FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gfranceschi
Staff
Article Id 195154
Description
How to configure SNMP polling in an SLBC (Session-aware Load Balanced Cluster): polling the FortiController itself, polling a FortiGate worker blade directly, or polling a worker blade through the FortiController.

Solution
Configuration on FortiController


config system interface
    edit "mgmt"
        set ip 172.31.19.84 255.255.252.0
        set allowaccess ping https ssh snmp telnet http
    next
    edit "base-mgmt"
    next
end

config system snmp ?
community    snmp community configuration
sysinfo      snmp system info configuration

config system snmp sysinfo
    set status enable
end

config system snmp community
    edit 1
        set events cpu-high mem-low ha-switch ha-hb-failure ha-member-up ha-member-down hbfail hbrcv tkmem-down tkmem-up
            config hosts
                 edit 2
                    set ip 172.31.0.0 255.255.0.0
                next
            end
        set name "public"
    next
end

config system global
    set hostname "FT513B3912000065"
    set load-balance enable
end

get system global
.../...
snmp-community      : elbc-mgmt-comm
.../...

Configuration on FortiGate Worker Blades

config system interface
    edit "base-mgmt"
        set vdom "elbc-mgmt"
        set ip 10.101.10.5 255.255.255.0
        set allowaccess ping https ssh snmp
        set type redundant
        set member "base1" "base2"
        set snmp-index 24
    next
    edit "mgmt1"
        set vdom "elbc-mgmt"
        set ip 172.31.18.66 255.255.252.0
        set allowaccess ping https ssh snmp http telnet
        .../...


config system snmp community
    edit 1
        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open faz-disconnect wc-ap-up wc-ap-down
            config hosts
                edit 3
                    set ip 172.31.0.0 255.255.0.0
                next
            end
        set name "public"
    next
    edit 2
        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open faz-disconnect wc-ap-up wc-ap-down
            config hosts
                edit 3
                    set ip 10.101.10.0 255.255.255.0
                next
            end
        set name "elbc-mgmt-comm"
    next
end

From the management PC (IP 172.31.18.77):

- polling the mgmt interface of the SLBC master worker blade directly (FortiGate MIB, community "public"):
snmpwalk -v2c -c public 172.31.18.66 .1.3.6.1.4.1.12356

- polling the FortiController (FT5103B) MIB directly (community "public"):
snmpwalk -v2c -c public 172.31.19.84 .1.3.6.1.4.1.12356

- polling the FortiGate through the VIP: instead of polling the worker blade directly, you can poll it through the FortiController, using the VIP configured as base-mgmt-external-ip (172.31.19.38 255.255.252.0):

config load-balance setting
    set base-ctrl-interface-mode active-passive
    set base-ctrl-network 10.101.11.0 255.255.255.0
    set base-mgmt-allowaccess ping https ssh snmp
    set base-mgmt-external-ip 172.31.19.38 255.255.252.0
    set base-mgmt-interface-mode active-passive
   .../...
    set base-mgmt-internal-network 10.101.10.0 255.255.255.0
   .../....

In this case the worker-blade community must allow the base-mgmt-internal-network (10.101.10.0 255.255.255.0) in its host list, because the FortiController relays the request and the poll reaches the blade with a source address from that network (community 2, "elbc-mgmt-comm", above). Note that the host entry is what restricts this community: it will not answer a query sent directly to mgmt1 from the management network, whereas "public" remains reachable from the whole 172.31.0.0/16.
snmpwalk -v2c -c elbc-mgmt-comm 172.31.19.38 .1.3.6.1.4.1.12356

The FortiController also polls the worker blades itself at regular intervals to collect uptime, CPU usage, memory usage and session count.
This polling uses the community configured under "config system global":
   get system global
   .../...
   snmp-community      : elbc-mgmt-comm
   .../...
These requests come from the network 10.101.10.0 255.255.255.0, exactly as for queries relayed through the VIP, so the same host entry on the worker-blade community covers both.
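As an added example (not part of the original article, nor Fortinet code), the following POSIX sh helper polls the three targets described above from the management PC with the community each one expects, reports the same counters the FortiController collects from the blades, and checks that the internal community "elbc-mgmt-comm" is refused when sent directly to the worker blade's mgmt1 address. Assumptions not on the page: net-snmp's snmpget is installed on the management PC, and the fgSystemInfo OIDs below are taken from FORTINET-FORTIGATE-MIB (verify them against your MIB file); the alarm thresholds are arbitrary placeholders, not the FortiOS trap thresholds.

```shell
#!/bin/sh
# Added example, not from the Fortinet article. Polls the SLBC SNMP targets
# from the management PC and verifies the community host restriction.

SNMPGET=${SNMPGET:-snmpget}          # overridable so the poller can be stubbed

FORTINET=".1.3.6.1.4.1.12356"        # Fortinet enterprise OID (from the article)
OID_CPU="$FORTINET.101.4.1.3.0"      # fgSysCpuUsage, percent (assumed MIB OID)
OID_MEM="$FORTINET.101.4.1.4.0"      # fgSysMemUsage, percent (assumed MIB OID)
OID_SESSIONS="$FORTINET.101.4.1.8.0" # fgSysSesCount (assumed MIB OID)
OID_UPTIME=".1.3.6.1.2.1.1.3.0"      # sysUpTime, MIB-2

# Addresses exactly as in the article's configuration.
slbc_host() {
  case "$1" in
    controller) echo 172.31.19.84 ;;   # FortiController mgmt interface
    worker)     echo 172.31.18.66 ;;   # master worker blade, mgmt1
    vip)        echo 172.31.19.38 ;;   # base-mgmt-external-ip on the FortiController
    *) echo "unknown target: $1" >&2; return 1 ;;
  esac
}

# Community per path: relayed polls arrive from 10.101.10.0/24 and need
# community 2; direct polls from 172.31.0.0/16 use community 1.
slbc_community() {
  case "$1" in
    vip) echo elbc-mgmt-comm ;;
    *)   echo public ;;
  esac
}

# snmp_value HOST COMMUNITY OID -> bare value (-Oqv); non-zero on timeout/refusal
snmp_value() {
  "$SNMPGET" -v2c -c "$2" -t 2 -r 1 -Oqv "$1" "$3"
}

# slbc_health TARGET -> one line with the counters the FortiController collects
slbc_health() {
  host=$(slbc_host "$1") || return 1
  comm=$(slbc_community "$1")
  cpu=$(snmp_value "$host" "$comm" "$OID_CPU") || {
    echo "$1: no SNMP answer from $host with community $comm" >&2; return 1; }
  mem=$(snmp_value "$host" "$comm" "$OID_MEM")
  ses=$(snmp_value "$host" "$comm" "$OID_SESSIONS")
  up=$(snmp_value "$host" "$comm" "$OID_UPTIME")   # as printed by snmpget
  echo "$1 host=$host uptime=$up cpu=$cpu mem=$mem sessions=$ses"
}

# slbc_alarm CPU MEM [CPU_MAX] [MEM_MAX] -> 0 when a threshold is crossed.
# Placeholder thresholds: the FortiOS cpu-high / mem-low values are not on the page.
slbc_alarm() {
  cpu_max=${3:-80}; mem_max=${4:-80}
  [ "$1" -ge "$cpu_max" ] || [ "$2" -ge "$mem_max" ]
}

# slbc_acl_check -> 0 when elbc-mgmt-comm is refused from this PC, i.e. the
# 10.101.10.0/24 host entry on community 2 is doing its job.
slbc_acl_check() {
  if snmp_value "$(slbc_host worker)" elbc-mgmt-comm "$OID_UPTIME" >/dev/null 2>&1; then
    echo "WARNING: elbc-mgmt-comm answered the management PC; tighten 'config hosts'" >&2
    return 1
  fi
  return 0
}

# Usage: sh slbc-snmp.sh run
if [ "${1:-}" = "run" ]; then
  for t in controller worker vip; do slbc_health "$t"; done
  slbc_acl_check && echo "internal community correctly restricted to 10.101.10.0/24"
fi
```

The ACL check is the part worth keeping in a change-control runbook: a worker blade that answers "elbc-mgmt-comm" on mgmt1 means the host entry on community 2 was widened, and the read-only view of the whole FortiGate MIB is then available to anyone on 172.31.0.0/16 who learns that name.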

To debug an issue, run the packet sniffer on the polled interface (filtering on UDP port 161) or enable the snmpd debug output:
 diagnose debug application snmpd -1
 diagnose debug enable



