Fortigate firewalls in Active/Passive with VDOMs
This is a question you’d direct at people with fortigate knowledge :)
It’s likely you poll them individually, but I have no idea, I’ve not seen a Fortinet device for a decade.
Adam.
From: observium <observium-bounces@observium.org> On Behalf Of Scooby Doo via observium
Sent: 19 August 2020 14:36
To: observium@observium.org
Cc: Scooby Doo <scooby2@mail.com>
Subject: [Observium] Fortigate firewalls in Active/Passive with VDOMs
How to use Observium to properly poll 2 Fortigate firewalls in Active/Passive when using VDOMs? Should Fortigates be polled as individual devices?
Many thanks,
Claus
Hello Claus,
Some of our larger FG firewalls are in HA and these devices are polled by Observium as a single unit.
Now you mention it, I haven't found a way to alert when an FG in HA fails over; something that works well with Cisco ASA devices: "status_descr match *primary*"
Hope this helps.
Kind regards
Darren
On Thu, 20 Aug 2020 at 20:52, Adam Armstrong via observium < observium@observium.org> wrote:
We might not be collecting the right indicators, or we might need some custom method of coalescing multiple indicators to make an up/down decision on. We do this for some other devices like netscaler.
I’m not familiar with what fortigate reports though 😊
Adam.
From: Storer, Darren <darren.storer@gmail.com>
Sent: 21 August 2020 21:16
To: Observium <observium@observium.org>
Cc: Adam Armstrong <adama@observium.org>; Scooby Doo <scooby2@mail.com>
Subject: Re: [Observium] Fortigate firewalls in Active/Passive with VDOMs
Hi Adam,
After all this time, guess what I have just discovered under "Status"?
[image: image.png]
...FG HA status was there all along (blush).
Thanks again
Darren
On Sat, 22 Aug 2020 at 01:43, adama--- via observium < observium@observium.org> wrote:
This seems to just be showing the mode. Will it allow you to alert if the state is not correct?
Sent from BlueMail
On 25 Aug 2020, at 01:26, "Storer, Darren" <darren.storer@gmail.com> wrote:
Hi Adam,
The HA status is being checked now and I’ve requested a slot for a failover test - I’ll let you know how it goes.
Regards
Darren
PS. I don’t think I really addressed Claus’ question, as we don’t run traffic on the passive node prior to failover; a number of sites do this to load balance.
On Tue, 25 Aug 2020 at 01:45, Adam Armstrong via observium < observium@observium.org> wrote:
Hi Adam,
Yes, you were quite right, the HA status just shows that the FortiGate FW nodes are configured in HA but do not reflect whether failover has taken place... :-(
Thanks
Darren
On Tue, 25 Aug 2020 at 02:30, Storer, Darren darren.storer@gmail.com wrote:
Hi Darren,
For FortiGate clusters, we added the following custom OIDs:
Fortinet HA Sync Status 1 .1.3.6.1.4.1.12356.101.13.2.1.1.12.1 (fgHaStatsSyncStatus.1)
Fortinet HA Sync Status 2 .1.3.6.1.4.1.12356.101.13.2.1.1.12.2 (fgHaStatsSyncStatus.2)
These indicate whether the device (fgHaStatsSyncStatus.1) and the other device (fgHaStatsSyncStatus.2) are in sync, but they also do not indicate failover. We monitor whether fgHaStatsSyncStatus.2 is != 1 in clusters; this means the other member is out of sync.
We ended up monitoring the dedicated replication ports for up/down status. Not great, but it works for our case. If a device hangs with the port up, well ... hopefully the crash blows SNMP away as well so you get to know.
Hope this can help you further ;0
On Tue, 25 May 2021 at 09:02, Storer, Darren via observium <observium@observium.org> wrote:
Hi Ahmed,
Thanks so much, that's really very helpful of you.
Once I can arrange a test window, I'll try monitoring fgHaStatsSyncStatus.2 and then force a failover.
Thanks again!
Darren
On Tue, 25 May 2021 at 15:17, Ahmed Rahal via observium < observium@observium.org> wrote:
--
Ahmed Rahal
Administrateur de Systèmes / Systems Administrator
Fibrenoire - www.fibrenoire.ca
A: 550, avenue Beaumont, bureau 320, Montréal (Québec) H3N 1V1
arahal@fibrenoire.ca
Twitter: @fibrenoire
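As an added example (not from the thread, and not Observium's own code), the following Python coalesces the two fgHaStatsSyncStatus OIDs Ahmed describes with the ifOperStatus of a dedicated replication port into one up/down verdict, the kind of multi-indicator decision Adam mentions. It assumes snmpget-style output has already been captured; the ifIndex 9, the sample polls and the "absent peer means down" rule are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# OIDs quoted in the thread: FORTINET-FORTIGATE-MIB fgHaStatsSyncStatus for
# this member (.1) and the peer (.2); ifOperStatus is standard IF-MIB.
FG_HA_SYNC_OID = ".1.3.6.1.4.1.12356.101.13.2.1.1.12"
IF_OPER_STATUS_OID = ".1.3.6.1.2.1.2.2.1.8"
SYNCHRONIZED = 1  # per the thread: anything != 1 means "out of sync"
IF_UP = 1         # IF-MIB ifOperStatus: up(1), down(2)

# One line of "snmpget -On" style output, e.g. ".1.3.6...12.2 = INTEGER: 1"
_SNMP_LINE = re.compile(r"^(\.[\d.]+)\s*=\s*\w+:\s*(-?\d+)\s*$", re.M)


def parse_snmp_output(text: str) -> dict[str, int]:
    """Map numeric OID -> integer value; non-integer lines are skipped."""
    return {oid: int(val) for oid, val in _SNMP_LINE.findall(text)}


@dataclass
class HaVerdict:
    state: str                       # "ok", "degraded" or "down"
    reasons: list[str] = field(default_factory=list)


def assess_ha(values: dict[str, int], ha_port_ifindex: int) -> HaVerdict:
    """Coalesce sync status and HA-port link state into one decision.
    As the thread notes, none of these OIDs say which member is active."""
    if not values:
        # A member that crashed normally takes SNMP with it (Ahmed's point).
        return HaVerdict("down", ["no SNMP response from member"])
    reasons = []
    me = values.get(f"{FG_HA_SYNC_OID}.1")
    peer = values.get(f"{FG_HA_SYNC_OID}.2")
    port = values.get(f"{IF_OPER_STATUS_OID}.{ha_port_ifindex}")
    if port != IF_UP:
        reasons.append(f"HA/replication port ifIndex {ha_port_ifindex} not up")
    if peer is None:
        reasons.append("fgHaStatsSyncStatus.2 absent: peer not in cluster")
    elif peer != SYNCHRONIZED:
        reasons.append(f"peer out of sync (fgHaStatsSyncStatus.2={peer})")
    if me is not None and me != SYNCHRONIZED:
        reasons.append(f"this member out of sync (fgHaStatsSyncStatus.1={me})")
    if port != IF_UP or peer is None:
        return HaVerdict("down", reasons)      # cluster link or peer lost
    if reasons:
        return HaVerdict("degraded", reasons)  # members still talking
    return HaVerdict("ok")


# Constructed sample polls; ifIndex 9 stands in for the dedicated HA port.
HEALTHY_POLL = """\
.1.3.6.1.4.1.12356.101.13.2.1.1.12.1 = INTEGER: 1
.1.3.6.1.4.1.12356.101.13.2.1.1.12.2 = INTEGER: 1
.1.3.6.1.2.1.2.2.1.8.9 = INTEGER: 1
"""
# Same poll, but the peer reports not synchronized (value 0).
PEER_OUT_OF_SYNC_POLL = HEALTHY_POLL.replace("12.2 = INTEGER: 1", "12.2 = INTEGER: 0")
# Peer row gone and the HA port reports down(2).
PEER_GONE_POLL = """\
.1.3.6.1.4.1.12356.101.13.2.1.1.12.1 = INTEGER: 1
.1.3.6.1.2.1.2.2.1.8.9 = INTEGER: 2
"""

if __name__ == "__main__":
    for name, poll in [("healthy", HEALTHY_POLL), ("peer out of sync", PEER_OUT_OF_SYNC_POLL), ("peer gone", PEER_GONE_POLL)]:
        v = assess_ha(parse_snmp_output(poll), ha_port_ifindex=9)
        print(f"{name:16s} -> {v.state}: {'; '.join(v.reasons) or 'all indicators nominal'}")
```

Feeding the same three OIDs into an Observium custom-OID alert checker would reproduce only the per-OID part of this; the coalescing step is what gives a single cluster-health state to alert on.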
participants (6)
- Adam Armstrong
- adama@observium.org
- Ahmed Rahal
- DerBeWie
- Scooby Doo
- Storer, Darren