Technical Tip: SNMP and HA clusters

You can use SNMP to manage a cluster by configuring a cluster interface for SNMP administrative access. Using an SNMP manager you can get cluster configuration and status information and receive traps.

Configuring SNMP for a cluster is done in the same way as configuring SNMP for a standalone FortiGate unit. SNMP configuration changes made to the cluster are shared by all cluster units.

This article also describes how to use a special community name with to get configuration and status information for any cluster unit (including subordinate units, also called slave units).

Normally, to get a configuration and status information for a standalone FortiGate unit or for a primary unit, an SNMP manager would use an SNMP get command to get the information in a MIB field. The SNMP get command syntax would be similar to the following:

  snmpget -v2c -c <community_name> <address_ipv4> <OID>

<community_name> is an SNMP community name added to the FortiGate configuration. You can add more than one community names to a FortiGate SNMP configuration. The most commonly used community name is public.

<address_ipv4> is the IP address of the FortiGate address that the SNMP manager connects to.

<OID> is the object identifier for the MIB field.

The following SNMP example command gets the HA status table for the primary unit.

 
For version 4.0.x or 5.0.x:

  snmpget -v2c -c public 10.10.10.1  1.3.6.1.4.1.12356.1.100.6

For version 6.0.x:

  snmpget -v2c -c public 10.10.10.1  1.3.6.1.4.1.12356.101.13.2.1

The community name is public.
The IP address of the FortiGate interface is 10.10.10.1.
The HA status table MIB field is fgHaStatsTable and the OID for this MIB field being 1.3.6.1.4.1.12356.1.100.6 for version 4.0.x or 5.0.x  or
1.3.6.1.4.1.12356.101.13.2.1 for version 6.0.

To get configuration status information for a specific cluster unit (for the primary unit or for any subordinate unit), the SNMP manager must add the serial number of the cluster unit to the SNMP get command after the community name. The community name and the serial number are separated with a dash. The syntax for this SNMP get command is:

  snmpget -v2c -c <community_name>-<fgt_serial> <address_ipv4> <OID>

<community_name> is an SNMP community name added to the FortiGate configuration. You can add more than one community name to a FortiGate SNMP configuration. All units in the cluster have the same community name. The most commonly used community name is public.

<fgt_serial> is the serial number of any cluster member. For example, FGT4002803033172. You can specify the serial number of any cluster unit, including the primary unit, to get information for that unit.

<address_ipv4> is the IP address of the FortiGate HA Master that the SNMP manager connects to.

<OID> is the object identifier for the MIB field.

If the serial number matches the serial number of a subordinate unit, the SNMP get request is sent over the HA heartbeat link to the subordinate unit. After processing the request, the subordinate unit sends the reply back over the HA heartbeat link back to the primary unit. The primary unit then forwards the response back to the SNMP manager.

If the serial number matches the serial number of the primary unit, the SNMP get request is processed by the primary unit. You can actually add a serial number to the commuity name of any SNMP get request. But normally you only need to do this for getting information from a subordiate unit.

To get the HA status table for a subordinate unit:

The following SNMP get command gets the HA status table for a subordinate unit in a FortiGate-5001SX cluster.

For version 4.0.x or 5.0.x:

snmpget -v2c -c public-FG50012205-----0 10.10.10.1 1.3.6.1.4.1.12356.1.100.6

For version 6.0.x:

snmpget -v2c -c public-FGVM020000-----8 10.10.10.1 1.3.6.1.4.1.12356.101.13.1

The subordinate unit has serial number FG50012205-----0.
The community name is public.
The IP address of the FortiGate interface is 10.10.10.1.
The HA status table MIB field is fnHaStatsTable and the OID for this MIB field is 1.3.6.1.4.1.12356.1.100.6 for version 4.0.x of 5.0.x  or 1.3.6.1.4.1.12356.101.13.2.1 for version 6.0.

FortiGate SNMP recognizes the community name with syntax <community_name>-<fgt_serial>. When the primary unit receives an SNMP get request that includes the community name followed by serial number, the FGCP extracts the serial number from the request. Then the primary unit redirects the SNMP get request to the cluster unit with that serial number. If the serial number matches the serial number of the primary unit, the SNMP get is processed by the primary unit.

To be able to use the SNMP get command to display system information for any cluster unit you need to know each cluster unit serial number. If you do not have the serial numbers available, you can use the following SNMP command syntax to get all cluster unit serial numbers through fnHaStatsSerial MIB OID or its numerical OID

The following SNMP get command uses the MIB field name to get all cluster unit serial numbers. IP address of the FortiGate HA Master being 10.10.10.1.

For version 4.0.x or 5.0.x:

snmpwalk -v2c -c public 10.10.10.1 fnHaStatsSerial
snmpwalk -v2c -c public 10.10.10.1 1.3.6.1.4.1.12356.1.100.6.1.2

.1.3.6.1.4.1.12356.1.100.6.1.2.1 = STRING: "FG50012205-----2"
.1.3.6.1.4.1.12356.1.100.6.1.2.2 = STRING: "FG50012205-----0"

For version 6.0.x:

snmpwalk -v2c -c public 10.10.10.1 fgHaStatsSerial
snmpwalk -v2c -c public 10.10.10.1 1.3.6.1.4.1.12356.101.13.2.1.1.2

.1.3.6.1.4.1.12356.101.13.2.1.1.2.1 = STRING: "FGVM020000-----6"
.1.3.6.1.4.1.12356.101.13.2.1.1.2.2 = STRING: "FGVM020000-----8"