This article describes how to configure SNMP so that an SNMP manager can query information from different VDOMs through an interface of the management VDOM.
Expectations, Requirements
To query information for a specific VDOM, the SNMP manager appends the VDOM name to the community name in the SNMP get command. The community name and the VDOM name are separated with a dash. The syntax for this SNMP get command is:
snmpget -v2c -c <community_name>-<vdom_name> <address_ipv4> <OID>
<community_name> is the SNMP community name added to the FortiGate configuration. More than one community name can be added to a FortiGate SNMP configuration. The most commonly used community name is public.
<vdom_name> is the name of the VDOM to query.
<address_ipv4> is the IP address of the interface of the management VDOM that the SNMP manager queries.
<OID> is the object identifier for the MIB field.
The following snmpwalk command retrieves the BGP information for VDOM1:
snmpwalk -v2c -c TestCommunity-VDOM1 10.5.17.217 1.3.6.1.2.1.15
The community name is TestCommunity.
The IP address of the FortiGate management interface is 10.5.17.217.
The BGP information comes from VDOM VDOM1.
The BGP information comes from the BGP4-MIB (RFC 1657), which is OID 1.3.6.1.2.1.15.
Result:
Configuration
FortiGate Configuration:
The management VDOM is root by default.
# config vdom
    edit root
    next
    edit VDOM1
    next
    edit VDOM2
    next
end
# config global
    config system interface
        edit "port1"
            set vdom "VDOM1"
            set ip 10.134.1.217 255.255.240.0
            set allowaccess ping
            set type physical
            set snmp-index 1
        next
        edit "mgmt"
            set vdom "root"
            set ip 10.5.17.217 255.255.240.0
            set allowaccess ping https ssh snmp http telnet
            set type physical
            set dedicated-to management
            set snmp-index 29
        next
        edit "vlan1-127"
            set vdom "VDOM1"
            set ip 10.127.1.217 255.255.240.0
            set allowaccess ping
            set snmp-index 41
            set interface "aux"
            set vlanid 127
        next
        edit "loop"
            set vdom "VDOM1"
            set ip 10.139.1.217 255.255.240.0
            set allowaccess ping
            set snmp-index 42
            set interface "port1"
            set vlanid 139
        next
    end
    config system snmp sysinfo
        set status enable
        set description "TestUnit3240C-217"
        set contact-info "tac@fortinet.com"
        set location "Sophia"
    end
    config system snmp community
        edit 1
            set name "TestCommunity"
            config hosts
                edit 1
                    set ip 10.5.0.0 255.255.0.0
                next
                edit 2
                    set ip 172.26.0.0 255.255.0.0
                next
            end
            set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open power-supply-failure faz-disconnect wc-ap-up wc-ap-down
        next
    end
end
# config vdom
    edit VDOM1
        config router bgp
            set as 65567
            set router-id 10.5.17.217
            config neighbor
                edit "10.134.1.218"
                    set remote-as 65656
                    set send-community6 disable
                next
            end
            config network
                edit 1
                    set prefix 10.127.0.0 255.255.240.0
                next
                edit 2
                    set prefix 10.139.1.216 255.255.255.252
                next
            end
            config redistribute "connected"
                set status enable
            end
        end
    end
end
Troubleshooting
Example and troubleshooting:
snmpget -v2c -c TestCommunity-VDOM1 10.5.17.217 iso.3.6.1.2.1.15.2.0
The OID .1.3.6.1.2.1.15.2.0 is bgpLocalAs; the returned value is the integer 65567, which matches "set as 65567" in the BGP configuration of VDOM1.
FortiGate debug (snmpd matches the received string "TestCommunity-VDOM1" against the configured community "TestCommunity", checks the manager address 172.26.143.40 against the community's host list, and then resolves the lookup in VDOM index 2):
# diagnose debug application snmpd -1
# di de en
snmpd: updating cache: idx_cache
snmpd: <msg> 56 bytes 172.26.143.40:36298 -> 10.5.17.217/10.5.17.217:161 (itf 2.2)
snmpd: checking if community "TestCommunity-VDOM1" is valid
snmpd: checking against community "TestCommunity"
snmpd: request 1(root)/2/172.26.143.40 != comm 1/0/10.5.0.0/255.255.0.0
snmpd: request 1(root)/2/172.26.143.40 == comm 1/0/172.26.0.0/255.255.0.0
snmpd: matched community "TestCommunity-VDOM1"
snmpd: get : bgpLocalAs.0 -> (snmpd: bgppeer_cache_lookup:280 try to find key(rmt_addr_idx1=0.0.0.0) next=1 self=1 vd=2
snmpd: bgppeer_cache_lookup() fg_avl_min()
snmpd: bgppeer_cache_lookup:348 key(rmt_addr_idx1=0.0.0.0) next=1 self=1 vd=2 found: entry(rmt_addr_idx1=10.5.17.217 flags=0x1)
The VDOM index reported by "diagnose sys vd list" (VDOM1 is index=2) is the vd=2 value that snmpd uses in the cache lookup above.
# diagnose sys vd list
system fib version=58
list virtual firewall info:
…/…
name=VDOM1 index=2 enabled use=25 rt_num=4 asym_rt=0 sip_helper=1, sip_nat_trace=1, mc_fwd=1, mc_ttl_nc=0, tpmc_sk_pl=0 ecmp=source-ip-based asym_rt6=0 rt6_num=13 strict_src_check=0 dns_log=1 ses_num=1 ses6_pkt_num=17417
tree_flag=1 tree6_flag=1 nataf=0 traffic_log=1 extended_traffic_log=0 svc_depth=2
log_neigh=0, deny_tcp_with_icmp=0 ses_denied_traffic=no tcp_no_syn_check=0
fw_session_hairpin=no
ipv4_rate=0, ipv6_rate=0
…/…
name=root index=0 enabled use=155 rt_num=46 asym_rt=0 sip_helper=1, sip_nat_trace=1, mc_fwd=1, mc_ttl_nc=0, tpmc_sk_pl=0 ecmp=source-ip-based asym_rt6=0 rt6_num=70 strict_src_check=0 dns_log=1 ses_num6_num=0 pkt_num=335247
tree_flag=1 tree6_flag=1 nataf=0 traffic_log=1 extended_traffic_log=0 svc_depth=1
log_neigh=0, deny_tcp_with_icmp=0 ses_denied_traffic=no tcp_no_syn_check=0
fw_session_hairpin=no
ipv4_rate=0, ipv6_rate=0
vf_count=7 vfe_count=48
Sniffer trace: