Troubleshooting Tip: FortiGate dropping SNMP polling packets (default port 161)
| Description | This article describes the solution when FortiGate drops SNMP polling packets despite having the correct configuration. |
| Scope | FortiGate. |
Solution:

Symptom: this article assumes that the SNMP configuration (v1/v2/v3) is intact and that SNMP is enabled on the required interfaces. When SNMP is enabled on an interface, ensure that the FortiGate is listening on the required port (default UDP 161).

This can be validated by reviewing the local-in policy under Policy & Objects -> Local in policy (if it is not visible, enable this option under System -> Feature Visibility).

Alternatively, this can be validated from the CLI with the following command:

```
diagnose firewall iprope list 10000f
```

In this example output, the entry with index 19 confirms that port 7 is listening on UDP:161. Despite that output (and assuming the SNMP configuration is intact), the debug flow output shows that the FortiGate is still dropping the packet:

```
[...]
2026-02-03 15:45:06 id=65308 trace_id=258 func=__iprope_check_one_policy line=2243 msg="policy-4294967295 is matched, act-drop"
2026-02-03 15:45:05 id=65308 trace_id=257 func=fw_local_in_handler line=606 msg="iprope_in_check() check failed on policy 0, drop"
[...]
```

This means that the FortiGate cannot match a local-in policy to this incoming traffic, so it falls through to the implicit deny (policy-4294967295) and is dropped.

For more information, see Troubleshooting Tip: Debug flow messages 'iprope_in_check() check failed, drop' - 'Denied by forward policy check' - 'reverse path check fail, drop' - 'iprope_in_check() check failed on policy 0, drop'.

This symptom is observed when a trusted host is configured on every administrator account. In that case, the IP address of the SNMP manager must be included in the trusted host list of at least one administrator account. Alternatively, there must be at least one administrator account with no trusted host restriction configured. Trusted hosts are configured under:

```
config system admin
```

For VDOM-enabled devices, this condition is evaluated per VDOM, so the configuration must be applied in the VDOM that owns the polled interface. For example, suppose the interface being polled belongs to the root VDOM, the only administrator account assigned to the root VDOM has a trusted host configuration (one whose list does not include the SNMP manager), and the administrator accounts without trusted host restrictions exist only under VDOM 'B'. SNMP polling will fail, because the unrestricted accounts under VDOM 'B' do not satisfy the condition for the root VDOM. In this scenario, the required trusted host configuration must be applied under the root VDOM for SNMP polling to function correctly.

Another possible reason for SNMP failing on a multi-VDOM setup is that, for the FortiGate to answer the SNMP monitoring tool, the polled interface must be part of the management VDOM. Starting from FortiOS v7.6, SNMP queries can work on a non-management VDOM interface. For more details, refer to Technical Tip: How to perform queries using SNMPv3 to non-management VDOMs.
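The trusted-host condition described above (the SNMP manager's source IP must fall inside at least one administrator's trusted host list in the VDOM that owns the polled interface, or that VDOM must have an administrator with no trusted host restriction) can be audited offline from a saved `show system admin` dump before touching the device. The following script is an added example written for this article; it is not Fortinet code. The CLI dump it parses is a constructed sample, the admin names, VDOM 'B' and the manager address 192.0.2.10 are made up, and it assumes that an administrator with no `set vdom` line belongs to the root VDOM and that FortiOS omits the unrestricted default trusted host (0.0.0.0/0) from `show` output, which is how the parser recognises unrestricted accounts. IPv6 trusted hosts (`ip6-trusthostN`) are ignored.

```python
"""Audit FortiGate trusted hosts against an SNMP manager's source IP, per VDOM.

Added example for this article, not Fortinet code. Assumptions: an admin with
no 'set vdom' line is treated as a root-VDOM admin; an admin with no
'set trusthostN' lines is unrestricted (FortiOS hides the 0.0.0.0/0 default).
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample of 'show system admin' output (not from a real device).
SAMPLE_SHOW_SYSTEM_ADMIN = """\
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set trusthost2 10.20.0.5 255.255.255.255
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "vdomB-admin"
        set accprofile "prof_admin"
        set vdom "B"
    next
    edit "root-helpdesk"
        set trusthost1 172.16.5.0 255.255.255.0
        set accprofile "prof_admin"
        set vdom "root" "B"
    next
end
"""


@dataclass
class Admin:
    name: str
    vdoms: List[str] = field(default_factory=list)
    # slot number (1..10) -> network, so non-contiguous slots are preserved
    trusthosts: Dict[int, ipaddress.IPv4Network] = field(default_factory=dict)

    def unrestricted(self) -> bool:
        """No trusthost lines, or an explicit 0.0.0.0/0, means any source IP."""
        return not self.trusthosts or any(n.prefixlen == 0 for n in self.trusthosts.values())


def parse_show_system_admin(text: str) -> List[Admin]:
    """Parse the 'config system admin' block of a FortiOS CLI dump."""
    admins: List[Admin] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "([^"]*)"$', line)
        if m:
            current = Admin(name=m.group(1))
            continue
        if line in ("next", "end"):
            if current is not None:
                admins.append(current)
                current = None
            continue
        if current is None:
            continue
        if line.startswith("set trusthost"):
            parts = line.split()  # set trusthostN <ip> <netmask>
            if len(parts) == 4:
                slot = int(parts[1][len("trusthost"):])
                current.trusthosts[slot] = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False)
        elif line.startswith("set vdom "):
            current.vdoms = re.findall(r'"([^"]*)"', line)  # may list several VDOMs
    return admins


def snmp_manager_allowed(admins: List[Admin], manager_ip: str, vdom: str = "root") -> List[str]:
    """Names of admins in `vdom` that admit manager_ip. Empty list == the drop symptom."""
    ip = ipaddress.IPv4Address(manager_ip)
    matches = []
    for admin in admins:
        if vdom not in (admin.vdoms or ["root"]):
            continue  # admins in other VDOMs do not count for this VDOM
        if admin.unrestricted() or any(ip in net for net in admin.trusthosts.values()):
            matches.append(admin.name)
    return matches


def trusthost_fix_cli(admin: Admin, manager_ip: str, multi_vdom: bool = False) -> str:
    """CLI that adds manager_ip/32 to the first free trusthost slot (1..10) of `admin`."""
    free = [s for s in range(1, 11) if s not in admin.trusthosts]
    if not free:
        raise ValueError(f"admin {admin.name!r} has all 10 trusthost slots in use")
    lines = [
        "config system admin",
        f'    edit "{admin.name}"',
        f"        set trusthost{free[0]} {manager_ip} 255.255.255.255",
        "    next",
        "end",
    ]
    if multi_vdom:  # system admin lives in the global scope on VDOM-enabled units
        lines = ["config global"] + ["    " + l for l in lines] + ["end"]
    return "\n".join(lines)


if __name__ == "__main__":
    admins = parse_show_system_admin(SAMPLE_SHOW_SYSTEM_ADMIN)
    manager = "192.0.2.10"
    for vdom in ("root", "B"):
        ok = snmp_manager_allowed(admins, manager, vdom)
        verdict = "admitted by " + ", ".join(ok) if ok else "no admin admits it: expect iprope_in_check drop"
        print(f"VDOM {vdom}: SNMP manager {manager} {verdict}")
    if not snmp_manager_allowed(admins, manager, "root"):
        print(trusthost_fix_cli(admins[0], manager, multi_vdom=True))
```

Run it against a real dump by replacing the constructed sample with the output of `show system admin` (from `config global` on a VDOM-enabled unit) and setting `manager` to the poller's address; an empty result for the VDOM that owns the polled interface reproduces the drop, and the generated CLI adds the manager to the first free slot of the chosen account rather than overwriting an existing trusted host.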
