Skip to main content
mhdganji
mhdganji
Explorer III
April 21, 2023
Question

SNMP on a non-management interface

  • April 21, 2023
  • 3 replies
  • 5715 views

Hi

Struggling and troubleshooting for hours and found out that Fortigate (FortiOS 7.0.9) just responds to SNMP on its management VDOM interfaces. So:

 

1- Is there any way to force it to respond to SNMP requests received on interfaces which are not member of the Management VDOM (For security purpose I don't like this VDOM to be routed into internal network, just use if for Fortiguard)

 

2- How, using a VDOM link I can config the SNMP requests to be routed to the management VDOM. I built a /30 link between the internal VDOM and management VDOM. Should I make the management VDOM /30 IP to be reachable all through network to monitoring device? Is there a method to tell the device to route just SNMP packets to that IP? (Receive them on internal VDOM, route to management VDOM through the VDOM link, get the response and send it back to monitoring software)

 

Or maybe there are better ways to do this.

 

Thanks

3 replies

gfleming
Staff
gfleming
Staff
April 21, 2023

Yes just use a FW policy that allows only SNMP (UDP/161) from non-mgmt VDOM intf to inter-vdom link.

    mhdganji
    mhdganjiAuthor
    Explorer III
    April 21, 2023

    Hi,

    It did not work and as a matter of fact I wonder how it should work. The SNMP traffic reaches the non-management interface and the box itself decides that it should be sent to management interface, uses the rule and ... ?

    Let me say again that just switching the management vdom will put SNMP to work. Meanwhile maybe the pictures below be of any help. And BTW, I upgraded to FortiOS 7.2.

     

    P1.JPGP2.JPGP3.JPG

    gfleming
    Staff
    gfleming
    Staff
    April 24, 2023

    You need policy in root VDOM allowing traffic across the VDOM link. You need policy in management VDOM allowing traffic from the VDOM link to the relevant intf.

    You need routing set up to work properly across the VDOM links.

    Have you done all this?

      Chuchubi
      Chuchubi
      New Member
      January 8, 2024

      The above normally works for one device. But will this work for both devices in HA mode? I could manage to get this to work for only the primary device. If your in HA and doing active-active non-loadbalancing or loadbalancing it didn't work for me.

      Any suggestions?

      Terms & ConditionsAccessibility statement