Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
carabhavi
Staff
Staff

Created on ‎08-22-2019 12:29 AM Edited on ‎08-26-2025 11:54 PM By Moderator

Article Id 196866

Technical Tip: How to Configure FortiGate SNMP Agent for Monitoring

Description


This article describes the configuration of the FortiGate SNMP agent in order for the SNMP manager to get status information from the FortiGate unit and for the FortiGate unit to send traps to the SNMP manager.

 

Scope

 

FortiGate.

Solution


To configure SNMP access - GUI:

  1. Go to Network -> Interfaces.
  2. Choose an interface that an SNMP manager connects to and select 'Edit'.
  3. In Administrative Access, select 'SNMP'.
  4. Select 'OK'.

 

Note: The trusted hosts’ configuration applies to most forms of administrative access, including HTTPS, SSH, and SNMP.
When a trusted host is identified for an administrator account, FortiOS accepts that administrator’s login only from one of the trusted hosts. A login, even with proper credentials, from a non-trusted host is dropped. 

Guide for Trusted hosts

To configure the SNMP agent GUI:

 

If no SNMP option is under the system, check the VDOM options; maybe global is not selected. This happens when the VDOM option is enabled. In that case, the SNMP option is visible under the global VDOM.

 

SNMP.png

 

  1. Go to System -> SNMP and select 'Enable' for the 'SNMP Agent'.
  2. Enter a descriptive name for the Agent.
  3. Enter the location of the 'FortiGate'.
  4. Enter a contact or administrator information for the SNMP Agent or FortiGate unit.
  5. Select 'Apply'.

 

SNMP.PNG

 

If the SNMP Agent is not enabled and configured, then there might be an issue with SNMP traffic where FortiGate does not reply to SNMP queries.

 

To add an SNMP v1/v2c community - GUI:

  1. Go to System -> SNMP.
  2. In the SNMP v1/v2c area, select 'Create New'.
  3. Enter a Community Name.
  4. Enter the IP address and identify the SNMP.
  5. Select the interface if the SNMP manager is not on the same subnet as the FortiGate unit.
  6. Enter the Port number that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiGate.
  7. Select the Enable check box to activate queries for each SNMP version.
  8. Enter the Local and Remote port numbers that the FortiGate unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community.
  9. Select the Enable check box to activate traps for each SNMP version.
  10. Select 'OK'.

 

To add an SNMP v3 community GUI:

  1. Go to System -> SNMP.
  2. In the SNMP v3 area, select 'Create New'.
  3. Enter a User Name.
  4. Select a Security Level and associated authorization algorithms.
  5. Enter the IP address of the Notification Host SNMP managers that can use the settings in this SNMP community to monitor the FortiGate.
  6. Enter the Port number that the SNMP managers in this community use to receive configuration information from the FortiGate unit.
  7. Select the Enable check box to activate queries for each SNMP version.
  8. Select the Enable check box to activate traps.
  9. Select 'OK'.

 

Two types of MIB files are available for FortiGate units: The Fortinet MIB and the FortiGate Core MIB.

Go to System -> SNMP and select 'Download FortiGate SNMP MIB File' and 'Download Fortinet Core MIB File'. 
Configure the SNMP manager to receive traps from the FortiGate unit. 

If units are in HA.
Each unit in the cluster sends its own traps, and the manager can query both units.

A dedicated HA management port has to be enabled in the HA settings.

Note.
The ha-management interface must be cleared of all configuration and references (e.g., routes, DHCP server, policies…). 'Ref' needs to be 0. Otherwise, 'mgmt1' will not be presented as an interface to choose.

V5.2 and v5.4:

 

config system ha
    set ha-mgmt-status enable
    set ha-mgmt-interface "mgmt1"
    set ha-mgmt-interface-gateway x.x.x.x
end


config system ha
    set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "interfaceX"
                set gateway x.x.x.x
            next
        end
end

 

Since v5.6:
The 'ha-direct' setting has to be enabled on the SNMP settings.

For SNMPv2:

 

config system snmp community
    edit 1
        config hosts
            edit 1
                set ha-direct enable
            next
     next
end

 

For SNMPv3:

 

config system snmp user
    edit 1
        set ha-direct enable
    next
next
end

 

Note:
In version 7.2.x, deleting the version 2 community entries may cause the 'set ha-direct enable' entry to disappear. Consequently, double-check this particular setting after editing the SNMP configuration.


For troubleshooting, collect the following debug command output:

Putty1:

 

diagnose debug application snmpd -1
diagnose debug console timestamp enable

diagnose debug enable

 

To disable debug :

 

diagnose debug disable

diagnose debug reset

 

Putty2:

 

diagnose sniffer packet any "port 161 or  port 162" 6 0 a

 

Note:

Always make sure the SNMP agent is enabled in the following CLI section:

 

config system snmp sysinfo
    set status enable
end

 

Related articles:

Technical Tip: How to perform queries usning SNMPv3 to non-management VDOMs

Troubleshooting Tip: General troubleshooting guide for SNMP issues 

282599
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.