FortiGate
chaithrar
Staff
Article Id 194853

 

Description


This article describes how to check the prerequisite for using SNMP when VDOM is enabled.


Scope


Any FortiGate that has VDOM enabled.


Solution

When configuring SNMP, the interface being polled must belong to the management VDOM; otherwise the FortiGate does not respond to the SNMP monitoring tool.


Configuration

In FortiOS 7.2 and later, make sure the intended VDOM is included for polling in the SNMPv1/v2c community or SNMPv3 user settings:

SNMPv1/v2c:

config global
config system snmp community
    edit <ID>
        set vdoms <your_VDOM>
    next
end

SNMPv3:

config global
config system snmp user
    edit <user>
        set vdoms <your_VDOM>
    next
end

Make sure the interface allows SNMP access and belongs to the VDOM you allowed for polling:

config global
config system interface
    edit <SNMP_interface>
        append allowaccess snmp
        set vdom <your_VDOM>
    next
end

The checks are as follows:

1) Make sure that the interface on which polling is configured belongs to the management VDOM and allows SNMP access:

config global
config system interface
    edit <SNMP_interface>
        append allowaccess snmp
        set vdom <management_VDOM>
    next
end

 

2) Make sure that the correct VDOM is selected as the management VDOM:

config global
config system global
    set management-vdom <management_VDOM>
end


3) If trusted hosts are configured on the FortiGate, make sure that the admin user belongs to the management VDOM:

config global
config system admin
    edit "test_user"
        set trusthost1 80.80.80.0 255.255.255.0    <----- IP range of the SNMP manager
        set accprofile "super_admin_readonly"
        set vdom "root"    <----- select the management VDOM
    next
end
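As an added example that is not part of the original article, the following Python script applies the checks above to saved `show full-configuration` output: it parses the FortiOS config text and reports which prerequisite a given interface fails (allowaccess, management VDOM membership, and the 7.2+ community `vdoms` setting). The configuration it contains is constructed sample data, and the parser only handles flat sections, not nested sub-tables.

```python
import shlex
# Constructed sample of `show full-configuration` output, not from a real device.
SAMPLE_CONFIG = """\
config system global
    set management-vdom "root"
end
config system interface
    edit "port1"
        set vdom "root"
        set allowaccess ping https ssh snmp
    next
end
config system snmp community
    edit 1
        set vdoms "root"
    next
end
"""

def parse_fortios(text):
    """Return {section: {entry: {key: [values]}}}; table-less sections such as
    system global use entry ''. Nested sub-tables are not handled."""
    tree, section, entry = {}, None, ""
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            section, entry = " ".join(tok[1:]), ""
            tree.setdefault(section, {})
        elif tok[0] == "edit":
            entry = tok[1]
        elif tok[0] == "set":
            tree[section].setdefault(entry, {})[tok[1]] = tok[2:]
    return tree

def snmp_prereq_findings(text, interface):
    """List each prerequisite from the article that `interface` fails; [] means OK."""
    cfg = parse_fortios(text)
    mgmt = cfg["system global"][""]["management-vdom"][0]
    iface = cfg["system interface"].get(interface)
    if iface is None:
        return [f"{interface}: interface not found"]
    findings = []
    if "snmp" not in iface.get("allowaccess", []):  # check 1: allowaccess snmp
        findings.append(f"{interface}: allowaccess does not include snmp")
    vdom = iface.get("vdom", ["root"])[0]            # checks 1 and 2: management VDOM
    if vdom != mgmt:
        findings.append(f"{interface}: in VDOM {vdom}, but management VDOM is {mgmt}")
    for cid, comm in cfg.get("system snmp community", {}).items():  # 7.2+ vdoms setting
        if vdom not in comm.get("vdoms", []):
            findings.append(f"community {cid}: vdoms does not include {vdom}")
    return findings
```

Paste the output of `show full-configuration` for `system global`, `system interface` and `system snmp community` in place of the sample to check a real unit offline.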

Troubleshooting

Checking the current management VDOM:

config global
show full-configuration system global | grep management-vdom

 

Live diagnostics:

SSH1:

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application snmpd -1
diagnose debug enable

 

SSH2:

diagnose sniffer packet any 'host <SNMPmanagerIP> and port 161' 6 0 l

 

Note:

SSH1 and SSH2 are separate, simultaneous SSH connections.

Note:

An SNMP user with the VDOM parameter configured cannot query an interface that does not belong to the management VDOM. In other words, only the management VDOM allows SNMP queries; a non-management VDOM cannot be used for SNMP queries.