So FortiGate doesn't provide an OID for failover of their firewalls, but they do send an SNMP trap. I've undertaken to create a log analyser (LA) query that, when it triggers, currently sends an email to myself. This works.
The LA rule currently looks for a specific set of SNMP trap IDs (is that the right word?). Four of them at present, which are: fmTrapHASwitch, fgTrapHaStateChange, fgTrapHaHBFail and fgTrapHaMemberDown. I almost certainly need to narrow this down to just one, possibly two. So, as a side query: when this log rule triggers, aside from trawling through the traps, is there a quick way to identify which keyword triggered the rule?
But more importantly, I need to restrict the number of alerts (or emails) prior to turning this into an alert that pushes live data into our ticketing tool, as the last such one generated >50 emails.
In looking at this, the only ways I can think of, but don't know how to implement, are:
- a time-based alert where, if the alert triggers, it doesn't re-trigger for another X minutes/hours, which is crude, or
- a "do not alert again until the first alert is acknowledged"
- hopefully it goes without saying that if a different FortiGate FW fails, then it would re-trigger.
As above though, I don't know where to start in configuring this, or even if I can.
Or is there a better approach, or even: has someone already successfully created a means to alert on a FortiGate failover event?
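An added illustration of the two suppression options described in the post, written for this page and not part of the original post, the poster's LA rule, or any Fortinet or log-analyser product code. It replays a few constructed trap log lines (the `host=... trap=...` line layout is an assumption, as is the non-HA `fgTrapCpuThreshold` line used as a negative case) through a matcher that reports which of the four trap names from the post fired, and a per-firewall suppressor that either stays quiet for a fixed window or until the alert is acknowledged, while still alerting when a different firewall fails over:

```python
"""Per-firewall suppression of FortiGate HA trap alerts.

Added illustration, not the poster's rule and not Fortinet or log-analyser
code.  Constructed sample lines are replayed through (1) a matcher that
reports which of the four trap names from the post fired, and (2) a
suppressor that raises one alert per firewall and then stays quiet for that
firewall, either for a fixed window or until the alert is acknowledged.
A second firewall failing over still alerts.  The line layout is assumed.
"""
from datetime import datetime, timedelta
import re

# The four trap names the poster's rule currently keys on.
HA_TRAPS = ("fmTrapHASwitch", "fgTrapHaStateChange",
            "fgTrapHaHBFail", "fgTrapHaMemberDown")

# Assumed line layout: "<ISO timestamp> host=<firewall> trap=<trapName> ...".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+trap=(?P<trap>\S+)")

# Example fixed suppression window for the "crude" time-based option.
WINDOW = timedelta(minutes=30)


def match_trap(line):
    """Return (timestamp, host, trap_name) when the line carries an HA trap, else None.

    The returned trap_name answers the side question: which keyword fired."""
    m = LINE_RE.match(line)
    if not m or m.group("trap") not in HA_TRAPS:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("host"), m.group("trap")


class Suppressor:
    """Tracks one open alert per firewall.

    window=None means "do not alert again until acknowledged"; a timedelta
    means "do not alert again for this long"."""

    def __init__(self, window=None):
        self.window = window
        self.opened = {}          # host -> timestamp of the alert still open

    def should_alert(self, host, ts):
        last = self.opened.get(host)
        if last is not None and (self.window is None or ts - last < self.window):
            return False          # same firewall, alert still open / inside window
        self.opened[host] = ts    # first alert for this host, or window expired
        return True

    def acknowledge(self, host):
        """Close the open alert so the next trap from this firewall alerts again."""
        self.opened.pop(host, None)


def replay(lines, suppressor):
    """Feed lines through matcher and suppressor; return the alerts that would be sent."""
    sent = []
    for line in lines:
        hit = match_trap(line)
        if hit is None:
            continue              # unparseable line or not one of the HA traps
        ts, host, trap = hit
        if suppressor.should_alert(host, ts):
            sent.append((host, trap, ts.isoformat()))
    return sent


# Constructed sample: an HA event on fw-a emits a burst of traps, fw-b fails
# over a few minutes later, and fw-a changes state again 40 minutes after the
# first event.  The CPU line is a constructed non-HA trap for the negative case.
SAMPLE = [
    "2024-05-01T10:00:00 host=fw-a trap=fgTrapHaHBFail member=fw-a-2",
    "2024-05-01T10:00:03 host=fw-a trap=fgTrapHaStateChange state=master",
    "2024-05-01T10:00:05 host=fw-a trap=fgTrapHaMemberDown member=fw-a-2",
    "2024-05-01T10:00:30 host=fw-a trap=fgTrapCpuThreshold cpu=91",
    "2024-05-01T10:05:00 host=fw-b trap=fgTrapHaStateChange state=master",
    "2024-05-01T10:40:00 host=fw-a trap=fgTrapHaStateChange state=slave",
]

if __name__ == "__main__":
    print("30-minute window:", replay(SAMPLE, Suppressor(WINDOW)))
    print("until acknowledged:", replay(SAMPLE, Suppressor()))
```

With the 30-minute window the six lines collapse to three alerts (fw-a at 10:00, fw-b at 10:05, fw-a again at 10:40); in acknowledge mode only the first fw-a and the fw-b alerts are sent until someone calls `acknowledge("fw-a")`. Keying the open-alert state on the firewall name is what lets a different firewall's failover still page while the first one is being handled.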