David Lee

Fortigate missing interfaces

Recently we have seen a number of issues with Fortigate not showing interface datasources.

With the release of FortiOS 5.4.1, Fortigate changed the behaviour of the interface description OID. This results in LogicMonitor being unable to discover the interfaces.

The SNMP get value for the interface description now returns the value from "set description" instead of the interface name.

You must add descriptions to each interface using these CLI commands:

    config system interface
        edit <int>
            set description "<int>"
    end

Once completed, forcing Active Discovery will resolve the issue.


I did some core research.  Let's define what we are talking about for Fortigate firewalls:

1. Name. This is the official canonical name as it appears in the config. Under normal conditions it can't be changed.

2. Alias. This is the SET ALIAS command under the config of the interface. It shows up in parentheses in the GUI next to the canonical name.

3. Description. This is the SET DESCRIPTION command under the config of the interface. It is labeled "Comments" in the GUI.

There does seem to be a change in how these three things post to SNMP on newer firmware.  I have to leave for the day but will post more info tomorrow.


I tested this on a v5.2.12 device and found:

ifTable:ifDescr     Returns Canonical Name (never NULL)
ifXTable:ifName     Returns Canonical Name (never NULL)
ifXTable:ifAlias    Returns Alias (sometimes NULL)

This seems consistent with all other network equipment that I've used and also consistent with the intent in RFC 2863. It's unclear what the IETF originally wanted to see in ifDescr, but stuffing the Canonical Name in there seems appropriate. The ifXTable:ifName was definitely intended to receive the Canonical Name (based on my reading).

I then tested with v5.4.6:

ifTable:ifDescr     Returns Description (almost always NULL)
ifXTable:ifName     Returns Canonical Name (never NULL)
ifXTable:ifAlias    Returns Alias (sometimes NULL)

The problem that LM is finding is the SET DESCRIPTION syntax is very rarely used.  It's not prominent in the GUI and it's CLI syntax that is generally never used.  That creates a lot of Fortigate firewalls that have NULL for the ifDescr, which causes the normal snmp64_If- datasource to fail "sometimes."

I say "sometimes" because we have plenty of 5.4 firewalls where LM reads the interfaces perfectly fine.  


Dan,

Thanks for the extra information. Another quicker fix would be to clone the snmp64_if datasource and change the discovery type from value to wildcard. This will then work where the normal one fails, but instead of a name the interfaces will show the OID value.

I.e. instead of FastEthernet 0/4 it might show 17, so it is not as intuitive to understand which interface is which.

Edited by David Lee
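The behaviour discussed in this thread (empty ifDescr on FortiOS 5.4.x breaking value-based discovery, wildcard discovery naming instances by OID index) can be simulated with a short script. This is an added example, not code from LogicMonitor or from any poster; the SNMP walk data is constructed, the "value" and "wildcard" functions are a simplified model of the two discovery types named above rather than LogicMonitor's own implementation, and the fallback function is an assumed hardening that a cloned datasource could use. The CLI generator reproduces the fix from the first post for every interface whose ifDescr is empty, using FortiOS's `next` keyword to separate entries inside one config block.

```python
"""Constructed simulation of SNMP interface discovery against a Fortigate
whose ifDescr column is empty, as the thread describes for FortiOS 5.4.x.
The walk data below is made up for illustration; it is not output from a
real device."""

# Sample snmpwalk results keyed by ifIndex (constructed, not captured).
IFDESCR = {1: "", 2: "", 3: "uplink to ISP"}   # ifTable:ifDescr  (1.3.6.1.2.1.2.2.1.2)
IFNAME = {1: "port1", 2: "port2", 3: "wan1"}   # ifXTable:ifName  (1.3.6.1.2.1.31.1.1.1.1)
IFALIAS = {1: "", 2: "LAN", 3: ""}             # ifXTable:ifAlias (1.3.6.1.2.1.31.1.1.1.18)


def discover_by_value(ifdescr):
    """'Value' style discovery (simplified model): the walked value becomes
    the instance name. An empty value gives no usable name, so that row is
    skipped. Returns (instances, skipped_indexes)."""
    instances, skipped = {}, []
    for index, value in sorted(ifdescr.items()):
        if value.strip():
            instances[index] = value
        else:
            skipped.append(index)
    return instances, skipped


def discover_by_wildcard(ifdescr):
    """'Wildcard' style discovery (simplified model): every row is kept and
    the instance is named by its OID index, e.g. "17" instead of a port
    name, as the last post notes."""
    return {index: str(index) for index in sorted(ifdescr)}


def discover_with_fallback(ifdescr, ifname):
    """Assumed hardening for a cloned datasource (not LogicMonitor's own
    logic): prefer ifDescr, fall back to ifName, and finally to the index.
    ifName was never empty on either firmware line tested in the thread."""
    result = {}
    for index in sorted(set(ifdescr) | set(ifname)):
        name = ifdescr.get(index, "").strip() or ifname.get(index, "").strip()
        result[index] = name or str(index)
    return result


def build_fix_commands(ifdescr, ifname):
    """Generate the FortiOS CLI from the first post for every interface
    whose ifDescr is empty, setting the description to the interface name.
    'next' closes each entry inside the 'config system interface' block."""
    todo = [i for i in sorted(ifdescr) if not ifdescr[i].strip()]
    if not todo:
        return ""
    lines = ["config system interface"]
    for index in todo:
        lines += [f"    edit {ifname[index]}",
                  f'        set description "{ifname[index]}"',
                  "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    found, skipped = discover_by_value(IFDESCR)
    print("value discovery   :", found, "skipped:", skipped)
    print("wildcard discovery:", discover_by_wildcard(IFDESCR))
    print("with fallback     :", discover_with_fallback(IFDESCR, IFNAME))
    print(build_fix_commands(IFDESCR, IFNAME))
```

Running the script shows ports 1 and 2 vanishing under value discovery, all three appearing as bare numbers under wildcard discovery, and readable names under the fallback; the generated CLI only touches interfaces that actually lack a description, which keeps the change set small on a firewall where some comments are already in use.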
