IPsec site2site SNMP monitoring

Author
Jirka
2014/07/09 11:36:59 (permalink)

Hello friends,

We have a PRTG Network Monitor for monitoring our network and our customers' networks. One of our customers has a Fortigate 100D unit and we need to monitor IPsec Site2Site tunnel traffic using SNMP.
The Fortigate is configured and set up and we already monitor CPU, MEM, and the LAN & WAN ifaces, but we can't find the OID for IPsec VPN tunnels.

Is it possible?

Thank you.

Regards
#1


    emnoc
    RE: IPsec site2site SNMP monitoring 2014/07/10 03:00:44 (permalink)
    What do you want to monitor? The number of VPN counts? Traffic over a VPN, etc.?

    If you do route-based VPN, aka interface-mode, then you can graph traffic in/out like any other interface.

    If you want to graph number of sslvpn/ipsec users, the mibs are in the fortinet-mib files.

    FORTINET-FORTIGATE-MIB
    FORTINET-CORE-MIB

    You will have to do some trial and error and testing. Start by snmpwalk at OID .1.3.6.1.4.1.12356.101.12.2.3.1

    YMMV across fortios and models.


    PCNSE 
    NSE 
    StrongSwan  
    #2
    Jirka
    RE: IPsec site2site SNMP monitoring 2014/07/10 07:03:01 (permalink)
    Hello,
    Unfortunately, running snmpwalk with your OID (.1.3.6.1.4.1.12356.101.12.2.3.1) gives me this error:

    Paessler SNMP Tester 5.0 (Beta11)
    10.7.2014 16:02:19 (1 ms) : Device: 195.144.97.26
    10.7.2014 16:02:19 (1 ms) : SNMP V1
    10.7.2014 16:02:19 (2 ms) : Walk 1.3.6.1.4.1.12356.101.12.2.3.1
    10.7.2014 16:02:19 (3 ms) : Error: -2007


    Of course, I imported both Fortinet-FortiGate-MIB MIB files as a template, but there is no OID for the IPsec tunnel traffic. I only have a sensor for the number of currently registered IPsec tunnels, but I need to monitor traffic.
    And yes, I use only route-based VPN.

    Am I doing something wrong?

    Thanks
    #3
    emnoc
    RE: IPsec site2site SNMP monitoring 2014/07/10 07:41:04 (permalink)
    If it's only traffic, then find the interface index:

    snmpwalk -c blahbahbah -v2c x.x.x. ifIndex

    snmpwalk -c blahbahbah -v2c x.x.x. alias

    And the OID I mentioned before works fine for me:

    SNMPv2-SMI::enterprises.12356.101.12.2.3.1.1.1 = INTEGER: 2
    SNMPv2-SMI::enterprises.12356.101.12.2.3.1.2.1 = Counter32: 0
    SNMPv2-SMI::enterprises.12356.101.12.2.3.1.3.1 = Counter32: 0
    SNMPv2-SMI::enterprises.12356.101.12.2.3.1.4.1 = Counter32: 0
    SNMPv2-SMI::enterprises.12356.101.12.2.3.1.5.1 = Counter32: 2
    SNMPv2-SMI::enterprises.12356.101.12.2.3.1.6.1 = Counter32: 0
    SNMPv2-SMI::enterprises.12356.101.12.2.3.1.7.1 = Counter32: 0

    But like I mentioned before, YMMV with OIDs being consistent throughout FortiOS.

    Please use a MIB tree viewer or depot for the MIB relations,

    e.g.


    1.3.6.1.4.1.12356.101.12.2 = fgVpnTables
    http://www.mibdepot.com/cgi-bin/getmib3.cgi?win=mib_a&r=fortinet&f=fortinet-fortigate-mib&v=v2&t=tree


    PCNSE 
    NSE 
    StrongSwan  
    #4
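
The approach from the replies above (find the route-based tunnel's ifIndex, then graph it like any other interface), as an added example that is not part of the original thread: it parses net-snmp style snmpwalk text and turns two Counter32 samples into bits per second, allowing for one counter wrap. The sample output and the interface names wan1 and to-branch are constructed; the columns are the standard IF-MIB ones, not Fortinet-specific OIDs.

```python
import re

# Constructed sample: snmpwalk text output taken 60 seconds apart.
# Interface names ("wan1", "to-branch") are hypothetical.
WALK_T0 = """\
IF-MIB::ifName.1 = STRING: wan1
IF-MIB::ifName.7 = STRING: to-branch
IF-MIB::ifInOctets.1 = Counter32: 1200000
IF-MIB::ifInOctets.7 = Counter32: 4294960000
IF-MIB::ifOutOctets.7 = Counter32: 500000
"""
WALK_T1 = """\
IF-MIB::ifName.1 = STRING: wan1
IF-MIB::ifName.7 = STRING: to-branch
IF-MIB::ifInOctets.1 = Counter32: 1500000
IF-MIB::ifInOctets.7 = Counter32: 52704
IF-MIB::ifOutOctets.7 = Counter32: 1100000
"""

LINE = re.compile(r"^IF-MIB::(\w+)\.(\d+) = (\w+): (.*)$")

def parse_walk(text):
    """Return {column: {ifIndex: value}} from snmpwalk text output."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines in any other format
        column, index, kind, value = m.groups()
        value = int(value) if kind.startswith("Counter") else value
        table.setdefault(column, {})[int(index)] = value
    return table

def if_index(table, name):
    """Find the ifIndex of the interface-mode tunnel by its interface name."""
    for index, ifname in table.get("ifName", {}).items():
        if ifname == name:
            return index
    raise KeyError(name)

def rate_bps(old, new, seconds, bits=32):
    """Bits per second between two counter samples, allowing one wrap."""
    delta = (new - old) % (1 << bits)
    return delta * 8 / seconds

def tunnel_rates(walk0, walk1, name, seconds):
    """In/out rate for one tunnel interface from two walks."""
    t0, t1 = parse_walk(walk0), parse_walk(walk1)
    idx = if_index(t1, name)
    return {col: rate_bps(t0[col][idx], t1[col][idx], seconds)
            for col in ("ifInOctets", "ifOutOctets")}
```

A 32-bit octet counter can wrap more than once between polls on a busy link, which this calculation cannot detect, so keep the polling interval short for Counter32 columns.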