Created on 12-02-2015 11:44 AM Edited on 09-11-2024 01:29 AM By Jean-Philippe_P
Description
This article describes how to check the prerequisite for using SNMP when VDOM is enabled.
Scope
Any FortiGate that has VDOM enabled.
Solution
When configuring SNMP, the interface used for polling should be in the management VDOM so that the firewall's response reaches the SNMP monitoring tool.
Configuration.
In FortiOS 7.2+, make sure the intended VDOM is included for polling in the SNMPv1/2 or SNMPv3 settings:
SNMPv1/2:
config global
config system snmp community
edit <ID>
set vdoms <your_VDOM>
end
SNMPv3:
config global
config system snmp user
edit <user>
set vdoms <your_VDOM>
end
Make sure the interface allows SNMP processing and belongs to the VDOM allowed for polling:
config global
config system interface
edit <SNMP_interface>
append allowaccess snmp
set vdom <your_VDOM>
end
The two-step check includes:
config global
config system interface
edit <SNMP_interface>
append allowaccess snmp
set vdom <management_VDOM>
end
Make sure that the correct VDOM is selected as management VDOM:
config global
config system global
set management-vdom <management_VDOM>
end
If trusted hosts are configured in FortiGate, make sure that the user belongs to the management_VDOM.
config system admin
edit "test_user"
set trusthost1 80.80.80.0 255.255.255.0 <----- IP from the SNMP manager.
set accprofile "super_admin_readonly"
set vdom "root" <---- Select the management VDOM.
next
end
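The prerequisites above can also be checked offline against a saved configuration. The following Python is an added example, not Fortinet code: it parses a constructed excerpt that mirrors the commands in this article and lists which prerequisites an interface and polling VDOM fail. The names parse, snmp_findings, port1, port3 and customer_a are assumptions, and a real backup file may be laid out differently.

```python
import shlex
# Constructed excerpt mirroring the article's commands (not from a real device).
SAMPLE = """config global
config system global
    set management-vdom "root"
end
config system interface
    edit "port1"
        set vdom "root"
        set allowaccess ping https ssh snmp
    next
    edit "port3"
        set vdom "customer_a"
    next
end
config system snmp community
    edit 1
        set vdoms "root"
end
end
"""

def parse(text):
    """Flatten config/edit/set nesting into {path: {key: [values]}}."""
    stack, out = [], {}
    for tok in map(shlex.split, text.splitlines()):
        if tok[:1] in (["config"], ["edit"]):
            stack.append((tok[0], " ".join(tok[1:])))
        elif tok[:1] == ["next"] and stack and stack[-1][0] == "edit":
            stack.pop()
        elif tok[:1] == ["end"]:
            while stack and stack.pop()[0] != "config":
                pass  # 'end' also closes an edit left open without 'next'
        elif tok[:1] == ["set"]:
            out.setdefault(tuple(n for _, n in stack), {})[tok[1]] = tok[2:]
    return out

def snmp_findings(text, iface, vdom):
    """List the article's SNMP prerequisites that the config does not meet."""
    cfg, found = parse(text), []
    mgmt = cfg.get(("global", "system global"), {}).get("management-vdom", ["?"])[0]
    port = cfg.get(("global", "system interface", iface), {})
    if "snmp" not in port.get("allowaccess", []):
        found.append(f"{iface}: snmp missing from allowaccess")
    if port.get("vdom", [None])[0] != mgmt:
        found.append(f"{iface}: not in management VDOM {mgmt}")
    return found + [f"{p[1]} {p[2]}: VDOM {vdom} not in 'set vdoms'"
                    for p, s in cfg.items() if len(p) == 3
                    and p[1] in ("system snmp community", "system snmp user")
                    and vdom not in s.get("vdoms", [])]
```

An empty list means the checked interface and VDOM meet every prerequisite the function covers; trusted hosts are not checked.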
Troubleshooting.
Checking the current management VDOM:
config global
show full system global | grep management-vdom
Live diagnostics.
SSH1:
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application snmpd -1
diagnose debug enable
SSH2:
diagnose sniffer packet any 'host <SNMPmanagerIP> and port 161' 6 0 l
Note.
SSH1 and SSH2 are separate simultaneous SSH connections.
Note.
On FortiOS 7.4 and earlier releases, an SNMP user with the VDOM parameter configured cannot query an interface that does not belong to the management VDOM. This has been enhanced in later versions: starting from FortiOS 7.6, an SNMP user can send queries to a non-management interface over the SNMPv3 protocol. See Technical Tip: How to perform queries using SNMPv3 to non-management VDOMs for details.