Fortinet Forum
pt
New Contributor

SNMP polling of a Cluster

Hi,

 

I have a fundamental question regarding SNMP access to a FortiGate cluster:

I know that it's necessary to configure a dedicated management interface, to configure "ha-direct enable" and to activate SNMP on the corresponding management interface, and then both cluster members can be monitored and queried via SNMP.

 

This works fine, but I additionally need to poll the cluster-management port, i.e. the virtual IP address of the cluster management, too, and this is not possible. It seems that if ha-direct is enabled and a dedicated management interface is configured, it's not possible to poll any interfaces via SNMP other than the dedicated management interfaces.

 

Is this intentional or a bug or is there a special configuration option? Thx in advance.

 

Kind regards

Patrick

 

4 REPLIES
ESCHAN_FTNT
Staff

Hi Patrick

 

Can I know why you need to poll 2 different interfaces? (dedicated management interface and normal interface). I don't see any difference in polling on any interface. The advantage of polling the dedicated management interface is just for you to be able to poll the secondary FGT as well (instead of just the primary).

pt
New Contributor

Hi, 

 

no problem, I will try to explain why we need this. This is important for analysing the NetFlow data. The NetFlow data is always sent with the management IP of the cluster, i.e. the VIP. It's not possible to choose the dedicated cluster management interfaces as the source for NetFlow data.

 

In order for our NetFlow server to display the data correctly (e.g. which flow belongs to which VLAN) it needs SNMP access to the IP address that sends the NetFlow data, and that is the cluster management IP.

 

Kind regards

Patrick


ede_pfau
Esteemed Contributor III

It's perfectly reasonable to monitor both the cluster address and both cluster members, for different values. For example, you can monitor the cluster's throughput, but for single members this wouldn't make sense (except for the member which is master at the time).

 

The way I do it is to only poll the cluster's address. This will give you the readings for the cluster.

Then, for cluster members, you use a special SNMP community:

cluster: comm=public

member1: comm=public-FGT1K5abcdef1

member2: comm=public-FGT1K5abcdef2

 

That is, you append the serial number of the cluster member to the community. The master unit will then forward the request to the correct cluster member.

This is documented here: https://kb.fortinet.com/kb/viewContent.do?externalId=13077

One caveat: this is valid for SNMP v2 only, not v3.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
pt
New Contributor

Hi, 

 

and thanks for the answer. The problem is we have to use SNMPv3; v2 is not allowed.

 

Kind regards

Patrick