Author: nithincs (Staff)
Article Id 214350
Description: This article explains how SNMP communication works with a FortiGate device in an HA cluster, with and without the ha-direct option and with and without an HA management interface.
Scope: FortiGate, HA.
Solution

How SNMP works with FortiGate devices in HA:

 

1) With ha-direct disabled and no HA management interface configured under the HA settings:

Only the FortiGate master (primary) device responds to SNMP queries and sends traps, on whichever interface the traffic arrives. SNMP must be enabled in that interface's administrative access settings, and the SNMP server must be reachable from that interface, i.e. the FortiGate needs a route back to the server IP via the same interface.

 

Fgt_Master:

 

# config system ha
    set group-id 10
    set group-name "TEST_HA"
    set mode a-p
    set hbdev "port10" 0
    set override disable
    set priority 250
    set monitor "port1" "port2"
end


Fgt_backup:

 

# config system ha
    set group-id 10
    set group-name "TEST_HA"
    set mode a-p
    set hbdev "port10" 0
    set override disable
    set monitor "port1" "port2"
end

 

SNMPv3 user settings on the FortiGate (ha-direct not enabled):

 

# config system snmp user
    edit "test_snmp"
        set notify-hosts 172.31.202.32 10.5.55.171 192.168.1.3 <<<<<< SNMP server IPs
        set security-level auth-priv
        set auth-proto md5
    next
end

 

Routes to the SNMP servers on the master device (both are directly connected networks):

 

Fgt_Master # get router info routing-table details 10.5.55.171

Routing table for VRF=0
Routing entry for 10.5.48.0/20
Known via "connected", distance 0, metric 0, best
* is directly connected, port2

 

Fgt_Master # get router info routing-table details 172.31.202.32

Routing table for VRF=0
Routing entry for 172.31.192.0/20
Known via "connected", distance 0, metric 0, best
* is directly connected, port3

SNMP must be enabled under Administrative Access (CLI: allowaccess) in the settings of the interface that receives the SNMP traffic:

 

# config system interface
    edit "port2"
        set ip 10.5.61.92 255.255.240.0
        set allowaccess ping https ssh snmp http telnet
    next
end

 

Fgt_Master # dia sniffer packet any " port 161" 4 0 ka
Using Original Sniffing Mode
interfaces=[any]
filters=[ port 161]
19.615514 port2 in 10.5.55.171.50638 -> 10.5.61.92.161: udp 60 <<<<<< Incoming SNMP communication
19.615806 port2 out 10.5.61.92.161 -> 10.5.55.171.50638: udp 124>>>>> SNMP communication response
19.619793 port2 in 10.5.55.171.50638 -> 10.5.61.92.161: udp 155
19.620777 port2 out 10.5.61.92.161 -> 10.5.55.171.50638: udp 156

 

==========================

 

2) Without an HA management interface, if ha-direct is enabled in the SNMP settings, the FortiGate does not respond to any SNMP request arriving on its regular interfaces.

 

# config system snmp user
    edit "test_snmp"
        set notify-hosts 172.31.202.32 10.5.55.171 192.168.1.3
        set ha-direct enable <<<<<<<<<
    next
end

 

# config system ha
    set group-id 10
    set group-name "TEST_HA"
    set mode a-p
    set hbdev "port10" 0
    set override disable
    set monitor "port1" "port2"
end


Fgt_Master # dia sniffer packet any "port 161" 4 0 a
Using Original Sniffing Mode
interfaces=[any]
filters=[port 161]
2022-06-10 08:20:51.126315 port2 in 10.5.55.171.54248 -> 10.5.61.92.161: udp 60 <<< no "out" packet follows: the FortiGate does not respond to the incoming SNMP traffic.
2022-06-10 08:20:53.160564 port2 in 10.5.55.171.54249 -> 10.5.61.92.161: udp 60

=============================

 

3) To communicate with both devices in the HA cluster over SNMP, enable ha-direct in the SNMP settings, configure an HA management interface (ha-mgmt-status and ha-mgmt-interfaces) in the HA settings of both devices, and send the SNMP traffic to each device's HA management interface.

 

Fgt_Master:

 

# config system ha
    set group-id 10
    set group-name "TEST_HA"
    set mode a-p
    set ha-mgmt-status enable <<<<<<<<
    config ha-mgmt-interfaces
        edit 1
            set interface "port4" <<<<<<
            set gateway 172.31.151.171 <<<<<
        next
    end
end

 

# config system interface
    edit "port4"
        set ip 172.31.157.92 255.255.240.0 <<<<<<<< master device HA management IP
        set allowaccess ping https ssh snmp http telnet
        set type physical
    next
end


# config system snmp user
    edit "test_snmp"
        set notify-hosts 172.31.202.32 10.5.55.171 192.168.1.3
        set ha-direct enable <<<<<<<<<<<<<<<<<
        set security-level auth-priv
        set auth-proto md5
    next
end

 

SNMP query to the master's HA management interface port4 (172.31.157.92); requests from two different servers are answered:

 

Fgt_Master # dia sniffer packet any "port 161" 4 0 a
Using Original Sniffing Mode
interfaces=[any]
filters=[port 161]
2022-06-10 13:37:26.757244 port4 in 172.31.151.171.56008 -> 172.31.157.92.161: udp 60
2022-06-10 13:37:26.762607 port4 out 172.31.157.92.161 -> 172.31.151.171.56008: udp 124
2022-06-10 13:37:26.767727 port4 in 172.31.151.171.56008 -> 172.31.157.92.161: udp 155
2022-06-10 13:37:26.768413 port4 out 172.31.157.92.161 -> 172.31.151.171.56008: udp 156
2022-06-10 13:50:52.250633 port4 in 192.168.1.3.58136 -> 172.31.157.92.161: udp 60
2022-06-10 13:50:52.250827 port4 out 172.31.157.92.161 -> 192.168.1.3.58136: udp 124
2022-06-10 13:50:52.253875 port4 in 192.168.1.3.58136 -> 172.31.157.92.161: udp 155
2022-06-10 13:50:52.254409 port4 out 172.31.157.92.161 -> 192.168.1.3.58136: udp 156

 

==========


Configuration on the backup device:

 

Fgt_backup:

 

# config system ha
    set group-id 10
    set group-name "TEST_HA"
    set mode a-p
    set ha-mgmt-status enable <<<<<<<<
    config ha-mgmt-interfaces
        edit 1
            set interface "port4" <<<<<<<<<
            set gateway 172.31.151.171
        next
    end
end

 

# config system snmp user
    edit "test_snmp"
        set notify-hosts 172.31.202.32 10.5.55.171 192.168.1.3
        set ha-direct enable <<<<<<<<<<<<
        set security-level auth-priv
        set auth-proto md5
    next
end

 

# config system interface
    edit "port4"
        set ip 172.31.153.46 255.255.240.0 <<<<<<<< backup device HA management interface IP
        set allowaccess ping https ssh http telnet snmp
    next
end
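The three scenarios above differ only in the combination of ha-direct, ha-mgmt-status/ha-mgmt-interfaces and the interface allowaccess list. The following Python script is an added example, not part of the article and not Fortinet code: it parses CLI snippets in the shape shown in this article (a minimal parser that handles only config/edit/set/next/end and ignores the "<<<" highlight annotations) and reports which scenario a configuration falls into, plus the checks a practitioner would want before opening a ticket (snmp missing from allowaccess on the interface that must answer, and the weak auth-proto md5 setting). The sample snippets are constructed to mirror the lab configuration.

```python
"""Added example (not Fortinet's code): classify a FortiGate HA + SNMP
configuration into the article's three scenarios and flag inconsistencies.
The CLI snippets are constructed to mirror the article's lab; the parser
handles only the subset of FortiOS CLI syntax they use."""

# Scenario 1 (constructed): no ha-direct, no HA management interface.
SCENARIO_1 = """
# config system ha
    set group-id 10
    set mode a-p
end
# config system snmp user
    edit "test_snmp"
        set notify-hosts 172.31.202.32 10.5.55.171
        set security-level auth-priv
        set auth-proto md5
    next
end
# config system interface
    edit "port2"
        set ip 10.5.61.92 255.255.240.0
        set allowaccess ping https ssh snmp <<< snmp granted
    next
end
"""
# Scenario 2: the same, but ha-direct enabled on the SNMP user.
SCENARIO_2 = SCENARIO_1.replace(
    "set security-level", "set ha-direct enable\n        set security-level")
# Scenario 3: ha-direct plus ha-mgmt-status and a management interface (port4).
SCENARIO_3 = SCENARIO_2.replace("set mode a-p", """set mode a-p
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 172.31.151.171
        next
    end""") + """
# config system interface
    edit "port4"
        set ip 172.31.157.92 255.255.240.0
        set allowaccess ping https snmp
    next
end
"""


def parse_fortios(text):
    """Parse a FortiOS CLI snippet into nested dicts.

    'config X' and 'edit K' open a nested table, 'set K V...' stores a value
    list, 'next'/'end' close the current table. Leading '#' prompts and the
    '<<<' annotations used to highlight lines are ignored."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("<<<")[0].strip().lstrip("#").strip()
        if not line:
            continue
        kw, _, rest = line.partition(" ")
        if kw in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(rest.strip().strip('"'), {})
        elif kw == "set":
            name, _, vals = rest.partition(" ")
            cur[name] = [v.strip('"') for v in vals.split()]
        elif kw in ("next", "end") and stack:
            cur = stack.pop()
    return root


def snmp_scenario(cfg):
    """Return (scenario, findings) following the article's three cases."""
    ha = cfg.get("system ha", {})
    users = cfg.get("system snmp user", {})
    ifaces = cfg.get("system interface", {})
    ha_direct = any(u.get("ha-direct", ["disable"])[0] == "enable"
                    for u in users.values())
    mgmt_on = ha.get("ha-mgmt-status", ["disable"])[0] == "enable"
    mgmt_ifs = [e["interface"][0]
                for e in ha.get("ha-mgmt-interfaces", {}).values()
                if "interface" in e]
    findings = []
    if not ha_direct:
        scenario = 1
        findings.append("only the master answers SNMP, on any interface "
                        "with snmp in allowaccess")
    elif not (mgmt_on and mgmt_ifs):
        scenario = 2
        findings.append("ha-direct enabled without an HA management "
                        "interface: SNMP to regular interfaces is unanswered")
    else:
        scenario = 3
        findings.append("each member answers SNMP on its HA management "
                        "interface: " + ", ".join(mgmt_ifs))
    # Whichever interfaces must carry SNMP need 'snmp' in allowaccess.
    for name in (mgmt_ifs if scenario == 3 else list(ifaces)):
        if "snmp" not in ifaces.get(name, {}).get("allowaccess", []):
            findings.append(f"{name}: snmp not in allowaccess (or interface "
                            "not in snippet)")
    for uname, u in users.items():
        if u.get("auth-proto", [""])[0] == "md5":
            findings.append(f"snmp user {uname}: auth-proto md5 is weak; "
                            "prefer sha")
    return scenario, findings


if __name__ == "__main__":
    for label, text in (("1", SCENARIO_1), ("2", SCENARIO_2), ("3", SCENARIO_3)):
        print(label, snmp_scenario(parse_fortios(text)))
```

Paste the output of `show system ha`, `show system snmp user` and `show system interface` from each cluster member into the three string slots to check a real cluster; scenario 3 must hold on both the master and the backup, since each member answers only on its own HA management interface.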

 

SNMP query to the backup's HA management interface port4 (172.31.153.46); the backup now answers directly:

 

Fgt_backup # dia sniffer packet any " port 161" 4 0 a
Using Original Sniffing Mode
interfaces=[any]
filters=[ port 161]
2022-06-10 13:53:41.546210 port4 in 192.168.1.3.62034 -> 172.31.153.46.161: udp 60
2022-06-10 13:53:41.551027 port4 out 172.31.153.46.161 -> 192.168.1.3.62034: udp 124
2022-06-10 13:53:41.552010 port4 in 192.168.1.3.62034 -> 172.31.153.46.161: udp 155
2022-06-10 13:53:41.553274 port4 out 172.31.153.46.161 -> 192.168.1.3.62034: udp 156
2022-06-10 13:53:59.315528 port4 in 172.31.202.32.62037 -> 172.31.153.46.161: udp 60
2022-06-10 13:53:59.315783 port4 out 172.31.153.46.161 -> 172.31.202.32.62037: udp 124
2022-06-10 13:53:59.316312 port4 in 172.31.202.32.62037 -> 172.31.153.46.161: udp 153
2022-06-10 13:53:59.316760 port4 out 172.31.153.46.161 -> 172.31.202.32.62037: udp 157
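The quickest way to tell scenario 2 from scenarios 1 and 3 in the field is the sniffer output shown throughout this article: an unanswered FortiGate shows only "in" packets to udp/161, a working one shows an "out" reply for every request. The following Python script is an added example, not part of the article and not Fortinet code: it parses lines from `diagnose sniffer packet` in both the relative-timestamp and the absolute-timestamp (`a` flag) forms seen above, pairs SNMP requests with replies per interface and client, and lists the flows the FortiGate never answered. The sample capture lines are reproduced from this article's captures.

```python
"""Added example (not from the article or Fortinet): pair SNMP requests with
replies in 'diagnose sniffer packet' output to spot a FortiGate that receives
SNMP queries but never answers (the article's scenario 2)."""
import re
from collections import defaultdict

# Matches both the relative-timestamp form (no 'a' flag) and the absolute
# form ('a' flag) produced by 'diagnose sniffer packet ... 4'.
SNIFFER_LINE = re.compile(
    r"^(?:\d{4}-\d\d-\d\d\s+)?[\d:.]+\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)"
)
SNMP_PORT = "161"

# Sample lines reproduced from the article's captures: the first capture has
# no 'out' lines (scenario 2), the second shows request/reply pairs.
CAPTURE_UNANSWERED = """\
Using Original Sniffing Mode
interfaces=[any]
filters=[port 161]
2022-06-10 08:20:51.126315 port2 in 10.5.55.171.54248 -> 10.5.61.92.161: udp 60 <<< no reply
2022-06-10 08:20:53.160564 port2 in 10.5.55.171.54249 -> 10.5.61.92.161: udp 60
"""
CAPTURE_ANSWERED = """\
19.615514 port2 in 10.5.55.171.50638 -> 10.5.61.92.161: udp 60
19.615806 port2 out 10.5.61.92.161 -> 10.5.55.171.50638: udp 124
2022-06-10 13:37:26.757244 port4 in 172.31.151.171.56008 -> 172.31.157.92.161: udp 60
2022-06-10 13:37:26.762607 port4 out 172.31.157.92.161 -> 172.31.151.171.56008: udp 124
2022-06-10 13:37:26.767727 port4 in 172.31.151.171.56008 -> 172.31.157.92.161: udp 155
2022-06-10 13:37:26.768413 port4 out 172.31.157.92.161 -> 172.31.151.171.56008: udp 156
"""


def analyze(capture):
    """Count SNMP requests and replies per (interface, client, fortigate) flow.

    A request is an 'in' packet to udp/161, a reply an 'out' packet from
    udp/161. Header lines and trailing annotations are ignored."""
    flows = defaultdict(lambda: {"requests": 0, "responses": 0})
    for line in capture.splitlines():
        m = SNIFFER_LINE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        if p["dir"] == "in" and p["dport"] == SNMP_PORT:
            flows[(p["iface"], p["src"], p["dst"])]["requests"] += 1
        elif p["dir"] == "out" and p["sport"] == SNMP_PORT:
            # Key the reply by the client it goes back to, so it joins the
            # request's flow entry.
            flows[(p["iface"], p["dst"], p["src"])]["responses"] += 1
    return dict(flows)


def unanswered(capture):
    """Flows in which the FortiGate received more SNMP requests than it replied to."""
    return sorted(k for k, v in analyze(capture).items()
                  if v["requests"] > v["responses"])


if __name__ == "__main__":
    for name, cap in (("unanswered", CAPTURE_UNANSWERED), ("answered", CAPTURE_ANSWERED)):
        print(name, analyze(cap), "-> not answered:", unanswered(cap))
```

When `unanswered()` returns a flow, the article gives the three things to verify on that member: ha-direct enabled without an HA management interface (scenario 2), snmp absent from the ingress interface's allowaccess, or no route back to the SNMP server through the same interface.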

 
