TECHNICAL DATA SHEET
13.3.3 Test plan: The tests performed on the application were:
Table 9: Fortinet MIBs

MIB file name or RFC: Description

FORTINET-CORE-MIB.mib: The Fortinet MIB includes all system configuration information and trap information that is common to all Fortinet products. Your SNMP manager requires this information to monitor FortiGate unit configuration settings and receive traps from the FortiGate SNMP agent.

FORTINET-FORTIGATE-MIB.mib: The FortiGate MIB includes all system configuration information and trap information that is specific to FortiGate units. Your SNMP manager requires this information to monitor FortiGate configuration settings and receive traps from the FortiGate SNMP agent. FortiManager systems require this MIB to monitor FortiGate units.

RFC-1213 (MIB II): The FortiGate SNMP agent supports MIB II groups with these exceptions:
• No support for the EGP group from MIB II (RFC 1213, sections 3.11 and 6.10).
• Protocol statistics returned for MIB II groups (IP/ICMP/TCP/UDP/etc.) do not accurately capture all FortiGate traffic activity. More accurate information can be obtained from the information reported by the Fortinet MIB.

RFC-2665 (Ethernet-like MIB): The FortiGate SNMP agent supports Ethernet-like MIB information. FortiGate SNMP does not support the dot3Tests and dot3Errors groups.

Normally, to get configuration and status information for a FortiGate unit, an SNMP manager would use SNMP get commands to get the information in a MIB field. The SNMP get command syntax would be similar to:
snmpget -v2c -c <community_name> <address_ipv4> {<OID> | <MIB_field>}
where:
<community_name> is an SNMP community name added to the FortiGate configuration. You can add more than one community name to a FortiGate SNMP configuration. The most commonly used community name is public.
<address_ipv4> is the IP address of the FortiGate interface that the SNMP manager connects to.
{<OID> | <MIB_field>} is the object identifier (OID) for the MIB field or the MIB field name itself.
The following SNMP get commands get the firmware version running on the FortiGate unit. The community name is public. The IP address of the interface configured for SNMP management access is 10.10.10.1. The firmware version MIB field is fgSysVersion and the OID for this MIB field is 1.3.6.1.4.1.12356.101.4.1.1. The first command uses the MIB field name and the second uses the OID:
snmpget -v2c -c public 10.10.10.1 fgSysVersion.0
snmpget -v2c -c public 10.10.10.1 1.3.6.1.4.1.12356.101.4.1.1.0
The OIDs and object names used in these examples are dependent on the version of the MIB and are subject to change.
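What the snmpget command above puts on the wire, as an added example that is not from the FortiGate guide: a stdlib-only Python encoder and decoder for the SNMPv2c GetRequest that snmpget sends for fgSysVersion.0 and the GetResponse the agent returns. The OID is the one from the guide; the request-id, the community name and the firmware string in the constructed reply are assumptions, and no device is contacted.

```python
FG_SYS_VERSION = "1.3.6.1.4.1.12356.101.4.1.1.0"   # fgSysVersion.0, the OID from the guide
def _tlv(tag, body):
    assert len(body) < 0x80, "short-form BER length only; these messages stay well under 128 bytes"
    return bytes([tag, len(body)]) + body
def _int(v):
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def encode_oid(oid):
    """Dotted OID -> BER OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while (a := a >> 7):
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_message(community, oid, request_id, pdu_tag=0xA0, value=b"\x05\x00"):
    """0xA0 = GetRequest (what snmpget sends; value slot is NULL), 0xA2 = GetResponse from the agent."""
    varbind = _tlv(0x30, encode_oid(oid) + value)
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)   # version field 1 means v2c

def _children(body):
    """Split a constructed BER element's body into a list of (tag, body) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, ln = body[pos], body[pos + 1]
        assert ln < 0x80, "long-form length not handled here"
        out.append((tag, body[pos + 2:pos + 2 + ln]))
        pos += 2 + ln
    return out
def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def parse_message(msg):
    """Community, PDU type, request-id, error-status and the first varbind of a v2c message."""
    (_, _), (_, comm), (tag, pdu) = _children(_children(msg)[0][1])   # version, community, PDU
    (_, rid), (_, err), _, (_, vbl) = _children(pdu)                    # third child is error-index
    (_, oidb), (_, val) = _children(_children(vbl)[0][1])               # first varbind: OID + value
    return {"community": comm.decode(), "pdu": tag, "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True), "oid": decode_oid(oidb), "value": val}
# Constructed reply to the guide's example query; the version string is made up, not real firmware.
SAMPLE_RESPONSE = build_message("public", FG_SYS_VERSION, 42, 0xA2, _tlv(0x04, b"v5.0,build0001,example"))
```

A real snmpget sends build_message(...) in one UDP datagram to port 161 and feeds the datagram it gets back to parse_message; the community string travels in clear text, which is why v2c is usually restricted to a management interface.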
Page 153
VLANs
Virtual Local Area Networks (VLANs) multiply the capabilities of your FortiGate unit, and can also provide added network security. Virtual LANs (VLANs) use ID tags to logically separate devices on a network into smaller broadcast domains. These smaller domains forward packets only to devices that are part of that VLAN domain. This reduces traffic and increases network security.
A Local Area Network (LAN) is a group of connected computers and devices that are arranged into network broadcast domains. A LAN broadcast domain includes all the computers that receive a packet broadcast from any computer in that broadcast domain. A switch will automatically forward the packets to all of its ports; in contrast, routers do not automatically forward network broadcast packets. This means routers separate broadcast domains. If a network has only switches and no routers, that network is considered one broadcast domain, no matter how large or small it is. Smaller broadcast domains are more efficient because fewer devices receive unnecessary packets. They are more secure as well because a hacker reading traffic on the network will have access to only a small portion of the network instead of the entire network’s traffic.
Virtual LANs (VLANs) use ID tags to logically separate a LAN into smaller broadcast domains. Each VLAN is its own broadcast domain. Smaller broadcast domains reduce traffic and increase network security. The IEEE 802.1Q standard defines VLANs. All layer-2 and layer-3 devices along a route must be 802.1Q-compliant to support VLANs along that route. For more information, see “VLAN switching and routing” on page 154 and “VLAN layer-3 routing” on page 157.
VLANs reduce the size of the broadcast domains by only forwarding packets to interfaces that are part of that VLAN or part of a VLAN trunk link. Trunk links form switch-to-switch or switch-to-router connections, and forward traffic for all VLANs. This enables a VLAN to include devices that are part of the same broadcast domain, but physically distant from each other. VLAN ID tags consist of a 4-byte frame extension that switches and routers apply to every packet sent and received in the VLAN. Workstations and desktop computers, which are commonly originators or destinations of network traffic, are not an active part of the VLAN process. All the VLAN tagging and tag removal is done after the packet has left the computer. For more information, see “VLAN ID rules” on page 154.
Any FortiGate unit without VDOMs enabled can have a maximum of 255 interfaces in transparent operating mode. The same is true for any single VDOM. In NAT mode, the number can range from 255 to 8192 interfaces per VDOM, depending on the FortiGate model. These numbers include VLANs, other virtual interfaces, and physical interfaces. To have more than 255 interfaces configured in transparent operating mode, you need to configure multiple VDOMs that enable you to divide the total number of interfaces over all the VDOMs.
One example of an application of VLANs is a company’s accounting department. Accounting computers may be located at both main and branch offices. However, accounting computers need to communicate with each other frequently and require increased security. VLANs allow the accounting network traffic to be sent only to accounting computers and to connect accounting computers in different locations as if they were on the same physical subnet. This guide uses the term “packet” to refer to both layer-2 frames and layer-3 packets.
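The tagging, tag removal and VLAN-scoped forwarding described above, as an added example that is not from the FortiGate guide: a Python sketch of the 4-byte 802.1Q tag that switches insert after a frame leaves the host, and of the rule that a broadcast reaches only ports in the same VLAN or on a trunk. The frame, port names and VLAN memberships are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q-tagged frame

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the source MAC, as a switch does on ingress."""
    if not 1 <= vid <= 4094:                     # VIDs 0 and 4095 are reserved by 802.1Q
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vid                      # Tag Control Info: PCP(3) | DEI(1)=0 | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_tag(frame: bytes):
    """Return (vid, pcp) if the frame carries an 802.1Q tag, else None."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, tci >> 13

def untag_frame(frame: bytes) -> bytes:
    """Strip the tag before delivery to an end host; workstations never see VLAN tags."""
    return frame[:12] + frame[16:] if parse_tag(frame) else frame

def egress_ports(frame: bytes, ingress: str, access: dict, trunks: set) -> list:
    """Broadcast forwarding rule: only access ports in the frame's VLAN, plus trunk ports."""
    tag = parse_tag(frame)
    vid = tag[0] if tag else access[ingress]     # untagged host traffic takes its access port's VLAN
    return sorted(p for p in set(access) | trunks
                  if p != ingress and (p in trunks or access[p] == vid))

# Constructed sample: a broadcast frame from a host (dst MAC, src MAC, EtherType ARP, padding).
HOST_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\x00" * 28
ACCESS = {"port1": 10, "port2": 10, "port3": 20}   # assumed access-port VLAN membership
TRUNKS = {"port8"}                                   # assumed trunk link carrying all VLANs
```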