hrahuman_FTNT
Article Id 225491
Description

This article describes how to monitor the individual VPN by SNMP (OID).

Scope

FortiGate.

Solution

OID '1.3.6.1.4.1.12356.101.12.2.2.1.2' returns the IPsec VPN Phase1 name, and OID '1.3.6.1.4.1.12356.101.12.2.2.1.20.x.y' is used to monitor the IPsec VPN Phase2 status, where x is the Phase1 serial and y is the Phase2 serial.
Both serials are used as indexes in the VPN tunnel list. They can be identified by running the CLI command 'dia vpn tunnel list' (short for 'diagnose vpn tunnel list'):


-----------------------------------------------------------------------------------------------
name=p1 ver=1 serial=1 10.10.99.1:0->10.10.99.2:0 dst_mtu=0 <-- x = phase1 serial
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1 overlay_id=0

proxyid_num=2 child_num=0 refcnt=11 ilast=9 olast=29 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=p2 proto=0 sa=0 ref=1 serial=1 <-- y = phase2 serial
src: 0:192.168.61.0/255.255.255.0:0
dst: 0:192.168.62.0/255.255.255.0:0
proxyid=t2 proto=0 sa=0 ref=1 serial=2 <-- y = phase2 serial
src: 0:192.168.51.0/255.255.255.0:0
dst: 0:192.168.52.0/255.255.255.0:0
Note: The value for the serial is in hexadecimal format and needs to be converted to decimal format to use in the OID. For example, serial=10 would be 16 in decimal format and serial=1a would be 26 in decimal format.
If the Phase2 OID returns INTEGER: 1, the tunnel is down; if it returns INTEGER: 2, the tunnel is up.
Monitoring the status of an IPsec tunnel this way is possible only for 'static' tunnels. For dialup tunnels the status cannot be monitored.
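The steps above (read the serials from 'diagnose vpn tunnel list', convert them from hex to decimal, build the Phase2 OID, interpret the returned integer) as an added Python example; this is not Fortinet's code or part of the original article. The tunnel-list text below is a constructed, trimmed sample, and the hex serials 1a and 10 were chosen to show the conversion.

```python
import re

# Base OID for IPsec Phase2 status from the article; the index is <phase1 serial>.<phase2 serial>
PHASE2_STATUS_OID = "1.3.6.1.4.1.12356.101.12.2.2.1.20"

# Constructed sample of 'diagnose vpn tunnel list' output (not a live capture).
# 'serial=' values are hexadecimal, as the article notes.
SAMPLE_OUTPUT = """\
name=p1 ver=1 serial=1 10.10.99.1:0->10.10.99.2:0 dst_mtu=0
proxyid_num=2 child_num=0 refcnt=11 ilast=9 olast=29 ad=/0
proxyid=p2 proto=0 sa=0 ref=1 serial=1
src: 0:192.168.61.0/255.255.255.0:0
proxyid=t2 proto=0 sa=0 ref=1 serial=1a
name=branch ver=1 serial=10 10.10.99.1:0->10.10.99.3:0 dst_mtu=0
proxyid=site proto=0 sa=0 ref=1 serial=2
"""

def parse_tunnel_list(text):
    """Return {phase1_name: (phase1_serial_dec, {phase2_name: phase2_serial_dec})}."""
    tunnels = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"name=(\S+) .*?serial=([0-9a-fA-F]+)", line)
        if m:  # a 'name=' line starts a new Phase1 entry
            current = m.group(1)
            tunnels[current] = (int(m.group(2), 16), {})
            continue
        m = re.match(r"proxyid=(\S+) .*?serial=([0-9a-fA-F]+)", line)
        if m and current is not None:  # 'proxyid=' lines are Phase2 entries under the current Phase1
            tunnels[current][1][m.group(1)] = int(m.group(2), 16)
    return tunnels

def phase2_status_oid(p1_serial, p2_serial):
    """Build the per-tunnel status OID from decimal serials."""
    return f"{PHASE2_STATUS_OID}.{p1_serial}.{p2_serial}"

def status_oids(tunnels):
    """Map (phase1 name, phase2 name) to the OID to poll for that Phase2."""
    return {(p1, p2): phase2_status_oid(p1_serial, p2_serial)
            for p1, (p1_serial, phase2s) in tunnels.items()
            for p2, p2_serial in phase2s.items()}

def tunnel_state(value):
    """Interpret the INTEGER returned by the status OID: 1 = down, 2 = up."""
    return {1: "down", 2: "up"}.get(value, "unknown")

if __name__ == "__main__":
    for names, oid in status_oids(parse_tunnel_list(SAMPLE_OUTPUT)).items():
        print(names, oid)
```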