Description
This article describes how to configure SNMP traps on a FortiGate and explains why fgTrapPerCpuHigh traps are received because of the 'updated' daemon.
Solution
SNMP traps use a push model where the SNMP agent (FortiGate) sends traps to the SNMP manager (monitoring tool).
There is also a pull model where the SNMP Manager sends requests to the SNMP agent.
Traps can be configured from both GUI and CLI.
GUI.
Go to System -> SNMP -> SNMP v1/v2c and select 'Create New'.
Fill in the fields then select 'OK'.
CLI.
config system snmp community
    edit 1
        set name "Email-Traps"
        config hosts
            edit 4
                set ip 1.1.1.1/32
                set host-type trap
            next
        end
    next
end
config system snmp sysinfo
    set status enable <----- Disabled by default.
    set trap-high-cpu-threshold 80 <----- CPU usage at which the trap is sent. The default value is 80.
end
If SNMP traps are configured, high CPU usage traps are received at random from time to time.
In general, CPU utilization on the FortiGate is at a normal level.
There is an 'updated' daemon on the FortiGate that is used to update AV/IP spam/web filter signatures via the FortiGuard server.
diag sys top-summary
updated 1456 R N 99.9 0.3 <----- Showing 99.9% CPU utilization.
The high CPU spike occurs for 1-2 seconds only.
FortiGate does not log the spike but sends traps to the SNMP Manager.
If 'execute update-now' is run, the CPU utilization of the 'updated' daemon goes high for 2 seconds before it returns to normal.
This is expected behavior, as all the AV/IPS/Web Filtering/ISDB signatures are requesting an update from the FortiGuard server.
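The following added example, which is not part of the original article and is not Fortinet code, parses process lines of the shape shown above from consecutive captures and reports whether a high-CPU trap matches the short 'updated' spike. The column layout, the comparison of per-process CPU against the trap threshold, and the max_hot value are assumptions.

```python
import re

# Assumed column layout, inferred from the sample line on this page:
#   name  pid  state  [priority flag]  cpu%  mem%
LINE = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<state>[A-Z])\s+"
    r"(?:(?P<prio>[<N])\s+)?(?P<cpu>\d+(?:\.\d+)?)\s+(?P<mem>\d+(?:\.\d+)?)\s*$"
)

def parse_snapshot(text):
    """Return {process name: highest CPU% seen} for one captured snapshot."""
    usage = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # header and blank lines do not match and are skipped
            cpu = float(m["cpu"])
            usage[m["name"]] = max(cpu, usage.get(m["name"], 0.0))
    return usage

def classify(snapshots, threshold=80.0, max_hot=2):
    """Classify a high-CPU trap from consecutive process snapshots.

    threshold mirrors trap-high-cpu-threshold; max_hot is a hypothetical
    limit on consecutive hot snapshots still counted as a short spike.
    """
    hot_names, run, longest = set(), 0, 0
    for text in snapshots:
        hot = {n for n, c in parse_snapshot(text).items() if c >= threshold}
        hot_names |= hot
        run = run + 1 if hot else 0
        longest = max(longest, run)
    if not hot_names:
        return "no-spike"
    if hot_names == {"updated"} and longest <= max_hot:
        return "expected-update-spike"
    return "investigate"

# Constructed sample snapshots (not captured from a real device).
QUIET = "updated 1456 S N 0.0 0.3\nhttpsd 210 S 0.5 1.1"
SPIKE = "updated 1456 R N 99.9 0.3\nhttpsd 210 S 0.5 1.1"
OTHER = "ipsengine 92 R < 95.0 5.2\nupdated 1456 S N 0.0 0.3"

if __name__ == "__main__":
    print(classify([QUIET, SPIKE, QUIET]))   # short 'updated' spike
    print(classify([SPIKE, OTHER]))          # another process is hot
    print(classify([SPIKE] * 5))             # 'updated' stays hot
```

A result of "investigate" means either a process other than 'updated' crossed the threshold or 'updated' stayed hot longer than the short spike described here.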
To avoid receiving high CPU traps during business hours, the updates from the FortiGuard server can be scheduled to run at a particular time or after office hours.
The settings can be found in the GUI under System -> FortiGuard -> AntiVirus & IPS Updates -> Scheduled Updates.