The other frequent cause, an administrator trusted-host list that omits the SNMP manager's IP, is covered in step 3:
HUB2-ShangHai # snmpd: updating cache: idx_cache
snmpd: <msg> 47 bytes 192.168.90.254:44539 -> 200.1.1.1/200.1.1.1:161 (itf 3.3)
snmpd: checking if community "Fortinet123#2" is valid
snmpd: updating cache: vdom_idx_map_cache
snmpd: updating vdom idx mapping
snmpd: Creating vdom_idx_cache for root
snmpd: Vdom created kernel-index=0, snmp-index=1, name=root
snmpd: checking against community "Fortinet123#"
snmpd: vdom name mismatch
snmpd: checking against community "FortiManager"
snmpd: name mismatch.
snmpd: failed to match community "Fortinet123#2"
snmpd: </msg> 0

3. Check whether administrator trusted hosts are configured; if they are, they must include the SNMP manager's IP, otherwise SNMP queries are not answered at all.
FGT101E_Master_379 # config system admin 
FGT101E_Master_379 (admin) # show 
config system admin
    edit "admin"
        set trusthost1 192.168.91.254 255.255.255.255   // trusted hosts are configured, but the SNMP manager's IP is not among them.
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2m46wbTSEUOglCBtoYmS/ax6YJpPO6iQU7OY1RdbWYE4pe11yof65xP/peWU=
    next
end
FGT101E_Master_379 (admin) # end
FGT101E_Master_379 # diagnose sniffer packet any "port 161" 4
interfaces=[any]
filters=[port 161]
3.196294 mgmt in 192.168.91.125.3842 -> 192.168.91.21.161: udp 46    // SNMP is no longer answered: only IN, no OUT, the FortiGate does not reply.
8.196752 mgmt in 192.168.91.125.3842 -> 192.168.91.21.161: udp 46
13.196785 mgmt in 192.168.91.125.3842 -> 192.168.91.21.161: udp 46
18.196741 mgmt in 192.168.91.125.3842 -> 192.168.91.21.161: udp 46
^C
4 packets received by filter
0 packets dropped by kernel
FGT101E_Master_379 # 
FGT101E_Master_379 # config system admin 
FGT101E_Master_379 (admin) # edit admin 
FGT101E_Master_379 (admin) # set trusthost2 192.168.91.125/24
FGT101E_Master_379 (admin) # set trusthost2 192.168.91.125/32    // add the SNMP manager's IP (as a /32) to the administrator's trusted hosts.
FGT101E_Master_379 (admin) # show 
config system admin
    edit "admin"
        set trusthost1 192.168.91.254 255.255.255.255
        set trusthost2 192.168.91.125 255.255.255.255
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2m46wbTSEUOglCBtoYmS/ax6YJpPO6iQU7OY1RdbWYE4pe11yof65xP/peWU=
    next
end
FGT101E_Master_379 (admin) # end
FGT101E_Master_379 # diagnose sniffer packet any "port 161" 4
interfaces=[any]
filters=[port 161]
2.837199 mgmt in 192.168.91.125.3870 -> 192.168.91.21.161: udp 46    // SNMP now gets data normally. In real deployments pay special attention to administrator trusted hosts; it is easily overlooked.
2.837949 mgmt out 192.168.91.21.161 -> 192.168.91.125.3870: udp 51
6.083550 mgmt in 192.168.91.125.3871 -> 192.168.91.21.161: udp 45
6.084284 mgmt out 192.168.91.21.161 -> 192.168.91.125.3871: udp 283
6.092138 mgmt in 192.168.91.125.3871 -> 192.168.91.21.161: udp 49
6.094511 mgmt out 192.168.91.21.161 -> 192.168.91.125.3871: udp 203
^C
6 packets received by filter
0 packets dropped by kernel
FGT101E_Master_379 # 
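A check for the condition that steps 1 and 3 diagnose by hand, as an added example written for this page (it is not FortiOS code and does not run on the FortiGate): feed it the `show` output of `config system admin` and the list of SNMP manager addresses, and it reports which managers fall outside every trusted host and builds the trusthostN line to add. The sample admin block is constructed from the page's own output (password line dropped); for several admins it assumes the union of their trusted hosts is what gates SNMP, which the page's single-admin test does not exercise.

```python
"""Audit FortiGate admin trusted hosts against the SNMP manager addresses.
Example code written for this page, not FortiOS code.  It parses the text
`show` prints under `config system admin`, the format shown on this page."""
import ipaddress
import re

# Constructed sample: the page's admin entry before the fix (password line dropped).
ADMIN_SHOW = """\
config system admin
    edit "admin"
        set trusthost1 192.168.90.254 255.255.255.255
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

_EDIT = re.compile(r'^\s*edit\s+"?([^"\s]+)"?\s*$')
# `show` prints "ip mask"; typed commands (and this script's output) use "ip/prefix".
_TRUSTHOST = re.compile(r'^\s*set\s+trusthost(\d+)\s+(\S+)(?:\s+(\S+))?\s*$')


def parse_trusthosts(show_output: str) -> dict:
    """{admin: [(slot, IPv4Network), ...]}.  `show` omits default settings, so
    an admin with no trusthost lines is unrestricted (the FortiOS default)."""
    admins, current = {}, None
    for raw in show_output.splitlines():
        line = raw.split("//")[0]          # drop the page-style // annotations
        m = _EDIT.match(line)
        if m:
            current = m.group(1)
            admins.setdefault(current, [])
            continue
        m = _TRUSTHOST.match(line)
        if m and current is not None:
            slot, ip, mask = m.groups()
            cidr = ip if mask is None else f"{ip}/{mask}"
            admins[current].append((int(slot), ipaddress.ip_network(cidr, strict=False)))
    return admins


def snmp_allowed(admins: dict, manager_ip: str):
    """(allowed, reason).  The page shows that once an admin has trusted hosts,
    SNMP managers outside them get no reply.  Assumption for the multi-admin
    case, which the page does not exercise: the union of all admins' trusted
    hosts is what counts."""
    restricted = {name: nets for name, nets in admins.items() if nets}
    if not restricted:
        return True, "no trusted hosts configured on any admin"
    src = ipaddress.ip_address(manager_ip)
    for name, nets in restricted.items():
        for slot, net in nets:
            if src in net:
                return True, f"{manager_ip} matches trusthost{slot} {net} on '{name}'"
    return False, f"{manager_ip} is in no trusted-host list: the agent will not reply (Timeout)"


def next_free_slot(entries, max_slots: int = 10) -> int:
    """First unused trusthostN index (FortiOS offers trusthost1..trusthost10)."""
    used = {slot for slot, _ in entries}
    for n in range(1, max_slots + 1):
        if n not in used:
            return n
    raise ValueError("all trusthost slots are in use")


def fix_commands(admin: str, entries, manager_ip: str) -> str:
    """CLI that adds the manager as a /32 trusted host, as the page does."""
    slot = next_free_slot(entries)
    return (f"config system admin\n    edit {admin}\n"
            f"        set trusthost{slot} {manager_ip}/32\n    next\nend")


def audit(show_output: str, managers) -> dict:
    """{manager_ip: (allowed, reason)} for every SNMP manager address."""
    admins = parse_trusthosts(show_output)
    return {ip: snmp_allowed(admins, ip) for ip in managers}


if __name__ == "__main__":
    admins = parse_trusthosts(ADMIN_SHOW)
    for ip, (ok, why) in audit(ADMIN_SHOW, ["192.168.90.254", "192.168.90.7"]).items():
        print(f"{ip}: {'OK ' if ok else 'BLOCKED'} {why}")
        if not ok:
            print(fix_commands("admin", admins["admin"], ip))
```

Run it against the device before enabling monitoring and again whenever an admin's trusted hosts are tightened: the failure on this page was caused by exactly that change, and the only symptom on the manager side is a timeout.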

