Fortigate SNMP Notes – Part 1


As systems get more complex, the need for better monitoring grows. Fortunately the tools to do this keep getting better, but I often find I need to revisit stable technologies and re-implement them to address a need. In this case I needed to revisit the SNMP interface counters in our Fortigate firewalls, and since SNMP is available I reviewed my older blog posts and decided they needed revamping for the later OS versions. This post refers to v5.0.0 of the Fortigate firewall software; the concepts will be the same for other Fortigates, but the MIB definitions and ASN numbering will most likely be different (as I discovered when I tried to apply some of the commands detailed in my earlier blog post!).

First, a quick dump of the MIB groupings using the “fortinet.fn” tag, which is the start of the ASN-1 definition. I’m after packet counts eventually, so they will be buried inside the MIB tree structure.

mibs]# grep fortinet.fn FORTINET-FORTIGATE-MIB.mib

– fortinet.fnFortiGateMib.fgModel
– fortinet.fnFortiGateMib.fgTraps
– fortinet.fnFortiGateMib.fgVirtualDomain
– fortinet.fnFortiGateMib.fgVirtualDomain.fgVdInfo
– fortinet.fnFortiGateMib.fgVirtualDomain.fgVdTables
– fortinet.fnFortiGateMib.fgVirtualDomain.fgVdTables.fgVdTable
– fortinet.fnFortiGateMib.fgVirtualDomain.fgVdTables.fgVdTpTable
– fortinet.fnFortiGateMib.fgSystem
– fortinet.fnFortiGateMib.fgSystem.fgSystemInfo
– fortinet.fnFortiGateMib.fgSystem.fgSoftware
– fortinet.fnFortiGateMib.fgSystem.fgHwSensors
– fortinet.fnFortiGateMib.fgSystem.fgProcessors
– fortinet.fnFortiGateMib.fgSystem.fgProcessorModules
– fortinet.fnFortiGateMib.fgSystem.fgSystemInfoAdvanced
– fortinet.fnFortiGateMib.fgSystem.fgSystemInfoAdvanced.fgSysInfoAdvMem
– fortinet.fnFortiGateMib.fgSystem.fgSystemInfoAdvanced.fgSysInfoAdvSessions
– fortinet.fnFortiGateMib.fgFirewall
– fortinet.fnFortiGateMib.fgFirewall.fgFwPolicies
– fortinet.fnFortiGateMib.fgFirewall.fgFwPolicies.fgFwPolTables.fgFwPolStatsTable
– fortinet.fnFortiGateMib.fgFirewall.fgFwPolicies.fgFwPolTables.fgFwPol6StatsTable
– fortinet.fnFortiGateMib.fgFirewall.fgFwUsers
– fortinet.fnFortiGateMib.fgMgmt
– fortinet.fnFortiGateMib.fgMgmt.fgAdmin.fgAdminOptions
– fortinet.fnFortiGateMib.fgMgmt.fgAdmin.fgAdminTables
– fortinet.fnFortiGateMib.fgMgmt.fgAdmin.fgMgmtTrapObjects
– fortinet.fnFortiGateMib.fgIntf
– fortinet.fnFortiGateMib.fgAntivirus
– fortinet.fnFortiGateMib.fgAntivirus.fgAvTrapObjects
– fortinet.fnFortiGateMib.fgIps
– fortinet.fnFortiGateMib.fgIps.fgIpsTrapObjects
– fortinet.fnFortiGateMib.fgApplications
– fortinet.fnFortiGateMib.fgApplications.fgWebfilter.fgWebfilterTables.fgWebfilterStatsTable
– fortinet.fnFortiGateMib.fgApplications.fgWebfilter.fgWebfilterTables.fgFortiGuardStatsTable
– fortinet.fnFortiGateMib.fgApplications.fgAppProxyHTTP
– fortinet.fnFortiGateMib.fgApplications.fgAppProxySMTP
– fortinet.fnFortiGateMib.fgApplications.fgAppProxyPOP3
– fortinet.fnFortiGateMib.fgApplications.fgAppProxyIMAP
– fortinet.fnFortiGateMib.fgApplications.fgAppProxyNNTP
– fortinet.fnFortiGateMib.fgApplications.fgAppProxyIM
– fortinet.fnFortiGateMib.fgApplications.fgAppProxySIP
– fortinet.fnFortiGateMib.fgApplications.fgAppScanUnit
– fortinet.fnFortiGateMib.fgApplications.fgAppVoIP
– fortinet.fnFortiGateMib.fgApplications.fgAppP2P
– fortinet.fnFortiGateMib.fgApplications.fgAppP2P.fgAppP2PStatsTable
– fortinet.fnFortiGateMib.fgApplications.fgAppP2P.fgAppP2PProtoTable
– fortinet.fnFortiGateMib.fgApplications.fgAppIM
– fortinet.fnFortiGateMib.fgApplications.fgAppProxyFTP
– fortinet.fnFortiGateMib.fgApplications.fgAppExplicitProxy
– fortinet.fnFortiGateMib.fgApplications.fgAppExplicitProxy.fgExplicitProxyInfo
– fortinet.fnFortiGateMib.fgApplications.fgAppExplicitProxy.fgExplicitProxyStatsTable
– fortinet.fnFortiGateMib.fgApplications.fgAppExplicitProxy.fgExplicitProxyScanStatsTable
– fortinet.fnFortiGateMib.fgApplications.fgAppExplicitProxy.fgExplicitProxyScriptStatsTable
– fortinet.fnFortiGateMib.fgApplications.fgAppExplicitProxy.fgExplicitProxyFilterStatsTable
– fortinet.fnFortiGateMib.fgApplications.fgAppWebCache
– fortinet.fnFortiGateMib.fgApplications.fgAppWebCache.fgWebCacheInfo
– fortinet.fnFortiGateMib.fgApplications.fgAppWebCache.fgWebCacheDiskStatsTable
– fortinet.fnFortiGateMib.fgApplications.fgAppWanOpt
– fortinet.fnFortiGateMib.fgApplications.fgAppWanOpt.fgWanOptInfo
– fortinet.fnFortiGateMib.fgApplications.fgAppWanOpt.fgWanOptStatsTable
– fortinet.fnFortiGateMib.fgApplications.fgAppWanOpt.fgWanOptHistoryStatsTable
– fortinet.fnFortiGateMib.fgApplications.fgAppWanOpt.fgWanOptTrafficStatsTable
– fortinet.fnFortiGateMib.fgApplications.fgAppWanOpt.fgWanOptDiskStatsTable
– fortinet.fnFortiGateMib.fgInetProto
– fortinet.fnFortiGateMib.fgInetProto.fgInetProtoTables.fgIpSessTable
– fortinet.fnFortiGateMib.fgInetProto.fgInetProtoTables.fgIpSessStatsTable
– fortinet.fnFortiGateMib.fgInetProto.fgInetProtoTables.fgIp6SessStatsTable
– fortinet.fnFortiGateMib.fgVpn
– fortinet.fnFortiGateMib.fgVpn.fgVpnInfo
– fortinet.fnFortiGateMib.fgVpn.fgVpnTables
– fortinet.fnFortiGateMib.fgVpn.fgVpnTables.fgVpnDialupTable
– fortinet.fnFortiGateMib.fgVpn.fgVpnTables.fgVpnTunTable
– fortinet.fnFortiGateMib.fgVpn.fgVpnTables.fgVpnSslStatsTable
– fortinet.fnFortiGateMib.fgVpn.fgVpnTables.fgVpnSslTunnelTable
– fortinet.fnFortiGateMib.fgVpn.fgVpnTrapObjects
– fortinet.fnFortiGateMib.fgHighAvailability
– fortinet.fnFortiGateMib.fgHighAvailability.fgHaInfo
– fortinet.fnFortiGateMib.fgHighAvailability.fgHaTables
– fortinet.fnFortiGateMib.fgHighAvailability.fgHaTrapObjects
– fortinet.fnFortiGateMib.fgMibConformance
– fortinet.fnFortiGateMib.fgTraps
– fortinet.fnFortiGateMib.fgMibConformance

After a quick check and a grep of the MIB file for PktCount, I find that the “fortinet.fnFortiGateMib.fgFirewall.fgFwPolicies.fgFwPolTables.fgFwPolStatsTable” entry has the counts for each policy; there is also an IPv6 counter table. To verify, I run the snmpwalk command using that MIB entry:

localhost# snmpwalk -v2c -c public -m ALL 192.168.1.254 enterprises.fortinet.fnFortiGateMib.fgFirewall.fgFwPolicies.fgFwPolTables.fgFwPolStatsTable

The output shows the following (one line per defined policy):

Undefined OBJECT (fgFcSwName): At line 5456 in /usr/share/snmp/mibs/FORTINET-FORTIGATE-MIB.mib
Undefined OBJECT (fgFcSwSerial): At line 5456 in /usr/share/snmp/mibs/FORTINET-FORTIGATE-MIB.mib
FORTINET-FORTIGATE-MIB::fgFwPolID.1.3 = INTEGER: 3
FORTINET-FORTIGATE-MIB::fgFwPolID.1.4 = INTEGER: 4
FORTINET-FORTIGATE-MIB::fgFwPolID.1.5 = INTEGER: 5
FORTINET-FORTIGATE-MIB::fgFwPolID.1.9 = INTEGER: 9

FORTINET-FORTIGATE-MIB::fgFwPolID.1.102 = INTEGER: 102
FORTINET-FORTIGATE-MIB::fgFwPolID.1.103 = INTEGER: 103
FORTINET-FORTIGATE-MIB::fgFwPolID.1.104 = INTEGER: 104
FORTINET-FORTIGATE-MIB::fgFwPolID.1.105 = INTEGER: 105
FORTINET-FORTIGATE-MIB::fgFwPolPktCount.1.3 = Counter32: 5422851
FORTINET-FORTIGATE-MIB::fgFwPolPktCount.1.4 = Counter32: 72155045
FORTINET-FORTIGATE-MIB::fgFwPolPktCount.1.5 = Counter32: 2018201
FORTINET-FORTIGATE-MIB::fgFwPolPktCount.1.9 = Counter32: 202148105

FORTINET-FORTIGATE-MIB::fgFwPolPktCount.1.102 = Counter32: 113785
FORTINET-FORTIGATE-MIB::fgFwPolPktCount.1.103 = Counter32: 94793
FORTINET-FORTIGATE-MIB::fgFwPolPktCount.1.104 = Counter32: 1132
FORTINET-FORTIGATE-MIB::fgFwPolPktCount.1.105 = Counter32: 12969
FORTINET-FORTIGATE-MIB::fgFwPolByteCount.1.3 = Counter32: 1053016935
FORTINET-FORTIGATE-MIB::fgFwPolByteCount.1.4 = Counter32: 2523286850
FORTINET-FORTIGATE-MIB::fgFwPolByteCount.1.5 = Counter32: 1515645813
FORTINET-FORTIGATE-MIB::fgFwPolByteCount.1.9 = Counter32: 2959503223

FORTINET-FORTIGATE-MIB::fgFwPolByteCount.1.96 = Counter32: 19139016
FORTINET-FORTIGATE-MIB::fgFwPolByteCount.1.97 = Counter32: 46970555
FORTINET-FORTIGATE-MIB::fgFwPolByteCount.1.98 = Counter32: 188415104
FORTINET-FORTIGATE-MIB::fgFwPolByteCount.1.99 = Counter32: 1403920424

What the output tells us is that there are Byte and Packet counts for every defined policy, not per physical interface.

To track all my outbound traffic I logged into the Fortigate and under “Policies” I did a lookup for all policies that send traffic to the Wan1 interface, which is my main link. I found 3 policies: 57, 94 and 96. So if I do a lookup on these three policies I can get the byte count, and if I check each minute, then the current byte count minus the last byte count gives me the bytes per minute going outbound.

The command to get the bytes becomes:

snmpwalk -v2c -m ALL -c public 192.168.1.1 enterprises.fortinet.fnFortiGateMib.fgFirewall.fgFwPolicies.fgFwPolTables.fgFwPolStatsTable.fgFwPolStatsEntry.fgFwPolByteCount.1.94
FORTINET-FORTIGATE-MIB::fgFwPolByteCount.1.94 = Counter32: 1262674051

For policy 96, the output is:

FORTINET-FORTIGATE-MIB::fgFwPolByteCount.1.96 = Counter32: 19139360

For policy 57, the output is:

FORTINET-FORTIGATE-MIB::fgFwPolByteCount.1.57 = Counter32: 2889114186

So all we need to do is add these together and we have the total!
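The per-minute calculation described above, as an added example that is not part of the original post: it parses snmpwalk output in the format shown, takes each policy's delta modulo 2^32 because a Counter32 wraps back to zero, and sums the deltas for policies 57, 94 and 96. The two sample polls are constructed values, and the function names and the `first_index` parameter are assumptions made for the illustration.

```python
import re

COUNTER32_MOD = 2 ** 32  # a Counter32 wraps to 0 after 4294967295
WAN1_POLICIES = {57, 94, 96}  # policy IDs taken from the post

# Matches e.g. "FORTINET-FORTIGATE-MIB::fgFwPolByteCount.1.94 = Counter32: 1262674051"
LINE_RE = re.compile(r"::fgFwPolByteCount\.(\d+)\.(\d+) = Counter32: (\d+)\s*$")

# Constructed sample polls (not real device output), taken one minute apart.
PREV_POLL = """\
Undefined OBJECT (fgFcSwName): At line 5456 in /usr/share/snmp/mibs/FORTINET-FORTIGATE-MIB.mib
FORTINET-FORTIGATE-MIB::fgFwPolByteCount.1.57 = Counter32: 4294960000
FORTINET-FORTIGATE-MIB::fgFwPolByteCount.1.94 = Counter32: 1262674051
FORTINET-FORTIGATE-MIB::fgFwPolByteCount.1.96 = Counter32: 19139360
FORTINET-FORTIGATE-MIB::fgFwPolByteCount.1.99 = Counter32: 1403920424
"""
CURR_POLL = """\
FORTINET-FORTIGATE-MIB::fgFwPolByteCount.1.57 = Counter32: 2704
FORTINET-FORTIGATE-MIB::fgFwPolByteCount.1.94 = Counter32: 1262679051
FORTINET-FORTIGATE-MIB::fgFwPolByteCount.1.96 = Counter32: 19139860
FORTINET-FORTIGATE-MIB::fgFwPolByteCount.1.99 = Counter32: 1403920999
"""


def parse_byte_counts(snmp_output, policy_ids, first_index=1):
    """Return {policy_id: byte_count}; warnings and other policies are skipped."""
    counts = {}
    for line in snmp_output.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group(1)) == first_index and int(m.group(2)) in policy_ids:
            counts[int(m.group(2))] = int(m.group(3))
    missing = set(policy_ids) - set(counts)
    if missing:  # a deleted or renumbered policy must not silently read as zero
        raise ValueError(f"no byte count for policies {sorted(missing)}")
    return counts


def counter32_delta(previous, current):
    """Bytes between two polls; correct across one wrap, not a reset or two wraps."""
    return (current - previous) % COUNTER32_MOD


def outbound_bytes(prev_counts, curr_counts):
    """Total bytes for the interval: the sum of the per-policy deltas."""
    return sum(counter32_delta(prev_counts[p], curr_counts[p]) for p in curr_counts)


if __name__ == "__main__":
    prev = parse_byte_counts(PREV_POLL, WAN1_POLICIES)
    curr = parse_byte_counts(CURR_POLL, WAN1_POLICIES)
    print("outbound bytes in the last minute:", outbound_bytes(prev, curr))
```

In the constructed data policy 57 wraps between the two polls, which a plain subtraction would report as a large negative number.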

I’ll be sending that data to my monitoring system using RabbitMQ and graphing it in “grafana” via our graphite/carbon/whisper metrics gathering system.
