FortiGate
Pedro_FTNT
Staff
Description
This article describes how to configure an SNMP community so that it can be polled over the cluster (HA) management port interface.

Scope


Solution
SNMP configuration before enabling ha-direct (from show full-configuration):
config system snmp community
    edit 1
        set name "snmp_monitor"
        config hosts
            edit 1
                set ip 10.222.222.166 255.255.255.255
            next
        end
    next
end

HA configuration (from show full-configuration):
config system ha
    set ha-mgmt-interface "wan1"
end
Using SNMP debug:
diagnose debug disable
diagnose debug reset
diagnose debug application snmpd -1
diagnose debug enable

snmpd: <msg> 49 bytes 10.222.222.166:7414 -> 10.222.222.41/10.222.222.41:161 (itf 2.2)
snmpd: checking if community "snmp_monitor" is valid
snmpd: checking against community "snmp_monitor"
snmpd: request 2(vsys_hamgmt)/2/10.222.222.166 != comm 1/0/10.222.222.166/255.255.255.255
snmpd: host or intf mismatch
snmpd: failed to match community "snmp_monitor"
snmpd: </msg> 0
Enable ha-direct on the SNMP host entry:
config system snmp community
    edit 1
        config hosts
            edit 1
                set ha-direct enable           <----- From Disable to Enable
                set ip 10.222.222.166 255.255.255.255
            next
        end
    next
end
After the change is made, communication from 10.222.222.166 to 10.222.222.41 port 161 is now correct:

snmpd: <msg> 49 bytes 10.222.222.166:7414 -> 10.222.222.41/160.118.139.41:161 (itf 2.2)
snmpd: checking if community "snmp_monitor" is valid
snmpd: checking against community "snmp_monitor"
snmpd: request 2(vsys_hamgmt)/2/10.222.222.166 != comm 1/0/10.222.222.166/255.255.255.255
snmpd: host or intf mismatch
snmpd: matched community "snmp_monitor"
snmpd: </msg> 0
Conclusion:
To allow SNMP polling through the dedicated HA management port, the following setting needs to be configured on the SNMP community host entry:

set ha-direct enable           <----- From Disable to Enable
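
When the capture is long, the same check can be scripted. The following is an added example, not part of the original article or Fortinet tooling: it parses snmpd debug output into one record per request and flags the failure pattern shown above. The function names and the heuristic in needs_ha_direct are assumptions made for illustration, and the sample text is constructed from the article's captures.

```python
import re

# Constructed sample modelled on the two debug captures in this article
# (before and after the change), with the wrapped lines joined.
SAMPLE = '''\
snmpd: <msg> 49 bytes 10.222.222.166:7414 -> 10.222.222.41/10.222.222.41:161 (itf 2.2)
snmpd: request 2(vsys_hamgmt)/2/10.222.222.166 != comm 1/0/10.222.222.166/255.255.255.255
snmpd: host or intf mismatch
snmpd: failed to match community "snmp_monitor"
snmpd: </msg> 0
snmpd: <msg> 49 bytes 10.222.222.166:7414 -> 10.222.222.41/10.222.222.41:161 (itf 2.2)
snmpd: request 2(vsys_hamgmt)/2/10.222.222.166 != comm 1/0/10.222.222.166/255.255.255.255
snmpd: host or intf mismatch
snmpd: matched community "snmp_monitor"
snmpd: </msg> 0
'''

# One <msg> ... </msg> block per SNMP request; header carries source and destination.
BLOCK = re.compile(r"<msg> \d+ bytes ([\d.]+):\d+ -> ([\d.]+)/[\d.]+:(\d+).*?</msg>", re.S)
REQ = re.compile(r"request \d+\((\w+)\)")
RESULT = re.compile(r'(matched|failed to match) community "([^"]+)"')

def parse_snmpd_debug(text):
    """Return one dict per complete <msg> block found in snmpd debug output."""
    out = []
    for blk in BLOCK.finditer(text):
        body = blk.group(0)
        vdom = REQ.search(body)
        res = RESULT.search(body)
        out.append({
            "src": blk.group(1), "dst": blk.group(2), "dport": int(blk.group(3)),
            "vdom": vdom.group(1) if vdom else None,
            "community": res.group(2) if res else None,
            "matched": res.group(1) == "matched" if res else None,
            "mismatch": "host or intf mismatch" in body,
        })
    return out

def needs_ha_direct(req):
    """Heuristic (assumption): a request seen on vsys_hamgmt that was rejected
    after a host/interface mismatch is a candidate for 'set ha-direct enable'."""
    return req["matched"] is False and req["mismatch"] and req["vdom"] == "vsys_hamgmt"

if __name__ == "__main__":
    for r in parse_snmpd_debug(SAMPLE):
        status = "matched" if r["matched"] else "REJECTED"
        print(r["src"], "->", r["dst"], r["dport"], r["community"], status, needs_ha_direct(r))
```

The final verdict line decides the outcome: the "host or intf mismatch" line appears in both captures, so it is not treated as a failure on its own.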


Related Articles

Technical Note: Unable to model FortiGate in High Availability mode
