FortiMonitor
FortiMonitor is a holistic, SaaS-based digital experience and network performance monitoring solution which combines monitoring, network incident management, automation, and network configuration management into a single source of truth.
nbilaniuk
Staff
Article Id 222365
Description

This article explains the 'Deduplication OIDs' used in FortiMonitor's SNMP trap handling.

Scope

SNMP traps in FortiMonitor.

Solution

When traps are not followed by an all-clear sent by the device the trap originated from, FortiMonitor closes the trap incident after a preset time. This is usually half an hour.

The question of deduplication arises if one or more additional traps are sent with the same trap OID as another already active trap. Deduplication allows a deeper look to determine whether two traps that share an OID are truly identical.

How it works:

When an SNMP trap is sent, it carries a payload of objects that are defined in its OID description. The descriptions can be found and viewed at sites such as https://www.oid-info.com or https://oidref.com/.

A 'deduplication OID' may be selected from the list of objects in a given trap type.

If an additional trap is sent while the trap incident is still active and a deduplication OID is set, FortiMonitor examines the selected object in the new trap's payload and compares its value with the value in the original trap. If the value is identical, the new trap message is appended to the 'Timeline & Messages' of the existing trap incident. If the value is different, a new incident is generated instead.
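
The decision described above, modelled in Python so the append-or-new outcome can be checked against sample traps. This is an added example, not FortiMonitor code: the class and function names are hypothetical and the trap data is constructed. It assumes the close timer runs from the incident's first trap, that payload objects are keyed by object OID without an instance suffix, and that a new trap is compared against every active incident with the same trap OID.

```python
from dataclasses import dataclass, field

CLOSE_AFTER_S = 30 * 60  # "usually half an hour" when no all-clear arrives

# Standard IF-MIB / SNMPv2-MIB OIDs, used here only as sample data.
LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"      # trap OID (linkDown)
IF_INDEX = "1.3.6.1.2.1.2.2.1.1"       # payload object picked as deduplication OID
IF_OPER_STATUS = "1.3.6.1.2.1.2.2.1.8"

@dataclass
class Incident:
    trap_oid: str
    dedup_value: str
    opened_at: int
    messages: list = field(default_factory=list)  # stands in for 'Timeline & Messages'

class TrapDeduplicator:
    """Model of the decision described above (hypothetical, not FortiMonitor code)."""

    def __init__(self, dedup_oids):
        self.dedup_oids = dedup_oids  # trap OID -> deduplication OID set for it
        self.incidents = []

    def _active(self, trap_oid, now):
        # Assumption: the close timer runs from the incident's first trap.
        return [i for i in self.incidents
                if i.trap_oid == trap_oid and now - i.opened_at < CLOSE_AFTER_S]

    def receive(self, trap_oid, varbinds, now):
        """Return ('appended' or 'new', incident) for one received trap."""
        value = varbinds.get(self.dedup_oids[trap_oid])
        for inc in self._active(trap_oid, now):
            if inc.dedup_value == value:      # same object value: same incident
                inc.messages.append((now, varbinds))
                return "appended", inc
        inc = Incident(trap_oid, value, now, [(now, varbinds)])
        self.incidents.append(inc)            # different value (or none active): new incident
        return "new", inc

def demo():
    """Replay constructed linkDown traps as (time in seconds, ifIndex value)."""
    dedup = TrapDeduplicator({LINK_DOWN: IF_INDEX})
    events = [(0, "3"), (120, "3"), (300, "7"), (2000, "3")]
    return [dedup.receive(LINK_DOWN, {IF_INDEX: idx, IF_OPER_STATUS: "2"}, t)[0]
            for t, idx in events]

if __name__ == "__main__":
    print(demo())
```

With ifIndex as the deduplication OID, repeated linkDown traps for one interface collapse into a single incident while a different interface opens its own; choosing an object whose value changes on every trap would defeat deduplication entirely.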