FortiSwitch SNMP Configuration: The Complete Guide for Network Administrators

Configuring SNMP (Simple Network Management Protocol) on Fortinet FortiSwitch devices presents unique challenges that have frustrated many network administrators. Unlike standalone network equipment, FortiSwitch units managed by FortiGate firewalls require a specialized approach that accounts for the FortiLink management architecture. This comprehensive guide synthesizes information from official documentation, community forums, and real-world implementation experiences to provide network professionals with a complete roadmap for successful FortiSwitch SNMP deployment.

The complexity arises because FortiSwitch SNMP operates as a read-only implementation, with SNMP v1 and v2c managers limited to querying system information and receiving traps. Administrators must navigate through firewall policies, access controls, and interface configurations that differ significantly from standard SNMP setups. Recent community discussions, including a notable Reddit thread from November 2024, reveal that even experienced technicians struggle with enabling SNMP on FortiLink interfaces, particularly when the FortiLink is already active.

This article distills critical information from multiple authoritative sources including official Fortinet documentation (versions 7.6.5 and 7.0.8), community troubleshooting guides, integration documents from FortiNAC, and practical implementation blogs to create a definitive reference for FortiSwitch SNMP configuration.

Understanding FortiSwitch SNMP Architecture

Core Components and Limitations

FortiSwitch SNMP implementation has several architectural constraints that administrators must understand before deployment. According to official Fortinet documentation, the managed FortiSwitch SNMP is strictly read-only, meaning SNMP managers cannot make configuration changes through SNMP protocols. This implementation supports both SNMP v1 and v2c for queries and trap reception, but write capabilities are intentionally excluded for security purposes.

A critical limitation is the maximum host constraint—each FortiSwitch unit can send traps to a maximum of 8 hosts only. This ceiling requires careful planning in larger network environments where multiple monitoring systems might need trap data. Additionally, all SNMP communication flows through the FortiLink interface, which creates both a centralized management advantage and potential bottleneck considerations for network monitoring traffic.

FortiSwitch units update their CPU and memory statistics every 30 seconds—an immutable interval that cannot be adjusted. This fixed update frequency impacts how frequently monitoring systems can obtain current performance metrics from the switches.

Essential Pre-Configuration Requirements

Before beginning SNMP configuration, several foundational elements must be in place:

  • MIB Files: Administrators must compile Fortinet and FortiSwitch Management Information Base (MIB) files, which provide the SNMP manager with necessary context to interpret trap, event, and query messages from the FortiSwitch SNMP agent. These files are available for download through the FortiGate interface at System > Config > SNMP > Settings.

  • Network Accessibility: The monitoring system must have network access to the FortiLink interface, which may involve routing configuration if the SNMP manager resides in a different subnet than the FortiSwitch management network.

  • Firewall Policy Planning: Since all SNMP traffic traverses the FortiGate, appropriate firewall policies must be created to permit SNMP polling and trap communication between monitoring systems and the FortiSwitch units.

Step-by-Step Configuration Guide

Global vs. Local Configuration Approaches

FortiSwitch SNMP can be configured at two distinct levels: globally (applying to all managed switches) or locally (applying to individual switches). The global approach ensures consistency across the switching infrastructure but may not accommodate devices with unique monitoring requirements.

For most environments, starting with global configuration is recommended. However, as noted in implementation guides, administrators can override global settings for specific switches when necessary. This hierarchical approach provides both standardization and flexibility.

Critical Configuration Steps

  1. Firewall Policy Configuration: A firewall policy must be created on the FortiGate to allow SNMP traffic through the FortiLink interface. This step is essential yet frequently overlooked, as mentioned in community troubleshooting posts where administrators couldn't enable SNMP on active FortiLink interfaces.

    config firewall policy
      edit <policy_ID>
        set name <policy_name>
        set srcintf <FortiGate port to SNMP server>
        set dstintf <FortiLink port to FortiSwitch>
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "SNMP"
      next
    end

  2. Access Control Configuration: SNMP must be added to the appropriate allowaccess settings depending on your network architecture:

    • For standard deployments: Add SNMP to internal-allowaccess
    • For layer-3 networks with out-of-band management: Add SNMP to mgmt-allowaccess
    config switch-controller security-policy local-access
      edit "default"
        set internal-allowaccess ping https ssh snmp
      next
    end

  3. SNMP Community Configuration: Define the SNMP community string and specify which hosts can query the switch and receive traps:

    config switch-controller snmp-community
      edit 1
        set name "your-community-string"
        config hosts
          edit 1
            set ip <NMS_IP_address>
          next
        end
        set query-v2c-status enable
        set trap-v2c-status enable
        set events cpu-high mem-low log-full intf-ip ent-conf-change
      next
    end

  4. System Information Configuration: Set basic SNMP system details for identification in monitoring systems:

    config switch-controller snmp-sysinfo
      set status enable
      set description "Core Switch - Data Center Rack A"
      set contact-info "netops@company.com"
      set location "Data Center A, Row 3"
    end

Port Configuration Reference

| Port Type             | Default Port | Configurable Range | Purpose                               |
|-----------------------|--------------|--------------------|---------------------------------------|
| SNMP Query Port       | 161          | 0-65535            | SNMP get requests from managers       |
| SNMP Trap Local Port  | 162          | 0-65535            | Source port for traps from switch     |
| SNMP Trap Remote Port | 162          | 0-65535            | Destination port for traps to manager |

Advanced SNMP Features and Integrations

SNMPv3 Configuration for Enhanced Security

For environments requiring higher security, FortiSwitch supports SNMPv3 with authentication and encryption options. Starting in FortiSwitchOS 7.0.0, administrators can configure SNMPv3 users with varying security levels:

config switch-controller snmp-user
  edit "snmpv3-admin"
    set queries enable
    set query-port 161
    set security-level auth-priv
    set auth-proto sha256
    set auth-pwd <authentication_password>
    set priv-proto aes256
    set priv-pwd <encryption_password>
  next
end

Available security levels include:

  • auth-priv: Authentication and encryption (most secure)
  • auth-no-priv: Authentication without encryption
  • no-auth-no-priv: No authentication or encryption (similar to v2c)

MAC Address Change Traps (FortiOS 7.6.0+)

A significant enhancement in FortiOS 7.6.0 is the ability to configure SNMP traps for layer-2 MAC address changes. This feature enables real-time monitoring of MAC address movements, additions, and deletions—critical for security monitoring and network troubleshooting.

To enable MAC address change traps:

  1. Add the l2mac event to your SNMP community configuration
  2. Enable MAC event logging on switch ports (for ports with static access mode):
    config switch-controller managed-switch
      edit <FortiSwitch_serial_number>
        config ports
          edit port10
            set log-mac-event enable
          next
        end
      next
    end

Integration with Network Monitoring Systems

FortiSwitch SNMP integrates with enterprise monitoring platforms like LogicMonitor, Auvik, and FortiNAC. The FortiNAC integration guide emphasizes that SNMP serves as a primary method for endpoint connectivity notification, working alongside syslog and RADIUS for comprehensive network visibility.

When integrating with FortiNAC, specific requirements include:

  • FortiNAC version 9.2.7+ for MAC notification trap support
  • FortiOS 7.2+ for full feature compatibility
  • Valid IP addresses (not 169.x.x.x link-local) for switches sending SNMP traps

Key SNMP OIDs for FortiSwitch Monitoring

Essential Performance and Status OIDs

Three critical OIDs were added in FortiOS 7.0.1 to report FortiSwitch port status, CPU, and memory statistics:

| OID                               | Description                                | Example Query                                                                              |
|-----------------------------------|--------------------------------------------|--------------------------------------------------------------------------------------------|
| 1.3.6.1.4.1.12356.101.24.1.1.1.11 | Percentage of CPU being used               | snmpwalk -v2c -c community 172.16.200.1 1.3.6.1.4.1.12356.101.24.1.1.1.11.2.8.17000032     |
| 1.3.6.1.4.1.12356.101.24.1.1.1.12 | Percentage of memory being used            | snmpwalk -v2c -c community 172.16.200.1 1.3.6.1.4.1.12356.101.24.1.1.1.12.2.8.17000032     |
| 1.3.6.1.4.1.12356.101.24.2.1.1.6  | Managed FortiSwitch port status (up/down)  | snmpwalk -v2c -c community 172.16.200.1 1.3.6.1.4.1.12356.101.24.2.1.1.6.2.8.17000032.1    |

These OIDs require FortiSwitchOS 7.0.0 or higher and properly configured FortiLink and SNMP on the FortiGate device.

Threshold-Based Trapping

FortiSwitch can generate traps based on configurable thresholds for system resources:

config switch-controller snmp-trap-threshold
  set trap-high-cpu-threshold 80
  set trap-low-memory-threshold 80
  set trap-log-full-threshold 90
end

Default thresholds are set at 80% for high CPU and low memory conditions, and 90% for log fullness. These thresholds can be adjusted globally or overridden for specific switches.
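The OID table above and the trap thresholds in this section are easier to work with when the snmpwalk output is parsed rather than read by eye. The following Python script is an added example, not code from the article or from Fortinet: it parses net-snmp style output lines for the three FortiSwitch OIDs, groups the values by switch instance and port index, and compares CPU and memory usage against the 80% defaults. The sample walk output is constructed (the instance suffix 2.8.17000032 is copied from the article's example queries, the values are invented), and the choice to treat the low-memory threshold as "used-memory percent above the threshold" is an assumption, as is the "greater than" comparison; the port status integers are left uninterpreted because the article does not state the enumeration.

```python
import re

# FortiSwitch OIDs added in FortiOS 7.0.1 (from the article's OID table)
CPU_PCT_OID = "1.3.6.1.4.1.12356.101.24.1.1.1.11"
MEM_PCT_OID = "1.3.6.1.4.1.12356.101.24.1.1.1.12"
PORT_STATUS_OID = "1.3.6.1.4.1.12356.101.24.2.1.1.6"

# Defaults from the snmp-trap-threshold section. Assumption: the low-memory trap
# corresponds to used-memory percent rising above this value.
DEFAULT_HIGH_CPU = 80
DEFAULT_LOW_MEMORY = 80

# Constructed sample output in net-snmp's numeric form (no MIBs loaded). The
# instance suffix comes from the article's example queries; values are invented.
SAMPLE_WALK = """\
iso.3.6.1.4.1.12356.101.24.1.1.1.11.2.8.17000032 = INTEGER: 12
iso.3.6.1.4.1.12356.101.24.1.1.1.12.2.8.17000032 = INTEGER: 86
iso.3.6.1.4.1.12356.101.24.2.1.1.6.2.8.17000032.1 = INTEGER: 1
iso.3.6.1.4.1.12356.101.24.2.1.1.6.2.8.17000032.2 = INTEGER: 2
"""

LINE_RE = re.compile(r"^\s*(?P<oid>\S+)\s*=\s*(?P<type>[A-Za-z0-9]+):\s*(?P<val>.*?)\s*$")


def normalise_oid(oid):
    """Turn net-snmp's 'iso.3.6...' or '.1.3.6...' spellings into '1.3.6...'."""
    oid = oid.strip()
    if oid.startswith("iso."):
        oid = "1." + oid[4:]
    return oid.lstrip(".")


def parse_walk(text):
    """Return [(oid, type, value), ...] for every 'oid = TYPE: value' line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((normalise_oid(m["oid"]), m["type"], m["val"]))
    return rows


def _instances(rows, base):
    """Map index suffix -> integer value for every row under the base OID."""
    out = {}
    for oid, _type, val in rows:
        if oid.startswith(base + "."):
            out[oid[len(base) + 1:]] = int(val.split()[0])
    return out


def evaluate(rows, high_cpu=DEFAULT_HIGH_CPU, low_memory=DEFAULT_LOW_MEMORY):
    """Group values by switch instance and port, and list threshold breaches."""
    cpu = _instances(rows, CPU_PCT_OID)
    mem = _instances(rows, MEM_PCT_OID)
    ports = {}
    for idx, status in _instances(rows, PORT_STATUS_OID).items():
        switch, _, port = idx.rpartition(".")   # last component is the port index
        ports.setdefault(switch, {})[port] = status
    alerts = []
    for sw, pct in cpu.items():
        if pct > high_cpu:
            alerts.append(f"switch {sw}: CPU {pct}% above {high_cpu}%")
    for sw, pct in mem.items():
        if pct > low_memory:
            alerts.append(f"switch {sw}: memory {pct}% above {low_memory}%")
    return {"cpu": cpu, "memory": mem, "ports": ports, "alerts": alerts}


if __name__ == "__main__":
    result = evaluate(parse_walk(SAMPLE_WALK))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Feed it real output by piping `snmpwalk -v2c -c <community> <fortigate> 1.3.6.1.4.1.12356.101.24` into `parse_walk`; because the switch updates CPU and memory only every 30 seconds, polling the two percentage OIDs more often than that returns the same values.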

Troubleshooting Common SNMP Issues

A common issue documented in community forums involves the inability to modify allowaccess settings on an active FortiLink interface. The solution, confirmed by multiple sources, requires CLI configuration since the GUI restricts these changes on active FortiLink interfaces.

The Tindale.io implementation guide clarifies that SNMP does work over the default 169.254.0.0/16 link-local network, contrary to some assumptions. However, your Network Management System (NMS) must have routing access to this network space if using the default addressing.

Connectivity Verification Checklist

When SNMP queries fail, follow this systematic troubleshooting approach:

  1. Verify firewall policies: Ensure policies exist allowing SNMP traffic (UDP 161/162) from your NMS to the FortiLink interface
  2. Check access controls: Confirm SNMP is included in the internal-allowaccess setting for your security policy
  3. Validate community configuration: Ensure the community string matches between your NMS and FortiSwitch configuration
  4. Test network connectivity: Verify the NMS can reach the FortiSwitch management IP (ping test)
  5. Confirm SNMP service status: Check that SNMP sysinfo status is enabled globally and/or locally

Community-Tested Solutions

Based on real-world implementations shared in the Reddit community and technical blogs, several approaches have proven effective:

  • When facing persistent SNMP connectivity issues, some administrators have successfully implemented a dedicated management VLAN for SNMP traffic, separating monitoring traffic from regular FortiLink communication
  • For complex environments, configuring SNMP locally on problem switches rather than relying solely on global settings has resolved inconsistent monitoring
  • Implementing SNMPv3 even when not strictly required for security has sometimes resolved v2c compatibility issues with certain monitoring systems

Best Practices for FortiSwitch SNMP Deployment

Security Considerations

While FortiSwitch SNMP is read-only, proper security measures remain essential:

  1. Use unique community strings: Avoid default public/private strings
  2. Implement ACLs: Restrict SNMP access to specific management hosts only
  3. Consider SNMPv3: For sensitive environments, implement authentication and encryption
  4. Regularly review configurations: Periodically audit SNMP settings as part of security reviews
  5. Segment monitoring traffic: When possible, use dedicated management networks for SNMP
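The Connectivity Verification Checklist and the security points above can both be checked offline against a saved copy of the FortiGate configuration. The following Python script is an added example and not code from the article or from Fortinet: it parses the `config / edit / set / next / end` structure of the four configuration steps in this guide into nested dictionaries, then reports any step that is missing or weak (no accept policy carrying the SNMP service towards the FortiLink interface, snmp absent from allowaccess, a default community string, no hosts or more than the 8 trap hosts the article states, query-v2c-status off, an SNMPv3 user at no-auth-no-priv, sysinfo disabled). The sample configuration text is constructed, and the interface name `fortilink`, the policy id, the community string and the NMS address in it are invented values.

```python
import shlex

MAX_TRAP_HOSTS = 8                      # per-switch trap-host ceiling from the article
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample config: the four steps from this guide, with invented values
# (policy id, interface names, community string, NMS address).
GOOD_CONFIG = """
config firewall policy
  edit 10
    set name "nms-to-fortilink-snmp"
    set srcintf "port1"
    set dstintf "fortilink"
    set action accept
    set srcaddr "all"
    set dstaddr "all"
    set schedule "always"
    set service "SNMP"
  next
end
config switch-controller security-policy local-access
  edit "default"
    set internal-allowaccess ping https ssh snmp
  next
end
config switch-controller snmp-community
  edit 1
    set name "nms-ro-k3x"
    config hosts
      edit 1
        set ip 10.10.20.5
      next
    end
    set query-v2c-status enable
    set trap-v2c-status enable
    set events cpu-high mem-low log-full intf-ip ent-conf-change
  next
end
config switch-controller snmp-sysinfo
  set status enable
end
"""

# Constructed counter-example derived from the good config: wrong service on the
# policy, snmp dropped from allowaccess, default community string, sysinfo off.
BAD_CONFIG = (GOOD_CONFIG.replace('"SNMP"', '"HTTPS"')
              .replace("ssh snmp", "ssh")
              .replace('"nms-ro-k3x"', '"public"')
              .replace("set status enable", "set status disable"))


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into nested dicts; 'set' values
    stay as token lists because many FortiOS keys take several values."""
    stack = [{}]
    for raw in text.splitlines():
        parts = shlex.split(raw)          # handles the quoted values
        if not parts:
            continue
        if parts[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(parts[1:]), {}))
        elif parts[0] == "set":
            stack[-1][parts[1]] = parts[2:]
        elif parts[0] in ("next", "end"):
            stack.pop()
    return stack[0]


def audit_snmp(cfg, fortilink_intf="fortilink"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    policies = cfg.get("firewall policy", {}).values()
    if not any(p.get("action") == ["accept"] and "SNMP" in p.get("service", [])
               and fortilink_intf in p.get("dstintf", []) for p in policies):
        findings.append(f"no accept policy with service SNMP towards {fortilink_intf}")
    access = cfg.get("switch-controller security-policy local-access", {}).get("default", {})
    if "snmp" not in access.get("internal-allowaccess", []) + access.get("mgmt-allowaccess", []):
        findings.append("snmp missing from internal-allowaccess/mgmt-allowaccess")
    for cid, comm in cfg.get("switch-controller snmp-community", {}).items():
        name = (comm.get("name") or [""])[0]
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"community {cid} uses default string '{name}'")
        hosts = comm.get("hosts", {})
        if not hosts:
            findings.append(f"community {cid} has no hosts: nothing can query or receive traps")
        elif len(hosts) > MAX_TRAP_HOSTS:
            findings.append(f"community {cid} has {len(hosts)} hosts, limit is {MAX_TRAP_HOSTS}")
        if comm.get("query-v2c-status") != ["enable"]:
            findings.append(f"community {cid}: query-v2c-status not enabled")
    for uid, user in cfg.get("switch-controller snmp-user", {}).items():
        if user.get("security-level") == ["no-auth-no-priv"]:
            findings.append(f"snmp-user {uid} has neither authentication nor encryption")
    if cfg.get("switch-controller snmp-sysinfo", {}).get("status") != ["enable"]:
        findings.append("snmp-sysinfo status is not enabled")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit_snmp(parse_fortios(text)) or ["OK"])
```

Run it against the output of `show firewall policy`, `show switch-controller security-policy local-access`, `show switch-controller snmp-community` and `show switch-controller snmp-sysinfo` pasted into one file; the parser only understands the block keywords the article's snippets use, so pass `fortilink_intf` explicitly if your FortiLink interface is not named `fortilink`.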

Performance Optimization

To ensure SNMP monitoring doesn't impact switch performance:

  • Schedule intensive SNMP walks during off-peak hours
  • Adjust polling intervals based on criticality—more frequent for core devices, less for edge switches
  • Utilize traps for alerting rather than constant polling for state changes
  • Monitor the impact of SNMP on FortiGate CPU when managing large switch fabrics

Documentation Strategy

Maintain comprehensive documentation including:

  • Community strings and associated access controls
  • Trap destinations and thresholds
  • Custom OIDs being monitored
  • Integration points with NMS and SIEM systems
  • Change history for SNMP configuration modifications

Frequently Asked Questions

This common issue occurs because the GUI restricts modifications to allowaccess settings on active FortiLink interfaces. The solution requires using the CLI to configure SNMP access through the switch-controller security-policy local-access command. As confirmed in community discussions, once FortiLink is enabled, certain interface modifications must be performed via command line rather than the web interface.

What's the difference between global and local SNMP configuration?

Global configuration applies settings to all managed FortiSwitch units from the FortiGate, ensuring consistency across your switching infrastructure. Local configuration allows you to override global settings for specific switches by entering their serial number in the managed-switch configuration. This is useful for switches with unique monitoring requirements or when troubleshooting specific devices.

Can I use SNMPv3 with FortiSwitch?

Yes, FortiSwitch supports SNMPv3 starting from FortiSwitchOS 7.0.0. You can configure SNMPv3 users with authentication (MD5, SHA variants) and privacy (DES, AES variants) protocols. The configuration is done through the switch-controller snmp-user command, where you can set security levels ranging from no-auth-no-priv (similar to v2c) to auth-priv (authenticated and encrypted).

What are the most important OIDs for monitoring FortiSwitch performance?

The three essential OIDs added in FortiOS 7.0.1 are: CPU usage (1.3.6.1.4.1.12356.101.24.1.1.1.11), memory usage (1.3.6.1.4.1.12356.101.24.1.1.1.12), and port status (1.3.6.1.4.1.12356.101.24.2.1.1.6). These require FortiSwitchOS 7.0.0+ and properly configured FortiLink and SNMP. FortiSwitch updates CPU/memory stats every 30 seconds, which cannot be adjusted.

How do MAC address change traps work in FortiOS 7.6.0+?

Starting in FortiOS 7.6.0, you can configure SNMP traps to monitor layer-2 MAC address changes (additions, moves, deletions) on FortiSwitch ports. This is configured by adding the l2mac event to your SNMP community and enabling log-mac-event on individual ports. Note that this applies only to dynamic MAC addresses on ports without static access mode configuration.