75. Lecture-75: Configure SNMP V1/V2 and SNMP V3 in FortiGate.
Another topic is how we can configure SNMP. We discussed SNMP in five courses, and I remember most of you guys took my five courses, so let me go through it quickly for those who are new. Simple Network Management Protocol, SNMP: we are using this for monitoring and management purposes. SNMP is an application-based protocol. It works on layer seven. We configure SNMP on routers, switches, firewalls and many other devices to monitor them. It can be read-only and it can be read-write. SNMP is UDP-based, User Datagram Protocol. It is using port 161, and for trap messages it’s using 162.
You know what a trap message is and what agent communication is? There are three things. SNMP Manager, or NMS, network management system: the server where SNMP is installed, we call it the SNMP Manager. And where SNMP is configured, we call that the SNMP Agent. Firewalls, routers, switches, systems: they are called SNMP Agents. Another thing is the Management Information Base, MIB. The MIB is basically a pool of questions which the two devices ask each other. It’s like a database of questions.
SNMP messages: SNMP has many messages. Get message, get response, get bulk, get next and trap message. Whenever something goes wrong in these devices, they will send a trap message. Maybe I mentioned it here: like, an interface is down, and it will send that to the SNMP Manager. Some of the messages are used by the SNMP Manager, the software which is installed, like get bulk. They say, give me all the information altogether. So they will respond with get response. There is a get message and a set message as well. Set is used by the SNMP Manager as well, to set or change something, and get next is to get the next question. Because we discussed these in detail, that’s why I’m just going through quickly.
SNMP has three versions: SNMP version one, SNMP version two and SNMP version three. One and two are almost similar. They are using a password which they call the community string. And SNMP can be configured in three different ways. It can be configured securely and it can be configured unsecurely most of the time. SNMP version three is more secure, but it can be configured as unsecured as well. That’s it. So the same thing we can configure here: the FortiGate Firewall is the SNMP agent as well. So whenever something goes wrong in the FortiGate Firewall, it will send it all to the SNMP server. So we will use the same topology, this FortiGate Firewall, and let’s make this the SNMP server, this Windows XP. So let me log in; like the last time, we used it as a TFTP server.
There are many applications available. You can use any application, and let’s use a simple application, free of cost, just to see how it is working. So let me go to Google.com, and there is one application. So I just need to take this one, or this one, either this one. So let me download it and make this the server. PRTG is a very good one you can use. There are so many SNMP tools. But I just need the simplest one, just to do our lab. Otherwise there are reward Bit, PRTG and Splunk, and so many others are there. But anyway, I just need the simplest one. So let’s go to this one, Power SNMP, to download this free one with which we can do our job. So let me download this one, and until it downloads, okay, let’s configure the Firewall. Does the Firewall have an IP or not? Let’s see whether our interfaces are configured or not. Yeah, so 100, 234 and one. One. Okay, so it’s there. So let’s configure this one. It’s done. Yeah, it’s almost done. So let me run it. Okay. There are many tools. By the way, I just want to use this one. And in the real world it will be a very good application which will show you CPU utilization, RAM utilization, bandwidth detail and many, many things. The one which we are using now, this is a simple one.
Anyway, it will install. Let’s go to configure it. So what do we need first of all? On which interface will we send SNMP traffic? So on which interface is my SNMP server? Port one. Keep in mind, you have to enable SNMP there. You remember, we did this one: administrative access. If SNMP is disabled, it will not work. Choose this one. That’s the first step. And okay. On which interface? So that’s the interface where it will send the SNMP traffic. Now go to System, and there is SNMP. Click on SNMP. This is the MIB, which I told you about, the Management Information Base. Now the SNMP agent. This Firewall is like an agent. I told you, there are two things, agent and server. Description: so I say FortiGate. This, if you don’t want to give it, is okay. FortiGate Firewall. Location: suppose I will say Firewall, so that you know where it is installed. And contact: suppose I say Ahmad Ali. I told you two versions, so SNMP one/two and SNMP three. If you want to configure one/two, click Create New. What is the community string? You know, the password. Suppose I say public, any password. Enable. IP address: where to send the traffic. So we want to send it here. So what is the IP of this server? 100. So I will type 109, 216810, 100: send the traffic here. Now they say what: only read-write or read-only, we know. I just tell you that there are two ways: query and send trap messages. Version one, port number 161. I told you, there are two ports.
For traps they are using 162, and for normal communication they are using 161. These are the things. Look at how many things they are sending: CPU utilization, memory utilization, space, detail of VPN tunnels, so many things. But unfortunately we don’t have a proper SNMP application to see all these. But anyway, look, a lot of things can be seen for the firewall in SNMP, which is very good. So version one and two are configured. If you want to configure version three, which is the secure one... Okay, let me apply SNMP version one/two, then I will show you this one. It’s done. So just enable it on an interface and configure it here. Now come to the SNMP Manager, Power SNMP. Run Power SNMP, which we installed to work as the SNMP manager. Click on Agent. Right click, Add Agent, and click on Add Agent. What is our agent IP? 192 one 6800 234, the firewall IP, 234, and version two. What is the community? We put public there. If you put something else, you have to change it here. And okay, that’s it. Look, it is showing FortiGate Firewall; it is working. FG is the name. And okay.
Okay, now if anything goes wrong there, it will show here. And you know what name I gave, the extra description. So if I click on system contact and query this one, it will show my name. So contact name is Ahmad Ali, and system name was FortiGate something, FG. System description, FortiGate Firewall: we gave this description. System name, system location: we put H Firewall. H Firewall. If you have so many devices, it will help you. If something goes wrong, it will show you that H Firewall is down. So now everything is here, as we can see. So now let’s change something, either down something or connect something. So suppose... no, I cannot down this one. Let me go to the switch and down the interface, or do some other changes. By the way, it’s not necessary, so let me go to the interface and just put test, so I change something. Let’s go see whether the change is there or not. Still I’m not receiving. I will receive. I need to receive. And let me check whether this one is listening on the wrong interface. It has to be this one. Okay, okay, let me check again on 162, because the trap message is coming on 162. And okay, now let’s do some changes again. Okay, so let me go there and put test one, two, three. I did some changes and now let’s see, can I receive logs? Yeah, so it’s showing. By the way, I need to receive logs here. It’s listening on 100, 162, and listening on this one.
So by the way, this is my IP, and I have to receive some logs, so let me do some more changes. What to do? Let’s see, can I down some interface as well? No, I need to configure something which will show there. Okay, let me go to the switch and disable this interface, by the way, so it will... I cannot see your screen. Same for me also, sir. Okay, for some reason I’m seeing it. Okay, sorry, okay, by mistake I clicked. Okay, so now let me go to the switch and disable some interface so that we can generate some logs. So go to enable, configuration, interface e zero slash zero, shutdown. So I hope it will generate some logs and we’ll see. Here, I just need to show you some logs. If you do something wrong in the firewall, or some changes, it has to show you here. Till now I’m not receiving for some reason; either it’s taking time or something. It has to come, by the way, by now. Let me click on query. Yeah, it’s reachable. So let’s do it again, no shutdown, and let’s go to the firewall and do some other changes. Let me create a static route there. Okay, so let’s create another route, 192, 168, and gateway is 192, 168, and the WAN interface. Just let me do something so that we can see the logs here. Still, for some reason... I need to receive the log here, by the way. And let me create a user as well. At the end of the day, I will receive, but for some reason, it’s taking time or something.
So let me create a user here, ABC and 123123, and administrative right. And okay, now, I did many things. I have to receive them right now. So 100. Okay, look, this is listening. On this, 162 is for the trap messages, if something goes wrong. So for some reason, they are not sending the logs properly. And you can see the log. It will be, by the way, visible. Okay. And in clear text. If I right click and capture this port, you will see whether they are sending SNMP logs there or not. So let’s see whether SNMP is there or not. SNMP... okay, so they are not sending SNMP. So it means, let’s go to the interface: SNMP has to be enabled on the interface where they are sending the logs. So yes, it is checked. By the way, if it is not, then it will not show you. Okay, and let’s see here. Still we are not receiving. Let me delete something. It means it’s not sending. That’s why; I thought maybe it’s sending, but for some reason, so it’s why, delete SNMP.
So let’s go to SNMP again: System, and go to SNMP. SNMP agent is the name, and let me quickly double check this one. Public, okay, it’s correct. 100 is our IP, and it should be anything, query and everything. Yeah, it’s okay, there is nothing wrong with the port. It’s not sending the logs, so what can be the issue? Let me double check this: 11216, 808, and public is enabled, no need of a second IP, and trap messages. Okay, how are there for the needs? Okay, yeah, maybe the policy is not there, so it will stop them. So let’s see. Your policy is not there, so let everything, and LAN to WAN. Source is all, because normally it’s not an aware interface, so that’s why it has to be. So let me choose all. And okay, now let’s see whether we can see SNMP traffic on port one. SNMP. So still I cannot see the traffic. And let me create another policy, and for the last time, I need to see. I don’t know how it’s not working. By the way, it has to work. SNMP is enabled. Yes. And now I need to see the SNMP traffic. Still I cannot see SNMP traffic on this interface. And by the way, it’s enabled. Let me double check SNMP.
Okay. And here let me go for the last time: System, SNMP, SNMP agent, version one, version two, and it’s okay. Yeah, it’s come up now. So now if I go there, look, now these are the logs which I am receiving. So they say this is port number one, this is the IP, somebody changed it, because I made it static. Okay, and it’s live now if you do some changes. So let me go to Administrator and create a user, suppose ABC one, two, three, and one two three, and give them anything; I just want to see. So the traffic will go, but it’s visible, by the way. You see, if you click on simple network, version two, what is the community? Public is showing, in clear text. Everything: version two, and public, which we put as what is called the community, the password. And the same thing, it will show here. The name we changed is still not here yet. The administrator we created, that trap is still not here. That’s the trap message, and get and other messages. Let me quickly show you those get messages. If I go to my server and say system description, query. So this is a get message. You will see get here: get response, get request and get response, and the trap message. I told you there are six message types. Here, so, get response, and get request, which I think I missed here. There is a get request as well.
So I say get request and they send me get response here. So get request, get response and trap message: three messages. You can use the set message as well, and there is the bulk message as well, if you want to get all the detail at once. I don’t think there is get bulk here. There is another SNMP tool with which you can get all the detail altogether. If you want to choose all and get the detail, for that purpose you can use it. So now I’m receiving, but in the real world it will be a good software which will show you the bandwidth, detail, everything. It will be visible. But the main thing, how to configure your side, is this part. So it was so easy, which unfortunately for some reason had stopped working. But choose the interface on which you want to send the SNMP. And the simple thing is: just go to System and click SNMP, put the detail, the extra description, and the SNMP version one/two detail, and that’s it. For SNMP version three there are three categories. To create, a username is required; it does not require a community. So I say user one. No authentication, authentication, and privacy: three types, privacy and no privacy. As I told you here, SNMP can be configured in three different ways: no authentication, no privacy; authentication, no privacy; and authentication, privacy, which I explained in five courses. So let me go directly and show you. If you don’t need it... let me see, I want authentication. Which authentication? I say MD5. What is the password? I say one, two, three. Change. Let me type one, two, three. Do you need privacy? So I say yes. Which privacy? AES, and I want to change the AES password as well. Where to send the traffic: 192, 100 and 6800. That’s the NMS server.
Again, query, send, and everything is similar to SNMP version one/two. Keep in mind: user one, MD5, AES, password is one, two, three. And okay, now my SNMP version three is configured with the third option, the more secure one. Now go to the SNMP server. Let me delete this one, because this is SNMP version one and two. Right click, Add Agent, Add Agent. This time 100 and 921-681-0234, which is the firewall IP, and choose version three. Look, version three is asking for a name; name means username. So I say user one. Authentication password was one, two, three. Privacy password, I put one, two, three. Authentication, I choose MD5, and privacy, I use AES. And okay. It shows here, so it’s okay. And okay, now let’s clear this one, because now it will come as version three. So let me clear this one, and now let’s do some changes and you will see this one.
So let me do it, but this time it will be encrypted. Look, encrypted. Up to this point it was version one and two. Now it says Encrypted PDU. Encrypted PDU: look, I cannot see anything. It’s SNMP version three now and all the traffic is encrypted now. But if you go one up, look: SNMP version two, and public is the key. This is the difference. All traffic will now go in encrypted form, and here I will receive it. OK, now let’s do some changes so that we can see. So what do we need to do? Go to Network, Interfaces, and change some interface’s description. So let me go there and change this to ABCD. And okay, so it will send an encrypted PDU as version three and we will receive it. So it’s still not sending, and let’s do some other changes, and hopefully we will receive some traffic here.
Okay, and let’s do some other changes. What to do? Let me go to System, and let me create a policy or something. So let me create a policy, LAN to port three. Now let’s see again. For some reason it’s taking time to receive the traffic. By the way, by now we have to receive the encrypted PDU and it will show you here, but it will be encrypted. It will show here, and it will be encrypted. So it’s taking time. Anyway, you can see now this will be like encrypted SNMP version three. Anything? Let me see if I missed something. So we did the SNMP agent, version one and two, community string. And you can use version three as well. Okay. And you can choose here and you will see the traffic. That’s the thing which you can verify.
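What the capture in this lecture shows (the community string public readable in version two, Encrypted PDU in version three) can also be checked in code. The following is an added example, not part of the lecture: a small Python BER reader that classifies an SNMP datagram by version and, for version three, by which of the three security levels its msgFlags declare. The function names and the two sample datagrams are constructed for illustration.

```python
PDU = ("get-request get-next-request get-response set-request "
       "trap-v1 get-bulk-request inform-request trap-v2").split()  # tags 0xA0..0xA7

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for the BER element at pos
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count the length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported BER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def classify(datagram):  # report what a capture of this datagram exposes
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg, 0)
    version = int.from_bytes(ver, "big")
    if version in (0, 1):                # v1/v2c: the community string is plain bytes
        _, community, pos = read_tlv(msg, pos)
        pdu_tag, _, _ = read_tlv(msg, pos)
        name = PDU[pdu_tag - 0xA0] if 0xA0 <= pdu_tag <= 0xA7 else hex(pdu_tag)
        return {"version": "v1" if version == 0 else "v2c",
                "community": community.decode("latin-1"), "pdu": name}
    if version != 3:
        raise ValueError("unknown SNMP version")
    _, header, pos = read_tlv(msg, pos)  # msgGlobalData
    _, _, hp = read_tlv(header, read_tlv(header, 0)[2])  # skip msgID, msgMaxSize
    _, flags, _ = read_tlv(header, hp)   # msgFlags: bit 0 = auth, bit 1 = priv
    if len(flags) != 1 or (flags[0] & 3) == 2:
        raise ValueError("invalid msgFlags")  # priv without auth is not allowed
    _, _, pos = read_tlv(msg, pos)       # msgSecurityParameters, skipped
    data_tag, _, _ = read_tlv(msg, pos)  # 0x04 = encryptedPDU, 0x30 = plaintext ScopedPDU
    level = ("noAuthNoPriv", "authNoPriv", None, "authPriv")[flags[0] & 3]
    return {"version": "v3", "level": level, "encrypted_pdu": data_tag == 0x04}

def tlv(tag, value):                     # short-form encoder for the constructed samples
    return bytes([tag, len(value)]) + value

# Constructed samples, not captures from the lecture's lab.
V2C_GET = tlv(0x30, tlv(2, b"\x01") + tlv(4, b"public") + tlv(0xA0,
    tlv(2, b"\x01") + tlv(2, b"\x00") + tlv(2, b"\x00") + tlv(0x30, tlv(0x30,
    tlv(6, bytes.fromhex("2b06010201010100")) + tlv(5, b"")))))   # get sysDescr.0
V3_TRAP = tlv(0x30, tlv(2, b"\x03") + tlv(0x30, tlv(2, b"\x01") + tlv(2, b"\x05\xdc")
    + tlv(4, b"\x03") + tlv(2, b"\x03")) + tlv(4, tlv(0x30, b"")) + tlv(4, bytes(16)))
```

Passing the UDP payload of a packet seen on port 161 or 162 to `classify` tells you whether a community string crossed the wire in the clear or whether the agent is really running at the authentication-plus-privacy level.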