FortiGate
asostizzo_FTNT

Description

When FortiController High Availability is configured, SNMP queries meant for the secondary FortiController in slot #2 have to be relayed by the primary FortiController over the base management channel. If the IP address of the primary FortiController's internal base interface is not in the SNMP community's hosts list on the secondary FortiController, the relayed SNMP queries are dropped and not processed.


Solution

The internal IP that has to be added to the SNMP trusted hosts list can be determined, and then added to the configuration, as in the following example.

1.  Identify the subnet for the base-mgmt-internal-network:
# config load-balance setting
# show
...
    set base-mgmt-internal-network 169.254.7.0 255.255.255.0    <----
    set base-mgmt-external-ip 10.10.10.245 255.255.255.240
    set base-mgmt-internal-snmp-port 161
...
# end

2.  From the configuration above, the system will automatically assign the following IPs to the "sg1_mgmt" internal base management interfaces of the FortiController units:
Master (slot1) FortiController: 169.254.7.15
Backup (slot2) FortiController: 169.254.7.16

3.  Add the master's internal base management interface IP to the SNMP hosts list:
# config system snmp community
# edit <id>
# config hosts
# edit <id>
# set host-type any
# set ip 169.254.7.15 255.255.255.255
# end
# end

4.  SNMP queries can now be sent to the primary FortiController's (slot1) 'base-mgmt-external-ip' (10.10.10.245 in this example), UDP port 16102.

Note: Appending '02' to the SNMP port number 161 (giving 16102) tells the system to relay the query to the slot #2 system.
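As an added illustration of the check described above (a constructed model written for this article, not Fortinet's code), the following Python parses the secondary's SNMP hosts list from a sample config in the CLI format used here and tests whether a relayed query sourced from the primary's internal base IP (169.254.7.15) is accepted; the NMS address 10.10.10.100 is an assumed sample value.

```python
import ipaddress

# Constructed excerpt of the secondary FortiController's SNMP community config
# (sample values). Entry 1 is an assumed NMS host; entry 2 is the primary's
# internal base-mgmt IP that step 3 of the procedure adds.
SNMP_COMMUNITY_CONFIG = """
config system snmp community
    edit 1
        config hosts
            edit 1
                set host-type any
                set ip 10.10.10.100 255.255.255.255
            next
            edit 2
                set host-type any
                set ip 169.254.7.15 255.255.255.255
            next
        end
    next
end
"""

def parse_trusted_hosts(config_text):
    """Return [(network, host_type)] for each entry under 'config hosts'."""
    hosts, in_hosts, net, host_type = [], False, None, "any"
    for line in config_text.splitlines():
        words = line.split()
        if words[:2] == ["config", "hosts"]:
            in_hosts = True
        elif not in_hosts:
            continue
        elif words[:1] == ["edit"]:
            net, host_type = None, "any"  # host-type defaults to 'any'
        elif words[:2] == ["set", "host-type"]:
            host_type = words[2]
        elif words[:2] == ["set", "ip"] and len(words) == 4:
            net = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
        elif words == ["next"] and net is not None:
            hosts.append((net, host_type))
        elif words == ["end"]:
            in_hosts = False
    return hosts

def query_accepted(source_ip, hosts):
    """Processed only if the source matches an entry allowing queries ('any'/'query')."""
    src = ipaddress.ip_address(source_ip)
    return any(src in net and kind in ("any", "query") for net, kind in hosts)

def relay_port_for_slot2(base_port=161):
    """Port on the primary's base-mgmt-external-ip that relays to slot #2 (16102)."""
    return int(f"{base_port}02")
```

Dropping entry 2 from the parsed list (the state before step 3) makes the same relayed query fail the check, which is the drop behaviour the description explains.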

Related Articles

Technical Note: How to configure SNMP polling on FortiController and worker blades with SLBC