FortiGate
fricci_FTNT
Staff
Article Id 240757
Description: This article describes how to configure SNMPv3 on an HA cluster of FortiGate 6000 or 7000 Series in order to monitor each individual slot of the cluster members.
Scope: FortiGate 6000 and 7000 series on v5.6 and above.
Solution

Prerequisites:

1) An active-passive HA cluster between two FortiGate 6000 or 7000 series units is already configured.
2) SNMP is enabled on the FortiGate management interface.
3) The preferred third-party SNMP monitoring tool is already up and running.

In this example, two FortiGate 6000 series units have already been configured in an active-passive HA cluster, and interface mgmt1 is the only management interface (no reserved management interface is configured in this example):

# config system interface
    edit "mgmt1"
        set vdom "mgmt-vdom"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https ssh fgfm snmp
    next
end

 

The SNMPv3 configuration is the same as on any other FortiOS firewall. For authentication and encryption, SHA1 and AES are chosen here because of limitations in the chosen SNMP monitoring tool:

# config system snmp user
    edit "mysnmpuser"
        set notify-hosts 172.16.16.250
        set ha-direct disable
        set security-level auth-priv
        set auth-proto sha
        set auth-pwd choose-your-authentication-password
        set priv-proto aes
        set priv-pwd choose-your-encryption-password
    next
end

 

SNMP must be enabled as below; otherwise, SNMP polling fails:

# config system snmp sysinfo
    set status enable
end

 

In the GUI, under Global -> System -> SNMP, the following should appear:

(Screenshot: SNMP002.PNG)

Now, on the SNMP monitoring tool, configure one device/object for each slot to be monitored, using the following settings:

- IP address: FortiGate mgmt IP 10.10.10.1.
- SNMP user: mysnmpuser.
- SNMP authentication algorithm: SHA1.
- SNMP encryption algorithm: AES.
- To monitor each individual slot of the FortiGate 6000 HA member configured with chassis-id 1, use the following ports:
  MBD slot: SNMP port 16100.
  FPC01 slot: SNMP port 16101.
  FPC02 slot: SNMP port 16102.
  FPC03 slot: SNMP port 16103.
  FPC04 slot: SNMP port 16104.
  FPC05 slot: SNMP port 16105.
  FPC06 slot: SNMP port 16106.
  FPC07 slot: SNMP port 16107.
  FPC08 slot: SNMP port 16108.
  FPC09 slot: SNMP port 16109.
  FPC10 slot: SNMP port 16110.
- To monitor each individual slot of the FortiGate 6000 HA member configured with chassis-id 2, use the following ports:
  MBD slot: SNMP port 16120.
  FPC01 slot: SNMP port 16121.
  FPC02 slot: SNMP port 16122.
  FPC03 slot: SNMP port 16123.
  FPC04 slot: SNMP port 16124.
  FPC05 slot: SNMP port 16125.
  FPC06 slot: SNMP port 16126.
  FPC07 slot: SNMP port 16127.
  FPC08 slot: SNMP port 16128.
  FPC09 slot: SNMP port 16129.
  FPC10 slot: SNMP port 16130.

Note that these special management ports are reachable only on the management IP of the configured SLBC management interface (default value is "mgmt1"):

# config load-balance setting
    set slbc-mgmt-intf "mgmt1"
end
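The per-slot addressing above is easy to get wrong when a monitoring tool has to be fed eleven ports per chassis. The following Python script is an added example, not code from the article or from Fortinet: it derives the special SNMP port for a given chassis-id and slot from the FortiGate 6000 port list above (the FortiGate 7000 mapping differs and is not covered), and builds the matching net-snmp `snmpget` command line for the SHA1/AES SNMPv3 user configured earlier. The management IP, user name and OID come from the article; the passwords are placeholders.

```python
"""Added example (not from the original article): compute the per-slot SNMP
port of a FortiGate 6000 HA member and build the matching net-snmp
'snmpget' command line.  Port numbers, mgmt IP and user follow the article
above; the FortiGate 7000 port mapping differs and is not covered here."""
from typing import Dict, List

SLBC_MGMT_IP = "10.10.10.1"   # mgmt1 address from the article's config
SNMP_USER = "mysnmpuser"      # SNMPv3 user from the article's config

# Per chassis-id base port (MBD slot); FPCnn is base + nn.  FortiGate 6000 only.
CHASSIS_PORT_BASE = {1: 16100, 2: 16120}
MAX_FPC_SLOT = 10


def slot_port(chassis_id: int, slot: str) -> int:
    """Return the special SNMP port for 'MBD' or 'FPC01'..'FPC10'."""
    try:
        base = CHASSIS_PORT_BASE[chassis_id]
    except KeyError:
        raise ValueError(f"unsupported chassis-id {chassis_id}") from None
    name = slot.strip().upper()
    if name == "MBD":
        return base
    if name.startswith("FPC") and name[3:].isdigit():
        n = int(name[3:])
        if 1 <= n <= MAX_FPC_SLOT:
            return base + n
    raise ValueError(f"unknown slot {slot!r}")


def all_slot_ports(chassis_id: int) -> Dict[str, int]:
    """Map every slot name of one chassis to its SNMP port."""
    slots = ["MBD"] + [f"FPC{n:02d}" for n in range(1, MAX_FPC_SLOT + 1)]
    return {s: slot_port(chassis_id, s) for s in slots}


def snmpget_argv(chassis_id: int, slot: str, oid: str,
                 auth_pwd: str, priv_pwd: str) -> List[str]:
    """Build the argv for net-snmp snmpget with SHA1 auth and AES privacy,
    matching the 'auth-priv / sha / aes' user above.  Passing passwords on
    the command line exposes them in the process list; net-snmp can read
    them from snmp.conf instead (defAuthPassphrase / defPrivPassphrase)."""
    return [
        "snmpget", "-v3", "-l", "authPriv",
        "-u", SNMP_USER,
        "-a", "SHA", "-A", auth_pwd,
        "-x", "AES", "-X", priv_pwd,
        # one slot per UDP port on the SLBC management IP
        f"udp:{SLBC_MGMT_IP}:{slot_port(chassis_id, slot)}",
        oid,
    ]


if __name__ == "__main__":
    import shlex
    cpu_oid = ".1.3.6.1.4.1.12356.101.4.1.3.0"   # CPU usage, from the article's OID list
    for chassis in CHASSIS_PORT_BASE:
        for slot, port in all_slot_ports(chassis).items():
            print(f"chassis {chassis} {slot}: port {port}")
    # placeholder passwords; real ones belong in snmp.conf, not on the command line
    print(shlex.join(snmpget_argv(1, "FPC03", cpu_oid, "<auth-pwd>", "<priv-pwd>")))
```

Running the script prints the full port table for both chassis and one example `snmpget` line for chassis 1, FPC03. Because each slot answers on its own port, a monitoring tool entry per slot must carry the port as well as the IP; a query sent to the default port 161 only reaches the slot the management interface belongs to.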

 

For more information, see:
https://docs.fortinet.com/document/fortigate/6.4.10/fortigate-6000-and-fortigate-7000-release-notes/... 
https://docs.fortinet.com/document/fortigate/6.4.10/fortigate-6000-and-fortigate-7000-release-notes/... 

 

For port numbers to be used with FortiGate 7000 series:
https://docs.fortinet.com/document/fortigate/6.4.10/fortigate-6000-and-fortigate-7000-release-notes/... 

 

It is now possible to configure the specific OIDs in the SNMP monitoring tool of choice. To find a specific OID, refer to the MIB file, which can be downloaded from the FortiGate GUI (Global -> System -> SNMP):

(Screenshot: SNMP005-download-MIB-file-from-FGT.PNG)

These MIB files can be imported into the SNMP monitoring tool so that the specific sensors to monitor can be selected (refer to the guide of the specific monitoring tool). Alternatively, the MIB file can be imported into an SNMP browser tool (e.g. iReasoning MIB Browser) to search for the specific OIDs to monitor.

Consider the following when using SNMP monitoring:

- The more OIDs are polled, the more load is added to the FortiGate.
- More frequent polling also adds load to the FortiGate.
- SNMPv3 requires more processor resources because of encryption and decryption.
- When an SNMP alert is received, double-check the value from the FortiGate CLI to verify that the alert is reliable.

 

A list of useful OIDs can be found below:
.1.3.6.1.4.1.12356.101.4.1.3.0 = CPU usage.
.1.3.6.1.4.1.12356.101.4.1.4.0 = Memory Usage.
.1.3.6.1.4.1.12356.101.4.1.6.0 = Disk Usage.
.1.3.6.1.4.1.12356.101.4.1.7.0 = Disk Capacity.
.1.3.6.1.4.1.12356.101.4.1.9.0 = Low Memory Usage.
.1.3.6.1.4.1.12356.101.4.1.11.0 = Average session setup rate per second in last 1 minute.
.1.3.6.1.4.1.12356.101.4.1.20.0 = System Uptime.
.1.3.6.1.4.1.12356.101.4.4.2.1 = Processor table (CPU/NPU) {Note: MBD is able to see processor usage for all the CPUs/NPUs in the unit}.
.1.3.6.1.4.1.12356.101.10.100.4.0 = HTTP session count.
.1.3.6.1.4.1.12356.101.4.1.8.0 = IPv4 Session counts.
.1.3.6.1.4.1.12356.101.4.1.15.0 = IPv6 Session counts.
.1.3.6.1.4.1.12356.101.4.1.23.0 = NPU IPv4 session count.
.1.3.6.1.4.1.12356.101.4.1.28.0 = NPU IPv6 session count.
.1.3.6.1.4.1.12356.101.12.2.3.1.6.1 = Active SSL VPN tunnels on unit chassis ID 1.
.1.3.6.1.4.1.12356.101.12.2.3.1.6.2 = Active SSL VPN tunnels on unit chassis ID 2.
.1.3.6.1.4.1.12356.101.12.2.3.1.2.1 = Active SSL VPN users on unit chassis ID 1.
.1.3.6.1.4.1.12356.101.12.2.3.1.2.2 = Active SSL VPN users on unit chassis ID 2.
.1.3.6.1.4.1.12356.101.9.2.1.1.1.1 = IPS intrusions detected by chassis ID 1.
.1.3.6.1.4.1.12356.101.9.2.1.1.1.2 = IPS intrusions detected by chassis ID 2.
.1.3.6.1.4.1.12356.101.9.2.1.1.2.1 = IPS intrusions blocked by chassis ID 1.
.1.3.6.1.4.1.12356.101.9.2.1.1.2.2 = IPS intrusions blocked by chassis ID 2.
.1.3.6.1.4.1.12356.101.13.2.1.1.16.1 = Current primary unit Serial Number.
.1.3.6.1.4.1.12356.101.4.3.2.1.1 = Hardware sensors table.
.1.3.6.1.4.1.12356.101.4.3.2.1.4 = Hardware sensors alarm ('true' means there is an alarm).
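To show how the OIDs above are consumed once a slot is polled, here is an added Python example (not part of the article): it parses net-snmp `snmpget`/`snmpwalk` output lines, labels the values using the OID list above, and raises simple alerts for CPU or memory above a threshold and for any hardware sensor whose alarm flag is true. The sample output is constructed, not captured from a real unit; the sensor name column (`.4.3.2.1.2`) is assumed from the FortiGate MIB's sensor table and is not listed on the page, and the thresholds are arbitrary.

```python
"""Added example (not from the original article): parse net-snmp output for
the FortiGate OIDs listed above and derive alerts.  Sample output and
thresholds are constructed for illustration."""
import re
from typing import Dict, List, Optional

ENTERPRISE = ".1.3.6.1.4.1."      # numeric form of SNMPv2-SMI::enterprises.
FGT = ".1.3.6.1.4.1.12356.101"    # FortiGate MIB root, as in the article's OID list

# Scalar OIDs copied from the article's list.
SCALARS = {
    FGT + ".4.1.3.0": "CPU usage",
    FGT + ".4.1.4.0": "Memory usage",
    FGT + ".4.1.6.0": "Disk usage",
    FGT + ".4.1.8.0": "IPv4 session count",
    FGT + ".4.1.15.0": "IPv6 session count",
    FGT + ".4.1.20.0": "System uptime",
}
# Hardware sensor table: column .4 (alarm) is from the article; column .2
# (sensor name) is an assumption from the FortiGate MIB and is not on the page.
SENSOR_NAME_COL = FGT + ".4.3.2.1.2."
SENSOR_ALARM_COL = FGT + ".4.3.2.1.4."

# "<oid> = <TYPE>: <value>" as printed by snmpget / snmpwalk
LINE_RE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?P<type>[A-Za-z0-9-]+):\s*(?P<value>.*)$")

# Constructed sample: one slot polled with and without MIB-resolved names.
SAMPLE_OUTPUT = """\
SNMPv2-SMI::enterprises.12356.101.4.1.3.0 = Gauge32: 91
SNMPv2-SMI::enterprises.12356.101.4.1.4.0 = Gauge32: 64
SNMPv2-SMI::enterprises.12356.101.4.1.20.0 = Timeticks: (123456700) 14 days, 6:56:07.00
.1.3.6.1.4.1.12356.101.4.3.2.1.2.3 = STRING: "PS1 Temp"
.1.3.6.1.4.1.12356.101.4.3.2.1.4.3 = INTEGER: true(1)
.1.3.6.1.4.1.12356.101.4.3.2.1.4.4 = INTEGER: 2
"""


def normalise_oid(oid: str) -> str:
    """Accept both the numeric (-On) and SNMPv2-SMI::enterprises.* spellings."""
    prefix = "SNMPv2-SMI::enterprises."
    if oid.startswith(prefix):
        return ENTERPRISE + oid[len(prefix):]
    return oid if oid.startswith(".") else "." + oid


def parse_value(typ: str, raw: str):
    """Convert the textual value; TruthValue prints as 'true(1)' or plain '1'."""
    if typ in ("INTEGER", "Gauge32", "Counter32", "Counter64"):
        m = re.search(r"-?\d+", raw)
        return int(m.group()) if m else None
    if typ == "STRING":
        return raw.strip().strip('"')
    if typ == "Timeticks":                      # "(ticks) d days, h:m:s" -> ticks
        m = re.match(r"\((\d+)\)", raw)
        return int(m.group(1)) if m else None
    return raw.strip()


def describe(oid: str) -> str:
    """Human label for an OID, from the article's list or the sensor columns."""
    if oid in SCALARS:
        return SCALARS[oid]
    if oid.startswith(SENSOR_NAME_COL):
        return f"sensor {oid[len(SENSOR_NAME_COL):]} name"
    if oid.startswith(SENSOR_ALARM_COL):
        return f"sensor {oid[len(SENSOR_ALARM_COL):]} alarm"
    return "unknown"


def parse_snmp_output(text: str) -> Dict[str, dict]:
    """Parse snmpget/snmpwalk lines into {oid: {name, type, value}}."""
    records: Dict[str, dict] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                            # blank or continuation line
        oid = normalise_oid(m["oid"])
        records[oid] = {"name": describe(oid), "type": m["type"],
                        "value": parse_value(m["type"], m["value"])}
    return records


def evaluate(records: Dict[str, dict], cpu_threshold: int = 80,
             mem_threshold: int = 80) -> List[str]:
    """Return alert strings for high CPU/memory and raised sensor alarms."""
    alerts: List[str] = []
    for oid, label, limit in ((FGT + ".4.1.3.0", "CPU usage", cpu_threshold),
                              (FGT + ".4.1.4.0", "Memory usage", mem_threshold)):
        rec: Optional[dict] = records.get(oid)
        if rec and rec["value"] is not None and rec["value"] > limit:
            alerts.append(f"{label} {rec['value']}% exceeds {limit}%")
    names = {oid[len(SENSOR_NAME_COL):]: rec["value"]
             for oid, rec in records.items() if oid.startswith(SENSOR_NAME_COL)}
    for oid, rec in records.items():            # TruthValue: true(1) = alarm raised
        if oid.startswith(SENSOR_ALARM_COL) and rec["value"] == 1:
            idx = oid[len(SENSOR_ALARM_COL):]
            alerts.append(f"hardware sensor {idx} ({names.get(idx, 'unnamed')}) reports an alarm")
    return alerts


if __name__ == "__main__":
    recs = parse_snmp_output(SAMPLE_OUTPUT)
    for oid, rec in recs.items():
        print(f"{rec['name']:<16} {oid} = {rec['value']}")
    for alert in evaluate(recs):
        print("ALERT:", alert)
```

With the constructed sample the script reports two alerts: CPU at 91% and the sensor-3 alarm; sensor 4, whose TruthValue is false(2), stays quiet. As the article's last bullet advises, an alert like this should be confirmed on the CLI of the affected slot before acting on it, since a single polled sample can catch a transient peak.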

 

If a reserved management IP is configured for each unit of the HA cluster, it is possible to use the specific unit management IP and the special port numbers below:
- FortiGate 6000 series: https://docs.fortinet.com/document/fortigate-6000/6.4.8/fortigate-6000-handbook/201534/special-manag... 

- FortiGate 7000 series: https://docs.fortinet.com/document/fortigate-7000/hardware/fortigate-7060e-system-guide/313666/speci... 


Related articles:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-do-SNMP-query-on-FortiGate-6000-and... 
https://community.fortinet.com/t5/FortiGate/Where-to-find-the-MIB-files-for-FortiGate-units-FortiOS-...