tino_p
Staff
Article Id 277109
Description: This article explains why OID .1.3.6.1.2.1.2.2.1.8.X (ifOperStatus) should not be used to check the VPN interface status.
Scope: FortiGate, SNMP, VPN.
Solution:

1.3.6.1.2.1.2.2.1.8 (ifOperStatus) is the OID used to check the status of an interface. To monitor a specific interface, use the OID 1.3.6.1.2.1.2.2.1.8.x, where 'x' is the SNMP index number of that interface.

However, it should not be used to monitor the VPN interface status. When a VPN tunnel goes down, its VPN interface is down as well, yet the SNMP value of ifOperStatus remains 1 (meaning UP), exactly as for a VPN tunnel that is actually up. The value only changes to 2 (meaning DOWN) when the VPN interface is manually disabled.


For example:

There are 3 tunnels: (1) To_kvm85, (2) To_other and (3) tunnel3. Their SNMP indexes are 17, 18 and 19, respectively.

[Screenshot: tunnels_status.PNG]

Tunnel (1) is UP; tunnels (2) and (3) are both DOWN, but the interface of tunnel (3) has been disabled manually.

[Screenshot: vpn_interface_status.PNG]

In the snmpwalk results, the value for tunnel (1, UP) and for tunnel (2, DOWN) is still 1. Only tunnel (3), whose interface was manually disabled, has its OID value changed to 2 (meaning DOWN).

[Screenshot: snmpwalk_results.PNG]
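To make the pitfall concrete, here is an added Python example (not part of this article) that parses snmpwalk output for the three tunnels above and shows that a check based on ifOperStatus reports the down tunnel To_other as up. The walk lines and the tunnel states are constructed to match the scenario in the screenshots, not copied from the device.

```python
import re

# Constructed snmpwalk output (numeric OID form, as printed by snmpwalk -On) that
# reproduces the article's scenario: ifIndex 17 = To_kvm85 (tunnel up),
# 18 = To_other (tunnel down), 19 = tunnel3 (tunnel down, interface disabled manually).
IFOPERSTATUS_WALK = """\
.1.3.6.1.2.1.2.2.1.8.17 = INTEGER: 1
.1.3.6.1.2.1.2.2.1.8.18 = INTEGER: 1
.1.3.6.1.2.1.2.2.1.8.19 = INTEGER: 2
"""

# Constructed ground truth for the same three tunnels, as shown in the VPN monitor.
TUNNELS = {17: ("To_kvm85", "up"), 18: ("To_other", "down"), 19: ("tunnel3", "down")}

IFOPERSTATUS_OID = ".1.3.6.1.2.1.2.2.1.8"
ROW_RE = re.compile(r"^(\S+)\.(\d+) = INTEGER: (\d+)$")


def parse_walk(text, base_oid):
    """Return {ifIndex: integer value} for the rows of base_oid in an snmpwalk dump."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group(1) == base_oid:
            rows[int(m.group(2))] = int(m.group(3))
    return rows


def naive_is_up(walk, ifindex):
    """The check the article warns against: trusting ifOperStatus == 1 on a VPN interface."""
    return parse_walk(walk, IFOPERSTATUS_OID).get(ifindex) == 1


def vpn_admin_state(walk, ifindex):
    """What ifOperStatus actually tells you about a FortiGate VPN interface."""
    value = parse_walk(walk, IFOPERSTATUS_OID).get(ifindex)
    if value == 2:
        return "disabled"   # the interface was manually disabled
    if value == 1:
        return "enabled"    # says nothing about whether the tunnel itself is up
    return "unknown"


def misreported_tunnels(walk, tunnels):
    """Tunnels that are down but that the naive ifOperStatus check reports as up."""
    return [name for idx, (name, real) in tunnels.items()
            if real == "down" and naive_is_up(walk, idx)]


if __name__ == "__main__":
    print("parsed:", parse_walk(IFOPERSTATUS_WALK, IFOPERSTATUS_OID))
    print("down tunnels misreported as up:", misreported_tunnels(IFOPERSTATUS_WALK, TUNNELS))
```

On a VPN interface, ifOperStatus is only useful for detecting a manually disabled interface; the tunnel state itself must be read from a source that reports tunnel status.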
