Description
This article describes how to add a secondary SNMP server on a VDOM-enabled FortiGate that is part of an HA cluster.
Scope
FortiGate v7.2.0.
Solution
Suppose that interface 'mgmt' is the management interface of the primary FortiGate, with IP 10.10.10.2/24, and that interface 'port1' has IP 10.1.248.250/24.
Both interfaces, 'mgmt' and 'port1', are part of the root VDOM.
If VDOMs are enabled on a FortiGate in HA, there are two options to configure SNMP:
Option 1: Enable ha-direct.
Option 2: Without enabling ha-direct.
Note: In both scenarios, SNMP must be enabled on the root VDOM.
Option 1: Enable ha-direct.
The management IP configured for HA will be used as the source/destination IP address. It is possible to enable ha-direct for the secondary SNMP server too; the interface IP address will then be used as the source/destination IP. Since the HA management interface configuration does not sync, SNMP has to be enabled on the interface manually on all the devices in the cluster.
SNMP v1/v2:
config system snmp community
    edit 1
        set name "SNMP-SERVER"
        config hosts
            edit 1
                set ip 10.10.10.100 255.255.255.255
                set ha-direct enable
            next
            edit 2
                set ip 192.168.100.1 255.255.255.255
                set ha-direct enable
            next
        end
        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure fm-if-change ha-member-up ha-member-down
    next
end
SNMP v3:
config system snmp user
    edit "snmp-server"
        set ip 10.10.10.100 255.255.255.255
        set ha-direct enable
    next
    edit "snmp-server2"
        set ip 192.168.100.1 255.255.255.255
        set ha-direct enable
    next
end
Option 2: Without enabling ha-direct.
Any interface IP other than the HA management IP can be used as the source/destination IP address.
SNMP v1/v2:
config system snmp community
    edit 1
        set name "SNMP-SERVER"
        config hosts
            edit 1
                set ip 10.10.10.100 255.255.255.255
            next
            edit 2
                set ip 192.168.100.1 255.255.255.255
            next
        end
        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure fm-if-change ha-member-up ha-member-down
    next
end
SNMP v3:
config system snmp user
    edit "snmp-server"
        set ip 10.10.10.100 255.255.255.255
    next
    edit "snmp-server2"
        set ip 192.168.100.1 255.255.255.255
    next
end
FGT1(root) # get router info routing-table details 192.168.100.1
Routing table for VRF=0
FGT1(root) # diagnose sniffer packet any 'host 192.168.100.1' 4 0 a
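Added example (not part of the original article and not Fortinet tooling): a small Python check that parses a saved "config system snmp community" or "config system snmp user" block, lists each SNMP host with its ha-direct setting, and flags a malformed netmask before the configuration is pushed to the cluster. The sample text and the function names valid_mask and snmp_hosts are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample modelled on the community block above; host 2 has a bad mask.
SAMPLE = """
config system snmp community
    edit 1
        config hosts
            edit 1
                set ip 10.10.10.100 255.255.255.255
                set ha-direct enable
            next
            edit 2
                set ip 192.168.100.1 255.255.255.25
            next
        end
    next
end
"""

def valid_mask(mask):
    """True only for a contiguous IPv4 netmask such as 255.255.255.255."""
    try:
        inv = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    except ValueError:
        return False
    return (inv & (inv + 1)) == 0

def snmp_hosts(text):
    """Return one dict per SNMP host (community 'config hosts') or SNMP user entry."""
    hosts, stack, cur = [], [], None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:
            stack.pop()
        elif tok[0] == "edit" and stack and stack[-1] in ("hosts", "system snmp user"):
            cur = {"id": tok[1], "ip": None, "mask_ok": False, "ha_direct": False}
        elif tok[0] == "set" and cur is not None and len(tok) > 2:
            if tok[1] == "ip":
                cur["ip"] = tok[2]
                cur["mask_ok"] = valid_mask(tok[3] if len(tok) > 3 else "")
            elif tok[1] == "ha-direct":
                cur["ha_direct"] = tok[2] == "enable"
        elif tok[0] == "next" and cur is not None:
            hosts.append(cur)
            cur = None
    return hosts
```

Calling snmp_hosts(SAMPLE) returns two entries; the second has mask_ok set to False, and the ha_direct flags show at a glance whether the hosts follow Option 1 or Option 2.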