chaithrar
Staff
December 2, 2015

Technical Tip: Configuring SNMP when VDOM is enabled


 

Description


This article describes how to check the prerequisites for using SNMP when VDOM is enabled.


Scope


FortiGate v7.2 and later with VDOM enabled.


Solution

 

When configuring SNMP, the polled interface must belong to the management VDOM for the FortiGate to respond to the SNMP monitoring tool.

 

Note: Starting from FortiOS 7.6, SNMP queries to interfaces in non-management VDOMs are supported when the following setting is enabled:

 

config global
    config system snmp sysinfo
        set non-mgmt-vdom-query enable
    end
end

 

Configuration:

 

GUI configuration:

SNMP agent can be configured in the GUI under System -> SNMP, under the Global VDOM.

 

Related article: Technical Tip: How to Configure FortiGate SNMP Agent for Monitoring.

 

CLI configuration: Set the intended VDOM to retrieve information for the SNMP v1/2 community or SNMPv3 user. Note that this command is only available in v7.2 and later:

 

SNMPv1/2:


config global
    config system snmp community
        edit <ID>
            set vdoms <your_VDOM>
        next
    end
end

 

SNMPv3:


config global
    config system snmp user
        edit <user>
            set vdoms <your_VDOM>
        next
    end
end

 

Other required configuration:

 

  1. Make sure that the interface where the polling is set belongs to the management VDOM and allows SNMP processing:

 

config global
    config system interface
        edit <SNMP_interface>
            append allowaccess snmp
            set vdom <management_VDOM>
        next
    end
end

 

  2. Make sure that the correct VDOM is selected as the management VDOM:

config global
    config system global
        set management-vdom <management_VDOM>
    end
end

 

Note: It is not possible to send SNMP queries to any VDOM that is not the management VDOM.

 

  3. If trusted hosts are configured in FortiGate, ensure the user belongs to the management_VDOM.

     

config system admin
    edit "test_user"
        set trusthost1 80.80.80.0 255.255.255.0  <----- IP from SNMP manager.
        set accprofile "super_admin_readonly"
        set vdom "root"   <----- Select the management VDOM.
    next
end
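
An offline check of the first two prerequisites against a saved configuration, as an added example that is not part of the original article or of Fortinet's tooling. The sample backup text, the function names, and the fallback to "root" when a key is absent are assumptions of this example.

```python
import shlex

# Constructed excerpt of a VDOM-mode backup (sample data, not from the article).
SAMPLE = """
config global
config system global
    set management-vdom "root"
end
config system interface
    edit "port1"
        set vdom "root"
        set allowaccess ping https snmp
    next
    edit "port5"
        set vdom "customerA"
        set allowaccess ping snmp
    next
end
end
"""

def parse(text):
    """Map each config/edit scope (tuple path) to its {key: [values]} settings."""
    stack, scopes = [], {}
    for line in text.splitlines():
        tok = shlex.split(line) or [""]  # blank lines match no keyword below
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "edit":
            stack.append(tok[1])
        elif tok[0] in ("end", "next") and stack:
            stack.pop()
        elif tok[0] == "set" and len(tok) > 1:
            scopes.setdefault(tuple(stack), {})[tok[1]] = tok[2:]
    return scopes

def unreachable_snmp_interfaces(text):
    """Interfaces that allow SNMP but sit outside the management VDOM."""
    cfg = parse(text)
    # Assumption: an absent management-vdom or interface vdom key means "root".
    mgmt = cfg.get(("global", "system global"), {}).get("management-vdom", ["root"])[0]
    sysinfo = cfg.get(("global", "system snmp sysinfo"), {})
    if sysinfo.get("non-mgmt-vdom-query") == ["enable"]:  # FortiOS 7.6 setting
        return []
    return [(p[2], s.get("vdom", ["root"])[0]) for p, s in cfg.items()
            if p[:2] == ("global", "system interface") and len(p) == 3
            and "snmp" in s.get("allowaccess", [])
            and s.get("vdom", ["root"])[0] != mgmt]
```

Each returned pair is an interface name and its VDOM. Such an interface has SNMP access enabled but will not answer polls until it is moved to the management VDOM or, on FortiOS 7.6, non-mgmt-vdom-query is enabled.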

 

Troubleshooting.

Checking the current management VDOM:

 

config global
show full system global | grep management-vdom

 

Live diagnostics.

 

SSH1:


diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application snmpd -1
diagnose debug enable

 

SSH2:


diagnose sniffer packet any 'host <SNMPmanagerIP> and port 161' 6 0 l

 

Notes:

  • SSH1 and SSH2 are separate, simultaneous SSH connections.
  • On v7.4 and earlier releases, an SNMP user with the VDOM parameter configured cannot query an interface that does not belong to the management VDOM. Starting from FortiOS v7.6, an SNMPv3 user can send queries to a non-management interface. See this article: Technical Tip: How to perform queries using SNMPv3 to non-management VDOMs for details.

 
