2.3.2 Ensure only SNMPv3 is enabled - snmpv3 user exist

Information

Ensuring that only SNMPv3 service is enabled and SNMPv1, SNMPv2c are disabled.

Rationale:

SNMP Version 3 provides security enhancements that are not available in SNMP Version 1 or SNMP Version 2c. SNMP Versions 1 and 2c transmit data between the SNMP server and SNMP agent in clear text. SNMP Version 3 adds authentication and privacy options to secure protocol operations. Some firewalls need to be constantly monitored of its performance and status. Especially if the firewalls are critical to the operation. Enabling SNMPv3 will ensure that the firewall is monitored properly.

Impact:

Some older SNMP server that only run SNMPv1 or SNMPv2C will not be able to query to this firewall.

Solution

To enable SNMP agent
in CLI

FGT1 # config system snmp sysinfo
FGT1 (sysinfo) # set status enable
FGT1 (sysinfo) # end

In GUI, go to System -> SNMP and enable SNMP Agent.
To delete SNMPv1/2c communities
In this example, we'll delete community 'public'
in CLI

FGT1 # config system snmp community
FGT1 (community) # delete public
FGT1 (community) # end
FGT #

In the GUI, go to System -> SNMP, select the community and click on the Delete button.
To add SNMPv3 User
in CLI

FGT1 # config system snmp user
FGT1 (user) # edit 'snmp_test'
FGT1 (snmp_test) # set security-level auth-priv
FGT1 (snmp_test) # set auth-proto sha256
FGT1 (snmp_test) # set auth-pwd xxxx
FGT1 (snmp_test) # set priv-proto aes256
FGT1 (snmp_test) # set priv_pwd xxxx
FGT1 (snmp_test) # end
FGT1 #

In the GUI, go to System -> SNMP, under SNMPv3, click on 'Create New' button. Select 'Authentication' and choose SHA256 as Authentication algorithm. Click 'Change' to type in the password. ALso select option 'Private', choose AES256 as Encryption Algorithm. Click on Change to change the password. Click 'OK' to add the new user. Click apply to apply the new setting into the current config.

Default Value:

By default, SNMP agent is disabled.

See Also

https://workbench.cisecurity.org/files/4077

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-6, 800-53|CM-7, 800-53|SC-23, CSCv7|11.5

Plugin: FortiGate

Control ID: cbf82b242d21b84e516d5ce2b6c4611d01e7432c49b5e0f5a1e9075516949093