FortiGate
ssriswadpong
Staff
Article Id 199930
Description: This article describes the SNMP OIDs that are available on the FortiGate for monitoring IPsec tunnel status (both site-to-site and dialup tunnels).
Scope: FortiGate, SNMP.
Solution

As an overview, the following SNMP tables in the official FORTINET-FORTIGATE MIB file can be queried for information on the active IPsec VPN tunnels on the FortiGate (the MIB file is available for download from the Fortinet Support Site):


Dialup IPsec tunnels:

  • .1.3.6.1.4.1.12356.101.12.2.1 (fgVpnDialupTable)
  • .1.3.6.1.4.1.12356.101.12.4.1 (fgVpn2DialupTable) **

Site-to-site IPsec tunnels:

  • .1.3.6.1.4.1.12356.101.12.2.2 (fgVpnTunTable)
  • .1.3.6.1.4.1.12356.101.12.4.2 (fgVpn2TunTable) **

** These SNMP OIDs are available in FortiOS 6.4.2 and later and are enhancements of the original tables. See: SNMP polling extensions to support new OIDs 6.4.2


For site-to-site IPsec tunnels specifically, it is possible to monitor the status of the tunnel (down/up) using the following OIDs:

  • .1.3.6.1.4.1.12356.101.12.2.2.1.20 (fgVpnTunEntStatus, part of fgVpnTunTable)
  • .1.3.6.1.4.1.12356.101.12.4.2.1.26 (fgVpn2TunStatus, part of fgVpn2TunTable)

Querying the above OIDs returns an INTEGER value of 1 or 2, where 1 means the tunnel is down and 2 means the tunnel is up.

 

Note:

Dialup IPsec VPN tunnels do not have an equivalent OID for reporting tunnel status. The fgVpnDialupTable and fgVpn2DialupTable tables only ever contain entries for VPN tunnels currently established by dialup clients, so the only way to determine whether a dialup tunnel is 'up' is to check that the table holds a non-zero number of dialup client entries for that tunnel.
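The following Python script, added here as an example and not part of the original article or of any Fortinet tool, shows how both checks above can be derived from a walk of the fgVpn2TunTable and fgVpn2DialupTable columns: site-to-site tunnels are reported 'up' or 'down' from fgVpn2TunStatus (1 = down, 2 = up), joined to fgVpn2TunPhase1Name by the row index, while a dialup phase1 is considered 'up' only when fgVpn2DialupPhase1Name contains at least one row for it. The row indexes and the snmpwalk-style output are constructed for this example, and names are always looked up by index within the same poll rather than hardcoded, since the indexes change with the Security Association serial numbers.

```python
import re
from collections import Counter

# Column OIDs from the fgVpn2* tables listed in the article (FortiOS 6.4.2+).
FG_VPN2 = ".1.3.6.1.4.1.12356.101.12.4"
TUN_PHASE1_NAME = FG_VPN2 + ".2.1.2."      # fgVpn2TunPhase1Name.<index>
TUN_STATUS = FG_VPN2 + ".2.1.26."          # fgVpn2TunStatus.<index> (1 = down, 2 = up)
DIALUP_PHASE1_NAME = FG_VPN2 + ".1.1.16."  # fgVpn2DialupPhase1Name.<index>

TUN_DOWN, TUN_UP = 1, 2

# Constructed sample of what an 'snmpwalk -On' over the two tables could
# return; not captured from a real FortiGate. Row indexes (12, 17, 3, 4) are
# made up and, on a real unit, change with the SA serial numbers.
SAMPLE_WALK = """\
.1.3.6.1.4.1.12356.101.12.4.2.1.2.12 = STRING: "to-branch-a"
.1.3.6.1.4.1.12356.101.12.4.2.1.2.17 = STRING: "to-branch-b"
.1.3.6.1.4.1.12356.101.12.4.2.1.26.12 = INTEGER: 2
.1.3.6.1.4.1.12356.101.12.4.2.1.26.17 = INTEGER: 1
.1.3.6.1.4.1.12356.101.12.4.1.1.16.3 = STRING: "dialup-clients"
.1.3.6.1.4.1.12356.101.12.4.1.1.16.4 = STRING: "dialup-clients"
"""

LINE_RE = re.compile(r"^(\S+)\s*=\s*(\w+):\s*(.*)$")


def parse_walk(text):
    """Turn 'OID = TYPE: value' lines into {oid: value}.

    STRING values lose their quotes; integer-like types become int (also when
    printed with a label such as 'up(2)'). Lines that do not match, e.g.
    'No Such Instance currently exists at this OID', are skipped.
    """
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid, typ, val = m.groups()
        if typ == "STRING":
            val = val.strip('"')
        elif typ in ("INTEGER", "Counter32", "Counter64", "Gauge32"):
            val = int(re.search(r"-?\d+", val).group())
        rows[oid] = val
    return rows


def _column(rows, prefix):
    """Return {row_index: value} for one table column (prefix ends with a dot)."""
    return {oid[len(prefix):]: v for oid, v in rows.items() if oid.startswith(prefix)}


def site_to_site_status(rows):
    """phase1 name -> 'up'/'down' from fgVpn2TunStatus, joined to the name by row index."""
    names = _column(rows, TUN_PHASE1_NAME)
    result = {}
    for idx, value in _column(rows, TUN_STATUS).items():
        name = names.get(idx, "index-" + idx)
        result[name] = "up" if value == TUN_UP else "down"
    return result


def dialup_client_counts(rows, phase1_names):
    """Connected dialup clients per phase1; a phase1 with no table rows gets 0."""
    counts = Counter(_column(rows, DIALUP_PHASE1_NAME).values())
    return {p1: counts.get(p1, 0) for p1 in phase1_names}


def dialup_status(rows, phase1_names):
    """A dialup phase1 is 'up' only when at least one client row exists for it."""
    return {p1: ("up" if n > 0 else "down")
            for p1, n in dialup_client_counts(rows, phase1_names).items()}


if __name__ == "__main__":
    rows = parse_walk(SAMPLE_WALK)
    print("site-to-site:", site_to_site_status(rows))
    print("dialup:", dialup_status(rows, ["dialup-clients", "dialup-partners"]))
```

Because the dialup table has no rows at all for an idle phase1, the expected phase1 names have to come from configuration (here the list passed to dialup_status); polling the table alone cannot tell a tunnel that has never come up from one that was never configured.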

 

Below are all the SNMP OIDs related to the aforementioned IPsec VPN tables:
fgVpnDialupTable:

 

.1.3.6.1.4.1.12356.101.12.2.1 - fgVpnDialupTable
.1.3.6.1.4.1.12356.101.12.2.1.1 - fgVpnDialupEntry
.1.3.6.1.4.1.12356.101.12.2.1.1.1 - fgVpnDialupIndex
.1.3.6.1.4.1.12356.101.12.2.1.1.2 - fgVpnDialupGateway
.1.3.6.1.4.1.12356.101.12.2.1.1.3 - fgVpnDialupLifetime
.1.3.6.1.4.1.12356.101.12.2.1.1.4 - fgVpnDialupTimeout
.1.3.6.1.4.1.12356.101.12.2.1.1.5 - fgVpnDialupSrcBegin
.1.3.6.1.4.1.12356.101.12.2.1.1.6 - fgVpnDialupSrcEnd
.1.3.6.1.4.1.12356.101.12.2.1.1.7 - fgVpnDialupDstAddr
.1.3.6.1.4.1.12356.101.12.2.1.1.8 - fgVpnDialupVdom
.1.3.6.1.4.1.12356.101.12.2.1.1.9 - fgVpnDialupInOctets
.1.3.6.1.4.1.12356.101.12.2.1.1.10 - fgVpnDialupOutOctets

 

fgVpn2DialupTable

 

.1.3.6.1.4.1.12356.101.12.4.1 - fgVpn2DialupTable
.1.3.6.1.4.1.12356.101.12.4.1.1 - fgVpn2DialupEntry
.1.3.6.1.4.1.12356.101.12.4.1.1.1 - fgVpn2DialupIndex
.1.3.6.1.4.1.12356.101.12.4.1.1.2 - fgVpn2DialupGatewayType
.1.3.6.1.4.1.12356.101.12.4.1.1.3 - fgVpn2DialupGateway
.1.3.6.1.4.1.12356.101.12.4.1.1.4 - fgVpn2DialupLifetime
.1.3.6.1.4.1.12356.101.12.4.1.1.5 - fgVpn2DialupTimeout
.1.3.6.1.4.1.12356.101.12.4.1.1.6 - fgVpn2DialupSrcBeginType
.1.3.6.1.4.1.12356.101.12.4.1.1.7 - fgVpn2DialupSrcBegin
.1.3.6.1.4.1.12356.101.12.4.1.1.8 - fgVpn2DialupSrcEndType
.1.3.6.1.4.1.12356.101.12.4.1.1.9 - fgVpn2DialupSrcEnd
.1.3.6.1.4.1.12356.101.12.4.1.1.10 - fgVpn2DialupDstBeginType
.1.3.6.1.4.1.12356.101.12.4.1.1.11 - fgVpn2DialupDstBegin
.1.3.6.1.4.1.12356.101.12.4.1.1.12 - fgVpn2DialupDstEndType
.1.3.6.1.4.1.12356.101.12.4.1.1.13 - fgVpn2DialupDstEnd
.1.3.6.1.4.1.12356.101.12.4.1.1.14 - fgVpn2DialupInOctets
.1.3.6.1.4.1.12356.101.12.4.1.1.15 - fgVpn2DialupOutOctets
.1.3.6.1.4.1.12356.101.12.4.1.1.16 - fgVpn2DialupPhase1Name
.1.3.6.1.4.1.12356.101.12.4.1.1.17 - fgVpn2DialupVdom

 

fgVpnTunTable:

 

.1.3.6.1.4.1.12356.101.12.2.2 - fgVpnTunTable
.1.3.6.1.4.1.12356.101.12.2.2.1.1 - fgVpnTunEntIndex
.1.3.6.1.4.1.12356.101.12.2.2.1.2 - fgVpnTunEntPhase1Name
.1.3.6.1.4.1.12356.101.12.2.2.1.3 - fgVpnTunEntPhase2Name
.1.3.6.1.4.1.12356.101.12.2.2.1.4 - fgVpnTunEntRemGwyIp
.1.3.6.1.4.1.12356.101.12.2.2.1.5 - fgVpnTunEntRemGwyPort
.1.3.6.1.4.1.12356.101.12.2.2.1.6 - fgVpnTunEntLocGwyIp
.1.3.6.1.4.1.12356.101.12.2.2.1.7 - fgVpnTunEntLocGwyPort
.1.3.6.1.4.1.12356.101.12.2.2.1.8 - fgVpnTunEntSelectorSrcBeginIp
.1.3.6.1.4.1.12356.101.12.2.2.1.9 - fgVpnTunEntSelectorSrcEndIp
.1.3.6.1.4.1.12356.101.12.2.2.1.10 - fgVpnTunEntSelectorSrcPort
.1.3.6.1.4.1.12356.101.12.2.2.1.11 - fgVpnTunEntSelectorDstBeginIp
.1.3.6.1.4.1.12356.101.12.2.2.1.12 - fgVpnTunEntSelectorDstEndIp
.1.3.6.1.4.1.12356.101.12.2.2.1.13 - fgVpnTunEntSelectorDstPort
.1.3.6.1.4.1.12356.101.12.2.2.1.14 - fgVpnTunEntSelectorProto
.1.3.6.1.4.1.12356.101.12.2.2.1.15 - fgVpnTunEntLifeSecs
.1.3.6.1.4.1.12356.101.12.2.2.1.16 - fgVpnTunEntLifeBytes
.1.3.6.1.4.1.12356.101.12.2.2.1.17 - fgVpnTunEntTimeout
.1.3.6.1.4.1.12356.101.12.2.2.1.18 - fgVpnTunEntInOctets
.1.3.6.1.4.1.12356.101.12.2.2.1.19 - fgVpnTunEntOutOctets
.1.3.6.1.4.1.12356.101.12.2.2.1.20 - fgVpnTunEntStatus
.1.3.6.1.4.1.12356.101.12.2.2.1.21 - fgVpnTunEntVdom
.1.3.6.1.4.1.12356.101.12.2.2.1.22 - fgVpnTunEntPhase2Index

 

Note:

OID 1.3.6.1.4.1.12356.101.12.2.2.1.1 (fgVpnTunEntIndex) is a legacy entry for MIB compatibility purposes only. As of FortiOS 6.2.3, VPN tunnels are indexed based on dynamic serial numbers assigned to the Phase1 and Phase2 Security Associations.

 

To find the serial numbers assigned to each IPsec tunnel on the FortiGate, run the following CLI command: 'diagnose vpn tunnel list | grep serial'.

 

fgVpn2TunTable:

 

.1.3.6.1.4.1.12356.101.12.4.2 - fgVpn2TunTable
.1.3.6.1.4.1.12356.101.12.4.2.1 - fgVpn2TunEntry
.1.3.6.1.4.1.12356.101.12.4.2.1.1 - fgVpn2TunIndex
.1.3.6.1.4.1.12356.101.12.4.2.1.2 - fgVpn2TunPhase1Name
.1.3.6.1.4.1.12356.101.12.4.2.1.3 - fgVpn2TunPhase2Name
.1.3.6.1.4.1.12356.101.12.4.2.1.4 - fgVpn2TunRemGwyIpType
.1.3.6.1.4.1.12356.101.12.4.2.1.5 - fgVpn2TunRemGwyIp
.1.3.6.1.4.1.12356.101.12.4.2.1.6 - fgVpn2TunRemGwyPort
.1.3.6.1.4.1.12356.101.12.4.2.1.7 - fgVpn2TunLocGwyIpType
.1.3.6.1.4.1.12356.101.12.4.2.1.8 - fgVpn2TunLocGwyIp
.1.3.6.1.4.1.12356.101.12.4.2.1.9 - fgVpn2TunLocGwyPort
.1.3.6.1.4.1.12356.101.12.4.2.1.10 - fgVpn2TunSelSrcBeginIpType
.1.3.6.1.4.1.12356.101.12.4.2.1.11 - fgVpn2TunSelSrcBeginIp
.1.3.6.1.4.1.12356.101.12.4.2.1.12 - fgVpn2TunSelSrcEndIpType
.1.3.6.1.4.1.12356.101.12.4.2.1.13 - fgVpn2TunSelSrcEndIp
.1.3.6.1.4.1.12356.101.12.4.2.1.14 - fgVpn2TunSelSrcPort
.1.3.6.1.4.1.12356.101.12.4.2.1.15 - fgVpn2TunSelDstBeginIpType
.1.3.6.1.4.1.12356.101.12.4.2.1.16 - fgVpn2TunSelDstBeginIp
.1.3.6.1.4.1.12356.101.12.4.2.1.17 - fgVpn2TunSelDstEndIpType
.1.3.6.1.4.1.12356.101.12.4.2.1.18 - fgVpn2TunSelDstEndIp
.1.3.6.1.4.1.12356.101.12.4.2.1.19 - fgVpn2TunSelDstPort
.1.3.6.1.4.1.12356.101.12.4.2.1.20 - fgVpn2TunSelProto
.1.3.6.1.4.1.12356.101.12.4.2.1.21 - fgVpn2TunLifeSecs
.1.3.6.1.4.1.12356.101.12.4.2.1.22 - fgVpn2TunLifeBytes
.1.3.6.1.4.1.12356.101.12.4.2.1.23 - fgVpn2TunTimeout
.1.3.6.1.4.1.12356.101.12.4.2.1.24 - fgVpn2TunInOctets
.1.3.6.1.4.1.12356.101.12.4.2.1.25 - fgVpn2TunOutOctets
.1.3.6.1.4.1.12356.101.12.4.2.1.26 - fgVpn2TunStatus
.1.3.6.1.4.1.12356.101.12.4.2.1.27 - fgVpn2TunVdom
.1.3.6.1.4.1.12356.101.12.4.2.1.28 - fgVpn2TunPhase2Index