This article describes how to use SNMP to query FortiOS BIOS Security level.
Scope
FortiGate FortiOS 7.6.0.
Solution
In 7.6.0, SNMP support has been extended to report the BIOS Security Level: an SNMP query returns the current Security Level, and a change in Security Level triggers an SNMP trap.
The new OID is 1.3.6.1.4.1.12356.101.4.1.38; it is read-only.
Example:
SNMP command:
snmpwalk -v1 -c fortigate 10.56.240.96 1.3.6.1.4.1.12356.101.4.1.38

Result:
iso.3.6.1.4.1.12356.101.4.1.38.0 = Gauge32: 2
FGT CLI output:
get sys status
Version: FortiGate-VM64-KVM v7.6.0,build3401,240724 (GA.F)
First GA patch build date: 240724
Security Level: 2   --> matches the SNMP result above: Security Level is 2.
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
Proxy-IPS-DB: 6.00741(2015-12-01 02:30)
Proxy-IPS-ETDB: 6.00741(2015-12-01 02:30)
Proxy-APP-DB: 6.00741(2015-12-01 02:30)
FMWP-DB: 24.00070(2024-07-05 17:45)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
IoT-Detect: 0.00000(2022-08-17 17:31)
OT-Detect-DB: 0.00000(2001-01-01 00:00)
OT-Patch-DB: 0.00000(2001-01-01 00:00)
OT-Threat-DB: 6.00741(2015-12-01 02:30)
IPS-Engine: 7.01014(2024-07-02 21:57)
Serial-Number: FGVM02TM19005873
License Status: Valid
VM Resources: 1 CPU/2 allowed, 1994 MB RAM
Log hard disk: Available
Hostname: R2D2-kvm34
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 3401
Release Version Information: GA
FortiOS x86-64: Yes
System time: Mon Jul 29 17:51:46 2024
Last reboot reason: warm reboot
Limitation:
- Series older than G only support the SNMP query; they do not support the SNMP trap.
- G series with a physical hardware switch button support the SNMP trap, but the button must be pressed manually to trigger it.
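Because older models only answer the SNMP query and never send the trap, a change in Security Level on those units can only be noticed by polling the OID and comparing it against a recorded baseline. The script below is an added example, not part of the Fortinet article: it parses the snmpget/snmpwalk result line shown above, compares the value with a baseline, and reports a change. The community string, host, baseline file path and the helper names (parse_security_level, query_security_level, check_level, poll_and_compare) are assumptions chosen for this example; the OID and the sample result line are the ones from the article.

```shell
#!/bin/sh
# Added example: poll the FortiOS BIOS Security Level OID and flag a change.
# Intended for models that support the SNMP query but not the trap.

# OID from the article (read-only, Gauge32). The instance suffix .0 is appended for snmpget.
OID="1.3.6.1.4.1.12356.101.4.1.38"

# parse_security_level LINE
# Extracts the integer from a net-snmp result line such as
#   "iso.3.6.1.4.1.12356.101.4.1.38.0 = Gauge32: 2"
# Prints the level, or nothing if the line does not match.
parse_security_level() {
    printf '%s\n' "$1" | sed -n 's/.*= *Gauge32: *\([0-9][0-9]*\).*/\1/p'
}

# query_security_level COMMUNITY HOST
# Runs snmpget (net-snmp) against the device and prints the parsed level.
# Prints nothing if the query fails or returns an unexpected line.
query_security_level() {
    snmpget -v1 -c "$1" "$2" "${OID}.0" 2>/dev/null \
        | { IFS= read -r line; parse_security_level "$line"; }
}

# check_level BASELINE CURRENT
# Exit status: 0 unchanged, 1 changed, 2 no value available.
check_level() {
    baseline="$1"
    current="$2"
    if [ -z "$current" ]; then
        echo "ERROR: no Security Level value returned"
        return 2
    fi
    if [ "$current" != "$baseline" ]; then
        echo "ALERT: Security Level changed from $baseline to $current"
        return 1
    fi
    echo "OK: Security Level $current unchanged"
    return 0
}

# poll_and_compare COMMUNITY HOST BASELINE_FILE
# First run records the current level as the baseline; later runs compare against it.
# A change is reported and the baseline is updated so the alert fires once per change.
poll_and_compare() {
    community="$1"; host="$2"; baseline_file="$3"
    current=$(query_security_level "$community" "$host")
    if [ ! -f "$baseline_file" ]; then
        if [ -z "$current" ]; then
            echo "ERROR: cannot establish baseline for $host"
            return 2
        fi
        printf '%s\n' "$current" > "$baseline_file"
        echo "Baseline recorded for $host: Security Level $current"
        return 0
    fi
    baseline=$(cat "$baseline_file")
    check_level "$baseline" "$current"
    rc=$?
    [ "$rc" -eq 1 ] && printf '%s\n' "$current" > "$baseline_file"
    return "$rc"
}

# Constructed sample line in the same shape as the article's snmpwalk result.
SAMPLE='iso.3.6.1.4.1.12356.101.4.1.38.0 = Gauge32: 2'
```

Run poll_and_compare from cron (for example every few minutes) with the device's read-only community, its management address and a writable baseline file; the function exits non-zero exactly when a change is seen, so it drops straight into a monitoring wrapper. The parsing is isolated in parse_security_level so it can be checked against captured output without network access.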