FortiGate
npariyar
Staff
Article Id 249192
Description

This article describes how to add a secondary SNMP server on a VDOM-enabled FortiGate that is part of an HA cluster.

Scope

FortiGate v7.2.0.

Solution

Suppose that the primary FortiGate has the following interfaces:

Interface 'mgmt' (the management interface) with IP 10.10.10.2/24

Interface 'port1' with IP 10.1.248.250/24

Both 'mgmt' and 'port1' are part of the root VDOM.

 

When VDOMs are enabled on a FortiGate in HA, there are two options for configuring SNMP.

 

Option 1: Enable ha-direct.

Option 2: Without enabling ha-direct.

 

Note: In both scenarios, SNMP must be enabled on the root VDOM.

 

Option 1: Enable ha-direct.

With ha-direct enabled, the management IP configured for HA is used as the source/destination IP address. ha-direct can also be disabled for the secondary SNMP server, in which case the interface IP address is used as the source/destination IP.

 

# config system snmp community
    edit 1
        set name "SNMP-SERVER"
        config hosts
            edit 1
                set ip 10.10.10.100 255.255.255.255
                set ha-direct enable
            next
            edit 2
                set ip 192.168.100.1 255.255.255.255
                set ha-direct enable
            next
        end
        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure fm-if-change ha-member-up ha-member-down
    next
end

 

Option 2: Without enabling ha-direct.

Any interface IP address other than the HA management IP can be used as the source/destination IP address.

 

# config system snmp community
    edit 1
        set name "SNMP-SERVER"
        config hosts
            edit 1
                set ip 10.10.10.100 255.255.255.255
            next
            edit 2
                set ip 192.168.100.1 255.255.255.255
            next
        end
        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure fm-if-change ha-member-up ha-member-down
    next
end

 

FGT1(root) # get router info routing-table details 192.168.100.1

Routing table for VRF=0
Routing entry for 192.168.100.1/32
Known via "static", distance 10, metric 0, best
* 10.254.254.2, via VDOM11

 

FGT1(root) # diagnose sniffer packet any 'host 192.168.100.1' 4 0 a
interfaces=[any]
filters=[host 192.168.100.1]
2023-03-03 10:29:39.974494 CL-AZ-TAP1 in 192.168.100.1.49199 -> 10.1.248.250.161: udp 62
2023-03-03 10:29:39.974525 CTemp-SP1_1 out 192.168.100.1.49199 -> 10.1.248.250.161: udp 62
2023-03-03 10:29:39.974536 CTemp-SP1_0 in 192.168.100.1.49199 -> 10.1.248.250.161: udp 62
2023-03-03 10:29:39.974593 ITCS-B1-TAP1_0 out 192.168.100.1.49199 -> 10.1.248.250.161: udp 62
2023-03-03 10:29:39.997285 ITCS-B1-TAP1_0 in 10.1.248.250.161 -> 192.168.100.1.49199: udp 73
2023-03-03 10:29:39.997353 CTemp-SP1_0 out 10.1.248.250.161 -> 192.168.100.1.49199: udp 73
2023-03-03 10:29:39.997364 CTemp-SP1_1 in 10.1.248.250.161 -> 192.168.100.1.49199: udp 73
2023-03-03 10:29:39.997381 CL-AZ-TAP1 out 10.1.248.250.161 -> 192.168.100.1.49199: udp 73
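
The following is an added example, not part of the original article or any Fortinet tooling: a Python script that parses sniffer output in the format shown above and checks that an SNMP manager polled the expected FortiGate address (the port1 IP 10.1.248.250 in this capture) and got a reply. The names `snmp_flows` and `check_poll` are hypothetical, and `SAMPLE` holds four lines copied from the capture above.

```python
import re
from collections import defaultdict

# Four lines copied from the capture above (request and reply, two hops each).
SAMPLE = """\
2023-03-03 10:29:39.974494 CL-AZ-TAP1 in 192.168.100.1.49199 -> 10.1.248.250.161: udp 62
2023-03-03 10:29:39.974593 ITCS-B1-TAP1_0 out 192.168.100.1.49199 -> 10.1.248.250.161: udp 62
2023-03-03 10:29:39.997285 ITCS-B1-TAP1_0 in 10.1.248.250.161 -> 192.168.100.1.49199: udp 73
2023-03-03 10:29:39.997381 CL-AZ-TAP1 out 10.1.248.250.161 -> 192.168.100.1.49199: udp 73
"""

# <date> <time> <interface> <in|out> <src ip>.<port> -> <dst ip>.<port>: udp <len>
LINE = re.compile(
    r"^\S+ \S+ (?P<ifc>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): udp \d+$")

def snmp_flows(text, snmp_port=161):
    """Group sniffer lines by (manager IP, manager port, polled FortiGate IP)."""
    flows = defaultdict(lambda: {"requests": 0, "responses": 0, "path": []})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header lines such as interfaces=[any]
        sport, dport = int(m["sport"]), int(m["dport"])
        if dport == snmp_port:      # manager -> FortiGate
            key, kind = (m["src"], sport, m["dst"]), "requests"
        elif sport == snmp_port:    # FortiGate -> manager
            key, kind = (m["dst"], dport, m["src"]), "responses"
        else:
            continue
        flows[key][kind] += 1       # counts sniffer lines, one per interface hop
        flows[key]["path"].append((m["ifc"], m["dir"]))
    return dict(flows)

def check_poll(text, manager, expected_ip):
    """Return findings for one SNMP manager; an empty list means the poll looks right."""
    findings, seen = [], False
    for (mgr, _port, agent), flow in snmp_flows(text).items():
        if mgr != manager:
            continue
        seen = True
        if agent != expected_ip:
            findings.append(f"{mgr} polled {agent}, expected {expected_ip}")
        if flow["responses"] == 0:
            findings.append(f"no SNMP response from {agent} to {mgr}")
    if not seen:
        findings.append(f"no SNMP traffic from {manager}")
    return findings

if __name__ == "__main__":
    print(check_poll(SAMPLE, "192.168.100.1", "10.1.248.250") or "OK")
```

Because the sniffer runs on interface `any`, each packet is listed once per interface it crosses, so the request and response counters are line counts rather than packet counts.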

 

Related articles:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-SNMP-polling-via-the-dedicated-H...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SNMP-when-VDOM-is-enabled/ta-p...
