Explanation of how SNMP works with FortiGate devices in HA:
- With ha-direct disabled and no ha-management interface configured under the HA settings:
  - Only the primary FortiGate responds to SNMP queries or sends traps, and it does so on any of its ingress interfaces.
  - SNMP must be enabled in the interface settings, and the SNMP server must be reachable from that interface, or a reverse route to the server IP must exist through the same interface.
FortiGate_Primary:
config system ha
    set group-id 10
    set group-name "TEST_HA"
    set mode a-p
    set hbdev "port10" 0
    set override disable
    set priority 250
    set monitor "port1" "port2"
end
FortiGate_Secondary:
config system ha
    set group-id 10
    set group-name "TEST_HA"
    set mode a-p
    set hbdev "port10" 0
    set override disable
    set monitor "port1" "port2"
end
SNMP v1/v2c settings in FortiGate (ha-direct not enabled):
config system snmp community
    edit 1
        set name "SNMP-1"
        config hosts
            edit 1
                set ip 10.10.100.1    <-- SNMP server IP.
            next
        end
    next
end
SNMP v3 settings in FortiGate (ha-direct not enabled):
config system snmp user
    edit "test_snmp"
        set notify-hosts 172.31.202.32 10.5.55.171 192.168.1.3    <-- SNMP server IPs.
        set security-level auth-priv
        set auth-proto md5
    next
end
The routing table entries for the SNMP servers on the primary device:
FortiGate_Primary # get router info routing-table details 10.5.55.171
Routing table for VRF=0
Routing entry for 10.5.48.0/20
  Known via "connected", distance 0, metric 0, best
  * is directly connected, port2

FortiGate_Primary # get router info routing-table details 172.31.202.32
Routing table for VRF=0
Routing entry for 172.31.192.0/20
  Known via "connected", distance 0, metric 0, best
  * is directly connected, port3
SNMP needs to be enabled under Administrative Access (CLI: allowaccess) in the interface settings.
config system interface
    edit "port2"
        set ip 10.5.61.92 255.255.240.0
        set allowaccess ping https ssh snmp http telnet
    next
end
FortiGate_Primary # diagnose sniffer packet any "port 161 or port 162" 4 0 a
Using Original Sniffing Mode
interfaces=[any] filters=[ port 161]
19.615514 port2 in 10.5.55.171.50638 -> 10.5.61.92.161: udp 60    <-- Incoming SNMP query.
19.615806 port2 out 10.5.61.92.161 -> 10.5.55.171.50638: udp 124    <-- SNMP response.
19.619793 port2 in 10.5.55.171.50638 -> 10.5.61.92.161: udp 155
19.620777 port2 out 10.5.61.92.161 -> 10.5.55.171.50638: udp 156
- Without an HA management interface, if ha-direct is enabled in the SNMP settings, the FortiGate will not respond to any SNMP request arriving on a FortiGate interface, nor will it send any SNMP trap to the server.
SNMP v1/v2c settings in FortiGate (ha-direct enabled):
config system snmp community
    edit 1
        set name "SNMP-1"
        config hosts
            edit 1
                set ip 10.10.100.1
                set ha-direct enable    <--
            next
        end
    next
end
SNMP v3 settings in FortiGate (ha-direct enabled):
config system snmp user
    edit "test_snmp"
        set notify-hosts 172.31.202.32 10.5.55.171 192.168.1.3
        set ha-direct enable    <--
    next
end
HA settings (no ha-management interface configured):
config system ha
    set group-id 10
    set group-name "TEST_HA"
    set mode a-p
    set hbdev "port10" 0
    set override disable
    set monitor "port1" "port2"
end
FortiGate_Primary # diagnose sniffer packet any "port 161 or port 162" 4 0 a
Using Original Sniffing Mode
interfaces=[any] filters=[port 161]
2022-06-10 08:20:51.126315 port2 in 10.5.55.171.54248 -> 10.5.61.92.161: udp 60    <-- The FortiGate does not respond to the incoming SNMP traffic.
2022-06-10 08:20:53.160564 port2 in 10.5.55.171.54249 -> 10.5.61.92.161: udp 60
=============================
3. For SNMP communication with both devices in the HA cluster, ha-direct must be enabled in the SNMP settings, ha-management must be configured in the HA settings of both devices, and SNMP traffic must be sent to the HA management interface.
Note: The HA management interface configuration is not synchronized between cluster members, so SNMP has to be enabled on that interface manually on every device in the cluster.
FortiGate_Primary:
config system ha
    set group-id 10
    set group-name "TEST_HA"
    set mode a-p
    set ha-mgmt-status enable    <--
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"    <--
            set gateway 172.31.151.171    <--
        next
    end
end
config system interface
    edit "port4"
        set ip 172.31.157.92 255.255.240.0    <-- Primary device HA management IP.
        set allowaccess ping https ssh snmp http telnet
        set type physical
    next
end
SNMP v1/v2c settings in FortiGate (ha-direct enabled):
config system snmp community
    edit 1
        set name "SNMP-1"
        config hosts
            edit 1
                set ip 10.10.100.1
                set ha-direct enable    <--
            next
        end
    next
end
SNMP v3 settings in FortiGate (ha-direct enabled):
config system snmp user
    edit "test_snmp"
        set notify-hosts 172.31.202.32 10.5.55.171 192.168.1.3
        set ha-direct enable    <--
        set security-level auth-priv
        set auth-proto md5
    next
end
SNMP communication to the FortiGate primary HA management interface port4 (172.31.157.92):
FortiGate_Primary # diagnose sniffer packet any "port 161 or port 162" 4 0 a
Using Original Sniffing Mode
interfaces=[any] filters=[port 161]
2022-06-10 13:37:26.757244 port4 in 172.31.151.171.56008 -> 172.31.157.92.161: udp 60
2022-06-10 13:37:26.762607 port4 out 172.31.157.92.161 -> 172.31.151.171.56008: udp 124
2022-06-10 13:37:26.767727 port4 in 172.31.151.171.56008 -> 172.31.157.92.161: udp 155
2022-06-10 13:37:26.768413 port4 out 172.31.157.92.161 -> 172.31.151.171.56008: udp 156
2022-06-10 13:50:52.250633 port4 in 192.168.1.3.58136 -> 172.31.157.92.161: udp 60
2022-06-10 13:50:52.250827 port4 out 172.31.157.92.161 -> 192.168.1.3.58136: udp 124
2022-06-10 13:50:52.253875 port4 in 192.168.1.3.58136 -> 172.31.157.92.161: udp 155
2022-06-10 13:50:52.254409 port4 out 172.31.157.92.161 -> 192.168.1.3.58136: udp 156
Configuration on the secondary device:
FortiGate_Secondary:
config system ha
    set group-id 10
    set group-name "TEST_HA"
    set mode a-p
    set ha-mgmt-status enable    <--
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"    <--
            set gateway 172.31.151.171
        next
    end
end
SNMP v1/v2c settings in FortiGate (ha-direct enabled):
config system snmp community
    edit 1
        set name "SNMP-1"
        config hosts
            edit 1
                set ip 10.10.100.1
                set ha-direct enable    <--
            next
        end
    next
end
SNMP v3 settings in FortiGate (ha-direct enabled):
config system snmp user
    edit "test_snmp"
        set notify-hosts 172.31.202.32 10.5.55.171 192.168.1.3
        set ha-direct enable    <--
        set security-level auth-priv
        set auth-proto md5
    next
end
config system interface
    edit "port4"
        set ip 172.31.153.46 255.255.240.0    <-- Secondary device HA management interface IP.
        set allowaccess ping https ssh http telnet snmp
    next
end
SNMP communication to the FortiGate secondary HA management interface port4 (172.31.153.46):
FortiGate_Secondary # diagnose sniffer packet any "port 161 or port 162" 4 0 a
Using Original Sniffing Mode
interfaces=[any] filters=[ port 161]
2022-06-10 13:53:41.546210 port4 in 192.168.1.3.62034 -> 172.31.153.46.161: udp 60
2022-06-10 13:53:41.551027 port4 out 172.31.153.46.161 -> 192.168.1.3.62034: udp 124
2022-06-10 13:53:41.552010 port4 in 192.168.1.3.62034 -> 172.31.153.46.161: udp 155
2022-06-10 13:53:41.553274 port4 out 172.31.153.46.161 -> 192.168.1.3.62034: udp 156
2022-06-10 13:53:59.315528 port4 in 172.31.202.32.62037 -> 172.31.153.46.161: udp 60
2022-06-10 13:53:59.315783 port4 out 172.31.153.46.161 -> 172.31.202.32.62037: udp 124
2022-06-10 13:53:59.316312 port4 in 172.31.202.32.62037 -> 172.31.153.46.161: udp 153
2022-06-10 13:53:59.316760 port4 out 172.31.153.46.161 -> 172.31.202.32.62037: udp 157
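As an added check written for this article (not part of the original tip or of FortiOS), the following Python script parses verbosity-4 output of diagnose sniffer packet and lists the SNMP queries on UDP 161 that never received a reply on the same interface, which is the symptom shown in the ha-direct-without-ha-management capture above; the sample lines are constructed from the captures in this article, and the parser accepts both the dated and the relative-timestamp line formats.

```python
import re
from collections import namedtuple
# Constructed sample lines in the verbosity-4 format of "diagnose sniffer packet ... 4 0 a":
# [date] time interface direction src.port -> dst.port: proto length
SAMPLE = """\
2022-06-10 08:20:51.126315 port2 in 10.5.55.171.54248 -> 10.5.61.92.161: udp 60
2022-06-10 08:20:53.160564 port2 in 10.5.55.171.54249 -> 10.5.61.92.161: udp 60
2022-06-10 13:37:26.757244 port4 in 172.31.151.171.56008 -> 172.31.157.92.161: udp 60
2022-06-10 13:37:26.762607 port4 out 172.31.157.92.161 -> 172.31.151.171.56008: udp 124
2022-06-10 13:37:26.767727 port4 in 172.31.151.171.56008 -> 172.31.157.92.161: udp 155
2022-06-10 13:37:26.768413 port4 out 172.31.157.92.161 -> 172.31.151.171.56008: udp 156
"""

Packet = namedtuple("Packet", "ts intf direction src sport dst dport length")
# The date is optional: short captures print a relative timestamp such as 19.615514.
LINE_RE = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2} )?(?P<ts>[\d:.]+) (?P<intf>\S+) (?P<direction>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): udp (?P<length>\d+)$"
)

def parse_sniffer(text):
    """Return the UDP packet lines of a capture as Packets; header lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            packets.append(Packet(d["ts"], d["intf"], d["direction"], d["src"],
                                  int(d["sport"]), d["dst"], int(d["dport"]), int(d["length"])))
    return packets

def unanswered_snmp_requests(packets, snmp_port=161):
    """Queries to snmp_port that got no reply to the same client ip/port on the same interface."""
    pending = {}
    for p in packets:
        if p.direction == "in" and p.dport == snmp_port:
            pending.setdefault((p.src, p.sport, p.intf), []).append(p)
        elif p.direction == "out" and p.sport == snmp_port:
            queue = pending.get((p.dst, p.dport, p.intf))
            if queue:
                queue.pop(0)  # a reply matches the oldest outstanding query
    return [p for queue in pending.values() for p in queue]

def unanswered_by_interface(text):
    """Map interface -> number of unanswered SNMP queries; {} means every query was answered."""
    counts = {}
    for p in unanswered_snmp_requests(parse_sniffer(text)):
        counts[p.intf] = counts.get(p.intf, 0) + 1
    return counts
```

Paste the full sniffer output into SAMPLE (or read it from a file) and call unanswered_by_interface; an interface that shows up in the result with ha-direct enabled and no HA management interface matches the second scenario above.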
Related article: Technical Tip: How to monitor HA cluster members individually through Public Interface using SNMPv3