2.3.1 Ensure only SNMPv3 is enabled

Information

Ensure that only the SNMPv3 service is enabled and that SNMPv1 and SNMPv2c are disabled.

SNMP Version 3 provides security enhancements that are not available in SNMP Version 1 or SNMP Version 2c. SNMP Versions 1 and 2c transmit data between the SNMP server and SNMP agent in clear text, including the community string that acts as the password. SNMP Version 3 adds authentication and privacy (encryption) options to secure protocol operations. Some firewalls need constant monitoring of their performance and status, especially when they are critical to operations. Enabling SNMPv3 ensures that the firewall can be monitored without exposing that traffic.

Solution

To enable the SNMP agent in the CLI:

FGT1 # config system snmp sysinfo
FGT1 (sysinfo) # set status enable
FGT1 (sysinfo) # end

In GUI, go to System > SNMP and enable SNMP Agent.

To delete SNMPv1/2c communities (in this example, the community "public") in the CLI:

FGT1 # config system snmp community
FGT1 (community) # delete public
FGT1 (community) # end
FGT1 #

In the GUI, go to:

System > SNMP, select the community and click on the Delete button.

To add an SNMPv3 user in the CLI:

FGT1 # config system snmp user
FGT1 (user) # edit "snmp_test"
FGT1 (snmp_test) # set security-level auth-priv
FGT1 (snmp_test) # set auth-proto sha256
FGT1 (snmp_test) # set auth-pwd xxxx
FGT1 (snmp_test) # set priv-proto aes256
FGT1 (snmp_test) # set priv-pwd xxxx
FGT1 (snmp_test) # end
FGT1 #

In the GUI, go to:

1. System > SNMP, under SNMPv3, click the "Create New" button.
2. Select "Authentication" and choose SHA256 as the Authentication Algorithm.
3. Click "Change" to type in the password.
4. Also select the "Private" option and choose AES256 as the Encryption Algorithm.
5. Click "Change" to set the encryption password. Click "OK" to add the new user.
6. Click "Apply" to write the new setting into the current config.
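The result of the procedure above can be checked against a saved configuration backup rather than by eye. The following Python audit script is an added example, not part of the benchmark or of FortiOS; it assumes a backup in the usual config / edit / set / next / end layout, with communities under "config system snmp community" and v3 users under "config system snmp user", and embeds a constructed excerpt that contains both a leftover "public" community and a user below the auth-priv / SHA256 / AES256 settings shown above.

```python
import shlex
# Constructed excerpt of a FortiGate config backup (not a real device export).
SAMPLE = """\
config system snmp community
    edit 1
        set name "public"
    next
end
config system snmp user
    edit "snmp_test"
        set security-level auth-priv
        set auth-proto sha256
        set priv-proto aes256
    next
    edit "legacy"
        set security-level auth-no-priv
    next
end
"""
def parse_sections(text):
    """Map each top-level 'config ...' block to {entry: {key: value}}."""
    sections, depth, section, entry = {}, 0, None, None
    for tok in filter(None, (shlex.split(ln) for ln in text.splitlines())):
        if tok[0] == "config":
            depth += 1
            if depth == 1:
                section = " ".join(tok[1:])
                sections[section] = {}
        elif tok[0] == "end":
            depth -= 1
        elif depth != 1:
            continue  # skip nested tables such as 'config hosts'
        elif tok[0] == "edit":
            entry = tok[1]
            sections[section][entry] = {}
        elif tok[0] == "set":
            sections[section].setdefault(entry, {})[tok[1]] = " ".join(tok[2:])
        elif tok[0] == "next":
            entry = None
    return sections

def audit_snmp(text):
    """Findings: any v1/v2c community, any v3 user below auth-priv/sha256/aes256."""
    cfg, findings = parse_sections(text), []
    for key, c in cfg.get("system snmp community", {}).items():
        findings.append(f"v1/v2c community present: {c.get('name', key)}")
    for name, u in cfg.get("system snmp user", {}).items():
        got = (u.get("security-level"), u.get("auth-proto"), u.get("priv-proto"))
        if got != ("auth-priv", "sha256", "aes256"):
            findings.append(f"v3 user {name} weaker than auth-priv/sha256/aes256")
    return findings
```

An empty list from audit_snmp means the backup shows no v1/2c community and every v3 user at the recommended level; run it on a real "execute backup config" export to verify the change after applying it.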

Impact:

Some older SNMP servers that only support SNMPv1 or SNMPv2c will no longer be able to query this firewall.

See Also

https://workbench.cisecurity.org/benchmarks/15284

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-6, 800-53|CM-7, 800-53|SC-23, CSCv7|11.5

Plugin: FortiGate

Control ID: 02b2a8ba05cd90af89bd3424d8620f2f5db622d953085f1dff76a10dd56f597d