User Guide

Getting started
- Part 1: Add your infrastructure to FortiMonitor
- Part 2: Monitoring
- Part 3: Alert Timelines
- Part 4: Visualization
- Part 5: Team Management
- Part 6: Reports
- Part 7: CounterMeasures
- Supported browsers
Infrastructure Map
Instance Details page
- Assign Alert Timelines
- Create an Instance Group
My Account
- Can I see what changes have been made to my account and by whom?
- Manage email preferences
Dashboards
- Dashboard widgets
- Clone a widget
- Topology Maps
  - Create and save views
Monitoring
- Add monitoring to an existing server
- Tags
- Monitoring locations
  - Specifying confirmation check locations
  - Global monitoring network
    - Checker IP changes
- Advanced monitoring features
  - Compound metrics
  - Force a DNS update after an IP address change
- Monitoring policies
- Monitoring guides
  - MySQL monitoring
  - Redis monitoring
Templates
- Default templates
- Configure a template
- Apply server templates
- Template pattern matching
- Disassociate a template from multiple instances
Cloud monitoring
- AWS
- Azure
  - Azure App Service
- Cisco Meraki
- Kubernetes
  - Kubernetes Details page
Application monitoring
- Get started with Application Monitoring
- Add an Application
Path monitoring
SD-WAN application monitoring
- FortiGate and OnSight configuration for SD-WAN synthetic monitoring
- Set up SD-WAN application monitoring
Security Fabric
- Fabric Tunnel connected to FortiMonitor cloud (FortiOS 7.0 and newer)
- Fabric 7.x OnSight proxy
- Fabric 6.x Integration
- Fabric integration via FortiManager proxy
Network device monitoring
NetFlow monitoring
- Estimator mode
VMware
Network checks
- Network service checks
- Synthetic Monitoring
  - HTTP
  - HTTPS
- Browser synthetic (multistep) check
  - Available multistep commands
- JavaScript synthetic
  - Set up a JavaScript synthetic check environment
- Configure incident alert and response time thresholds
- Limit the number of confirmations for an outage
- Dynamic variables
FortiMonitor Agent
- Install the FortiMonitor Agent
- Add FortiMonitor Agent checks
- FortiMonitor Agent Security
- Windows Agent auto-update
- Add plugins to a blacklist
- Add metrics using Windows Performance Monitor
- Prepare a FortiMonitor Agent for server imaging/cloning
- Rebuild the FortiMonitor Agent metadata
- IP matching
- Start or end Maintenance from the FortiMonitor Linux Agent
- Migrate configuration to FortiMonitor Agent
- Troubleshooting the FortiMonitor Agent
- Automate the Agent installation
  - Use the FortiMonitor Agent manifest file
  - Remove an instance automatically
- Custom metrics and incidents
- Application plugins
Endpoint Agent
- Add a Windows Endpoint FortiMonitor Agent
- Add a MacOS Agent
CounterMeasures
- Linux CounterMeasures
  - Standard Linux CounterMeasure actions
  - Custom Linux CounterMeasure actions
- Windows CounterMeasures
  - Standard Windows CounterMeasure Actions
  - Custom Windows CounterMeasures actions
- OnSight-based CounterMeasures
- CounterMeasures security
- CounterMeasures Slack integration
OnSight vCollector
- One-liner installer
- OnSight virtual image installation
- OnSight AMI installation
- OnSight for Azure installation
- Automate the OnSight deployment
- Monitor a device that has not been discovered with OnSight
- OnSight discovery
- Upgrading the OnSight
- Manage and configure your OnSight vCollector
- OnSight custom metrics
- Additional setup and helpful tips
SNMP
- SNMP traps
- SNMP polling
- Configure SNMP alert thresholds
- SNMP troubleshooting
Alerting
- Alert Timelines
- Email
- SMS
- Integrations
- Limit the number of confirmation checks for an outage
- Set up an On-Call schedule
- Multiple server outages
- Notification for an individual service on a server
- Long-running incidents
Incident Hub
- View incident details
- Incident Solutions
- Create an incident using email
Reports
- Create a report
- Public status pages
- Exporting Metric Reports for long duration time periods
Maintenance Schedules
- Maintenance history
API
- API keys
- View the API library
- Custom incidents using API
- Postman
Users, Groups, and Authentication
- Add users to your account
  - Access control
  - Create a Group
- Single sign-on (SSO)
Multi-tenancy
- Manage subtenants
- Manage a multi-tenant environment
  - Multi-tenant dashboards
- White label options
Mobile app
- Acknowledging incidents and other actions
NCM
- NCM installation and initial configuration
- NCM Supported Devices
- Backup
  - Backup filters
- Search syntax help
- Mass Config Push
  - Device mode table
  - VT100 Control / Command sequences
- Device variables
- NCM Slack configuration
- System login
- Discovery
- Scheduling
- User security and access roles
- Sensitive data stripping
FAQ
- Data Retention and Compliance
Get support

Home FortiMonitor 24.2.0 User Guide

24.2.0

FortiGate and OnSight configuration for SD-WAN synthetic monitoring

This article provides the steps on how to set up an OnSight for SD-WAN synthetic monitoring.

Prerequisites

An OnSight vCollector.
Security Fabric must be configured in FortiMonitor.
SD-WAN must be configured on the FortiGate device.
The OnSight needs a reserved IP for each of the FortiGate's WAN interfaces. Reserved IPs will automatically be assigned to the host when enabling SD-WAN synthetic monitoring. You do not need to assign them manually.
These need to exist within the same subnet as the primary OnSight IP and not already in use by another device.
The Admin profile used in the Security Fabric setup must have the read permission on firewall addresses.

This guide will use the following objects and addresses. In the example below, we are using 10.10.10.11 and 10.10.10.12. Substitute your chosen IPs in the details below.

SD-WAN Device	OnSight Agent IP	Firewall Address	SD-WAN Rule	SD-WAN Member ID	SD-WAN Zone
WAN1(port1)	10.10.10.11	FMR_IP1	Manual (#1)	1	virtual-wan-link
WAN2(port2)	10.10.10.12	FMR_IP2	Manual (#2)	2	virtual-wan-link

Note: While this example is presented using two underlays, it can be extended to use three or more.

High-level configuration steps

This section provides the high-level configuration steps which must be done in the correct order.

Initial steps

Install an OnSight vCollector.
Onboard the FortiGate and configure Security Fabric. Note that SD-WAN must be configured on the FortiGate.

FortiGate configuration

Create new firewall address objects for each OnSight agent monitored IP
1. Referenced in the table above as FMR_IP1, and FMR_IP2.
Create SD-WAN rules to manually steer traffic from each On-sight agent to its respective WAN port
Add the firewall addresses to the firewall policy

The following sections explain the high-level configuration steps in detail.

FortiGate configuration

This section details the steps on how to configure FortiGate.

Configure firewall objects

Create a firewall address object for each OnSight agent IP.

Log in to FortiGate.
Launch the CLI console. If you need more information on how to use the CLI console, see Using the CLI.
Configure firewall objects for each WAN connection and the OnSight's default IP.
In this example, The IP addresses 10.10.10.11, and 10.10.10.12 are used. Replace them with the correct OnSight IPs. Similarly, you can also replace FMR_IP1 and FMR_IP2 with your own values.
From the CLI, enter the following command:

config firewall address

edit "FMR_IP1"

set subnet 10.10.10.11 255.255.255.255

edit "FMR_IP2"

set subnet 10.10.10.12 255.255.255.255

end

Create SD-WAN rules

SD-WAN rules must first be set up to use SD-WAN synthetic monitoring. A specific IP address is needed for each WAN connection.

In this step we will create a manual SD-WAN rule to steer each OnSight IPs monitoring traffic through its respective WAN underlay.

OnSight monitoring traffic will be marked using the agent-exclusive command. This command marks traffic as FortiMonitor health checks.
Each OnSight firewall object will be manually steered to its respective WAN underlay.

Launch the CLI console.
Enter the following command to create the SD-WAN rules:

config system sdwan

config service

edit 1

set dst "all"

set src "FMR_IP1"

set priority-members 1

set agent-exclusive enable

edit 2

set dst "all"

set src "FMR_IP2"

set priority-members 2

set agent-exclusive enable

end

Note: The command set agent-exclusive enable is a FortiOS dependency of 7.2.4 or later.

In this example, rules 1 and 2 are used but you may configure any available rule ID.

The Source (src) and Destination (dst) parameters are used to identify traffic. If the traffic is from a specific source address ,its associated SD-WAN rule will be used. See SD-WAN rules overview for more information.

Note that the SD-WAN rules created for SD-WAN synthetic monitoring must be set to the highest priority. You can do this by dragging the rules to the top of the list.

Add the firewall addresses to the firewall policy

Add FMR_IP1 and FMR_IP2 to the Firewall policy from the OnSight to virtual-wan-link, so that the traffic from OnSight can travel to the internet.

Incoming interface - The interface connected to the OnSight.
Source - Add FMR_IP1 and FMR_IP2. If the Source is All, there is no need to add the addresses.

FortiMonitor configuration

Enable SD-WAN synthetic monitoring

Once the configuration on the FortiGate has been completed:

Go to Monitoring > Infra setting > Fabric then run a rediscovery on the fabric integration.

Rediscovery module performs the following:
- Retrieves the firewall address information including the FortiMonitor IP, OnSight agent IPs, and SD-WAN rules.
- Validates the values.
- If there are no issues, the SD-WAN synthetic monitoring menu option will be enabled.
- After enabling SD-WAN synthetic monitoring. the OnSight will then assign the additional IP addresses.
Open the FortiGate details page in the Control Panel.
Click SD-WAN Synthetic Monitor.
On the modal that appears, click Enable SDWAN Synthetic Monitor.

Add SD-WAN monitoring to an application

Go to Monitoring > Application.
Select the application where you want to add SD-WAN monitoring.
Select Locations.
Select Add Locations > SD-WAN Devices.
In the Source SD-WANs drop-down field, select the FortiGate you configured.
Click Save.

Data should begin to flow in about 5-10 minutes.

FortiGate and OnSight configuration for SD-WAN synthetic monitoring

This article provides the steps on how to set up an OnSight for SD-WAN synthetic monitoring.

Prerequisites

An OnSight vCollector.
Security Fabric must be configured in FortiMonitor.
SD-WAN must be configured on the FortiGate device.
The OnSight needs a reserved IP for each of the FortiGate's WAN interfaces. Reserved IPs will automatically be assigned to the host when enabling SD-WAN synthetic monitoring. You do not need to assign them manually.
These need to exist within the same subnet as the primary OnSight IP and not already in use by another device.
The Admin profile used in the Security Fabric setup must have the read permission on firewall addresses.

This guide will use the following objects and addresses. In the example below, we are using 10.10.10.11 and 10.10.10.12. Substitute your chosen IPs in the details below.

SD-WAN Device	OnSight Agent IP	Firewall Address	SD-WAN Rule	SD-WAN Member ID	SD-WAN Zone
WAN1(port1)	10.10.10.11	FMR_IP1	Manual (#1)	1	virtual-wan-link
WAN2(port2)	10.10.10.12	FMR_IP2	Manual (#2)	2	virtual-wan-link

Note: While this example is presented using two underlays, it can be extended to use three or more.

High-level configuration steps

This section provides the high-level configuration steps which must be done in the correct order.

Initial steps

Install an OnSight vCollector.
Onboard the FortiGate and configure Security Fabric. Note that SD-WAN must be configured on the FortiGate.

FortiGate configuration

Create new firewall address objects for each OnSight agent monitored IP
1. Referenced in the table above as FMR_IP1, and FMR_IP2.
Create SD-WAN rules to manually steer traffic from each On-sight agent to its respective WAN port
Add the firewall addresses to the firewall policy

FortiMonitor configuration

Enable SD-WAN synthetic monitoring
Add SD-WAN monitoring to an application

The following sections explain the high-level configuration steps in detail.

FortiGate configuration

This section details the steps on how to configure FortiGate.

Configure firewall objects

Create a firewall address object for each OnSight agent IP.

Log in to FortiGate.
Launch the CLI console. If you need more information on how to use the CLI console, see Using the CLI.
Configure firewall objects for each WAN connection and the OnSight's default IP.
In this example, The IP addresses 10.10.10.11, and 10.10.10.12 are used. Replace them with the correct OnSight IPs. Similarly, you can also replace FMR_IP1 and FMR_IP2 with your own values.
From the CLI, enter the following command:

config firewall address

edit "FMR_IP1"

set subnet 10.10.10.11 255.255.255.255

edit "FMR_IP2"

set subnet 10.10.10.12 255.255.255.255

end

Create SD-WAN rules

SD-WAN rules must first be set up to use SD-WAN synthetic monitoring. A specific IP address is needed for each WAN connection.

In this step we will create a manual SD-WAN rule to steer each OnSight IPs monitoring traffic through its respective WAN underlay.

OnSight monitoring traffic will be marked using the agent-exclusive command. This command marks traffic as FortiMonitor health checks.
Each OnSight firewall object will be manually steered to its respective WAN underlay.

Launch the CLI console.
Enter the following command to create the SD-WAN rules:

config system sdwan

config service

edit 1

set dst "all"

set src "FMR_IP1"

set priority-members 1

set agent-exclusive enable

edit 2

set dst "all"

set src "FMR_IP2"

set priority-members 2

set agent-exclusive enable

end

Note: The command set agent-exclusive enable is a FortiOS dependency of 7.2.4 or later.

In this example, rules 1 and 2 are used but you may configure any available rule ID.

Note that the SD-WAN rules created for SD-WAN synthetic monitoring must be set to the highest priority. You can do this by dragging the rules to the top of the list.

Add the firewall addresses to the firewall policy

Add FMR_IP1 and FMR_IP2 to the Firewall policy from the OnSight to virtual-wan-link, so that the traffic from OnSight can travel to the internet.

Incoming interface - The interface connected to the OnSight.
Source - Add FMR_IP1 and FMR_IP2. If the Source is All, there is no need to add the addresses.

FortiMonitor configuration

Enable SD-WAN synthetic monitoring

Once the configuration on the FortiGate has been completed:

Go to Monitoring > Infra setting > Fabric then run a rediscovery on the fabric integration.

Rediscovery module performs the following:
- Retrieves the firewall address information including the FortiMonitor IP, OnSight agent IPs, and SD-WAN rules.
- Validates the values.
- If there are no issues, the SD-WAN synthetic monitoring menu option will be enabled.
- After enabling SD-WAN synthetic monitoring. the OnSight will then assign the additional IP addresses.
Open the FortiGate details page in the Control Panel.
Click SD-WAN Synthetic Monitor.
On the modal that appears, click Enable SDWAN Synthetic Monitor.

Add SD-WAN monitoring to an application

Go to Monitoring > Application.
Select the application where you want to add SD-WAN monitoring.
Select Locations.
Select Add Locations > SD-WAN Devices.
In the Source SD-WANs drop-down field, select the FortiGate you configured.
Click Save.

Data should begin to flow in about 5-10 minutes.