
New Features

Integration with carrier CPE management tools

The following enhancements allow better integration with carrier CPE (customer premises equipment) management tools:

  • Add SNMP OIDs to collect the reason for a FortiGate reboot.

  • Add SNMP OIDs to collect traffic shaping profile and policy related configurations.

  • Add a description field on the modem interface that can be fetched over SNMP.

  • Bring a loopback or VLAN interface down when the link monitor fails.

  • Add DSCP and shaping class ID support on the link monitor probe.

  • Allow multiple link monitors with the same source and destination address, but different ports or protocols.

SNMP OIDs

Use the following SNMP OIDs to collect the reason for a FortiGate reboot:

  • FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgSystem.fgSystemInfo.fgSysUpTimeDetail 1.3.6.1.4.1.12356.101.4.1.22
  • FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgSystem.fgSystemInfo.fgSysRebootReason 1.3.6.1.4.1.12356.101.4.1.23

Use the following SNMP OIDs to collect traffic shaping profile and policy related configurations:

Each row gives the SNMP OID, a comment on its index, and the related FOS configuration:

SNMP OID: fgIntfBcCfgIfTable 1.3.6.1.4.1.12356.101.7.5.5.1
  Comments: The OID index is the interface's SNMP index.
  Related FOS configuration: The SNMP result matches config system interface with the ingress/egress shaping profile set.

SNMP OID: fgIntfCfgSproTable 1.3.6.1.4.1.12356.101.7.5.5.2
  Comments: The OID index has the format .<vdom_index>.<profile_index>.
  Related FOS configuration: The SNMP result matches the main configuration of config firewall shaping-profile.

SNMP OID: fgIntfBcCfgSentTable 1.3.6.1.4.1.12356.101.7.5.5.3
  Comments: The OID index has the format .<vdom_index>.<profile_index>.<class_id>.
  Related FOS configuration: The SNMP result matches config firewall shaping-profile > config shaping-entries.

SNMP OID: fgIntfBcCfgSpolTable 1.3.6.1.4.1.12356.101.7.5.5.4
  Comments: The OID index has the format .<vdom_index>.<policy_id>.
  Related FOS configuration: The SNMP result matches config firewall shaping-policy.

CLI updates

To add a description on a modem interface:
  1. Configure the interface:
    config system interface
        edit "modem"
            set vdom "root"
            set mode pppoe
            set type physical
            set description "this is the modem"
            set snmp-index 37
        next
    end
  2. Run the SNMP walk in a third-party console:
    ubuntu90:~$ snmpwalk -v2c -cpublic 172.18.18.160 1.3.6.1.2.1 | grep odem
    iso.3.6.1.2.1.2.2.1.2.37 = STRING: "this is the modem"
    iso.3.6.1.2.1.31.1.1.1.1.37 = STRING: "modem"
    iso.3.6.1.2.1.47.1.1.1.1.7.4 = STRING: "modem"
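
A CPE management tool that ingests snmpwalk output needs to map the OIDs above back to the objects and index fields the tables document. The following Python snippet is an added example, not Fortinet code: it parses snmpwalk lines like the ones shown, recognises the reboot-reason scalars and the four shaping tables by their base OIDs, and decodes the trailing index sub-identifiers using the index layouts given in the table. The sample walk output, its values and the sub-identifiers between the table OID and the index (which the page does not spell out) are constructed for illustration.

```python
import re

# Base OIDs from the page. Index layouts are the ones the table documents; the
# sub-identifiers between the table OID and that index (entry/column numbering,
# not given on the page) are kept verbatim as "column_path".
SHAPING_TABLES = {
    "1.3.6.1.4.1.12356.101.7.5.5.1": ("fgIntfBcCfgIfTable", ("snmp_index",)),
    "1.3.6.1.4.1.12356.101.7.5.5.2": ("fgIntfCfgSproTable", ("vdom_index", "profile_index")),
    "1.3.6.1.4.1.12356.101.7.5.5.3": ("fgIntfBcCfgSentTable", ("vdom_index", "profile_index", "class_id")),
    "1.3.6.1.4.1.12356.101.7.5.5.4": ("fgIntfBcCfgSpolTable", ("vdom_index", "policy_id")),
}
SCALARS = {
    "1.3.6.1.4.1.12356.101.4.1.22": "fgSysUpTimeDetail",
    "1.3.6.1.4.1.12356.101.4.1.23": "fgSysRebootReason",
}
# snmpwalk prints "iso.3.6..." (or ".1.3.6...") then " = TYPE: value".
WALK_LINE = re.compile(r'^(?:iso|\.?1)\.(\S+) = ([\w-]+): ?(.*)$')

def parse_walk_line(line):
    """Split one snmpwalk output line into (numeric OID, type, value); None if it does not match."""
    m = WALK_LINE.match(line.strip())
    if not m:
        return None
    value = m.group(3).strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]  # unquote STRING values
    return "1." + m.group(1), m.group(2), value

def decode_oid(oid):
    """Map an OID instance to its documented object name and decoded index fields."""
    for base, name in SCALARS.items():
        if oid == base or oid.startswith(base + "."):
            return {"object": name, "index": {}}
    for base, (name, fields) in SHAPING_TABLES.items():
        if oid.startswith(base + "."):
            subids = oid[len(base) + 1:].split(".")
            if len(subids) < len(fields):
                return None  # too short to carry the documented index
            index = dict(zip(fields, map(int, subids[-len(fields):])))
            return {"object": name, "column_path": ".".join(subids[:-len(fields)]), "index": index}
    return None

def decode_walk(text):
    """Decode every recognised line of a walk; lines with other OIDs are skipped."""
    out = []
    for line in text.splitlines():
        parsed = parse_walk_line(line)
        info = decode_oid(parsed[0]) if parsed else None
        if info is not None:
            info.update(oid=parsed[0], type=parsed[1], value=parsed[2])
            out.append(info)
    return out

# Constructed sample walk output (instance numbers and values are made up).
SAMPLE_WALK = """\
iso.3.6.1.4.1.12356.101.4.1.23.0 = STRING: "power cycle (example)"
iso.3.6.1.4.1.12356.101.7.5.5.3.1.2.1.2.5 = INTEGER: 40
iso.3.6.1.2.1.2.2.1.2.37 = STRING: "this is the modem"
"""
```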
To bring a loopback or VLAN interface down when the link monitor fails:
  1. Configure the interfaces:
    config system interface
        edit "loopback1"
            set vdom "root"
            set ip 1.2.3.4 255.255.255.255
            set type loopback
        next
        edit "port1"
            set fail-detect enable
            set fail-detect-option detectserver link-down
            set fail-alert-interfaces loopback1
        next
    end
  2. Configure the link monitor:
    config system link-monitor
        edit linkmon1
            set server 159.1.1.1
            set interface "port1"
            set gateway-ip 28.1.1.159
            set source-ip 28.1.1.160
        next
    end
To configure DSCP and a shaping class ID on a link monitor:
config system link-monitor
    edit "monitor1"
        set srcintf "port1"
        set server "8.8.8.8"
        set gateway-ip 172.16.200.254
        set source-ip 172.16.200.1
        set diffservcode <binary>
        set class-id <id>
        set service-detection {enable | disable}
    next
end

diffservcode <binary>

Enter the differentiated services code point (DSCP) in the IP header of the probe packet, 6 bits binary (000000 - 111111).

class-id <id>

Enter the class ID (taken from config firewall traffic-class).

service-detection {enable | disable}

Set the service detection:

  • enable: only use monitor for service-detection
  • disable: monitor will update routes/interfaces on link failure

If the traffic generated by the probe matches the configured shaping traffic class, it will honor the priority, guaranteed bandwidth percentage, and maximum bandwidth percentage of the queue.

To configure multiple link monitors with the same source and destination address:
config system link-monitor
    edit "monitor1"
        set srcintf "port1"
        set server "159.1.1.1"
        set protocol twamp
        set port 81
        set gateway-ip 28.1.1.159
        set source-ip 28.1.1.160
    next
    edit "monitor2"
        set srcintf "port1"
        set server "159.1.1.1"
        set protocol twamp
        set port 82
        set gateway-ip 28.1.1.159
        set source-ip 28.1.1.160
        set service-detection enable
    next
end

In this example, different ports are used in each link monitor.