Description
This article describes how to allow SNMP polling through the dedicated HA management interface.
Scope
FortiGate (v5.6 and above)
Solution
Configuration
In the example below, the network interface name of the dedicated HA management port is 'mgmt1'. (If trusted hosts are configured for the FortiGate admin users, the SNMP server IP must match at least one of those trusted hosts.) Configure the interface and the HA management settings:
config system interface
    edit "mgmt1"
        set ip 10.100.200.1 255.255.255.0
        set allowaccess ping https ssh snmp fgfm
        set dedicated-to management
    next
end
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface mgmt1
            set gateway 10.100.200.254
        next
    end
end
Configure SNMPv2 (the community name is set on the community entry, and 'ha-direct' on the host entry below it; 'set ha-direct disable' is the opposite setting):
config system snmp community
    edit 1
        set name "snmp_monitor"
        config hosts
            edit 1
                set ha-direct enable
                set ip 10.100.100.0 255.255.255.0
            next
        end
    next
end
Configure SNMPv3:
config system snmp user
    edit 1
        set ha-direct enable
        set ip 10.100.100.0 255.255.255.0
    next
end
If more than one HA management port is configured, a specific management port can be selected for SNMP communication.
In the configuration below, the 'dst' setting under entry 1 binds the SNMP server subnet 10.100.100.0/24 to the 'mgmt1' port, so 'mgmt1' is used for SNMP communication:
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface mgmt1
            set dst 10.100.100.0 255.255.255.0
            set gateway 10.100.200.254
        next
        edit 2
            set interface mgmt2
            set gateway 10.100.200.254
        next
    end
end
If the FortiGate is not running HA and there is no one-way traffic, disable ha-direct on the host entry with the following commands:
config system snmp community
    edit 1
        config hosts
            edit 1
                unset ha-direct
            next
        end
    next
end
=========================================================
Excerpt of snmpd debug output before 'ha-direct enable' is set (the request arrives via vsys_hamgmt and is rejected with 'host or intf mismatch'):
snmpd: <msg> 49 bytes 10.100.200.10:7414 -> 10.100.200.1/10.100.200.1:161 (itf 2.2)
snmpd: checking if community "snmp_monitor" is valid
snmpd: checking against community "snmp_monitor"
snmpd: request 2(vsys_hamgmt)/2/10.100.200.10 != comm 1/0/10.100.200.10/255.255.255.255
snmpd: host or intf mismatch
snmpd: failed to match community "snmp_monitor"
snmpd: </msg> 0
After 'set ha-direct enable' on the host entry under 'config system snmp community':
snmpd: <msg> 49 bytes 10.100.200.100:7414 -> 10.100.200.1/10.100.200.1:161 (itf 2.2)
snmpd: checking if community "snmp_monitor" is valid
snmpd: checking against community "snmp_monitor"
snmpd: request 2(vsys_hamgmt)/2/10.100.200.10 != comm 1/0/10.100.200.10/255.255.255.255
snmpd: matched community "snmp_monitor"
snmpd: </msg> 0
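The two excerpts above can be checked mechanically. The following Python script is added here as an example and is not part of the Fortinet article; it parses one snmpd <msg> block in the format shown above (the sample input is the "before" excerpt, embedded as a constructed string) and reports whether a request that arrived via vsys_hamgmt failed the host/interface check, which is the symptom that 'set ha-direct enable' addresses.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the "before" snmpd debug excerpt shown in this article.
DEBUG_BEFORE = """\
snmpd: <msg> 49 bytes 10.100.200.10:7414 -> 10.100.200.1/10.100.200.1:161 (itf 2.2)
snmpd: checking if community "snmp_monitor" is valid
snmpd: checking against community "snmp_monitor"
snmpd: request 2(vsys_hamgmt)/2/10.100.200.10 != comm 1/0/10.100.200.10/255.255.255.255
snmpd: host or intf mismatch
snmpd: failed to match community "snmp_monitor"
snmpd: </msg> 0
"""

MSG_RE = re.compile(r'<msg> \d+ bytes (\S+):\d+ -> (\S+)/\S+:\d+ \(itf (\S+)\)')
REQ_RE = re.compile(r'request \d+\((\w+)\)/\d+/\S+ != comm \d+/\d+/(\S+)/(\S+)')
RESULT_RE = re.compile(r'(matched|failed to match) community "([^"]+)"')

@dataclass
class SnmpdMsg:
    src_ip: str
    dst_ip: str
    itf: str
    vsys: str          # "vsys_hamgmt" means the request came in on the HA management interface
    comm_host: str     # host/mask the community's host entry is restricted to
    comm_mask: str
    community: str
    matched: bool
    reason: Optional[str]

def parse_snmpd_debug(text: str) -> SnmpdMsg:
    """Parse one <msg>...</msg> block of snmpd debug output into a structured record."""
    m, r, res = MSG_RE.search(text), REQ_RE.search(text), RESULT_RE.search(text)
    if not (m and r and res):
        raise ValueError("not a complete snmpd community-check excerpt")
    reason = "host or intf mismatch" if "host or intf mismatch" in text else None
    return SnmpdMsg(m.group(1), m.group(2), m.group(3), r.group(1), r.group(2), r.group(3),
                    res.group(2), res.group(1) == "matched", reason)

def diagnose(msg: SnmpdMsg) -> str:
    """A mismatch on a vsys_hamgmt request points at a host entry without 'set ha-direct enable'."""
    if msg.matched:
        return f"OK: {msg.src_ip} matched community {msg.community} on itf {msg.itf}"
    if msg.vsys == "vsys_hamgmt" and msg.reason:
        return (f"request from {msg.src_ip} arrived on the HA management interface (itf {msg.itf}) "
                f"but host {msg.comm_host}/{msg.comm_mask} of community {msg.community} rejected it: "
                "set ha-direct enable on that host entry")
    return f"request from {msg.src_ip} rejected: {msg.reason or 'unknown reason'}"
```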
Copyright 2024 Fortinet, Inc. All Rights Reserved.