FortiGate
rmetzger
Staff
Article Id 196034

Description


This article describes how to allow SNMP polling through the dedicated HA management interface.

 

Scope

 

FortiGate v5.6 and above.


Solution

 

Configuration:

In the example below, the dedicated HA management port is the interface named 'mgmt1'. If trusted hosts are configured on the FortiGate administrator accounts, the SNMP server's IP address must also match at least one of those trusted hosts.

 

config system interface

    edit "mgmt1"

        set ip 10.100.200.1 255.255.255.0

        set allowaccess ping https ssh snmp fgfm

        set dedicated-to management

    next

end


config system ha

    set ha-mgmt-status enable

        config ha-mgmt-interfaces

            edit 1

                set interface mgmt1

                set gateway 10.100.200.254

            next

        end

    set ha-direct enable

end

 

Configure SNMPv2:

 

config system snmp community

    edit 1

        config hosts

            edit 1

                set name "snmp_monitor"

                set ha-direct enable

                set ip 10.100.100.0 255.255.255.0

            next

        end

    next

end

 

Configure SNMPv3:

 

config system snmp user

    edit 1

        set ha-direct enable

        set ip 10.100.100.0 255.255.255.0

    next

end
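The three CLI blocks above have to agree with each other before a poll succeeds: the management interface must allow snmp and be dedicated to management, 'system ha' must list it under 'ha-mgmt-interfaces', and the community (or SNMPv3 user) host entry must both cover the poller's address and carry 'set ha-direct enable'. The following Python is an added example, not Fortinet's code: it parses FortiOS-style 'config/edit/set/next/end' text into nested dictionaries and then checks exactly those requirements for a given poller address. The sample configuration is the article's own; the poller address 10.100.100.25 and the check names are assumptions for the demonstration.

```python
import ipaddress
import shlex
from typing import Dict, List

# Constructed sample input: the article's CLI blocks for the dedicated HA
# management port, the HA settings and the SNMPv2 community, as 'show' prints them.
SAMPLE_CONFIG = """\
config system interface
    edit "mgmt1"
        set ip 10.100.200.1 255.255.255.0
        set allowaccess ping https ssh snmp fgfm
        set dedicated-to management
    next
end
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface mgmt1
            set gateway 10.100.200.254
        next
    end
    set ha-direct enable
end
config system snmp community
    edit 1
        config hosts
            edit 1
                set name "snmp_monitor"
                set ha-direct enable
                set ip 10.100.100.0 255.255.255.0
            next
        end
    next
end
"""


def parse_fortios(text: str) -> Dict:
    """Turn config/edit/set/unset/next/end into nested dicts; 'set' keeps its tokens as a list."""
    root: Dict = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # strips the quotes around "mgmt1" etc.
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd == "unset":
            stack[-1].pop(args[0], None)
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def check_ha_mgmt_snmp(cfg: Dict, poller_ip: str) -> List[str]:
    """Report what would stop SNMP polling of the HA management port from poller_ip.

    Checks only what the article requires: ha-mgmt-status on, the management
    interface allowing snmp and dedicated to management, and a community host
    entry that covers the poller and has ha-direct enabled (assumed rule set).
    """
    problems: List[str] = []
    ha = cfg.get("system ha", {})
    if ha.get("ha-mgmt-status") != ["enable"]:
        problems.append("system ha: ha-mgmt-status is not enabled")
    mgmt_names = [e["interface"][0] for e in ha.get("ha-mgmt-interfaces", {}).values() if "interface" in e]
    if not mgmt_names:
        problems.append("system ha: no ha-mgmt-interfaces entry")
    for name in mgmt_names:
        itf = cfg.get("system interface", {}).get(name, {})
        if "snmp" not in itf.get("allowaccess", []):
            problems.append(f"interface {name}: allowaccess lacks snmp")
        if itf.get("dedicated-to") != ["management"]:
            problems.append(f"interface {name}: not dedicated-to management")
    src = ipaddress.ip_address(poller_ip)
    covered = False
    for cid, comm in cfg.get("system snmp community", {}).items():
        for hid, host in comm.get("hosts", {}).items():
            if "ip" not in host:
                continue
            # 'set ip A.B.C.D MASK' -> "A.B.C.D/MASK", which ipaddress accepts directly
            net = ipaddress.ip_network("/".join(host["ip"]), strict=False)
            if src in net:
                covered = True
                if host.get("ha-direct") != ["enable"]:
                    problems.append(f"snmp community {cid} host {hid}: covers {src} but ha-direct is not enabled")
    if not covered:
        problems.append(f"no snmp community host entry covers poller {src}")
    return problems


if __name__ == "__main__":
    print(check_ha_mgmt_snmp(parse_fortios(SAMPLE_CONFIG), "10.100.100.25"))   # → []
```

Feed it the output of 'show system interface', 'show system ha' and 'show system snmp community' concatenated, and an empty list means the configuration matches the article; each problem string names the table and entry to fix.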

 

If more than one HA management port is configured, a specific management port can be selected for SNMP communication by setting 'dst' on that port's entry under 'config ha-mgmt-interfaces' to the SNMP server's subnet.

In the configuration below, 'mgmt1' is used for SNMP communication with the 10.100.100.0/24 network.

 

config system ha

    set ha-mgmt-status enable

        config ha-mgmt-interfaces

            edit 1

                set interface mgmt1

                set dst 10.100.100.0 255.255.255.0  <-- SNMP traffic to this subnet leaves via mgmt1

                set gateway 10.100.200.254

            next

            edit 2

                set interface mgmt2

                set gateway 10.100.200.254

            next

        end

end

 

If the FortiGate is not running HA and there is no one-way (asymmetric) traffic problem, disable ha-direct on the SNMP host entry with the following commands:

 

config system snmp community

    edit 1

        config hosts

            edit 1

                unset ha-direct

            next

        end

    next

end

 

Notes:

  • This setting alters the traffic flow. Enabling it may cause timeouts because the FortiGate appears unresponsive: the response to a request is sent out a different interface, from which the packet may not be routed back to the requester, so the request times out.
  • If ha-direct is enabled for the syslog server, the FortiGate uses the MGMT interface to communicate with the syslog server, and it is not possible to specify the source IP in the FortiGate syslog configuration.
  • When ha-direct is enabled, an SNMP query to the reserved management interface works, but an SNMP query to another interface (if one is configured with a floating IP) stops working. This means that FortiGate does not support SNMP queries to an interface with a floating IP while ha-direct is in place.

 

If the FortiGate is configured to answer SNMP on the mgmt interface but must also send logs to a syslog server, ha-direct must be enabled under the SNMP community configuration but disabled under the HA settings; otherwise, syslog traffic might not work.

 

Excerpt of the SNMP debug output before 'ha-direct' is enabled under the SNMP community:

 

snmpd: <msg> 49 bytes 10.100.200.10:7414 -> 10.100.200.1/10.100.200.1:161 (itf 2.2)
snmpd: checking if community "snmp_monitor" is valid
snmpd: checking against community "snmp_monitor"
snmpd: request 2(vsys_hamgmt)/2/10.100.200.10 != comm 1/0/10.100.200.10/255.255.255.255
snmpd: host or intf mismatch
snmpd: failed to match community "snmp_monitor"
snmpd: </msg> 0

 

After 'set ha-direct enable' under 'config system snmp community':

 

snmpd: <msg> 49 bytes 10.100.200.100:7414 -> 10.100.200.1/10.100.200.1:161 (itf 2.2)
snmpd: checking if community "snmp_monitor" is valid
snmpd: checking against community "snmp_monitor"
snmpd: request 2(vsys_hamgmt)/2/10.100.200.10 != comm 1/0/10.100.200.10/255.255.255.255
snmpd: matched community "snmp_monitor"
snmpd: </msg> 0
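The two debug excerpts above are the quickest way to tell a routing problem from a host-entry mismatch: 'request 2(vsys_hamgmt)' shows the poll arrived on the HA management interface, and 'host or intf mismatch' followed by 'failed to match community' shows the community host entry was rejected for that interface. The following Python is an added example, not part of the article or of FortiOS: it groups 'snmpd:' lines into one record per '<msg>' block, extracts the poller, the community and the match result, and then explains a failure against a given host entry. The line layouts come from the excerpts above; the meaning attached to 'vsys_hamgmt' and the matching rule in 'diagnose' are assumptions drawn from this article, not from FortiOS source.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the two snmpd debug excerpts quoted in the article,
# captured before and after 'set ha-direct enable' on the SNMP community host.
DEBUG_BEFORE = """\
snmpd: <msg> 49 bytes 10.100.200.10:7414 -> 10.100.200.1/10.100.200.1:161 (itf 2.2)
snmpd: checking if community "snmp_monitor" is valid
snmpd: checking against community "snmp_monitor"
snmpd: request 2(vsys_hamgmt)/2/10.100.200.10 != comm 1/0/10.100.200.10/255.255.255.255
snmpd: host or intf mismatch
snmpd: failed to match community "snmp_monitor"
snmpd: </msg> 0
"""

DEBUG_AFTER = """\
snmpd: <msg> 49 bytes 10.100.200.100:7414 -> 10.100.200.1/10.100.200.1:161 (itf 2.2)
snmpd: checking if community "snmp_monitor" is valid
snmpd: checking against community "snmp_monitor"
snmpd: request 2(vsys_hamgmt)/2/10.100.200.10 != comm 1/0/10.100.200.10/255.255.255.255
snmpd: matched community "snmp_monitor"
snmpd: </msg> 0
"""

# Line shapes taken from the excerpts; which field means what is an assumption.
MSG_RE = re.compile(r"<msg> (\d+) bytes ([^\s:]+):(\d+) -> ([^\s/]+)/([^\s:]+):(\d+) \(itf ([\d.]+)\)")
REQ_RE = re.compile(r"request \d+\((\w+)\)/\d+/(\S+) != comm")
RESULT_RE = re.compile(r'(matched|failed to match) community "([^"]+)"')


@dataclass
class SnmpPoll:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    community: Optional[str] = None
    matched: Optional[bool] = None
    request_vsys: Optional[str] = None   # vsys_hamgmt: arrived on the HA management interface (assumed)
    reasons: List[str] = field(default_factory=list)


def parse_snmpd_debug(text: str) -> List[SnmpPoll]:
    """Group 'snmpd:' lines into one SnmpPoll per <msg> ... </msg> block."""
    polls: List[SnmpPoll] = []
    cur: Optional[SnmpPoll] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("snmpd: "):
            continue
        body = line[len("snmpd: "):]
        m = MSG_RE.search(body)
        if m:
            cur = SnmpPoll(src_ip=m.group(2), src_port=int(m.group(3)),
                           dst_ip=m.group(4), dst_port=int(m.group(6)))
            polls.append(cur)
            continue
        if cur is None:
            continue                      # lines outside a <msg> block (e.g. cache updates) are ignored
        m = REQ_RE.search(body)
        if m:
            cur.request_vsys = m.group(1)
            continue
        m = RESULT_RE.search(body)
        if m:
            cur.community = m.group(2)
            cur.matched = m.group(1) == "matched"
            continue
        if body == "host or intf mismatch":
            cur.reasons.append(body)
        elif body.startswith("</msg>"):
            cur = None
    return polls


def diagnose(poll: SnmpPoll, host_prefix: str, host_ha_direct: bool) -> List[str]:
    """Findings for one poll against a 'config hosts' entry (ip/mask plus ha-direct).

    Assumed rule, modelled from the article: a poll received on the dedicated HA
    management interface (vsys_hamgmt) only matches a host entry that has
    'set ha-direct enable', and the poller must sit inside the entry's ip/mask.
    """
    findings: List[str] = []
    network = ipaddress.ip_network(host_prefix, strict=False)
    if ipaddress.ip_address(poll.src_ip) not in network:
        findings.append(f"poller {poll.src_ip} is outside host entry {network}")
    if poll.request_vsys == "vsys_hamgmt" and not host_ha_direct:
        findings.append("poll arrived on the HA management interface but the host entry lacks 'set ha-direct enable'")
    return findings


if __name__ == "__main__":
    for label, text in (("before", DEBUG_BEFORE), ("after", DEBUG_AFTER)):
        for p in parse_snmpd_debug(text):
            print(label, p.src_ip, "->", p.dst_ip, p.community, "matched" if p.matched else "FAILED", p.reasons)
    failed = parse_snmpd_debug(DEBUG_BEFORE)[0]
    print(diagnose(failed, "10.100.200.10/32", host_ha_direct=False))
```

Paste the output of 'diagnose debug application snmpd -1' into the parser; a record with 'matched' False and 'host or intf mismatch' in its reasons, combined with 'request_vsys' equal to 'vsys_hamgmt', is the signature of the missing 'ha-direct' setting that the article describes, as distinct from a poll that never reached the FortiGate at all.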

 

Note:

'ha-mgmt-status' must be enabled under 'config system ha' before the 'ha-direct' option appears there. Under 'config system snmp community', the 'ha-direct' option is visible even when 'ha-mgmt-status' has not been enabled under 'config system ha'.

 

Excerpt of the SNMP debug output for an SNMPv3 request when 'ha-direct' has not been enabled:

snmpd: updating cache: idx_cache (:)
snmpd: updating cache: idx_cache (:)
snmpd: updating cache: idx_cache (:)
...
snmpd: updating cache: idx_cache (:)