FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
npariyar
Staff
Staff
Article Id 249192
Description

This article describes how to add a secondary SNMP server on VDOM-enabled FortiGate and FortiGate is on HA.

Scope FortiGate v7.2.0.
Solution

Suppose that interface ‘mgmt’ is a management interface for Primary FortiGate with:

 

IP 10.10.10.2/24

Interface port1 with IP 10.1.248.250/24

 

Both interface 'mgmt' and 'port1' are part of root VDOM

 

If VDOM is enabled on the FortiGate on HA, there are two options to configure SNMP.

 

Option 1: Enable ha-direct.

Option 2: Without enabling ha-direct.

 

Note:

In both scenarios, SNMP must be enabled on the root VDOM.

 

Option 1: Enable ha-direct.

Management IP configured for HA will be used as a source/destination IP address. For the secondary SNMP server, it is possible to enable ha-direct too, then the interface IP address will be used as a source destination IP.

 

config system snmp community

    edit 1

        set name "SNMP-SERVER"

        config hosts

            edit 1

                set ip 10.10.10.100 255.255.255.255

                set ha-direct enable

            next

            edit 2

                set ip 192.168.100.1 255.255.255.255

                set ha-direct enable

            next

        end

        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure fm-if-change ha-member-up ha-member-down

    next

end

 

Option 2: Without enabling ha-direct.

Interface IP except HA management IP can be used as a source/destination IP address.

 

config system snmp community

    edit 1

        set name "SNMP-SERVER"

        config hosts

            edit 1

                set ip 10.10.10.100 255.255.255.255

               

            next

            edit 2

                set ip 192.168.100.1 255.255.255.25

            next

        end

        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure fm-if-change ha-member-up ha-member-down

    next

end

 

FGT1(root) # get router info routing-table details 192.168.100.1

Routing table for VRF=0
Routing entry for 192.168.100.1/32
Known via "static", distance 10, metric 0, best
* 10.254.254.2, via VDOM11

 

FGT1(root) # diagnose sniffer packet any 'host 192.168.100.1' 4 0 a
interfaces=[any]
filters=[host 192.168.100.1]
2023-03-03 10:29:39.974494 CL-AZ-TAP1 in 192.168.100.1.49199 -> 10.1.248.250.161: udp 62
2023-03-03 10:29:39.974525 CTemp-SP1_1 out 192.168.100.1.49199 -> 10.1.248.250.161: udp 62
2023-03-03 10:29:39.974536 CTemp-SP1_0 in 192.168.100.1.49199 -> 10.1.248.250.161: udp 62
2023-03-03 10:29:39.974593 ITCS-B1-TAP1_0 out 192.168.100.1.49199 -> 10.1.248.250.161: udp 62
2023-03-03 10:29:39.997285 ITCS-B1-TAP1_0 in 10.1.248.250.161 -> 192.168.100.1.49199: udp 73
2023-03-03 10:29:39.997353 CTemp-SP1_0 out 10.1.248.250.161 -> 192.168.100.1.49199: udp 73
2023-03-03 10:29:39.997364 CTemp-SP1_1 in 10.1.248.250.161 -> 192.168.100.1.49199: udp 73
2023-03-03 10:29:39.997381 CL-AZ-TAP1 out 10.1.248.250.161 -> 192.168.100.1.49199: udp 73

 

Related articles:

Technical Tip: FortiGate SNMP polling via the dedicated HA management port
Technical Tip: Configuring SNMP when VDOM is enabled