we use FortiGate at a lot of customers and monitor everything using PRTG Network Monitor (latest version 126.96.36.1998). I found out today that if I monitor traffic in IPsec site2site tunnels I get strange results.
Here is a concrete example.
FortiGate 100F (6.4.9). There is one IPsec tunnel on the WAN interface to the central FortiGate 200F (6.4.10). All traffic is routed to the IPsec tunnel, nothing passes to the internet directly through the WAN.
This graph is from the WAN interface:
and this graph is from an IPsec tunnel:
As you can see there is a huge difference.
But I am unable to determine when this monitoring problem started. I tried deleting and recreating the problematic sensors but that didn't fix the problem. I also tried using SNMPv3 instead of SNMPv2 and also no luck.
I always considered IPsec tunnels as a classic interface (and that's how the PRTG program also approached it) and it always worked.
Has anyone encountered a similar problem? Other interfaces (physical, vlans or SSL) are displayed correctly via SNMP.
And I also registered that if I view the IPsec tunnel widget on FGT, I only see one direction.
I always selected the "SNMP Traffic" template in PRTG, scanned the FortiGate and it showed me all available interfaces for monitoring - incl. IPsec tunnels, VLAN, SSL interface. There was never problem with it.
It looks like this:
All this still works now, with the difference that the data read using SNMP does not correspond to the real load of the IPsec interface.
Can you provide me with a valid OID for traffic and unicast packet monitoring for the IPsec interface? I would try adding it manually.
Edit: I found one historic BUG in version 6.2.x: Could this not also be the case?
Oh nice one! I've never heard of that issue before. Going to dig in a bit more on this one because ideally you'd want that traffic offloaded and monitored accurately at the same time. I'll let you know if I find anything else out.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.