Monitor FortiGate firewalls
Automate the monitoring and management of your Fortinet FortiGate infrastructure to provide visibility and help ensure service availability.
Ensure that services dependent on your firewall are available:
- Monitor VPN tunnels: to guarantee connectivity between sites. Monitor the tunnel status, bandwidth usage, and information about completed phases. View user sessions on remote access tunnels.
- Monitor High Availability: Detect failovers and keep track of FortiGate high availability status.
- Monitor Virtual Domain (VDOM): Monitor virtual domains of FortiGate firewall devices.
Out-of-the-box alerts
- High Availability on Fortigate Firewall is not up for Fortigate
- High Availability on Fortigate Firewall is not in sync
- Site-to-Site (L2L) VPN tunnel down for Fortigate
Out-of-the-box reports
- VPN Site-to-Site Tunnel History - Last 30 Days
- VPN Remote Access Tunnel History - Last 30 Days
Requirements
Fortinet FortiGate firewalls are supported from FortiOS 6.4.0 and above. See SNMP polling extensions to support new OIDs 6.4.2.
Monitor VPN tunnels
Get basic visibility into your nodes so that you can troubleshoot tunnels with issues.
- Log in to the SolarWinds Platform Web Console.
- On the Summary view, locate and click your FortiGate firewall node to go to the Node Details view.
- Click the Site-to-Site VPN or remote access VPN icon in the subviews menu on the left side of the SolarWinds Platform Web Console.
Add tunnels for monitoring
When adding FortiGate nodes for monitoring, all available Site-to-Site tunnels are listed in the List Resources step. See Add a single node for monitoring.
By default, only up tunnels are selected for monitoring. If you want to monitor a tunnel that is currently down, select it manually.
To change monitored Site-to-Site tunnels for a node, go to the Node Details widget and click List Resources. Adjust the Site-to-Site tunnels to be monitored.
Tunnel status
The Site-to-Site VPN tunnel status reflects the success or failure of the following phases.
- In phase 1, a secure communication channel between VPN peers is set up. This includes encryption, authentication, and key exchange parameters. If phase 1 fails, the tunnel cannot be established.
- In phase 2, the actual data transfer parameters (encryption and hashing algorithms for traffic) are negotiated. This phase defines what traffic is allowed through the channel.
| Phase 1 status | Phase 2 status | Tunnel status |
|---|---|---|
| Up | All Up | Up |
| Up | Up and Down | Up |
| Unknown | All Down | Down |
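The status table above can be expressed as a small decision function. The following is an added example, not SolarWinds code: it collapses per-selector phase 2 states into the table's wording, derives the tunnel status, and records the last successfully completed phase (the value the Site-to-Site status widget shows for down tunnels). It generalizes the table slightly: a phase 1 that is not Up yields Down regardless of phase 2, and a phase 1 Up with no phase 2 SA up is assumed to be Down (that row is not in the table).

```python
from dataclasses import dataclass
from enum import Enum


class Phase(Enum):
    UP = "Up"
    DOWN = "Down"
    UNKNOWN = "Unknown"


@dataclass(frozen=True)
class TunnelStatus:
    status: str                # "Up" or "Down", the Tunnel status column
    phase2_summary: str        # "All Up", "Up and Down", "All Down" or "None"
    last_completed_phase: int  # 0, 1 or 2: last phase that completed successfully


def summarize_phase2(sa_states: list[Phase]) -> str:
    """Collapse the per-SA phase 2 states into the wording used by the table."""
    if not sa_states:
        return "None"
    ups = sum(1 for s in sa_states if s is Phase.UP)
    if ups == len(sa_states):
        return "All Up"
    if ups == 0:
        return "All Down"
    return "Up and Down"


def tunnel_status(phase1: Phase, sa_states: list[Phase]) -> TunnelStatus:
    summary = summarize_phase2(sa_states)
    # Phase 1 must succeed before any phase 2 parameters can be negotiated,
    # so anything other than Up at phase 1 means the tunnel is Down.
    if phase1 is not Phase.UP:
        return TunnelStatus("Down", summary, 0)
    # Per the table, at least one phase 2 SA up keeps the tunnel Up.
    if summary in ("All Up", "Up and Down"):
        return TunnelStatus("Up", summary, 2)
    # Assumption (row not in the table): phase 1 up but no phase 2 SA up is Down,
    # and phase 1 is the last phase that completed successfully.
    return TunnelStatus("Down", summary, 1)


def describe(name: str, ts: TunnelStatus) -> str:
    """Render the status line a widget or alert could display for a tunnel."""
    if ts.status == "Up":
        return f"Tunnel {name} is Up (phase 2: {ts.phase2_summary})"
    return (f"Tunnel {name} is Down; last phase completed successfully: "
            f"{ts.last_completed_phase}")
```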
Polling
FortiGate node status is polled every two minutes. Statistics are polled every ten minutes.
You can change the polling frequencies by editing the node. See Edit node properties.
Site-to-Site VPN
Site-to-Site VPN provides information about office-to-office tunnels.
Review the list of Site-to-Site VPN tunnels on the device. Use the search and filter options to find a Site-to-Site VPN tunnel and see more details.
Click the star icon to add a Site-to-Site VPN tunnel to favorites that are featured on the Node Details - Summary view.
Status information
- If the tunnel is down, see the information about the last phase completed successfully.
- For up tunnels, see the encryption, hashing info, in and out traffic, and the duration of the tunnel.
Remote access VPN
On the Remote access VPN subview, you can see a list of remote access tunnels, with the user name and tunnel duration details.
By default, non-existent or dead tunnels are removed after thirty days.
Search for tunnels, or filter results to find specific tunnels.
Monitor high availability
To monitor high availability for your FortiGate nodes, go to the Node Details view, click the Platform submenu, and review the High Availability widget.
Enable monitoring high availability
When adding FortiGate nodes for monitoring, select High Availability Information in the List Resources step. See Add a single node for monitoring.
To enable high availability monitoring on already monitored FortiGate nodes, go to the Node Details widget and click List Resources. Ensure that the High Availability Information box is selected.
High availability (HA) modes
Polling high availability is enabled only when FortiGate is configured in Active-Passive or Active-Active modes. It is disabled in standalone deployments.
Active-Passive (A-P)
- One FortiGate firewall operates as active, while the other remains in standby mode.
- If the primary device encounters an issue, the secondary device automatically takes over.
- Polling occurs when the firewall is configured in Active-Passive mode.
Active-Active (A-A)
- Both FortiGate firewalls actively process traffic for load balancing.
- Polling occurs when the firewall is configured in Active-Active mode.
Standalone
- A single FortiGate unit operates independently without redundancy.
- Polling does not occur in standalone mode.
Monitor virtual domains
To monitor virtual domains (VDOMs) on your FortiGate nodes, go to the Node Details view and click the Platform submenu. You can review monitored virtual domains on the node in the Virtual Domains widget.
Enable monitoring virtual domains
When adding FortiGate nodes for monitoring, all available virtual domains are listed in the List Resources step. See Add a single node for monitoring.
To change monitored virtual domains for a node, go to the Node Details widget and click List Resources. Adjust the virtual domains to be monitored.