Configure SNMP

SNMP lets monitoring systems (PRTG, LibreNMS, Zabbix, fortigate-monitor, etc.) poll the FortiGate for stats — interface counters, sessions, CPU, memory, VPN status — and receive event traps. FortiGate supports SNMPv1, v2c, and v3.

Before You Start

• Your monitoring server's IP.
• A community string (v2c) or v3 user creds.
• Decide what counters / traps you want.

Steps

Enable SNMP globally

1. System → SNMP.
2. Toggle SNMP Agent = Enabled.
3. Fill in:
   • Description — e.g. Branch-1-FortiGate.
   • Location — e.g. Office Server Room.
   • Contact Info — admin email/phone.
4. OK.

Configure SNMPv2c community

1. SNMP v1/v2c → + Create New.
2. Fill in:
   • Community Name — random string (treat like a password).
   • Hosts — add monitoring server IPs and their interfaces.
   • Queries → v2c — set port 161 (default).
   • Enabled — Yes.
   • Traps — if you want event traps (alerts on state changes), enable and set the trap port (usually 162).
3. OK.

Configure SNMPv3 (more secure)

1. SNMP v3 → + Create New.
2. Fill in:
   • Username — e.g. monitor.
   • Security Level:
     • noAuthNoPriv — no auth, no encryption (don't use).
     • authNoPriv — auth only.
     • authPriv — auth + encryption (recommended).
   • Authentication Protocol — SHA1 or SHA256.
   • Authentication Password — strong.
   • Privacy Protocol — AES128 or AES256.
   • Privacy Password — strong (different from auth).
   • Notification Hosts — monitoring server IPs.
3. OK.

Allow SNMP on the interface

1. Network → Interfaces → interface used by monitoring server.
2. Administrative Access → check SNMP.
3. OK.

📸 Screenshot needed

System → SNMP → SNMP v1/v2c create form filled with a community + hosts.

CLI Equivalent

config system snmp sysinfo
    set status enable
    set description "Branch-1-FortiGate"
    set location "Office Server Room"
    set contact-info "admin@example.com"
end

config system snmp community
edit 1
    set name "monitor-community"
    config hosts
        edit 1
            set ip 10.0.0.20 255.255.255.255
        next
    end
    set events ...    # which events to trap
next
end

# Allow SNMP on interface:
config system interface
edit "internal"
    append allowaccess snmp
next
end

Verify

From the monitoring server:

snmpwalk -v2c -c <community> <fortigate-ip> 1.3.6.1.2.1.1.1.0
# Returns sysDescr — should show FortiGate description.

snmpwalk -v2c -c <community> <fortigate-ip> .1.3.6.1.4.1.12356
# Walks Fortinet's enterprise OID tree.

For v3:

snmpwalk -v3 -l authPriv -u monitor -a SHA -A <authpass> -x AES -X <privpass> <fortigate-ip> 1.3.6.1.2.1.1.1.0

Useful FortiGate OIDs

• CPU usage: .1.3.6.1.4.1.12356.101.4.1.3.0
• Memory used: .1.3.6.1.4.1.12356.101.4.1.4.0
• Active sessions: .1.3.6.1.4.1.12356.101.4.1.8.0
• Interface stats: standard IF-MIB (.1.3.6.1.2.1.2.2.1.*)
• VPN tunnel status: .1.3.6.1.4.1.12356.101.12.2.2.*

Most monitoring systems have FortiGate templates pre-built — import and you're done.

Common Issues

• Timeout. Interface doesn't permit SNMP, or firewall (FortiGate's own or upstream) blocks UDP/161.
• Wrong community returns nothing. Case-sensitive; double-check string.
• v3 auth fails. Username/password/protocol mismatch. Use snmpwalk -v3 ... -L f to log auth detail.
• Traps don't reach monitoring. Trap host UDP/162 unreachable from FortiGate side.
• Counter wraps. 32-bit counters wrap on busy interfaces. Use 64-bit counter OIDs (IF-MIB has both).

Related Pages

• Configure a Network Interface
• Send Logs to a Syslog Server