i have a fundamental question regarding SNMP access to a Fortigate cluster:
I know that it's necessary to configure a dedicated management interface, to configure "ha-direct enable" and to activate SNMP on the corresponding management interface, and then both cluster members can be monitored and queried via SNMP.
This works fine, but I additionally need to poll the cluster management port, i.e. the virtual IP address of the cluster management, too, and this is not possible. It seems that if ha-direct is enabled and a dedicated management interface is configured, it's not possible to poll other interfaces via SNMP than the dedicated management interface.
Is this intentional or a bug or is there a special configuration option? Thx in advance.
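The setup described in the question, written out as an added example configuration that is not from the original thread; FortiOS 6.x-style CLI syntax is assumed, and the interface name "mgmt", the addresses and the community name are constructed placeholders:

```fortios
# Added example (not from the thread): dedicated HA management interface with
# ha-direct, plus SNMP allowed on that interface only. Interface name "mgmt",
# IP addresses and the community name are constructed placeholders.
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 192.0.2.1
        next
    end
    # ha-direct makes management traffic such as SNMP replies leave via the
    # HA management interface of the unit that answers, so each member can
    # be polled on its own management address (primary and secondary alike).
    set ha-direct enable
end

config system interface
    edit "mgmt"
        # The per-unit address on the HA management interface is not synced;
        # set it on each member. Keep allowaccess to what the poller needs.
        set allowaccess ping snmp
    next
end

config system snmp sysinfo
    set status enable
end

config system snmp community
    edit 1
        set name "monitoring-ro"
        config hosts
            edit 1
                # Accept queries only from the NMS / NetFlow collector address
                set ip 192.0.2.50 255.255.255.255
            next
        end
    next
end
```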
Can I know why you need to poll two different interfaces (dedicated management interface and normal interface)? I don't see any difference in polling on any interface. The advantage of polling the dedicated management interface is just that you are able to poll the secondary FGT as well (instead of just the primary).
No problem, I will try to explain why we need this. This is important for analysing the NetFlow data. The NetFlow data is always sent with the management IP of the cluster, i.e. the VIP. It's not possible to choose the dedicated cluster management interfaces as the source for NetFlow data.
In order for our NetFlow server to display the data correctly (e.g. which flow belongs to which VLAN), it needs SNMP access to the IP address that sends the NetFlow data, and that is the cluster management IP.
It's perfectly reasonable to monitor both the cluster address and both cluster members, for different values. For example, you can monitor the cluster's throughput, but for single members this wouldn't make sense (except for the member which is master at the time).
The way I do it is to only poll the cluster's address. This will give you the readings for the cluster.
Then, for cluster members, you use a special SNMP community:
that is, you append the serial number of the cluster member to the community. The master unit will then forward the request to the correct cluster member.