Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rmetzger
Staff
Staff

Created on ‎02-06-2014 12:49 AM Edited on ‎02-25-2025 03:33 AM By Community Manager

Article Id 196034

Technical Tip: FortiGate SNMP polling via the dedicated HA management port

Description


This article describes how to allow SNMP polling through the dedicated HA management interface.

 

Scope

 

FortiGate v5.6 and above.


Solution

 

Configuration:

In the example below, the network interface name of the dedicated HA management port is 'mgmt1': (If trusted hosts are configured in FortiGate's admin users, the SNMP server IP must match at least one of the trusted hosts)

 

config system interface

edit "mgmt1"

set ip 10.100.200.1 255.255.255.0

set allowaccess ping https ssh snmp fgfm

set dedicated-to management

next

end


config system ha

set ha-mgmt-status enable

config ha-mgmt-interfaces

edit 1

set interface mgmt1

set gateway 10.100.200.254

next

end

set ha-direct enable

end

 

Configure SNMPv2:

 

config system snmp community

edit 1

config hosts

edit 1

   set name "snmp_monitor"

set ha-direct enable / disable

set ip 10.100.100.0 255.255.255.0

next

next

end

 

Configure SNMPv3:

 

config system snmp user

edit 1

set ha-direct enable

set ip 10.100.100.0 255.255.255.0

next

end

 

If there is more than one HA management port configured, a specific management port can be used for SNMP communication.

In the below configuration, the 'mgmt1' port has been used for SNMP communication.

 

config system ha

set ha-mgmt-status enable

config ha-mgmt-interfaces

edit 1

set interface mgmt1

set dst 10.100.100.0 255.255.255.0  <-

set gateway 10.100.200.254

next

edit 2

set interface mgmt2

set gateway 10.100.200.254

next

end

 

If the Firewall is not running HA and there is no one-way traffic, disable the direct by following the command:

 

     config system snmp community 

      edit 1 

          config hosts 

              edit 1 

              unset ha-direct  

          end

 

Excerpt of SNMP debug:

 

snmpd: <msg> 49 bytes 10.100.200.10:7414 -> 10.100.200.1/10.100.200.1:161 (itf 2.2)
snmpd: checking if community "snmp_monitor" is valid
snmpd: checking against community "snmp_monitor"
snmpd: request 2(vsys_hamgmt)/2/10.100.200.10 != comm 1/0/10.100.200.10/255.255.255.255
snmpd: host or intf mismatch
snmpd: failed to match community "snmp_monitor"
snmpd: </msg> 0

 

After 'ha-direct enable' under 'config system SNMP community':

 

snmpd: <msg> 49 bytes 10.100.200.100:7414 -> 10.100.200.1/10.100.200.1:161 (itf 2.2)
snmpd: checking if community "snmp_monitor" is valid
snmpd: checking against community "snmp_monitor"
snmpd: request 2(vsys_hamgmt)/2/10.100.200.10 != comm 1/0/10.100.200.10/255.255.255.255
snmpd: matched community "snmp_monitor"
snmpd: </msg> 0

Labels:
73308
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.