advertisement
Chapter 12: System Management Configuring SNMP
Configuring SNMP
Many organizations use SNMP (simple network management protocol) to track the health of their systems.
FortiADC supports SNMP v1, v2c, and v3.
SNMP depends on network devices that maintain standard management information bases (MIBs).
MIBs describe the structure of the management data maintained on the device. Some MIB definitions are standard for all network devices, and some are vendor and product-family specific.
The FortiADC system runs an SNMP agent to communicate with the SNMP manager. The agent enables the system to respond to SNMP queries for system information and to send SNMP traps (alarms or event messages) to the SNMP manager.
illustrates the basic communication.
Figure 53: SNMP communication
276
With SNMP v1 and v2c managers, you configure SNMP communities to connect FortiADC and the SNMP manager. The SNMP Manager sends the community string along with all SNMP requests. If the community string is correct, the device responds with the requested information. If the community string is incorrect, the device simply discards the request and does not respond.
Fortinet strongly recommends that you do not add FortiADC to the community named public . This default name is well-known, and attackers that attempt to gain access to your network often try this name first.
With SNMPv3 managers, you configure SNMP users to connect FortiADC and the SNMP manager. Queries and traps include username/password authentication, along with an encryption key. FortiADC implements the user security model described in RFC 3414 .
Before you begin: l
On the SNMP manager, you must verify that the SNMP manager is a member of the community to which the
FortiADC system belongs, and you must compile the necessary Fortinet-proprietary management information blocks (MIBs) and Fortinet-supported standard MIBs. For information on Fortinet MIBs, see
FortiADC D-Series Handbook
Fortinet Technologies, Inc.
advertisement
advertisement
Table of contents
- 13 Features
- 13 Basic network topology
- 14 Scope
- 16 FortiADC 4.6.1
- 16 FortiADC 4.6.0
- 18 FortiADC 4.5.3
- 18 FortiADC 4.5.2
- 18 FortiADC 4.5.1
- 19 FortiADC 4.5.0
- 20 FortiADC 4.4.0
- 21 FortiADC 4.3.1
- 21 FortiADC 4.3.1
- 22 FortiADC 4.3.0
- 23 FortiADC 4.2.3
- 23 FortiADC 4.2.1
- 23 FortiADC 4.2.0
- 24 FortiADC 4.1
- 24 FortiADC 4.0 Patch 2
- 24 FortiADC 4.0 Patch 1
- 24 FortiADC 4.0
- 25 FortiADC 3.2.0
- 25 FortiADC 3.1.0
- 26 FortiADC 3.0.0
- 26 FortiADC 2.1.0
- 27 Server load balancing
- 27 Feature Summary
- 28 Authentication
- 28 Caching
- 29 Compression
- 29 Content rewriting
- 29 Content routing
- 29 Scripting
- 29 SSL transactions
- 30 Link load balancing
- 30 Global load balancing
- 30 Security
- 30 High availability
- 31 Virtual domains
- 32 Step 1: Install the appliance
- 33 Step 2: Configure the management interface
- 36 Step 3: Configure basic network settings
- 40 Step 4: Test connectivity to destination servers
- 40 Step 5: Complete product registration, licensing, and upgrades
- 42 Step 6: Configure a basic server load balancing policy
- 45 Step 7: Test the deployment
- 48 Step 8: Back up the configuration
- 50 Server load balancing basics
- 53 Server load balancing configuration overview
- 56 Configuring real server SSL profiles
- 61 Using real server pools
- 61 Configuring real server pools
- 66 Example: Using port ranges and the port 0 configuration
- 67 Configuring persistence rules
- 73 Configuring content routes
- 75 Using content rewriting rules
- 75 Overview
- 76 Configuring content rewriting rules
- 78 Example: Redirecting HTTP to HTTPS
- 86 Example: Rewriting the HTTP response when using content routing
- 88 Example: Rewriting the HTTP request and response to mask application details
- 90 Example: Rewriting the HTTP request to harmonize port numbers
- 91 Configuring compression rules
- 93 Using caching features
- 93 Static caching
- 95 Dynamic caching
- 95 Configuring caching rules
- 97 Configuring Application profiles
- 121 Configuring error pages
- 121 Using source pools
- 122 Configuring source pools
- 124 Example: DNAT
- 125 Example: full NAT
- 126 Example: NAT46 (Layer 4 virtual servers)
- 128 Example: NAT64 (Layer 4 virtual servers)
- 130 Example: NAT46 (Layer 7 virtual servers)
- 132 Example: NAT64 (Layer 7 virtual servers)
- 133 Configuring auth policies
- 135 Configuring methods
- 136 Configuring an L2 exception list
- 137 Using the Web Category tab
- 138 Creating a Web Filter Profile configuration
- 138 Configuring virtual servers
- 144 TCP multiplexing
- 145 Using scripts
- 146 Create a script object
- 146 Import a script
- 146 Export a script
- 147 Delete a script
- 148 Link load balancing basics
- 148 Using link groups
- 149 Using virtual tunnels
- 151 Link load balancing configuration overview
- 153 Configuring gateway links
- 154 Configuring persistence rules
- 156 Configuring proximity route settings
- 158 Configuring a link group
- 160 Configuring a virtual tunnel group
- 162 Configuring link policies
- 164 Global load balancing basics
- 166 Global load balancing configuration overview
- 168 Configuring servers
- 171 Configuring a global load balance link
- 172 Configuring data centers
- 173 Configuring hosts
- 174 Configuring virtual server pools
- 176 Configuring dynamic proximity
- 177 Configuring persistence
- 178 Configuring an address group
- 179 Configuring remote DNS servers
- 180 Configuring the DSSET list
- 180 Configuring DNS zones
- 184 Configuring DNS64
- 185 Configuring the response rate limit
- 186 onfiguring a Global DNS policy
- 187 Configuring general settings
- 189 Configuring the trust anchor key
- 190 Security features basics
- 190 Managing IP Reputation policy settings
- 192 Configure IP reputation exception
- 193 Using the Geo IP block list
- 194 Using the Geo IP whitelist
- 195 Enabling denial of service protection
- 196 Configuring a firewall policy
- 197 Configuring the firewall connection limit
- 199 Web application firewall basics
- 200 Web application firewall configuration overview
- 201 Predefined configuration elements
- 201 Severity
- 201 Exceptions
- 201 Configuring a WAF Profile
- 203 Configuring a Web Attack Signature policy
- 208 Configuring a URL Protection policy
- 209 Configuring an HTTP Protocol Constraint policy
- 213 Configuring an SQL/XSS Injection Detection policy
- 215 Configuring WAF Exception objects
- 216 Configuring a Bot Detection policy
- 219 Configuring user groups
- 220 Using the local authentication server
- 221 Using an LDAP authentication server
- 222 Using a RADIUS authentication server
- 223 Using Kerberos Authentication Relay
- 223 Authentication Workflow
- 223 Step 1: Client authentication
- 224 Step 2: Client service authorization
- 224 Step 3: Client service request
- 224 FortiADC Kerberos authentication implementation
- 225 Configure Authentication Relay (Kerberos)
- 225 Configure SAML authentication
- 226 Import IDP metadata
- 226 Configure SAML authentication
- 228 Configuring health checks
- 235 Creating schedule groups
- 236 Creating IPv4 address objects
- 237 Configuring IPv4 address groups
- 238 Creating IPv6 address objects
- 239 Configuring IPv6 address groups
- 240 Managing ISP address books
- 242 Create an ISP address book object
- 243 Creating service objects
- 244 Creating service groups
- 246 Configuring network interfaces
- 246 Using physical interfaces
- 247 Using VLAN interfaces
- 247 Using aggregate interfaces
- 248 Configuring network interfaces
- 253 Configuring static routes
- 254 Configuring policy routes
- 256 Configuring basic system settings
- 257 Configuring system time
- 259 Configuring an SMTP mail server
- 259 Configuring FortiGuard service settings
- 261 Pushing/pulling configurations
- 262 Backing up and restoring the configuration
- 263 Updating firmware
- 264 Upgrade considerations
- 264 Updating firmware using the web UI
- 266 Updating firmware using the CLI
- 267 Rebooting, resetting, and shutting down the system
- 268 Create a traffic group
- 269 Create a traffic group via the command line interface
- 269 Create a traffic group from the Web GUI
- 270 Create administrator users
- 272 Configure access profiles
- 275 Enable password policies
- 276 Configuring SNMP
- 277 Download SNMP MIBs
- 278 Configure SNMP threshold
- 278 Configure SNMP v1/v2
- 280 Configure SNMP v3
- 281 Manage and validate certificates
- 282 Overview
- 282 Prerequisite tasks
- 283 Manage certificates
- 284 Generating a certificate signing request
- 286 Importing local certificates
- 288 Creating a local certificate group
- 288 Importing intermediate CAs
- 289 Creating an intermediate CA group
- 290 Validating certificates
- 290 Configure a certificate verification object
- 293 Importing CRLs
- 294 Adding OCSPs
- 296 Importing remote certificates
- 297 Importing CAs
- 298 Creating a CA group
- 300 Using the event log
- 307 Using the security log
- 313 Using the *traffic log
- 321 Configuring local log settings
- 323 Configuring syslog settings
- 325 Configuring high speed logging
- 326 Enabling real-time statistics
- 327 Configuring alert email settings
- 328 Configuring an alert email recipient
- 328 Configuring reports
- 329 Configuring Report Queries
- 332 Configuring fast reports
- 333 Using reports
- 334 Display logs via CLI
- 335 HA feature overview
- 339 HA system requirements
- 340 HA synchronization
- 341 Configuring HA settings
- 346 Monitoring an HA cluster
- 348 Updating firmware for an HA cluster
- 349 Deploying an active-passive cluster
- 349 Overview
- 351 Basic steps
- 351 Best practice tips
- 351 Deploying an active-active cluster
- 352 Configuration overview
- 353 Basic steps
- 354 Expected behavior
- 354 Traffic to TCP virtual servers
- 358 Traffic to HTTP virtual servers
- 360 FTP traffic and traffic processed by firewall rules
- 363 Best practice tips
- 363 Advantages of HA Active-Active-VRRP
- 363 Deploying an active-active-VRRP cluster
- 364 Configuration overview
- 365 Basic steps
- 366 Best practice tips
- 368 Virtual domain basics
- 368 Enabling the virtual domain feature
- 369 Creating virtual domains
- 369 Assigning network interfaces and admin users to VDOMs
- 370 Virtual domain policies
- 371 Disabling virtual domains
- 372 SSL offloading
- 374 SSL decryption by forward proxy
- 374 Layer 7 deployments
- 376 Layer 2 deployments
- 377 Profile configurations
- 381 Certificate guidelines
- 381 SSL/TLS versions and cipher suites
- 385 Exceptions list
- 385 SSL traffic mirroring
- 387 Configure source NAT
- 389 Configure source NAT
- 392 Configure 1-to-1 NAT
- 394 QoS
- 395 Configuring a QoS queue
- 395 Configuring the QoS filter
- 396 Configuring the QoS IPv6 filter
- 397 ISP routes
- 398 BGP
- 398 How BGP works
- 398 IBGP vs. EBGP
- 402 Access list vs. prefix list
- 403 Configuring an IPv4 access list
- 403 Configuring an IPv6 access list
- 404 Configuring an IPv4 prefix list
- 405 Configuring an IPv6 prefix list
- 405 OSPF
- 409 Reverse path route caching
- 411 Packet capture
- 413 Regular backups
- 413 Security
- 414 Topology
- 414 Administrator access
- 415 Performance tips
- 415 System performance
- 415 Reducing the impact of logging on performance
- 415 Reducing the impact of reports on system performance
- 415 Reducing the impact of packet capture on system performance
- 416 High availability
- 417 Logs
- 417 Tools
- 417 execute commands
- 418 diagnose commands
- 419 System dump
- 420 Packet capture
- 421 Diff
- 422 Solutions by issue type
- 422 Login issues
- 423 Connectivity issues
- 423 Checking hardware connections
- 423 Checking routing
- 427 Examining the routing table
- 427 Examining server daemons
- 427 Checking port assignments
- 427 Performing a packet trace
- 428 Checking the SSL/TLS handshake & encryption
- 428 Resource issues
- 428 Monitoring traffic load
- 429 DoS attacks
- 429 Resetting the configuration
- 429 Restoring firmware (“clean install”)
- 432 Additional resources
- 435 Status
- 436 Data Analytics
- 437 Server load balance
- 437 Select a display option
- 438 Filter virtual servers onscreen
- 439 Add virtual servers
- 439 Link load balance
- 439 Global load balance
- 440 HA status
- 441 Session monitoring
- 446 Events and actions
- 446 Predefined Commands
- 452 Control structures
- 452 Operators
- 453 String library
- 454 Examples
- 454 Select content routes based on URI string matches
- 455 Rewrite the HTTP request host header and path
- 456 Rewrite the HTTP response Location header
- 456 Redirect HTTP to HTTPS using Lua string substitution
- 456 Redirect mobile users to the mobile version of a website