alif
Staff
Article Id 196542

Description

 

This article describes how to configure SNMP traps on a FortiGate and explains why fgTrapPerCpuHigh traps are received due to the 'updated' daemon.

Solution


SNMP traps use a push model where the SNMP agent (FortiGate) sends traps to the SNMP manager (monitoring tool).

There is also a pull model where the SNMP Manager sends requests to the SNMP agent.


Traps can be configured from both GUI and CLI.

GUI.

Go to System -> SNMP -> SNMP v1/v2c and select 'Create New'.

Fill in the fields then select 'OK'.



 
 
CLI.
 
config system snmp community
    edit 1
        set name "Email-Traps"
        config hosts
            edit 4
                set ip 1.1.1.1/32
                set host-type trap
            next
        end
    next
end

config system snmp sysinfo
    set status enable                                          <----- Disabled by default.
    set trap-high-cpu-threshold 80                             <----- CPU usage when the trap is sent. The default value is 80.
end
 
If SNMP traps are configured, high CPU usage traps will be received at random from time to time.
CPU utilization on the FortiGate is, in general, at a normal level.
There is an 'updated' daemon on the FortiGate that is used to update AV/IP spam/web filter signatures via the FortiGuard server.

diag sys top-summary
updated 1456 R N 99.9 0.3                                      <----- Showing 99.9% CPU utilization. The high CPU spike occurs for 1-2 seconds only.

FortiGate does not log this but sends traps to the SNMP Manager.
If 'execute update-now' is run, the CPU utilization of the 'updated' daemon goes high for 2 seconds before returning to normal.
 
This is expected behavior, as all the AV/IPS/Web Filtering/ISDB signatures are requesting an update from the FortiGuard server.

To avoid receiving high CPU traps during business hours, the updates from the FortiGuard server can be scheduled to run at a particular time or after office hours.

The settings can be found in the GUI under System -> FortiGuard -> AntiVirus & IPS Updates -> Scheduled Updates.
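
Once updates run on a schedule, fgTrapPerCpuHigh traps that arrive outside the update window are the ones worth a closer look on the SNMP manager side. The following triage sketch is an added example, not Fortinet code; the log line format, the window times and the addresses are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, time

TRAP_NAME = "fgTrapPerCpuHigh"  # trap name from this article

# Assumption: window that matches the configured Scheduled Updates time.
# It crosses midnight on purpose to show that case.
WINDOW_START, WINDOW_END = time(23, 30), time(0, 30)

# Constructed sample in a hypothetical "<ISO timestamp> <source IP> <trap>" format.
SAMPLE_LINES = [
    "2024-03-04T23:30:05 192.0.2.10 fgTrapPerCpuHigh",
    "2024-03-05T00:10:41 192.0.2.10 fgTrapPerCpuHigh",
    "2024-03-05T10:15:30 192.0.2.10 fgTrapPerCpuHigh",
    "2024-03-05T10:15:32 192.0.2.10 coldStart",
    "garbage line",
]

def in_window(t, start, end):
    """True if time-of-day t is in [start, end), including windows crossing midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def triage(lines, start=WINDOW_START, end=WINDOW_END):
    """Split high-CPU traps into (expected during updates, needs investigation)."""
    expected, investigate = [], []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[2] != TRAP_NAME:
            continue  # malformed line or a different trap
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # unparseable timestamp
        bucket = expected if in_window(ts.time(), start, end) else investigate
        bucket.append((ts, parts[1]))
    return expected, investigate

if __name__ == "__main__":
    expected, investigate = triage(SAMPLE_LINES)
    for ts, src in investigate:
        print(f"{ts.isoformat()} {src}: {TRAP_NAME} outside the update window")
```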