rmetzger
Staff
Article Id 196034

Description

This article describes how to allow SNMP polling through the dedicated HA management interface.

Scope

FortiGate (v5.6 and above)


Solution

Configuration

In the example below, the dedicated HA management port is the interface named 'mgmt1':

(If trusted hosts are configured for the FortiGate's admin users, the SNMP server IP must match at least one of the trusted hosts.)

    config system interface
        edit "mgmt1"
            set ip 10.100.200.1 255.255.255.0
            set allowaccess ping https ssh snmp fgfm
            set dedicated-to management
        next
    end


    config system ha
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface mgmt1
                set gateway 10.100.200.254
            next
        end
    end

Configure SNMPv2 (the community name is set at the community level; 'ha-direct' is enabled on the host entry that covers the SNMP server):

    config system snmp community
        edit 1
            set name "snmp_monitor"
            config hosts
                edit 1
                    set ip 10.100.100.0 255.255.255.0
                    set ha-direct enable
                next
            end
        next
    end

Configure SNMPv3:

    config system snmp user
        edit 1
            set ha-direct enable
            set ip 10.100.100.0 255.255.255.0
        next
    end

If more than one HA management port is configured, a specific management port can be selected for SNMP communication by setting 'dst' to the SNMP server's subnet on that port's entry.

In the configuration below, the 'mgmt1' port is used for SNMP communication:

    config system ha
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface mgmt1
                set dst 10.100.100.0 255.255.255.0  <- subnet of the SNMP server
                set gateway 10.100.200.254
            next
            edit 2
                set interface mgmt2
                set gateway 10.100.200.254
            next
        end
    end

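To sanity-check a configuration like the ones above before opening a ticket, here is an added Python example; it is not Fortinet's code and does not come from this article. It parses FortiOS CLI text into a nested structure and then verifies the conditions the article relies on: 'ha-mgmt-status' enabled, 'snmp' present in 'allowaccess' on the dedicated management port, a 'dst' that covers the SNMP server when one is set, and a community host entry covering the server with 'ha-direct' enabled. The sample configuration, the addresses and the function names (parse_fortios, check_snmp_over_ha_mgmt) are the example's own constructions, modelled on the article.

```python
import ipaddress
import shlex

# Constructed sample mirroring the article's configuration (hypothetical addresses).
SAMPLE_CONFIG = """
config system interface
    edit "mgmt1"
        set ip 10.100.200.1 255.255.255.0
        set allowaccess ping https ssh snmp fgfm
        set dedicated-to management
    next
end
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface mgmt1
            set dst 10.100.100.0 255.255.255.0
            set gateway 10.100.200.254
        next
    end
end
config system snmp community
    edit 1
        set name "snmp_monitor"
        config hosts
            edit 1
                set ip 10.100.100.0 255.255.255.0
                set ha-direct enable
            next
        end
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: 'config X' and 'edit N' open a
    child dict, 'set k v...' stores the value tokens, 'next'/'end' close it."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles quoted names such as "mgmt1"
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif kw == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif kw == "unset":
            stack[-1].pop(tokens[1], None)
        elif kw in ("next", "end"):
            stack.pop()
    return root


def _network(tokens):
    # FortiOS writes subnets as '<ip> <mask>'; ip_network accepts the dotted-mask form.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)


def check_snmp_over_ha_mgmt(cfg, snmp_server):
    """Return a list of findings; an empty list means the SNMP server should be
    able to poll through the dedicated HA management interface."""
    server = ipaddress.ip_address(snmp_server)
    findings = []
    ha = cfg.get("system ha", {})
    if ha.get("ha-mgmt-status", ["disable"])[0] != "enable":
        findings.append("system ha: ha-mgmt-status is not enabled")
    ports, dsts = [], []
    for entry in ha.get("ha-mgmt-interfaces", {}).values():
        ports.append(entry.get("interface", [""])[0])
        if "dst" in entry:
            dsts.append(_network(entry["dst"]))
    if not ports:
        findings.append("system ha: no ha-mgmt-interfaces configured")
    # With several HA management ports, 'dst' pins the SNMP server subnet to one port.
    if dsts and not any(server in net for net in dsts):
        findings.append(f"ha-mgmt-interfaces: dst is configured but none covers {server}")
    for port in ports:
        iface = cfg.get("system interface", {}).get(port, {})
        if "snmp" not in iface.get("allowaccess", []):
            findings.append(f"interface {port}: allowaccess does not include snmp")
        if iface.get("dedicated-to", [""])[0] != "management":
            findings.append(f"interface {port}: dedicated-to is not management")
    # The community host entry that covers the server must have ha-direct enabled.
    covering = []
    for comm in cfg.get("system snmp community", {}).values():
        for host in comm.get("hosts", {}).values():
            if "ip" in host and server in _network(host["ip"]):
                covering.append(host.get("ha-direct", ["disable"])[0])
    if not covering:
        findings.append(f"snmp community: no host entry covers {server}")
    elif all(direct != "enable" for direct in covering):
        findings.append("snmp community: host entries covering the server have ha-direct disabled")
    return findings
```

Run it with the output of 'show full-configuration' pasted into a file and the address of the SNMP server; an empty result means every condition the article lists is satisfied, otherwise each line names the setting to look at first.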
If the firewall is not running HA and SNMP traffic is one-way (requests arrive but no replies are returned), disable ha-direct with the following commands:

    config system snmp community
        edit 1
            config hosts
                edit 1
                    unset ha-direct
                next
            end
        next
    end

=========================================================

Excerpt of SNMP debug:

snmpd: <msg> 49 bytes 10.100.200.10:7414 -> 10.100.200.1/10.100.200.1:161 (itf 2.2)
snmpd: checking if community "snmp_monitor" is valid
snmpd: checking against community "snmp_monitor"
snmpd: request 2(vsys_hamgmt)/2/10.100.200.10 != comm 1/0/10.100.200.10/255.255.255.255
snmpd: host or intf mismatch
snmpd: failed to match community "snmp_monitor"
snmpd: </msg> 0

After 'ha-direct enable' under 'config system snmp community':

snmpd: <msg> 49 bytes 10.100.200.100:7414 -> 10.100.200.1/10.100.200.1:161 (itf 2.2)
snmpd: checking if community "snmp_monitor" is valid
snmpd: checking against community "snmp_monitor"
snmpd: request 2(vsys_hamgmt)/2/10.100.200.10 != comm 1/0/10.100.200.10/255.255.255.255
snmpd: matched community "snmp_monitor"
snmpd: </msg> 0
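When the snmpd debug is left running for a while, picking the failed requests out of it by eye gets tedious. The following is an added Python example, not from this article or from Fortinet: it groups the debug lines between '<msg>' and '</msg>' into one record per request, extracts the source, the community checked, the 'request ... != comm ...' pair and the mismatch reason, and marks each record as matched or failed. It assumes only the line shapes shown in the excerpts above; the sample text is constructed to match them and the function names (parse_snmpd_debug, failed_polls) are the example's own.

```python
import re

# Constructed sample modelled on the article's two debug excerpts.
SAMPLE_DEBUG = """\
snmpd: <msg> 49 bytes 10.100.200.10:7414 -> 10.100.200.1/10.100.200.1:161 (itf 2.2)
snmpd: checking if community "snmp_monitor" is valid
snmpd: checking against community "snmp_monitor"
snmpd: request 2(vsys_hamgmt)/2/10.100.200.10 != comm 1/0/10.100.200.10/255.255.255.255
snmpd: host or intf mismatch
snmpd: failed to match community "snmp_monitor"
snmpd: </msg> 0
snmpd: <msg> 49 bytes 10.100.200.10:7414 -> 10.100.200.1/10.100.200.1:161 (itf 2.2)
snmpd: checking if community "snmp_monitor" is valid
snmpd: checking against community "snmp_monitor"
snmpd: request 2(vsys_hamgmt)/2/10.100.200.10 != comm 1/0/10.100.200.10/255.255.255.255
snmpd: matched community "snmp_monitor"
snmpd: </msg> 0
"""

# "<msg> 49 bytes 10.100.200.10:7414 -> 10.100.200.1/10.100.200.1:161 (itf 2.2)"
MSG_RE = re.compile(r"<msg> (\d+) bytes (\S+):(\d+) -> (\S+)/(\S+):(\d+) \(itf ([\d.]+)\)")


def parse_snmpd_debug(text):
    """Return one dict per <msg>...</msg> block of snmpd debug output."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("snmpd: "):
            line = line[len("snmpd: "):]
        m = MSG_RE.match(line)
        if m:  # a new request starts; everything until </msg> belongs to it
            cur = {"src": m.group(2), "src_port": int(m.group(3)), "dst": m.group(5),
                   "itf": m.group(7), "community": None, "outcome": "unknown",
                   "mismatch": None, "reason": None}
            continue
        if cur is None:
            continue
        if line.startswith("checking against community"):
            cur["community"] = line.split('"')[1]
        elif line.startswith("request ") and " != comm " in line:
            req, comm = line[len("request "):].split(" != comm ")
            cur["mismatch"] = (req, comm)  # kept verbatim; the field layout is FortiOS-internal
        elif line.endswith("mismatch"):
            cur["reason"] = line
        elif line.startswith("matched community"):
            cur["outcome"] = "matched"
        elif line.startswith("failed to match community"):
            cur["outcome"] = "failed"
        elif line.startswith("</msg>"):
            records.append(cur)
            cur = None
    return records


def failed_polls(records):
    """Only the requests that snmpd rejected, with their reason and request/comm pair."""
    return [r for r in records if r["outcome"] == "failed"]
```

Feed it the captured debug and look at failed_polls(): a 'host or intf mismatch' on a request that arrived via the HA management VDOM points straight at the ha-direct setting discussed above, whereas a wrong community string never reaches the request/comm comparison.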