2.3.2 Allow only trusted hosts in SNMPv3

Information

Ensuring that only certain hosts are able to conduct SNMP GET or receive SNMP Trap.

SNMP offers rich information that can be useful for reconnaissance activity. Hence, limiting this information to only relevant devices such as NMS (Network Monitoring System) or other SNMP servers is necessary.

Solution

To remove 0.0.0.0 from trusted hosts in CLI:

FGT1 # config system snmp user
FGT1 (user) # edit "snmp_test"
FGT1 (snmp_test) # unselect notify-hosts 0.0.0.0
FGT1 (snmp_test) # end
FGT1 #

From GUI:

1. System > SNMP.
2. On SNMPv3 section, double click on the configured SNMPv3 settings.
3. Remove 0.0.0.0 from "Hosts" option.

See Also

https://workbench.cisecurity.org/benchmarks/15284

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-6, 800-53|CM-7, 800-53|SC-23, CSCv7|11.1, CSCv7|12.2

Plugin: FortiGate

Control ID: 8dfe5caaf6bf71ddec9f5262fda7b69ab2c97d24a3e96f1c4b377086042f5b13