FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Rosalyn
Staff
Article Id 195977
Description
Four SNMP OIDs have been added for polling the number of packets and bytes that either conform to traffic shaping or are discarded by it.





This article describes how to add SNMP OIDs for shaping-related statistics.

Solution
To configure an OID related to traffic shaping:

1) Configure SNMP:
# config system snmp community
    edit 1
        set name "SNMP-TEST"
        # config hosts
            edit 1
                set ip 10.1.100.11 255.255.255.255
            next
            edit 2
                set ip 172.16.200.55 255.255.255.255
            next
        end
        # config hosts6
            edit 1
                set ipv6 2000:172:16:200::55/128
            next
            edit 2
                set ipv6 2000:10:1:100::11/128
            next
        end
        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change fm-conf-change ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update faz-disconnect
    next
end
To configure from the GUI, go to System -> SNMP.





2) Configure the traffic shaping profile:
# config firewall shaping-profile
    edit "eth-shape-hierarchical"
        set comment "output shaper"
        set type queuing
        set default-class-id 31
        # config shaping-entries
            edit 31
                set class-id 31
                set priority low
                set guaranteed-bandwidth-percentage 20
                set maximum-bandwidth-percentage 100
            next
            edit 11
                set class-id 11
                set priority top
                set guaranteed-bandwidth-percentage 50
                set maximum-bandwidth-percentage 50
                set limit 5
            next
            edit 12
                set class-id 12
                set priority critical
                set guaranteed-bandwidth-percentage 20
                set maximum-bandwidth-percentage 100
                set red-probability 10
                set min 5
                set max 10
            next
        end
    next
end
To configure from the GUI, go to Policy & Object -> Traffic Shaping Profile and select 'Create New'.





3) Configure the traffic shaping policy:
# config firewall shaping-policy
    edit 11
        set comment "DIAMOND - 26 - AF31"
        set service "ALL"
        set dstintf "port1"
        set class-id 11
        set diffserv-forward enable
        set srcaddr "HOST_10.71.15.2"
        set dstaddr "HOST_10.72.15.2"
        set diffservcode-forward 011010
    next
    edit 25
        set comment "GOLD - 20 - AF22"
        set service "ALL"
        set dstintf "port1"
        set class-id 12
        set diffserv-forward enable
        set srcaddr "HOST_10.71.15.3"
        set dstaddr "HOST_10.72.15.3"
        set diffservcode-forward 010100
    next
end
To configure from the GUI, go to Policy & Object -> Traffic Shaping Policy and select 'Create New'.




4) Configure the traffic class:
# config firewall traffic-class
    edit 31
        set class-name "output shaper"
    next
    edit 11
        set class-name "a"
    next
    edit 12
        set class-name "b"
    next
    edit 13
        set class-name "c"
    next
    edit 14
        set class-name "d"
    next
end
Note:
The above configuration is available in the CLI only.

5) Configure the interface:
# config system interface
    edit "port1"
        set vdom "root"
        set ip 172.16.200.1 255.255.255.0
        set allowaccess ping https ssh http telnet snmp
        set type physical
        set egress-shaping-profile "eth-shape-hierarchical"
        set snmp-index 1
    next
end
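To configure from the GUI, go to Network -> Interfaces, select the WAN interface, select 'Edit', and under Traffic shaping enable the 'Outbound shaping profile'.
For the sample queries below to be answered, 'snmp' must also be included in the interface's allowaccess list. HTTP and Telnet in the sample allowaccess list are cleartext management protocols; HTTPS and SSH provide the same access over an encrypted channel.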





Sample query:
$ snmpwalk -v2c -c SNMP-TEST 172.16.200.1 1.3.6.1.4.1.12356.101.7.5.4.1.1
FORTINET-FORTIGATE-MIB::fgIntfBcQPackets.1.12 = Counter64: 11992
FORTINET-FORTIGATE-MIB::fgIntfBcQPackets.1.13 = Counter64: 2015
FORTINET-FORTIGATE-MIB::fgIntfBcQPackets.1.14 = Counter64: 2014
FORTINET-FORTIGATE-MIB::fgIntfBcQPackets.1.15 = Counter64: 1062
$ snmpwalk -v2c -c SNMP-TEST 172.16.200.1 1.3.6.1.4.1.12356.101.7.5.4.1.2
FORTINET-FORTIGATE-MIB::fgIntfBcQBytes.1.12 = Counter64: 3021984
FORTINET-FORTIGATE-MIB::fgIntfBcQBytes.1.13 = Counter64: 507780
FORTINET-FORTIGATE-MIB::fgIntfBcQBytes.1.14 = Counter64: 507528
FORTINET-FORTIGATE-MIB::fgIntfBcQBytes.1.15 = Counter64: 266272
$ snmpwalk -v2c -c SNMP-TEST 172.16.200.1 1.3.6.1.4.1.12356.101.7.5.4.1.3
FORTINET-FORTIGATE-MIB::fgIntfBcQPDrops.1.12 = Counter64: 15211
FORTINET-FORTIGATE-MIB::fgIntfBcQPDrops.1.13 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgIntfBcQPDrops.1.14 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgIntfBcQPDrops.1.15 = Counter64: 15267
$ snmpwalk -v2c -c SNMP-TEST 172.16.200.1 1.3.6.1.4.1.12356.101.7.5.4.1.4
FORTINET-FORTIGATE-MIB::fgIntfBcQBDrops.1.12 = Counter64: 3833172
FORTINET-FORTIGATE-MIB::fgIntfBcQBDrops.1.13 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgIntfBcQBDrops.1.14 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgIntfBcQBDrops.1.15 = Counter64: 3816750
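
The following is an added example, not part of the original article or Fortinet's own tooling: it parses snmpwalk output in the format shown above and reports, per row, the share of packets discarded by shaping. It assumes fgIntfBcQPackets counts conforming packets only, as the description states; the function names and the 0.5 threshold are hypothetical, and the two index values are kept as opaque keys.

```python
import re
# Counter lines copied from the article's sample query (packets and packet drops).
SAMPLE_WALK = """\
FORTINET-FORTIGATE-MIB::fgIntfBcQPackets.1.12 = Counter64: 11992
FORTINET-FORTIGATE-MIB::fgIntfBcQPackets.1.13 = Counter64: 2015
FORTINET-FORTIGATE-MIB::fgIntfBcQPackets.1.14 = Counter64: 2014
FORTINET-FORTIGATE-MIB::fgIntfBcQPackets.1.15 = Counter64: 1062
FORTINET-FORTIGATE-MIB::fgIntfBcQPDrops.1.12 = Counter64: 15211
FORTINET-FORTIGATE-MIB::fgIntfBcQPDrops.1.13 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgIntfBcQPDrops.1.14 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgIntfBcQPDrops.1.15 = Counter64: 15267
"""

LINE_RE = re.compile(
    r"^FORTINET-FORTIGATE-MIB::(fgIntfBcQ(?:Packets|Bytes|PDrops|BDrops))"
    r"\.(\d+)\.(\d+) = Counter64: (\d+)$"
)

def parse_walk(text):
    """Group snmpwalk lines into {(index1, index2): {column: value}}."""
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # prompts, blank lines and other objects are skipped
            column, a, b, value = m.groups()
            rows.setdefault((int(a), int(b)), {})[column] = int(value)
    return rows

def _delta(cur, prev, column):
    # A counter that went backwards (device restart) is taken at its raw value.
    c, p = cur.get(column, 0), prev.get(column, 0)
    return c - p if c >= p else c

def drop_share(current, previous=None, threshold=0.5):
    """Per row: (dropped / (conforming + dropped), flagged), on packet counts."""
    previous = previous or {}
    report = {}
    for key, cur in sorted(current.items()):
        prev = previous.get(key, {})
        ok = _delta(cur, prev, "fgIntfBcQPackets")
        dropped = _delta(cur, prev, "fgIntfBcQPDrops")
        total = ok + dropped
        share = dropped / total if total else 0.0  # idle row: no division by zero
        report[key] = (round(share, 4), share >= threshold)
    return report

if __name__ == "__main__":
    for key, (share, flagged) in drop_share(parse_walk(SAMPLE_WALK)).items():
        print(key, share, "HIGH" if flagged else "ok")
```

The counters are cumulative, so passing the parsed result of an earlier poll as `previous` gives the drop share for the interval between the two polls rather than since the counters started.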
