FortiCache 4.0.1 Administration Guide

Configuration

This section provides features for configuring and viewing advanced network settings, such as HA cluster and interface settings, SNMPv1/v2 and v3, FortiGuard Web Filtering settings, replacement messages, and messaging servers. This section describes:

- High availability
- SNMP settings
- Replacement messages
- FortiGuard settings
- Disk management
- Features

High availability

FortiCache HA provides a system management solution which synchronizes configuration changes among the clustering members. You can fine-tune the performance of the HA cluster to change how a cluster forms and shares information among clustering members.

The HA heartbeat keeps cluster units communicating with each other. The heartbeat consists of hello packets that are sent at regular intervals by the heartbeat interface of all cluster units. These hello packets describe the state of the cluster unit and are used by other cluster units to keep all the units synchronized.

HA heartbeat packets are non-TCP packets that use Ethertype values 0x8890, 0x8891, and 0x8890. The default time interval between HA heartbeats is 200 ms.
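
Added example, not part of the original guide: the Python below classifies captured Ethernet frames by the heartbeat Ethertypes listed above and reports any cluster unit whose heartbeats stop for longer than a chosen number of 200 ms intervals. The `missed` threshold, the `build_frame` helper, the MAC addresses and the sample capture are constructed for illustration.

```python
import struct

HA_ETHERTYPES = {0x8890, 0x8891}   # heartbeat Ethertypes listed in the guide
HEARTBEAT_MS = 200                 # default heartbeat interval from the guide
VLAN_TPIDS = {0x8100, 0x88A8}      # 802.1Q / 802.1ad tags to skip over

def ethertype(frame):
    """Return the payload Ethertype of a raw Ethernet frame, or None if truncated."""
    offset = 12                            # after destination and source MAC
    while len(frame) >= offset + 2:
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in VLAN_TPIDS:
            return etype
        offset += 4                        # skip the 4-byte VLAN tag
    return None

def heartbeat_gaps(capture, missed=3):
    """capture: (timestamp_ms, frame) pairs in time order.
    Returns (sender_mac, last_seen_ms, resumed_ms) for every silence longer
    than `missed` intervals; `missed` is a hypothetical alert threshold."""
    last_seen, gaps = {}, []
    for ts, frame in capture:
        if ethertype(frame) not in HA_ETHERTYPES:
            continue                       # ordinary traffic is not a heartbeat
        src = frame[6:12].hex(":")
        if src in last_seen and ts - last_seen[src] > missed * HEARTBEAT_MS:
            gaps.append((src, last_seen[src], ts))
        last_seen[src] = ts
    return gaps

def build_frame(src, etype, vlan=None):
    """Constructed test frame: broadcast destination, zero-filled payload."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return b"\xff" * 6 + bytes.fromhex(src) + tag + struct.pack("!H", etype) + bytes(46)

A, B = "020000000001", "020000000002"      # constructed cluster-unit MACs
SAMPLE = [(t, build_frame(A, 0x8890)) for t in range(0, 1600, 200)]
SAMPLE[2] = (400, build_frame(A, 0x8891, vlan=10))   # VLAN-tagged heartbeat
SAMPLE += [(0, build_frame(B, 0x8890)), (200, build_frame(B, 0x8890)),
           (600, build_frame(B, 0x0800)),            # IPv4, must be ignored
           (1400, build_frame(B, 0x8890))]
SAMPLE.sort(key=lambda item: item[0])

if __name__ == "__main__":
    for mac, last, resumed in heartbeat_gaps(SAMPLE):
        print(f"{mac}: no heartbeat between {last} ms and {resumed} ms")
```
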

Your FortiCache can be configured as a Standalone unit or you can pair multiple FortiCache devices in an Active-Active HA cluster for load balancing and failover protection. To configure HA and cluster settings, or to view the cluster member list, select System > Config > HA.

Configure the following settings:

Mode: Enter the mode. Select Standalone or Active-Active from the drop-down menu.
Device Priority: You can set a different device priority for each cluster member to control the order in which cluster units become the primary unit when the primary unit fails. The device with the highest device priority becomes the primary unit. The default value is 128.

Cluster Settings

Group Name: Use the group name to identify the cluster.
Password: Enter a password to identify the HA cluster. The maximum password length is 15 characters. The password must be the same for all cluster FortiCache units before the FortiCache units can form the HA cluster. The default is no password. When the cluster is operating, you can add a password, if required. Two clusters on the same network must have different passwords.
Port Monitor: Select the specific ports to monitor.
Heartbeat Interface: Select to enable or disable the HA heartbeat communication for each interface in the cluster, then set the heartbeat interface priority. The heartbeat interface with the highest priority processes all heartbeat traffic. You must select at least one heartbeat interface. If the interface functioning as the heartbeat fails, the heartbeat is transferred to another interface configured as a heartbeat interface. If heartbeat communication is interrupted, the cluster stops processing traffic. Priority ranges from 0 to 512.

SNMP settings

The Simple Network Management Protocol (SNMP) allows you to monitor hardware on your network. You can configure the hardware, such as the FortiCache SNMP agent, to report system information and traps.

SNMP traps alert you to events that happen, such as a log disk becoming full, or a virus being detected. These traps are sent to the SNMP managers. An SNMP manager (or host) is typically a computer running an application that can read the incoming traps and event messages from the agent, and send out SNMP queries to the SNMP agents. A FortiManager unit can act as an SNMP manager to one or more FortiCache units.

By using an SNMP manager, you can access SNMP traps and data from any FortiCache interface configured for SNMP management access. Part of configuring an SNMP manager is to list it as a host in a community on the FortiCache unit it will be monitoring. Otherwise, the SNMP monitor will not receive any traps from, and be unable to query, that FortiCache unit.

When using SNMP, you must also ensure you have added the correct Management Information Base (MIB) files to the unit, regardless of whether or not your SNMP manager already includes standard and private MIBs in a ready to use, compiled database. A MIB is a text file that describes a list of SNMP data objects used by the SNMP manager. See for more information.

The FortiCache SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read-only access to FortiCache system information through queries, and can receive trap messages from the unit.

The FortiCache SNMP v3 implementation includes support for queries, traps, authentication, and privacy. Authentication and encryption are configured in the CLI.

SNMP configuration

Before a remote SNMP manager can connect to the FortiCache agent, you must configure one or more FortiCache interfaces to accept SNMP connections. Interfaces are configured in System > Network > Interface, see Interfaces on page 22.

The following are SNMP configuration settings in System > Config > SNMP.

Configure the following settings:

SNMP Agent: Enable the FortiCache SNMP agent.
Description: Enter descriptive information about the unit. The description can be up to 35 characters long.
Location: Enter the physical location of the unit. The system location description can be up to 35 characters long.
Contact: Enter the contact information for the person responsible for this unit. The contact information can be up to 35 characters.
Apply: Saves changes made to the description, location, and contact information.

SNMP v1/v2c: Lists the communities for SNMP v1/v2c. From within this section you can create, edit or remove SNMP communities.
  Create New: Creates a new SNMP community. When you select Create New, you are automatically redirected to the New SNMP Community page. See .
  Edit: Modifies settings within an SNMP community. When you select Edit, you are automatically redirected to the Edit SNMP Community page.
  Delete: Removes an SNMP community from the list. To remove multiple SNMP communities from the list, select all the rows you want removed, then select Delete. To remove all communities from the list, select the check box in the check box column and then select Delete.
  Community Name: The name of the community.
  Queries: Indicates whether query protocols (v1 and v2c) are enabled or disabled. A green checkmark indicates that queries are enabled; a gray x indicates that queries are disabled. If one query is disabled and another one enabled, there will still be a green checkmark.
  Traps: Indicates whether trap protocols (v1 and v2c) are enabled or disabled. A green checkmark indicates that traps are enabled; a gray x indicates that traps are disabled. If one query is disabled and another one enabled, there will still be a green checkmark.
  Enable: Select the check box to enable or disable the community.

SNMP v3: Lists the SNMPv3 users. From within this section, you can edit, create or remove an SNMPv3 user.
  Create New: Creates a new SNMPv3 user. When you select Create New, you are automatically redirected to the Create New SNMPv3 User page.
  Edit: Modifies settings within the SNMPv3 user. When you select Edit, you are automatically redirected to the Edit SNMPv3 User page.
  Delete: Removes an SNMPv3 user from the page. To remove multiple SNMPv3 users from the list, select all the rows you want removed, then select Delete. To remove all users from the list, select the check box in the check box column and then select Delete.
  User Name: The name of the SNMPv3 user.
  Security Level: The security level of the user.
  Notification Host: The IP address or addresses of the host.
  Queries: Indicates whether queries are enabled or disabled. A green checkmark indicates that queries are enabled; a gray x indicates that queries are disabled.

FortiCache SNMP MIB: Download the FortiCache MIB file by selecting Download FortiCache MIB File. See Fortinet MIBs on page 36.

SNMP agent

The FortiCache SNMP agent must be enabled before configuring other SNMP options. Enter information about the FortiCache unit to identify it so that when your SNMP manager receives traps from the FortiCache unit, you will know which unit sent the information.

To configure the SNMP agent:

  1. Go to System > Config > SNMP.
  2. Enable the SNMP agent by selecting Enable in the SNMP Agent
  3. Enter a descriptive name for the agent and the location of the FortiCache unit.
  4. Enter a contact or administrator for the SNMP Agent or FortiCache unit.
  5. Select Apply.

To configure the SNMP agent with the CLI:

Enter the following CLI commands:

config system snmp sysinfo
    set status enable
    set contact-info <contact_information>
    set description <description_of_FortiCache>
    set location <FortiCache_location>
end

Manage SNMP communities

An SNMP community is a grouping of devices for network administration purposes. Within that SNMP community, devices can communicate by sending and receiving traps and other information. One device can belong to multiple communities, such as one administrator terminal monitoring both a firewall SNMP and a printer SNMP community.

Add SNMP communities to your FortiCache unit so that SNMP managers can view system information and receive SNMP traps. You can add up to three SNMP communities. Each community can have a different configuration for SNMP queries and traps, and can be configured to monitor the FortiCache unit for a different set of events. You can also add the IP addresses of up to 8 SNMP managers to each community.

Selecting Create New on the SNMP v1/v2c table opens the New SNMP Community page, which provides settings for configuring a new SNMP community. Selecting a community from the list opens the Edit SNMP Community page.

Configure the following settings:

 

Community Name: Enter a name to identify the SNMP community.

Hosts: Settings for configuring the hosts of an SNMP community.
  IP Address / Netmask: Enter the IP address / netmask of the SNMP managers that can use the settings in this SNMP community to monitor the unit. You can also set the IP address to 0.0.0.0 so that any SNMP manager can use this SNMP community.
  Interface: Optionally select the name of the interface that this SNMP manager uses to connect to the unit. You only have to select the interface if the SNMP manager is not on the same subnet as the unit. This can occur if the SNMP manager is on the Internet or behind a router.
  Delete: Removes an SNMP manager from the list within the Hosts section.
  Add: Select to add a blank line to the Hosts list. You can add up to eight SNMP managers to a single community.

Queries: Settings for configuring ports for both v1 and v2c.
  Protocol: The SNMP protocol.
  Port: Enter the port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the unit. The SNMP client software and the unit must use the same port for queries.
  Enable: Select to activate queries for the SNMP version.

Traps: Settings for configuring local and remote ports for both v1 and v2c.
  Protocol: The SNMP protocol.
  Local: Enter the remote port numbers (162 by default) that the unit uses to send SNMP v1 or SNMP v2c traps to the SNMP managers in this community. The SNMP client software and the unit must use the same port for traps.
  Remote: Enter the remote port number (162 by default) that the unit uses to send SNMP traps to the SNMP managers in this community. The SNMP client software and the unit must use the same port for traps.
  Enable: Select to activate traps for each SNMP version.

SNMP Event: Enable each SNMP event for which the unit should send traps to the SNMP managers in this community. Notes:
  - The CPU Overusage traps sensitivity is slightly reduced, by spreading values out over 8 polling cycles. This prevents sharp spikes due to CPU intensive short-term events such as changing a policy.
  - The PowerSupply Failure event trap is available only on some models.
  - The AMC interfaces enter bypass mode event trap is available only on models that support AMC modules.
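
Added example, not part of the original guide or Fortinet's own tooling: a Python check that reads the community section of a saved configuration and reports host entries that admit any SNMP manager (IP address 0.0.0.0, as described for the IP Address / Netmask setting) or a whole address range. It assumes the backup uses the FortiOS-style `config system snmp community` / `config hosts` / `set ip <address> <netmask>` layout, which should be confirmed against the unit's CLI reference; the community name and addresses in the sample are constructed.

```python
import ipaddress

def parse_communities(text):
    """Return {community_name: [IPv4Network, ...]} from a community block."""
    communities, name, hosts, in_hosts = {}, None, [], False
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] in ("config", "end"):
            in_hosts = tok[1:2] == ["hosts"]     # true only after "config hosts"
        elif tok[0] == "edit" and not in_hosts:
            name, hosts = tok[1], []             # entry id until a name is set
        elif tok[:2] == ["set", "name"] and not in_hosts:
            name = " ".join(tok[2:]).strip('"')
        elif tok[:2] == ["set", "ip"] and in_hosts:
            hosts.append(ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False))
        elif tok[0] == "next" and not in_hosts:
            communities[name] = hosts
    return communities

def audit_hosts(communities):
    """Return (community, network, reason) for each over-broad host entry."""
    findings = []
    for name, hosts in communities.items():
        for net in hosts:
            if int(net.network_address) == 0:    # 0.0.0.0: any manager
                findings.append((name, str(net), "any SNMP manager can use this community"))
            elif net.prefixlen < 32:
                findings.append((name, str(net), f"{net.num_addresses} addresses accepted"))
    return findings

# Constructed sample; the layout and key names are assumed (FortiOS-style).
SAMPLE = """config system snmp community
    edit 1
        set name "noc"
        config hosts
            edit 1
                set ip 192.0.2.10 255.255.255.255
            next
            edit 2
                set ip 198.51.100.0 255.255.255.0
            next
            edit 3
                set ip 0.0.0.0 0.0.0.0
            next
        end
    next
end"""

if __name__ == "__main__":
    for finding in audit_hosts(parse_communities(SAMPLE)):
        print(*finding, sep=" | ")
```
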

