FortiGate
gfranceschi
Staff
Article Id 189620
Purpose
This article describes how to configure SNMP so that an SNMP manager can query information belonging to different VDOMs through an interface of the management VDOM.

Expectations, Requirements
To query information for a specific VDOM, the SNMP manager appends the VDOM name to the community name in the SNMP get command, separated by a dash. The syntax of the SNMP get command is:
snmpget -v2c -c <community_name>-<vdom_name> <address_ipv4> <OID>
<community_name> is the SNMP community name added to the FortiGate configuration. More than one community name can be added to a FortiGate SNMP configuration. The most commonly used community name is public.

<vdom_name> is the name of the VDOM to query.

<address_ipv4> is the IP address of the interface of the management Vdom that the SNMP manager queries.
<OID> is the object identifier for the MIB field.

The following SNMP walk retrieves the BGP MIB subtree for VDOM1:
snmpwalk -v2c -c TestCommunity-VDOM1 10.5.17.217 1.3.6.1.2.1.15
The community name is TestCommunity.
The IP address of the FortiGate management interface is 10.5.17.217.
The BGP information comes from Vdom VDOM1.

The BGP information is defined in BGP4-MIB (RFC 1657), rooted at OID 1.3.6.1.2.1.15.
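As an added example (not part of the original article, and not Fortinet code), the following Python script builds the community string in the <community_name>-<vdom_name> form described above and encodes an SNMPv2c GetRequest for bgpLocalAs.0 (OID 1.3.6.1.2.1.15.2.0) using only the standard library, then parses the GetResponse. The BER encoder and parser are written here for illustration; a constructed response is included so the parser can be exercised offline, and query_bgp_local_as() only works against a reachable FortiGate. The host, community and VDOM values are the ones used in this article.

```python
"""Minimal SNMPv2c GET for FortiGate '<community>-<vdom>' queries (added example)."""
import socket

BGP_LOCAL_AS_OID = "1.3.6.1.2.1.15.2.0"   # bgpLocalAs.0 from BGP4-MIB (RFC 1657)


def vdom_community(community: str, vdom: str) -> str:
    """Community string the FortiGate expects: community name, dash, VDOM name."""
    return f"{community}-{vdom}"


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _encode_int(value: int) -> bytes:
    """ASN.1 INTEGER in minimal two's-complement form."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return _tlv(0x02, value.to_bytes(length, "big", signed=True))


def encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER contents: first two arcs packed into one octet, rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv2c GetRequest (PDU tag 0xA0) with a single NULL-valued varbind."""
    varbind = _tlv(0x30, _tlv(0x06, encode_oid(oid)) + _tlv(0x05, b""))
    pdu = _tlv(0xA0, _encode_int(request_id) + _encode_int(0) + _encode_int(0)
               + _tlv(0x30, varbind))
    return _tlv(0x30, _encode_int(1) + _tlv(0x04, community.encode()) + pdu)


def build_get_response(community: str, oid: str, value: int, request_id: int = 1) -> bytes:
    """Constructed GetResponse (PDU tag 0xA2); used only to exercise the parser offline."""
    varbind = _tlv(0x30, _tlv(0x06, encode_oid(oid)) + _encode_int(value))
    pdu = _tlv(0xA2, _encode_int(request_id) + _encode_int(0) + _encode_int(0)
               + _tlv(0x30, varbind))
    return _tlv(0x30, _encode_int(1) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_get_response_int(packet: bytes):
    """Return (community, integer) from a GetResponse carrying one INTEGER varbind."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _, pos = _read_tlv(msg, 0)                  # version
    _, community, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse")
    _, _, pos = _read_tlv(pdu, 0)                  # request-id
    _, err, pos = _read_tlv(pdu, pos)              # error-status
    if int.from_bytes(err, "big", signed=True) != 0:
        raise ValueError("agent returned a non-zero error-status")
    _, _, pos = _read_tlv(pdu, pos)                # error-index
    _, varbinds, _ = _read_tlv(pdu, pos)
    _, vb, _ = _read_tlv(varbinds, 0)
    _, _, pos = _read_tlv(vb, 0)                   # OID
    tag, val, _ = _read_tlv(vb, pos)
    if tag != 0x02:
        raise ValueError("value is not an INTEGER (tag 0x%02x)" % tag)
    return community.decode(), int.from_bytes(val, "big", signed=True)


def query_bgp_local_as(host: str, community: str, vdom: str, timeout: float = 2.0) -> int:
    """Send the request over UDP/161 and return bgpLocalAs; needs a reachable FortiGate."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(vdom_community(community, vdom), BGP_LOCAL_AS_OID),
                 (host, 161))
        reply, _ = s.recvfrom(4096)
    return parse_get_response_int(reply)[1]


if __name__ == "__main__":
    # Values from the article: management interface 10.5.17.217, community TestCommunity, VDOM1
    print(query_bgp_local_as("10.5.17.217", "TestCommunity", "VDOM1"))
```

Because SNMPv2c sends the community string in clear text, the VDOM name is visible on the wire together with the community name; restricting the community's host list (see the config system snmp community block below) is what limits which managers can use it.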
Result:



Configuration
FortiGate Configuration:
The management VDOM is root by default.
# config vdom
    edit root
    next
    edit VDOM1
    next
    edit VDOM2
    next
end

# config global
    config system interface
        edit "port1"
            set vdom "VDOM1"
            set ip 10.134.1.217 255.255.240.0
            set allowaccess ping
            set type physical
            set snmp-index 1
        next
        edit "mgmt"
            set vdom "root"
            set ip 10.5.17.217 255.255.240.0
            set allowaccess ping https ssh snmp http telnet
            set type physical
            set dedicated-to management
            set snmp-index 29
        next
        edit "vlan1-127"
            set vdom "VDOM1"
            set ip 10.127.1.217 255.255.240.0
            set allowaccess ping
            set snmp-index 41
            set interface "aux"
            set vlanid 127
        next
        edit "loop"
            set vdom "VDOM1"
            set ip 10.139.1.217 255.255.240.0
            set allowaccess ping
            set snmp-index 42
            set interface "port1"
            set vlanid 139
        next
    end
    config system snmp sysinfo
        set status enable
        set description "TestUnit3240C-217"
        set contact-info "tac@fortinet.com"
        set location "Sophia"
    end
    config system snmp community
        edit 1
            set name "TestCommunity"
            config hosts
                edit 1
                    set ip 10.5.0.0 255.255.0.0
                next
                edit 2
                    set ip 172.26.0.0 255.255.0.0
                next
            end
            set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open power-supply-failure faz-disconnect wc-ap-up wc-ap-down
        next
    end
end
 
# config vdom
    edit VDOM1
        config router bgp
            set as 65567
            set router-id 10.5.17.217
            config neighbor
                edit "10.134.1.218"
                    set remote-as 65656
                    set send-community6 disable
                next
            end
            config network
                edit 1
                    set prefix 10.127.0.0 255.255.240.0
                next
                edit 2
                    set prefix 10.139.1.216 255.255.255.252
                next
            end
            config redistribute "connected"
                set status enable
            end
        end
    next
end

Troubleshooting

Example and troubleshooting:

snmpget -v2c -c TestCommunity-VDOM1 10.5.17.217 iso.3.6.1.2.1.15.2.0

OID .1.3.6.1.2.1.15.2.0 is bgpLocalAs; the returned value (Integer) is 65567, the local AS configured in VDOM1.

FortiGate debug:

# diagnose debug application snmpd -1
# di de en

snmpd: updating cache: idx_cache
snmpd: <msg> 56 bytes 172.26.143.40:36298 -> 10.5.17.217/10.5.17.217:161 (itf 2.2)
snmpd: checking if community "TestCommunity-VDOM1" is valid
snmpd: checking against community "TestCommunity"
snmpd: request 1(root)/2/172.26.143.40 != comm 1/0/10.5.0.0/255.255.0.0
snmpd: request 1(root)/2/172.26.143.40 == comm 1/0/172.26.0.0/255.255.0.0
snmpd: matched community "TestCommunity-VDOM1"
snmpd: get     : bgpLocalAs.0 -> (snmpd: bgppeer_cache_lookup:280 try to find key(rmt_addr_idx1=0.0.0.0) next=1 self=1 vd=2
snmpd: bgppeer_cache_lookup() fg_avl_min()
snmpd: bgppeer_cache_lookup:348 key(rmt_addr_idx1=0.0.0.0) next=1 self=1 vd=2 found: entry(rmt_addr_idx1=10.5.17.217 flags=0x1)
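The debug output above shows snmpd validating "TestCommunity-VDOM1" against the configured community "TestCommunity" and then checking the source address 172.26.143.40 against that community's host list (first entry 10.5.0.0/255.255.0.0 does not match, second entry 172.26.0.0/255.255.0.0 does). The Python below is an added model of that check, useful when troubleshooting why a VDOM query is refused; it is not FortiOS code. The community and host entries are taken from the configuration in this article; how FortiOS splits a community name that itself contains a dash is not described here, so the longest-configured-name-prefix rule is an assumption, as is the index assigned to VDOM2 (root=0 and VDOM1=2 come from the diagnose sys vd list output).

```python
"""Model of the snmpd community/host/VDOM check seen in the debug log (added example)."""
import ipaddress

# Constructed from the article's "config system snmp community" block.
COMMUNITIES = {
    "TestCommunity": ["10.5.0.0/255.255.0.0", "172.26.0.0/255.255.0.0"],
}
# VDOM name -> index. root=0 and VDOM1=2 are from "diagnose sys vd list"; VDOM2=3 is assumed.
VDOMS = {"root": 0, "VDOM1": 2, "VDOM2": 3}


def split_community(received: str, configured):
    """Split '<community>-<vdom>' into (community, vdom); vdom is None when absent.

    Assumption: the longest configured community name that is a prefix of the
    received string wins, so a community name containing a dash is still handled.
    """
    for name in sorted(configured, key=len, reverse=True):
        if received == name:
            return name, None
        if received.startswith(name + "-"):
            return name, received[len(name) + 1:]
    return None, None


def authorize(received: str, source_ip: str, configured=COMMUNITIES, vdoms=VDOMS,
              default_vdom: str = "root"):
    """Return (accepted, reason, vdom) the way the snmpd debug lines describe the decision."""
    name, vdom = split_community(received, configured)
    if name is None:
        return False, "no configured community matches", None
    vdom = vdom or default_vdom          # no suffix: answer from the management VDOM
    if vdom not in vdoms:
        return False, f"unknown vdom {vdom}", None
    src = ipaddress.ip_address(source_ip)
    for entry in configured[name]:
        net = ipaddress.ip_network(entry, strict=False)
        if src in net:                    # "request ... == comm ..." line in the debug
            return True, f"host matched {net}", vdom
    return False, "source not in community host list", None   # "!=" for every entry


def explain(received: str, source_ip: str) -> str:
    """One-line summary in the style of the debug output, for quick troubleshooting."""
    ok, reason, vdom = authorize(received, source_ip)
    verdict = f"matched, vd={VDOMS[vdom]} ({vdom})" if ok else "rejected"
    return f'community "{received}" from {source_ip}: {verdict}; {reason}'


if __name__ == "__main__":
    print(explain("TestCommunity-VDOM1", "172.26.143.40"))   # the case in the debug log
    print(explain("TestCommunity-VDOM1", "192.0.2.5"))       # manager outside the host list
    print(explain("TestCommunity", "10.5.1.1"))              # no suffix: management VDOM
```

When a query is refused, the two things to compare are the "checking against community" line (is the prefix a configured community name and the suffix an existing VDOM) and the "!=" lines (is the manager's source address inside one of the community's hosts entries).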

 

# diagnose sys vd list
system fib version=58
list virtual firewall info:
…/…
name=VDOM1 index=2 enabled use=25 rt_num=4 asym_rt=0 sip_helper=1, sip_nat_trace=1, mc_fwd=1, mc_ttl_nc=0, tpmc_sk_pl=0 ecmp=source-ip-based asym_rt6=0 rt6_num=13 strict_src_check=0 dns_log=1 ses_num=1 ses6_pkt_num=17417
        tree_flag=1 tree6_flag=1 nataf=0 traffic_log=1 extended_traffic_log=0 svc_depth=2
        log_neigh=0, deny_tcp_with_icmp=0 ses_denied_traffic=no tcp_no_syn_check=0
        fw_session_hairpin=no
        ipv4_rate=0, ipv6_rate=0
…/…
name=root index=0 enabled use=155 rt_num=46 asym_rt=0 sip_helper=1, sip_nat_trace=1, mc_fwd=1, mc_ttl_nc=0, tpmc_sk_pl=0 ecmp=source-ip-based asym_rt6=0 rt6_num=70 strict_src_check=0 dns_log=1 ses_num6_num=0 pkt_num=335247
        tree_flag=1 tree6_flag=1 nataf=0 traffic_log=1 extended_traffic_log=0 svc_depth=1
        log_neigh=0, deny_tcp_with_icmp=0 ses_denied_traffic=no tcp_no_syn_check=0
        fw_session_hairpin=no
        ipv4_rate=0, ipv6_rate=0
vf_count=7 vfe_count=48

Sniffer trace:



Related Articles

Note for configuring SNMP when using it with VDOM enabled.
