Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
npariyar
Staff
Staff

Created on ‎03-15-2023 02:47 AM Edited on ‎10-03-2024 10:58 PM By Community Manager

Article Id 249192

Technical Tip: Adding Secondary SNMP server on FortiGate HA when VDOM is enabled

Description

This article describes how to add a secondary SNMP server on VDOM-enabled FortiGate and FortiGate is on HA.
Scope FortiGate v7.2.0.
Solution

Suppose that interface ‘mgmt’ is a management interface for Primary FortiGate with:

 

IP 10.10.10.2/24

Interface port1 with IP 10.1.248.250/24

 

Both interface 'mgmt' and 'port1' are part of root VDOM

 

If VDOM is enabled on the FortiGate on HA, there are two options to configure SNMP.

 

Option 1: Enable ha-direct.

Option 2: Without enabling ha-direct.

 

Note:

In both scenarios, SNMP must be enabled on the root VDOM.

 

Option 1: Enable ha-direct.

Management IP configured for HA will be used as a source/destination IP address. For the secondary SNMP server, it is possible to enable ha-direct too, then the interface IP address will be used as a source destination IP.

 

config system snmp community

    edit 1

        set name "SNMP-SERVER"

        config hosts

            edit 1

                set ip 10.10.10.100 255.255.255.255

                set ha-direct enable

            next

            edit 2

                set ip 192.168.100.1 255.255.255.255

                set ha-direct enable

            next

        end

        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure fm-if-change ha-member-up ha-member-down

    next

end

 

Option 2: Without enabling ha-direct.

Interface IP except HA management IP can be used as a source/destination IP address.

 

config system snmp community

    edit 1

        set name "SNMP-SERVER"

        config hosts

            edit 1

                set ip 10.10.10.100 255.255.255.255

               

            next

            edit 2

                set ip 192.168.100.1 255.255.255.25

            next

        end

        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure fm-if-change ha-member-up ha-member-down

    next

end

 

FGT1(root) # get router info routing-table details 192.168.100.1

Routing table for VRF=0
Routing entry for 192.168.100.1/32
Known via "static", distance 10, metric 0, best
* 10.254.254.2, via VDOM11

 

FGT1(root) # diagnose sniffer packet any 'host 192.168.100.1' 4 0 a
interfaces=[any]
filters=[host 192.168.100.1]
2023-03-03 10:29:39.974494 CL-AZ-TAP1 in 192.168.100.1.49199 -> 10.1.248.250.161: udp 62
2023-03-03 10:29:39.974525 CTemp-SP1_1 out 192.168.100.1.49199 -> 10.1.248.250.161: udp 62
2023-03-03 10:29:39.974536 CTemp-SP1_0 in 192.168.100.1.49199 -> 10.1.248.250.161: udp 62
2023-03-03 10:29:39.974593 ITCS-B1-TAP1_0 out 192.168.100.1.49199 -> 10.1.248.250.161: udp 62
2023-03-03 10:29:39.997285 ITCS-B1-TAP1_0 in 10.1.248.250.161 -> 192.168.100.1.49199: udp 73
2023-03-03 10:29:39.997353 CTemp-SP1_0 out 10.1.248.250.161 -> 192.168.100.1.49199: udp 73
2023-03-03 10:29:39.997364 CTemp-SP1_1 in 10.1.248.250.161 -> 192.168.100.1.49199: udp 73
2023-03-03 10:29:39.997381 CL-AZ-TAP1 out 10.1.248.250.161 -> 192.168.100.1.49199: udp 73

 

Related articles:

Technical Tip: FortiGate SNMP polling via the dedicated HA management port
Technical Tip: Configuring SNMP when VDOM is enabled
2001
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.