Fortinet Firewall Failover Monitoring

Respected Contributor
Bharath M R
Posts: 410
Registered: 03-10-2010
Message 1 of 6

Fortinet Firewall Failover Monitoring

Hello,

We have NNMi 9.11 P4 on RHEL 5.4.

Is it possible to monitor failover functionality for firewalls which have the same physical IPs, and where a virtual IP is also not configured?

Device Models: Fortinet Firewalls 610B & 800.

Please let me know if anybody has knowledge on this.

Thanks in advance.

Thanks,
Bharath
Respected Contributor
mostafa_hassan
Posts: 265
Registered: 12-11-2011
Message 2 of 6

Re: Fortinet Firewall Failover Monitoring

Hello Bharath,

Actually, it can be done through traps if the devices are configured for, and support, sending such failover traps to NNM.

For the 2 FWs having the same IP address, this can be solved if you change the management IP address on the devices, using something such as loopback or virtual interfaces to manage the devices through, and don't forget to exclude the shared physical interface in the discovery.

What you can do is the scenario below:

Physical IP address 10.0.0.1

FW1 10.0.0.2

FW2 10.0.0.3

To test the failover functionality, make the first one down ("FW1 Down"); in the meantime you can do the following to discover all the traps generated on FW2, from the command below.

nnmtrapdump.ovpl -source FW2 >/tmp/trap.txt

Here FW2 is the hostname or the device name in NNM as configured.

Browse the trap.txt file for all the traps generated by FW2, and check if there is any trap for failover activity, like FW2 active or primary.

It's easy to check from the trap varbinds.

Note: kindly make sure that all the supported MIBs and traps are loaded in NNM.

Let me know if it's working for you or not.

All the best.

Regards
Mostafa Hassan
HP AIS NNM-NA-OO
CCNA-CCNP-ITIL-VCA-Cloud-VCA DataCenter
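The dump-and-inspect step described above, written out as an added shell example (not code from the post or from HP). It assumes a one-trap-per-line dump format, which is constructed here and must be checked against real nnmtrapdump.ovpl output; the Fortinet enterprise OID prefix 1.3.6.1.4.1.12356 is real, while the HA trap names and their numeric suffixes are taken from the FORTINET-FORTIGATE-MIB and should be confirmed against the MIB loaded in NNMi.

```shell
#!/bin/sh
# Added example: pick the Fortinet HA-related traps out of a trap dump.
# The dump line format used below is constructed for this example.
FORTINET_OID='1.3.6.1.4.1.12356'   # Fortinet enterprise OID prefix (real)

# Print only traps from SOURCE that are Fortinet-specific and whose trap
# name or varbinds mention HA state (switch/state/member, failover, primary).
ha_traps() {   # usage: ha_traps <dumpfile> <source>
    dump=$1; src=$2
    grep -F "source=$src" "$dump" \
      | grep -F "$FORTINET_OID" \
      | grep -Ei 'ha(switch|state|member)|fail ?over|primary|master'
}

# Count of HA traps, for a quick pass/fail check after forcing FW1 down.
ha_trap_count() { ha_traps "$1" "$2" | wc -l | tr -d ' '; }

# Constructed sample standing in for: nnmtrapdump.ovpl -source FW2 >/tmp/trap.txt
# (trap OID suffixes .401/.402 assumed from FORTINET-FORTIGATE-MIB; serial is a placeholder)
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
2012-03-01 10:00:01 source=FW2 trap=.1.3.6.1.6.3.1.1.5.3 name=linkDown varbinds=ifIndex=3 ifOperStatus=2
2012-03-01 10:00:04 source=FW2 trap=.1.3.6.1.4.1.12356.101.2.0.401 name=fgTrapHaSwitch varbinds=fgHaSystemMode=2 fgHaStatsMasterSerial=FGT-PLACEHOLDER
2012-03-01 10:00:05 source=FW2 trap=.1.3.6.1.4.1.12356.101.2.0.402 name=fgTrapHaStateChange varbinds=fgHaStatsIndex=1 fgHaStatsState=primary
2012-03-01 10:00:09 source=FW1 trap=.1.3.6.1.4.1.12356.101.2.0.401 name=fgTrapHaSwitch varbinds=fgHaSystemMode=2
2012-03-01 10:01:00 source=FW2 trap=.1.3.6.1.6.3.1.1.5.1 name=coldStart varbinds=
EOF

# Show the HA traps FW2 sent during the forced failover of FW1.
ha_traps "$SAMPLE" FW2
```

In real use replace SAMPLE with /tmp/trap.txt from the nnmtrapdump.ovpl run; a count of zero after forcing FW1 down means the HA traps are not reaching NNM (or the MIB is not loaded), not that no failover happened.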
Respected Contributor
Bharath M R
Posts: 410
Registered: 03-10-2010
Message 3 of 6

Re: Fortinet Firewall Failover Monitoring

Hi Hassan,

Thank you very much for your patience. Yes, that is the issue: the customer doesn't want to change the current IP addresses. We can manage only through traps.

For NNMi to monitor redundancy, it is supported only if the devices are HSRP/VRRP configured.

I will check with the customer and update.

What if we have the same physical IPs and a virtual IP; can NNMi monitor this?

Thanks,
Bharath
Respected Contributor
mostafa_hassan
Posts: 265
Registered: 12-11-2011
Message 4 of 6

Re: Fortinet Firewall Failover Monitoring

Hello,

If you have the same physical IP address for the 2 devices, I am not sure it will discover both correctly; I doubt it.

But if you have a virtual IP address and 2 physical addresses, it will be quite easy to manage them.

The virtual IP address which represents the cluster will be active on one of the 2 devices, and the other device will have its physical IP address.

For NNMi to monitor redundancy, it is supported only if the devices are HSRP/VRRP configured [Yes]: out-of-the-box events in NNM.

All the best.

Regards
Mostafa Hassan
HP AIS NNM-NA-OO
CCNA-CCNP-ITIL-VCA-Cloud-VCA DataCenter
Frequent Advisor
Abhishek_
Posts: 92
Registered: 11-10-2011
Message 5 of 6

Re: Fortinet Firewall Failover Monitoring

Not really*

There has to be a unique criterion by which each portion of the redundant configuration can be communicated with. An IP address that's the same is not unique, so when NNMi polls the shared IP address, the chassis inventory won't match both portions of the HA cluster, just whichever was discovered.
Advisor
a4nm
Posts: 18
Registered: 02-07-2012
Message 6 of 6

Re: Fortinet Firewall Failover Monitoring

Can anyone explain the following Fortinet enhancements in 9.23:

QCCR1B110400
  Modified NNMi such that it discovers all the interfaces
  of Fortinet devices when in an HA configuration.

QCCR1B94395
  NNMi has been changed such that NNMi discovers Fortinet
  HA members under cards (managed as a Card Redundancy
  Group).

Will they solve this issue?
