FortiMonitor
FortiMonitor is a holistic, SaaS-based digital experience and network performance monitoring solution that combines monitoring, network incident management, automation, and network configuration management into a single source of truth.
MR_B
Staff
Article Id 250723
Description This article describes how to configure FortiMonitor and FortiGates to leverage SNMP and dedicated management ports in an HA cluster to ensure that each device-specific uplink, as well as the shared uplink, can be properly monitored.
Scope FortiMonitor.
Solution

Overview:

- When a FortiGate cluster is created without a dedicated management port on each device, it is not possible to monitor the metrics on the non-primary device. In this situation, visibility into critical metrics, such as the state of the non-primary device's uplink ports, is lost.

This could lead to an unexpected outage in the event of a failure on the primary device while the unmonitored passive uplink is already down.

 

Steps:

1) Configure each FortiGate in the HA cluster to have an out-of-band dedicated management interface. Details on how to configure this can be found in the below article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-Reserved-Management-Interface/ta-p/1901...

 

2) To configure the FortiGates to support SNMP polling, follow the instructions in the article below to configure SNMP settings for the cluster and then for each device’s dedicated management port:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-SNMP-polling-via-the-dedicated-H...

 

3) Add the SNMP credentials to FortiMonitor. Follow the below article:

https://docs.fortinet.com/document/fortimonitor/23.1.0/user-guide/400646/snmp

 

4) Add each FortiGate to the FortiMonitor GUI as a Network (Advanced) instance using the dedicated management IP address where SNMP has been enabled:

https://docs.fortinet.com/document/fortimonitor/23.1.0/user-guide/619979/network-device-monitoring

 

5) Add a new Network (Basic) instance with the shared network link’s IP address. This will create a ping check to monitor the status of the shared network connection.

 

6) Optional: In FortiMonitor, set the Network (Basic) instance for the shared IP as the parent instance for the FortiGate instances in order to suppress alerts for the FortiGate instances if the shared link should enter an alert state.

 

Example:

In this example, the goal is to leverage SNMP to monitor the overall health of HA FortiGate 01 and HA FortiGate 02 as well as the state of the individual ports that make up each device’s portion of each shared link. The state of the shared external (10.10.10.10) and internal (192.168.10.10) IP addresses also needs to be monitored using ping checks to ensure those links are functional. Below are the steps to accomplish this.

[Image: HA_FortiGate_Monitoring (Small).png]

 

- Add an advanced network instance for HA FortiGate 01 using IP address 192.168.10.20. Create a metric threshold and set an alert timeline for the operational status of Port 1 and Port 2.

- Add an advanced network instance for HA FortiGate 02 using IP address 192.168.10.30. Create a metric threshold and set an alert for the operational status of Port 1 and Port 2.

- Add a basic network instance with IP 10.10.10.10 to monitor the state of the redundant external IP address. Create a metric threshold and set an alert timeline for the ping check.  

- Add a basic network instance with IP 192.168.10.10 to monitor the state of the redundant internal IP address. Create a metric threshold and set an alert timeline for the ping check.
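
The FortiGate side of steps 1 and 2, sketched with this example's management addresses. This is an added illustration, not configuration taken from the linked articles; the interface name `mgmt`, the /24 mask, the gateway 192.168.10.1, the poller address 192.168.10.50 and the community placeholder are assumptions to replace with local values.

```fortios
# --- Cluster-wide settings (entered on the primary, synchronized to the cluster) ---

# Step 1: reserve an interface for out-of-band management of each member.
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"            # assumed interface name
            set gateway 192.168.10.1        # assumed gateway
        next
    end
end

# Step 2: enable the SNMP agent and allow queries only from the poller.
config system snmp sysinfo
    set status enable
end
config system snmp community
    edit 1
        set name "<community-placeholder>"  # placeholder, choose a non-default value
        set query-v1-status disable         # answer SNMP v2c queries only
        config hosts
            edit 1
                set ip 192.168.10.50 255.255.255.255   # assumed poller address
                set host-type query
                set ha-direct enable        # reply from the member's own management port
            next
        end
    next
end

# --- Per-member settings (the reserved interface address is not synchronized) ---

# On HA FortiGate 01:
config system interface
    edit "mgmt"
        set ip 192.168.10.20 255.255.255.0
        set allowaccess ping snmp
    next
end

# On HA FortiGate 02, enter the same block on that unit with:
#     set ip 192.168.10.30 255.255.255.0
```

Restricting the community's host entry to the single poller address and leaving only `ping` and `snmp` in `allowaccess` keeps the management ports from answering SNMP queries from the rest of the 192.168.10.0 network.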

 
