Description
How to configure SNMP in an SLBC so that a management station can poll the FortiController, poll the FortiGate worker blades directly, or poll the worker blades through the FortiController.
Solution
Configuration on FortiController
config system interface
edit "mgmt"
set ip 172.31.19.84 255.255.252.0
set allowaccess ping https ssh snmp telnet http
next
edit "base-mgmt"
next
end
config system snmp ?
community snmp community configuration
sysinfo snmp system info configuration
config system snmp sysinfo
set status enable
end
config system snmp community
edit 1
set events cpu-high mem-low ha-switch ha-hb-failure ha-member-up ha-member-down hbfail hbrcv tkmem-down tkmem-up
config hosts
edit 2
set ip 172.31.0.0 255.255.0.0
next
end
set name "public"
next
end
config system global
set hostname "FT513B3912000065"
set load-balance enable
end
get system global
.../...
snmp-community : elbc-mgmt-comm
.../...
Configuration on FortiGate Worker Blades
config system interface
edit "base-mgmt"
set vdom "elbc-mgmt"
set ip 10.101.10.5 255.255.255.0
set allowaccess ping https ssh snmp
set type redundant
set member "base1" "base2"
set snmp-index 24
next
edit "mgmt1"
set vdom "elbc-mgmt"
set ip 172.31.18.66 255.255.252.0
set allowaccess ping https ssh snmp http telnet
.../...
config system snmp community
edit 1
set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open faz-disconnect wc-ap-up wc-ap-down
config hosts
edit 3
set ip 172.31.0.0 255.255.0.0
next
end
set name "public"
next
edit 2
set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open faz-disconnect wc-ap-up wc-ap-down
config hosts
edit 3
set ip 10.101.10.0 255.255.255.0
next
end
set name "elbc-mgmt-comm"
next
end
From the management PC with IP 172.31.18.77
- polling of the SLBC master blade mgmt interface (FGT MIB):
snmpwalk -v2c -c public 172.31.18.66 .1.3.6.1.4.1.12356
- polling of the FT5103B MIB:
snmpwalk -v2c -c public 172.31.19.84 .1.3.6.1.4.1.12356
- polling the FGT on the VIP: instead of polling the worker blade directly, you can poll the FGT through the FortiController, using the VIP configured as base-mgmt-external-ip (172.31.19.38 255.255.252.0):
config load-balance setting
set base-ctrl-interface-mode active-passive
set base-ctrl-network 10.101.11.0 255.255.255.0
set base-mgmt-allowaccess ping https ssh snmp
set base-mgmt-external-ip 172.31.19.38 255.255.252.0
set base-mgmt-interface-mode active-passive
.../...
set base-mgmt-internal-network 10.101.10.0 255.255.255.0
.../...
In this case, you need to allow the base-mgmt-internal-network (10.101.10.0 255.255.255.0) to access the community on the worker blade, because the polling comes from the FortiController:
snmpwalk -v2c -c elbc-mgmt-comm 172.31.19.38 .1.3.6.1.4.1.12356
The FortiController regularly polls the worker blades to collect uptime, CPU, memory and the number of sessions.
This polling uses the community configured in "config system global":
get system global
.../...
snmp-community : elbc-mgmt-comm
.../...
These requests come from the network "10.101.10.0 255.255.255.0", just like the VIP queries.
To debug an issue, run a packet sniffer or enable the snmpd debug:
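As an added check (example code written for this note, not from the original article or from Fortinet), the following Python parses the worker-blade "config system snmp community" output shown above and verifies whether a given source network, such as the base-mgmt-internal-network that the FortiController polls from, is allowed for a community; the sample configuration is constructed from the addresses on this page, with the "set events" lines omitted, and only the listed host entries are considered.

```python
import ipaddress

# Constructed sample: the worker-blade community configuration from this article, host entries only.
WORKER_SNMP_CONFIG = """\
config system snmp community
    edit 1
        config hosts
            edit 3
                set ip 172.31.0.0 255.255.0.0
            next
        end
        set name "public"
    next
    edit 2
        config hosts
            edit 3
                set ip 10.101.10.0 255.255.255.0
            next
        end
        set name "elbc-mgmt-comm"
    next
end
"""

def parse_communities(text):
    """Map each community name to the host networks its 'set ip A.B.C.D MASK' entries allow."""
    communities, depth = {}, 0          # depth 2 = inside a community entry, 4 = inside a host entry
    name, hosts = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("config ", "edit ")):
            depth += 1
            if depth == 2:              # a new community entry begins here
                name, hosts = None, []
        elif line in ("next", "end"):
            if depth == 2 and name:     # leaving a community entry: record its hosts
                communities[name] = hosts
            depth -= 1
        elif depth == 4 and line.startswith("set ip "):
            _, _, ip, mask = line.split()
            hosts.append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
        elif depth == 2 and line.startswith("set name "):
            name = line.split(None, 2)[2].strip('"')
    return communities

def can_poll(communities, community, source_net):
    """True if SNMP requests from source_net are allowed by the listed hosts of that community."""
    src = ipaddress.ip_network(source_net, strict=False)
    return any(src.subnet_of(net) for net in communities.get(community, []))
```

With the page's configuration, `can_poll(parse_communities(WORKER_SNMP_CONFIG), "elbc-mgmt-comm", "10.101.10.0/24")` is True while the same check for "public" is False, which is why the VIP query must use elbc-mgmt-comm.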
diagnose debug application snmpd -1
diagnose debug enable