Configuring SNMP on FortiGate: the special case of an HA cluster that has a dedicated HA management interface



For the configuration of the dedicated HA management interface itself, refer to the chapter on the HA dedicated management interface; the same topology is used here. This chapter focuses on how to configure and use SNMP in that setup.

1. Enable SNMP under allowaccess on the dedicated HA management interface (on the mgmt interface of both the primary firewall and the secondary firewall).



2. Enable the global SNMP agent switch.


3. Configure the SNMP v2 settings, for example set the SNMP v2 community to Fortinet123#. Do not use the generic community public, which is easily probed and attacked; it is also recommended to disable SNMP v1.


4. Configure SNMP v3: user name fortinet, authentication algorithm SHA1 with password forti3389, encryption algorithm AES with password forti5566.




Testing SNMP at this point shows that the query cannot retrieve anything:


Capture packets on the FortiGate to see what is happening:
FGT101E_Master_379 # diagnose sniffer packet any "host 192.168.91.21 and port 161" 4  // the capture shows IN but no OUT: the firewall does not answer the SNMP request
interfaces=[any]
filters=[host 192.168.91.21 and port 161]
3.916641 mgmt in 192.168.91.125.2486 -> 192.168.91.21.161: udp 47
8.915985 mgmt in 192.168.91.125.2486 -> 192.168.91.21.161: udp 47
13.915973 mgmt in 192.168.91.125.2486 -> 192.168.91.21.161: udp 47
18.916014 mgmt in 192.168.91.125.2486 -> 192.168.91.21.161: udp 47
23.916028 mgmt in 192.168.91.125.2486 -> 192.168.91.21.161: udp 47
^
5 packets received by filter
0 packets dropped by kernel
FGT101E_Master_379 #    // use debug flow to find the reason
FGT101E_Master_379 # diagnose debug flow filter addr  192.168.91.21
FGT101E_Master_379 # diagnose debug flow filter  proto 17
FGT101E_Master_379 # diagnose debug flow filter dport 161
FGT101E_Master_379 # diagnose debug flow show function-name enable
show function name
FGT101E_Master_379 # diagnose debug flow show  iprope enable
show trace messages about iprope
FGT101E_Master_379 # diagnose debug flow trace start 10
FGT101E_Master_379 # diagnose debug enable    
FGT101E_Master_379 # id=20085 trace_id=10 func=print_pkt_detail line=5618 msg="vd-vsys_hamgmt:0 received a packet(proto=17, 192.168.91.125:2633->192.168.91.21:161) from mgmt. "
id=20085 trace_id=10 func=init_ip_session_common line=5788 msg="allocate a new session-000c43e8"
id=20085 trace_id=10 func=iprope_dnat_check line=4951 msg="in-[mgmt], out-[]"
id=20085 trace_id=10 func=iprope_dnat_check line=4964 msg="result: skb_flags-02000001, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=10 func=vf_ip_route_input_common line=2595 msg="find a route: flag=84000000 gw-192.168.91.21 via vsys_hamgmt"
id=20085 trace_id=10 func=iprope_in_check line=415 msg="in-[mgmt], out-[], skb_flags-02000001, vid-0"
id=20085 trace_id=10 func=__iprope_check line=2149 msg="gnum-100011, check-3f026cfc"
id=20085 trace_id=10 func=iprope_policy_group_check line=4414 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=20085 trace_id=10 func=__iprope_check line=2149 msg="gnum-100001, check-3f0252f4"
id=20085 trace_id=10 func=iprope_policy_group_check line=4414 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=10 func=__iprope_check line=2149 msg="gnum-10000e, check-3f0252f4"
id=20085 trace_id=10 func=__iprope_check_one_policy line=1901 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
id=20085 trace_id=10 func=__iprope_check_one_policy line=1901 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
id=20085 trace_id=10 func=__iprope_check_one_policy line=1901 msg="checked gnum-10000e policy-4294967295, ret-matched, act-accept"
id=20085 trace_id=10 func=__iprope_check_one_policy line=2120 msg="policy-4294967295 is matched, act-drop"   // dropped, inside vd-vsys_hamgmt
id=20085 trace_id=10 func=__iprope_check line=2168 msg="gnum-10000e check result: ret-matched, act-drop, flag-00000000, flag2-00000000"
id=20085 trace_id=10 func=iprope_policy_group_check line=4414 msg="after check: ret-matched, act-drop, flag-00000000, flag2-00000000"
id=20085 trace_id=10 func=__iprope_check line=2149 msg="gnum-10000f, check-3f0252f4"
id=20085 trace_id=10 func=__iprope_check_one_policy line=1901 msg="checked gnum-10000f policy-4294967295, ret-matched, act-accept"
id=20085 trace_id=10 func=__iprope_check_one_policy line=2120 msg="policy-4294967295 is matched, act-accept"
id=20085 trace_id=10 func=__iprope_check line=2168 msg="gnum-10000f check result: ret-matched, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=10 func=iprope_policy_group_check line=4414 msg="after check: ret-matched, act-accept, flag-00000000, flag2-00000000"
FGT101E_Master_379 # diagnose debug  application snmpd -1  // even though the community matches, no SNMP response is sent
Debug messages will be on for 30 minutes.
FGT101E_Master_379 # diagnose debug  enable 
FGT101E_Master_379 # snmpd: <msg> 46 bytes 192.168.91.125:30725 -> 192.168.91.21/192.168.91.21:161 (itf 6.6)
snmpd: checking if community "Fortinet123#" is valid
snmpd: updating cache: vdom_idx_map_cache
snmpd: updating vdom idx mapping
snmpd: Creating vdom_idx_cache for root
snmpd: Vdom created kernel-index=0, snmp-index=1, name=root
snmpd: checking against community "Fortinet123#"
snmpd: request 1(root)/6/192.168.91.125 != comm 1/0/192.168.90.7/255.255.255.255
snmpd: request 1(root)/6/192.168.91.125 == comm 1/0/192.168.91.125/255.255.255.255
snmpd: matched community "Fortinet123#"
snmpd: get-next: system.3 -> () -> 0
snmpd: </msg> 0
Why does the SNMP query fail?
The reason is the dedicated HA management interface: it effectively lives in its own VDOM, vsys_hamgmt, while SNMP is by default handled by the root VDOM rather than by vsys_hamgmt, so SNMP requests sent to the dedicated HA management interface are not answered.
Queries to a regular service interface in the root VDOM (not the HA management interface) work fine; the problem occurs only when SNMP is queried via the dedicated HA management interface.

To support SNMP in this scenario, the SNMP configuration provides a command that adapts it to the dedicated HA management interface; see the following KB articles:
https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD34731&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=158998598&stateId=1%200%20159000476%27)
https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD40203&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=158998598&stateId=1%200%20159000476%27)

5. The key step: set ha-direct enable on the SNMP hosts, so that SNMP can be queried through the dedicated HA management interface (CLI only).
FGT101E_Master_379 # config system snmp community   // additional SNMP v2 configuration
FGT101E_Master_379 (1) # config hosts 
FGT101E_Master_379 (hosts) # edit 1 
FGT101E_Master_379 (1) # set  ha-direct enable 
FGT101E_Master_379 (1) # next 
FGT101E_Master_379 (hosts) # edit 2 
FGT101E_Master_379 (2) # set ha-direct enable 
FGT101E_Master_379 (2) # next 
FGT101E_Master_379 (hosts) # edit 3 
FGT101E_Master_379 (3) # set  ha-direct enable 
FGT101E_Master_379 (3) # 
FGT101E_Master_379 (3) # next 
FGT101E_Master_379 (hosts) # end
FGT101E_Master_379 (1) # show 
config system snmp community
    edit 1
        set name "Fortinet123#"
        config hosts
            edit 1
                set ip 192.168.90.7 255.255.255.255
                set ha-direct enable
            next
            edit 2
                set ip 192.168.91.125 255.255.255.255
                set ha-direct enable
            next
            edit 3
                set ip 192.168.91.0 255.255.255.0
                set ha-direct enable
            next
        end
        set query-v1-status disable
    next 
end
FGT101E_Master_379 (1) # end
FGT101E_Master_379 # 

FGT101E_Master_379 # config system snmp  user   // additional SNMP v3 configuration
FGT101E_Master_379 (user) # edit fortinet 
FGT101E_Master_379 (fortinet) # set ha-direct  enable 
FGT101E_Master_379 (fortinet) # show 
config system snmp user
    edit "fortinet"
        set notify-hosts 192.168.90.7 192.168.91.125 192.168.91.254
        set ha-direct enable
        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change fm-conf-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open power-supply-failure faz-disconnect wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down load-balance-real-server-down per-cpu-high
        set security-level auth-priv
        set auth-pwd ENC MTAwNG2U70/eePNhi1N3/u4q6FSRuv2ebcPGgqV+yxRuFtKxFilE6SmYZfpMvYOQBU4InxdTXnlIeYdMguMT8x7Hsqz/Q+3G2DWXlmtJohv0RukHWQK4nkY/aYKCnujZkKGGyPxDKysAj4LDkR1CazeJkMKtVgGyoPF2WEjbPEt6PijsUZ67cDptDDzqnABzQFUemw==
        set priv-pwd ENC MTAwNFIePySDQu7hqz+SFic3AUQ+1G4HX5er9qOeMxFTkZ8I7DnW+rw3XYNwgSfQtHuWEwTZGmztt6kUYUaT+oxLSdLG/RqU/3wbbE1/m4MH64bSYZgd+c+Pks8S44UPmGBdQeewwpwQi7xHmL/y9Gyv+t7Wb6ge0WS3dQFe971Vp7n4evJgU51EK90Cnt7TjNX0lQ==
    next
end
FGT101E_Master_379 (fortinet) # end
FGT101E_Master_379 # 

Net-SNMP SNMP v2 verification:
[Tue Aug 11 15:28:55 root@centos7~#snmpwalk -v2c -c Fortinet123# 192.168.91.21 .1.3.6.1.4.1.12356.101.4.1.1.0  // primary firewall
SNMPv2-SMI::enterprises.12356.101.4.1.1.0 = STRING: "v6.2.4,build1112,200511 (GA)"
[Tue Aug 11 15:28:56 root@centos7~#
[Tue Aug 11 15:28:57 root@centos7~#snmpwalk -v2c -c Fortinet123# 192.168.91.21 1.3.6.1.2.1.1.3.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (94369138) 10 days, 22:08:11.38
[Tue Aug 11 15:29:02 root@centos7~#
[Tue Aug 11 15:29:02 root@centos7~#snmpwalk -v2c -c Fortinet123# 192.168.91.21 .1.3.6.1.4.1.12356.100.1.1.1.0
SNMPv2-SMI::enterprises.12356.100.1.1.1.0 = STRING: "FG101E4Q17000379"
[Tue Aug 11 15:29:06 root@centos7~#
[Tue Aug 11 15:29:06 root@centos7~#
[Tue Aug 11 15:29:15 root@centos7~#
[Tue Aug 11 15:29:15 root@centos7~#
[Tue Aug 11 15:29:15 root@centos7~#snmpwalk -v2c -c Fortinet123# 192.168.91.22 .1.3.6.1.4.1.12356.101.4.1.1.0  // secondary firewall
SNMPv2-SMI::enterprises.12356.101.4.1.1.0 = STRING: "v6.2.4,build1112,200511 (GA)"
[Tue Aug 11 15:29:16 root@centos7~#
[Tue Aug 11 15:29:17 root@centos7~#snmpwalk -v2c -c Fortinet123# 192.168.91.22 1.3.6.1.2.1.1.3.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (93667021) 10 days, 20:11:10.21
[Tue Aug 11 15:29:21 root@centos7~#
[Tue Aug 11 15:29:21 root@centos7~#snmpwalk -v2c -c Fortinet123# 192.168.91.22 .1.3.6.1.4.1.12356.100.1.1.1.0
SNMPv2-SMI::enterprises.12356.100.1.1.1.0 = STRING: "FG101E4Q17000045"
[Tue Aug 11 15:29:25 root@centos7~#

Net-SNMP SNMP v3 verification:
[Thu Aug 06 11:56:06 root@centos7~#service snmpd  stop
Stopping snmpd (via systemctl):                            [  OK  ]
[Thu Aug 06 11:56:20 root@centos7~#
[Thu Aug 06 12:00:52 root@centos7~#
[Thu Aug 06 12:01:01 root@centos7~#net-snmp-config --create-snmpv3-user -ro -a SHA -A forti3389 -x AES -X forti5566 fortinet 
adding the following line to /var/lib/net-snmp/snmpd.conf:
   createUser fortinet SHA "forti3389" AES forti5566
adding the following line to /etc/snmp/snmpd.conf:
   rouser fortinet
[Thu Aug 06 12:01:09 root@centos7~#
[Thu Aug 06 12:01:10 root@centos7~#chkconfig snmpd on
Note: Forwarding request to 'systemctl enable snmpd.service'.
Created symlink from /etc/systemd/system/multi-user.target.wants/snmpd.service to /usr/lib/systemd/system/snmpd.service.
[Thu Aug 06 12:01:30 root@centos7~#service snmpd start
Starting snmpd (via systemctl):                            [  OK  ]
[Thu Aug 06 12:01:36 root@centos7~#
[Tue Aug 11 15:37:22 root@centos7~#snmpwalk -v3 -u fortinet -l authPriv -a SHA -A forti3389 -x AES -X forti5566 192.168.91.21 .1.3.6.1.4.1.12356.100.1.1.1.0 // primary firewall
SNMPv2-SMI::enterprises.12356.100.1.1.1.0 = STRING: "FG101E4Q17000379"
[Tue Aug 11 15:37:23 root@centos7~#snmpwalk -v3 -u fortinet -l authPriv -a SHA -A forti3389 -x AES -X forti5566 192.168.91.22 .1.3.6.1.4.1.12356.100.1.1.1.0 // secondary firewall
SNMPv2-SMI::enterprises.12356.100.1.1.1.0 = STRING: "FG101E4Q17000045"
[Tue Aug 11 15:37:27 root@centos7~#
Net-SNMP v3 reference: https://www.thegeekdiary.com/centos-rhel-6-install-and-configure-snmpv3/
Both SNMP v2 and SNMP v3 queries now work.

SNMP queries are now fine. The next question is whether SNMP traps work as well; capture packets to look at the traps:
FGT101E_Master_379 #  diagnose sniffer packet any "port 162" 4  // SNMP trap port is UDP 162
interfaces=[any]
filters=[port 162]
3.251708 wan2 out 101.100.1.21.162 -> 192.168.90.7.162: udp 236   // the traps leave via WAN2, not via the dedicated HA management interface. Why? This is not what we want, and they will very likely never reach the manager.
3.252519 wan2 out 101.100.1.21.162 -> 192.168.91.125.162: udp 236
3.253168 wan2 out 101.100.1.21.162 -> 192.168.90.7.162: udp 261
3.253748 wan2 out 101.100.1.21.162 -> 192.168.91.125.162: udp 261
3.254687 wan2 out 101.100.1.21.162 -> 192.168.90.7.162: udp 237
3.255216 wan2 out 101.100.1.21.162 -> 192.168.91.125.162: udp 237
3.255732 wan2 out 101.100.1.21.162 -> 192.168.90.7.162: udp 262
3.256242 wan2 out 101.100.1.21.162 -> 192.168.91.125.162: udp 262
Sending SNMP traps over the dedicated HA management interface raises another issue: by default SNMP traps are sent from the root VDOM, whereas the dedicated management interface sits in a hidden separate VDOM, "vd-vsys_hamgmt". For the device to originate syslog, FortiAnalyzer, SNMP, RADIUS and similar traffic from the vd-vsys_hamgmt interface, "set ha-direct enable" must be enabled under config system ha:
FGT101E_Master_379 # config system ha 
FGT101E_Master_379 (ha) # set ha-direct 
enable     Enable using ha-mgmt interface for syslog, SNMP, remote authentication (RADIUS), FortiAnalyzer, FortiManager and FortiSandbox.
disable    Disable using ha-mgmt interface for syslog, SNMP, remote authentication (RADIUS), FortiAnalyzer, FortiManager and FortiSandbox.
FGT101E_Master_379 (ha) # set ha-direct enable 
FGT101E_Master_379 (ha) # show 
config system ha
    set group-name "FGT-101E"
    set mode a-p
    set password ENC dqoJWL3+PgbcGUpAPBYJVU6yqEtBt06iTvwLh77Im8vDvmcrW/77FzWsT53skiivg7cvK70yGHufX9tjteUAGgLfo6DGSHqjtfxtRFzZeyJlWLDbeMr88lBlaxuXdtF9oMqTr0VUiJK/dzqHW2L76UgFPOV1O11oqWlpxC4fcDILsEIW3y62qklMFi3LpWeokc+wbA==
    set hbdev "ha1" 0 "ha2" 0 
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 192.168.91.254
        next
    end
    set override disable
    set priority 150
    set monitor "fortilink" "wan1" "wan2" 
    set ha-direct enable
end
FGT101E_Master_379 (ha) # end
FGT101E_Master_379 #
FGT101E_Master_379 # config system snmp  community 
FGT101E_Master_379 (community) # edit 1 
FGT101E_Master_379 (1) # config hosts 
FGT101E_Master_379 (hosts) # edit 1 
FGT101E_Master_379 (1) # set ha-direct enable  // ha-direct under the SNMP v2 hosts must be re-entered, or confirmed to still be in effect.
FGT101E_Master_379 (1) # next 
FGT101E_Master_379 (hosts) # edit 2 
FGT101E_Master_379 (2) # set ha-direct enable
FGT101E_Master_379 (2) # next 
FGT101E_Master_379 (hosts) # edit 3
FGT101E_Master_379 (3) # set ha-direct enable
FGT101E_Master_379 (3) # 
FGT101E_Master_379 (3) # next 
FGT101E_Master_379 (hosts) # show 
config hosts
    edit 1
        set ip 192.168.90.7 255.255.255.255
        set ha-direct enable
    next
    edit 2
        set ip 192.168.91.125 255.255.255.255
        set ha-direct enable
    next
    edit 3
        set ip 192.168.91.0 255.255.255.0
        set ha-direct enable
    next
end
FGT101E_Master_379 (hosts) # end
FGT101E_Master_379 (1) # end
FGT101E_Master_379 # config system snmp  user 
FGT101E_Master_379 (user) # edit fortinet 
FGT101E_Master_379 (fortinet) # set ha-direct  enable  // likewise, "set ha-direct enable" under config system snmp user (SNMP v3) must be re-entered, or confirmed to be in effect.
FGT101E_Master_379 (fortinet) # show 
config system snmp user
    edit "fortinet"
        set notify-hosts 192.168.90.7 192.168.91.125 192.168.91.254
        set ha-direct enable
        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change fm-conf-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open power-supply-failure faz-disconnect wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down load-balance-real-server-down per-cpu-high
        set security-level auth-priv
        set auth-pwd ENC MTAwNG2U70/eePNhi1N3/u4q6FSRuv2ebcPGgqV+yxRuFtKxFilE6SmYZfpMvYOQBU4InxdTXnlIeYdMguMT8x7Hsqz/Q+3G2DWXlmtJohv0RukHWQK4nkY/aYKCnujZkKGGyPxDKysAj4LDkR1CazeJkMKtVgGyoPF2WEjbPEt6PijsUZ67cDptDDzqnABzQFUemw==
        set priv-pwd ENC MTAwNFIePySDQu7hqz+SFic3AUQ+1G4HX5er9qOeMxFTkZ8I7DnW+rw3XYNwgSfQtHuWEwTZGmztt6kUYUaT+oxLSdLG/RqU/3wbbE1/m4MH64bSYZgd+c+Pks8S44UPmGBdQeewwpwQi7xHmL/y9Gyv+t7Wb6ge0WS3dQFe971Vp7n4evJgU51EK90Cnt7TjNX0lQ==
    next
end
FGT101E_Master_379 (fortinet) # end
FGT101E_Master_379 # 
FGT101E_Master_379 # diagnose sys session filter  dport 162
FGT101E_Master_379 # diagnose sys session clear 
FGT101E_Master_379 # diagnose sniffer packet any "port 162" 4  // capturing again now shows the SNMP traps being sent from the dedicated mgmt interface
interfaces=[any]
filters=[port 162]
18.065230 mgmt out 192.168.91.21.162 -> 192.168.90.7.162: udp 121
18.065857 mgmt out 192.168.91.21.162 -> 192.168.91.125.162: udp 121
18.065927 mgmt out 192.168.91.21.162 -> 192.168.90.7.162: udp 146
18.066251 mgmt out 192.168.91.21.162 -> 192.168.91.125.162: udp 146
23.092665 mgmt out 192.168.91.21.162 -> 192.168.90.7.162: udp 237
23.093736 mgmt out 192.168.91.21.162 -> 192.168.91.125.162: udp 237
23.094466 mgmt out 192.168.91.21.162 -> 192.168.90.7.162: udp 262
23.095187 mgmt out 192.168.91.21.162 -> 192.168.91.125.162: udp 262
Traps received on the MIB browser's trap console:


Summary of the CLI configuration, covering both SNMP queries and traps via the dedicated management interface:
config system interface
    edit "mgmt"
        set allowaccess ping https ssh snmp http
    next
end
config system snmp sysinfo
    set status enable
    set description "Fortinet_BeiJing_LAB_FGT101E"
    set contact-info "kmliu@fortinet.com"
    set location "China_BeiJing_Lab"
end
config system snmp community
    edit 1
        set name "Fortinet123#"
        config hosts
            edit 1
                set ip 192.168.90.7 255.255.255.255
                set ha-direct enable
            next
            edit 2
                set ip 192.168.91.125 255.255.255.255
                set ha-direct enable
            next
            edit 3
                set ip 192.168.91.0 255.255.255.0
                set ha-direct enable
            next
        end
        set query-v1-status disable
        set trap-v1-status disable
        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change fm-conf-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open power-supply-failure faz-disconnect wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down load-balance-real-server-down device-new per-cpu-high
    next
end
config system snmp user
    edit "fortinet"
        set notify-hosts 192.168.90.7 192.168.91.125 192.168.91.254
        set ha-direct enable
        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change fm-conf-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open power-supply-failure faz-disconnect wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down load-balance-real-server-down per-cpu-high
        set security-level auth-priv
        set auth-pwd ENC MTAwNG2U70/eePNhi1N3/u4q6FSRuv2ebcPGgqV+yxRuFtKxFilE6SmYZfpMvYOQBU4InxdTXnlIeYdMguMT8x7Hsqz/Q+3G2DWXlmtJohv0RukHWQK4nkY/aYKCnujZkKGGyPxDKysAj4LDkR1CazeJkMKtVgGyoPF2WEjbPEt6PijsUZ67cDptDDzqnABzQFUemw==
        set priv-pwd ENC MTAwNFIePySDQu7hqz+SFic3AUQ+1G4HX5er9qOeMxFTkZ8I7DnW+rw3XYNwgSfQtHuWEwTZGmztt6kUYUaT+oxLSdLG/RqU/3wbbE1/m4MH64bSYZgd+c+Pks8S44UPmGBdQeewwpwQi7xHmL/y9Gyv+t7Wb6ge0WS3dQFe971Vp7n4evJgU51EK90Cnt7TjNX0lQ==
    next
end
config system ha
    set group-name "FGT-101E"
    set mode a-p
    set password ENC dqoJWL3+PgbcGUpAPBYJVU6yqEtBt06iTvwLh77Im8vDvmcrW/77FzWsT53skiivg7cvK70yGHufX9tjteUAGgLfo6DGSHqjtfxtRFzZeyJlWLDbeMr88lBlaxuXdtF9oMqTr0VUiJK/dzqHW2L76UgFPOV1O11oqWlpxC4fcDILsEIW3y62qklMFi3LpWeokc+wbA==
    set hbdev "ha1" 0 "ha2" 0 
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 192.168.91.254
        next
    end
    set override disable
    set priority 151
    set monitor "fortilink" "wan1" "wan2" 
    set ha-direct enable
end
Of course, if an HA dedicated management VDOM is used instead, none of the above problems exist, and that is the recommended approach in this scenario (see the HA chapters): designate a management VDOM as the dedicated management VDOM, and SNMP is then configured exactly as usual. Everything above is needed only because the dedicated HA management interface requires the special "set ha-direct enable" configuration, which is rather inconvenient. From a design standpoint, if the HA devices need dedicated management and SNMP must also be polled through that dedicated management interface, the HA dedicated management VDOM is the better top-level design.

Related KB articles:
https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD40203&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=159624490&stateId=1%200%20159622767%27)
https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD41027&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=159624490&stateId=1%200%20159622767%27)

SNMP troubleshooting: what to do when SNMP does not work?
1. Capture packets and confirm that UDP 161 traffic is normal; working SNMP shows both requests and replies.
# diagnose sniffer packet any "port 161 and host 192.168.90.3" 4

2. If the capture in step 1 shows requests and replies but SNMP still fails, enable debugging of the SNMP process to see the actual reason:
HUB2-ShangHai # diagnose debug application  snmpd -1
HUB2-ShangHai # diagnose debug enable

For example, the most common error is a "community" mismatch; another is that the administrator configured trusted hosts without including the SNMP manager's IP address, and so on:
HUB2-ShangHai # snmpd: updating cache: idx_cache
snmpd: <msg> 47 bytes 192.168.90.254:44539 -> 200.1.1.1/200.1.1.1:161 (itf 3.3)
snmpd: checking if community "Fortinet123#2" is valid
snmpd: updating cache: vdom_idx_map_cache
snmpd: updating vdom idx mapping
snmpd: Creating vdom_idx_cache for root
snmpd: Vdom created kernel-index=0, snmp-index=1, name=root
snmpd: checking against community "Fortinet123#"
snmpd: vdom name mismatch
snmpd: checking against community "FortiManager"
snmpd: name mismatch.
snmpd: failed to match community "Fortinet123#2"
snmpd: </msg> 0

3. If administrator trusted hosts are configured, they must include the SNMP manager's IP address; otherwise SNMP queries will fail.
FGT101E_Master_379 # config system admin 
FGT101E_Master_379 (admin) # show 
config system admin
    edit "admin"
        set trusthost1 192.168.91.254 255.255.255.255   // trusted hosts are configured for the administrator, but they do not include the SNMP manager's IP address.
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2m46wbTSEUOglCBtoYmS/ax6YJpPO6iQU7OY1RdbWYE4pe11yof65xP/peWU=
    next
end
FGT101E_Master_379 (admin) # end
FGT101E_Master_379 # diagnose sniffer packet any "port 161" 4
interfaces=[any]
filters=[port 161]
3.196294 mgmt in 192.168.91.125.3842 -> 192.168.91.21.161: udp 46    // SNMP no longer replies: only IN, no OUT.
8.196752 mgmt in 192.168.91.125.3842 -> 192.168.91.21.161: udp 46
13.196785 mgmt in 192.168.91.125.3842 -> 192.168.91.21.161: udp 46
18.196741 mgmt in 192.168.91.125.3842 -> 192.168.91.21.161: udp 46
^C
4 packets received by filter
0 packets dropped by kernel
FGT101E_Master_379 # 
FGT101E_Master_379 # config system admin 
FGT101E_Master_379 (admin) # edit admin 
FGT101E_Master_379 (admin) # set trusthost2 192.168.91.125/24
FGT101E_Master_379 (admin) # set trusthost2 192.168.91.125/32    // add the SNMP manager's IP address to the administrator's trusted hosts.
FGT101E_Master_379 (admin) # show 
config system admin
    edit "admin"
        set trusthost1 192.168.91.254 255.255.255.255
        set trusthost2 192.168.91.125 255.255.255.255
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2m46wbTSEUOglCBtoYmS/ax6YJpPO6iQU7OY1RdbWYE4pe11yof65xP/peWU=
    next
end
FGT101E_Master_379 (admin) # end
FGT101E_Master_379 # diagnose sniffer packet any "port 161" 4
interfaces=[any]
filters=[port 161]
2.837199 mgmt in 192.168.91.125.3870 -> 192.168.91.21.161: udp 46    // SNMP now returns data normally. In real deployments pay special attention to administrator trusted hosts; this point is easily overlooked.
2.837949 mgmt out 192.168.91.21.161 -> 192.168.91.125.3870: udp 51
6.083550 mgmt in 192.168.91.125.3871 -> 192.168.91.21.161: udp 45
6.084284 mgmt out 192.168.91.21.161 -> 192.168.91.125.3871: udp 283
6.092138 mgmt in 192.168.91.125.3871 -> 192.168.91.21.161: udp 49
6.094511 mgmt out 192.168.91.21.161 -> 192.168.91.125.3871: udp 203
^C
6 packets received by filter
0 packets dropped by kernel
FGT101E_Master_379 # 
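The two checks the troubleshooting steps above perform by eye (one-way UDP/161 traffic in the sniffer output, and the community verdict in the snmpd debug) can be automated. The following Python helper is an added example, not code from the original page or from FortiOS; its sample lines are constructed after the captures shown in this chapter, and the `-1` snmpd debug message formats it recognises are only those that appear on this page.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on "diagnose sniffer packet any ... 4"
# output (not captures taken from the page).
SNIFF_NO_REPLY = """\
3.916641 mgmt in 192.168.91.125.2486 -> 192.168.91.21.161: udp 47
8.915985 mgmt in 192.168.91.125.2486 -> 192.168.91.21.161: udp 47
2 packets received by filter""".splitlines()
SNIFF_OK = """\
2.837199 mgmt in 192.168.91.125.3870 -> 192.168.91.21.161: udp 46
2.837949 mgmt out 192.168.91.21.161 -> 192.168.91.125.3870: udp 51
6.083550 mgmt in 192.168.91.125.3871 -> 192.168.91.21.161: udp 45
6.084284 mgmt out 192.168.91.21.161 -> 192.168.91.125.3871: udp 283""".splitlines()
# Constructed sample of one "diagnose debug application snmpd -1" burst.
SNMPD_FAIL = """\
HUB2-ShangHai # snmpd: <msg> 47 bytes 192.168.90.254:44539 -> 200.1.1.1/200.1.1.1:161 (itf 3.3)
snmpd: checking if community "Fortinet123#2" is valid
snmpd: checking against community "Fortinet123#"
snmpd: vdom name mismatch
snmpd: checking against community "FortiManager"
snmpd: name mismatch.
snmpd: failed to match community "Fortinet123#2"
snmpd: </msg> 0""".splitlines()

# One sniffer line: "<ts> <intf> in|out <src>.<sport> -> <dst>.<dport>: udp <len>"
SNIFF_RE = re.compile(
    r"^\s*\d+\.\d+\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): udp \d+$"
)

def snmp_flow_summary(lines, port=161):
    """Per manager IP, count queries seen 'in' to UDP/port and replies seen
    'out' from UDP/port; filter banner and packet-counter lines are ignored."""
    flows = defaultdict(lambda: {"in": 0, "out": 0})
    for line in lines:
        m = SNIFF_RE.match(line)
        if not m:
            continue
        if m["dir"] == "in" and int(m["dport"]) == port:
            flows[m["src"]]["in"] += 1
        elif m["dir"] == "out" and int(m["sport"]) == port:
            flows[m["dst"]]["out"] += 1
    return dict(flows)

def unanswered_managers(lines, port=161):
    """Managers whose queries arrived but were never answered: the 'IN but no
    OUT' pattern (ha-direct missing, trusthost omits the manager, bad community)."""
    return sorted(ip for ip, f in snmp_flow_summary(lines, port).items()
                  if f["in"] > 0 and f["out"] == 0)

SNMPD_RE = re.compile(r"^(?:\S+ # )?snmpd: (.*)$")   # optional CLI prompt prefix
COMMUNITY_RE = re.compile(r'community "([^"]*)"')

def summarize_snmpd(lines):
    """Reduce an snmpd debug burst to the community the manager sent, the
    configured communities it was compared against, and the final outcome."""
    result = {"requested": None, "tried": [], "matched": None}
    for line in lines:
        m = SNMPD_RE.match(line)
        if not m:
            continue
        msg, c = m.group(1), COMMUNITY_RE.search(m.group(1))
        if msg.startswith("checking if community") and c:
            result["requested"] = c.group(1)
        elif msg.startswith("checking against community") and c:
            result["tried"].append(c.group(1))
        elif msg.startswith("matched community"):
            result["matched"] = True
        elif msg.startswith("failed to match community"):
            result["matched"] = False
    return result
```

Paste the real sniffer or snmpd output into the lists in place of the constructed samples; a manager listed by `unanswered_managers` is exactly the case where steps 2 and 3 above apply.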

