Configure SNMP

SNMP lets monitoring systems (PRTG, LibreNMS, Zabbix, fortigate-monitor, etc.) poll the FortiGate for stats — interface counters, sessions, CPU, memory, VPN status — and receive event traps. FortiGate supports SNMPv1, v2c, and v3.

Before You Start

  • Your monitoring server's IP.
  • A community string (v2c) or v3 user creds.
  • Decide what counters / traps you want.

Steps

Enable SNMP globally

  1. System → SNMP.
  2. Toggle SNMP Agent = Enabled.
  3. Fill in:
    • Description — e.g. Branch-1-FortiGate.
    • Location — e.g. Office Server Room.
    • Contact Info — admin email/phone.
  4. OK.

Configure SNMPv2c community

  1. SNMP v1/v2c → + Create New.
  2. Fill in:
    • Community Name — random string (treat like a password).
    • Hosts — add monitoring server IPs and their interfaces.
    • Queries → v2c — set port 161 (default).
    • Enabled — Yes.
    • Traps — if you want event traps (alerts on state changes), enable and set the trap port (usually 162).
  3. OK.

Configure SNMPv3 (more secure)

  1. SNMP v3 → + Create New.
  2. Fill in:
    • Username — e.g. monitor.
    • Security Level:
      • noAuthNoPriv — no auth, no encryption (don't use).
      • authNoPriv — auth only.
      • authPriv — auth + encryption (recommended).
    • Authentication Protocol — SHA1 or SHA256.
    • Authentication Password — strong.
    • Privacy Protocol — AES128 or AES256.
    • Privacy Password — strong (different from auth).
    • Notification Hosts — monitoring server IPs.
  3. OK.

Allow SNMP on the interface

  1. Network → Interfaces → interface used by monitoring server.
  2. Administrative Access → check SNMP.
  3. OK.

CLI Equivalent

config system snmp sysinfo
    set status enable
    set description "Branch-1-FortiGate"
    set location "Office Server Room"
    set contact-info "admin@example.com"
end

config system snmp community
edit 1
    set name "monitor-community"
    config hosts
        edit 1
            set ip 10.0.0.20 255.255.255.255
        next
    end
    set events ...    # which events to trap
next
end

# Allow SNMP on interface:
config system interface
edit "internal"
    append allowaccess snmp
next
end
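
An added example (not part of the original page and not Fortinet tooling): a small Python check that reads a saved config in the format shown above and flags community names that are well known or short, and host entries wider than a single IP. The sample config, the `WELL_KNOWN` list and the 12-character minimum are assumptions made for illustration; only IPv4 `set ip` host entries are handled.

```python
from ipaddress import ip_network
import shlex

BLOCK = "system snmp community"
WELL_KNOWN = {"public", "private"}   # assumption: names treated as guessable
# Constructed sample config (not from a real device), same shape as the CLI above.
SAMPLE = """config system snmp community
    edit 1
        set name "public"
        config hosts
            edit 1
                set ip 10.0.0.20 255.255.255.255
            next
            edit 2
                set ip 10.0.0.0 255.255.255.0
            next
        end
    next
end
"""

def parse_communities(text):
    """Return one dict per community entry: id, name, IPv4 host networks."""
    stack, out = [], []
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)   # handles quotes and '#' comments
        if tok[:1] == ["config"]:
            stack.append(" ".join(tok[1:]))     # enter a (possibly nested) block
        elif tok[:1] == ["end"] and stack:
            stack.pop()
        elif stack == [BLOCK] and tok[:1] == ["edit"] and len(tok) == 2:
            out.append({"id": tok[1], "name": "", "hosts": []})
        elif stack == [BLOCK] and tok[:2] == ["set", "name"] and len(tok) == 3 and out:
            out[-1]["name"] = tok[2]
        elif stack == [BLOCK, "hosts"] and tok[:2] == ["set", "ip"] and len(tok) == 4 and out:
            out[-1]["hosts"].append(ip_network(f"{tok[2]}/{tok[3]}", strict=False))
    return out

def audit(text, min_len=12):                    # min_len is an assumed threshold
    """Flag guessable community names and host entries wider than one IP."""
    findings = []
    for c in parse_communities(text):
        if c["name"].lower() in WELL_KNOWN or len(c["name"]) < min_len:
            findings.append((c["id"], "weak-community-name"))
        findings += [(c["id"], f"host-not-single-ip:{n}") for n in c["hosts"] if n.prefixlen < 32]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```
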

Verify

From the monitoring server:

snmpwalk -v2c -c <community> <fortigate-ip> 1.3.6.1.2.1.1.1.0
# Returns sysDescr — should show FortiGate description.

snmpwalk -v2c -c <community> <fortigate-ip> .1.3.6.1.4.1.12356
# Walks Fortinet's enterprise OID tree.

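For v3 (the -a and -x values must match the authentication and privacy protocols configured on the FortiGate):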

snmpwalk -v3 -l authPriv -u monitor -a SHA -A <authpass> -x AES -X <privpass> <fortigate-ip> 1.3.6.1.2.1.1.1.0

Useful FortiGate OIDs

  • CPU usage: .1.3.6.1.4.1.12356.101.4.1.3.0
  • Memory used: .1.3.6.1.4.1.12356.101.4.1.4.0
  • Active sessions: .1.3.6.1.4.1.12356.101.4.1.8.0
  • Interface stats: standard IF-MIB (.1.3.6.1.2.1.2.2.1.*)
  • VPN tunnel status: .1.3.6.1.4.1.12356.101.12.2.2.*

Most monitoring systems have FortiGate templates pre-built — import and you're done.

Common Issues

  • Timeout. Interface doesn't permit SNMP, or firewall (FortiGate's own or upstream) blocks UDP/161.
  • Wrong community returns nothing. Case-sensitive; double-check string.
  • v3 auth fails. Username/password/protocol mismatch. Use snmpwalk -v3 ... -L f to log auth detail.
  • Traps don't reach monitoring. Trap host UDP/162 unreachable from FortiGate side.
  • Counter wraps. 32-bit counters wrap on busy interfaces. Use 64-bit counter OIDs (IF-MIB has both).