FortiGate
gfranceschi
Staff
Article Id 189620

Description


This article describes how to configure SNMP so that an SNMP manager can query information from different VDOMs through an interface of the management VDOM.

 

Scope

 

FortiGate.

Solution

 

To query information for a specific VDOM, the SNMP manager appends the VDOM name to the community name in the SNMP GET request, separated by a dash. The FortiGate matches the part before the dash against its configured communities and answers from the named VDOM through the management VDOM interface. The syntax of the SNMP get command is:

 

snmpget -v2c -c <community_name>-<vdom_name> <address_ipv4> <OID>

 

  • <community_name> is the SNMP community name added to the FortiGate configuration. More than one community name can be added to a FortiGate SNMP configuration. The most commonly used community name is public, which is also the first one an attacker tries; use a non-default name and restrict the hosts entries of the community, as in the configuration below.
  • <vdom_name> is the name of the VDOM to query.
  • <address_ipv4> is the IP address of the management VDOM interface that the SNMP manager queries.
  • <OID> is the object identifier of the MIB field.


The following snmpwalk command retrieves the BGP information of VDOM1:

 

snmpwalk -v2c -c TestCommunity-VDOM1 10.5.17.217 1.3.6.1.2.1.15

 

The community name is TestCommunity.

The IP address of the FortiGate management interface is 10.5.17.217.
The BGP information comes from VDOM1.

The BGP4-MIB (RFC 1657) subtree is OID 1.3.6.1.2.1.15.

Result:

 



Configuration
FortiGate Configuration:
The management VDOM is root by default.

 

config vdom
    edit root
    next
    edit VDOM1
    next
    edit VDOM2
    next
end

config global

    config system interface
        edit "port1"
            set vdom "VDOM1"
            set ip 10.134.1.217 255.255.240.0

            set allowaccess ping
            set type physical
            set snmp-index 1
        next
        edit "mgmt"
            set vdom "root"
            set ip 10.5.17.217 255.255.240.0

            set allowaccess ping https ssh snmp http telnet
            set type physical
            set dedicated-to management
            set snmp-index 29
        next
        edit "vlan1-127"
            set vdom "VDOM1"
            set ip 10.127.1.217 255.255.240.0
            set allowaccess ping
            set snmp-index 41
            set interface "aux"
            set vlanid 127
        next
        edit "loop"
            set vdom "VDOM1"
            set ip 10.139.1.217 255.255.240.0
            set allowaccess ping
            set snmp-index 42
            set interface "port1"
            set vlanid 139
        next
    end
    config system snmp sysinfo
        set status enable

        set description "TestUnit3240C-217"
        set contact-info "tac@fortinet.com"
        set location "Sophia"
    end
    config system snmp community
        edit 1
            set name "TestCommunity"
            config hosts
                edit 1
                    set ip 10.5.0.0 255.255.0.0
                next
                edit 2
                    set ip 172.26.0.0 255.255.0.0
                next
            end
            set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open power-supply-failure faz-disconnect wc-ap-up wc-ap-down
        next
    end
end
 
config vdom
    edit VDOM1
        config router bgp
            set as 65567
            set router-id 10.5.17.217
            config neighbor
                edit "10.134.1.218"
                    set remote-as 65656
                    set send-community6 disable
                next
            end
            config network
                edit 1
                    set prefix 10.127.0.0 255.255.240.0
                next
                edit 2
                    set prefix 10.139.1.216 255.255.255.252
                next
            end
            config redistribute "connected"
                set status enable
            end
        end
    next
end


Troubleshooting:

Example:

 

snmpget -v2c -c TestCommunity-VDOM1 10.5.17.217 iso.3.6.1.2.1.15.2.0

The OID .1.3.6.1.2.1.15.2.0 is bgpLocalAs; the FortiGate returns Value (Integer): 65567, which matches 'set as 65567' in the VDOM1 BGP configuration.
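As an added example (not part of the original article and not Fortinet's own tooling), the following POSIX shell script wraps the command above: for each VDOM given on the command line it builds the <community>-<vdom> string, reads bgpLocalAs and walks bgpPeerState through the management interface, and reports peers that are not in Established (6). The device address and community are the article's lab values and are assumptions for any other environment; that the FortiGate answers the bgpPeerTable walk is an assumption based on the bgppeer_cache entries in the debug output below. The parsing functions work on net-snmp's plain output format (iso.3.6... = INTEGER: n) and can be checked offline on constructed lines.

```shell
#!/bin/sh
# Added example, not from the original article: query BGP state in one or
# more VDOMs through the management VDOM interface, using the
# "<community>-<vdom>" community convention. FGT and COMMUNITY are the
# article's lab values (assumptions for your environment).
set -eu

FGT="${FGT:-10.5.17.217}"                 # management VDOM interface
COMMUNITY="${COMMUNITY:-TestCommunity}"   # base community from 'config system snmp community'

# BGP4-MIB (RFC 1657) objects used below
OID_LOCAL_AS=".1.3.6.1.2.1.15.2.0"         # bgpLocalAs
OID_PEER_STATE=".1.3.6.1.2.1.15.3.1.2"     # bgpPeerState, indexed by peer address; 6 = established

# Build the per-VDOM community string the FortiGate expects.
vdom_community() {
    printf '%s-%s' "$1" "$2"
}

# Print the integer from the first net-snmp line on stdin that looks like
#   iso.3.6.1.2.1.15.2.0 = INTEGER: 65567
# Prints nothing for a timeout or error line, so the caller sees an empty value.
snmp_int() {
    awk '/= INTEGER:/ { print $NF; exit }'
}

# Read a bgpPeerState walk on stdin and print "<peer> <state>" for each peer
# whose state is not 6 (established). Input lines look like
#   iso.3.6.1.2.1.15.3.1.2.10.134.1.218 = INTEGER: 6
# where the last four OID components are the peer address.
peers_not_established() {
    awk '/= INTEGER:/ {
        n = split($1, o, ".")
        peer = o[n-3] "." o[n-2] "." o[n-1] "." o[n]
        if ($NF != 6) print peer, $NF
    }'
}

# Query one VDOM and print its local AS plus any peer that is not established.
# With no SNMP reply (manager outside the hosts ranges, snmp missing from
# allowaccess, wrong community) snmpget prints nothing and local_as is empty.
check_vdom() {
    vdom="$1"
    comm=$(vdom_community "$COMMUNITY" "$vdom")
    local_as=$(snmpget -v2c -c "$comm" "$FGT" "$OID_LOCAL_AS" 2>/dev/null | snmp_int)
    printf '%s: local AS %s\n' "$vdom" "${local_as:-<no answer>}"
    snmpwalk -v2c -c "$comm" "$FGT" "$OID_PEER_STATE" 2>/dev/null | peers_not_established |
    while read -r peer state; do
        printf '%s: peer %s in state %s (not established)\n' "$vdom" "$peer" "$state"
    done
}

# Each argument is a VDOM name to query, e.g. ./bgp_vdom_check.sh VDOM1 VDOM2
if [ $# -eq 0 ]; then
    echo "usage: $0 VDOM [VDOM ...]" >&2
else
    for v in "$@"; do check_vdom "$v"; done
fi
```

Run it from a host covered by one of the community's hosts entries, for example ./bgp_vdom_check.sh VDOM1 VDOM2. A missing reply is reported as <no answer> rather than aborting the run, so a VDOM whose answer is blocked by the hosts list or by allowaccess stands out next to the ones that answer.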

 

FortiGate debug:

 

diagnose debug application snmpd -1

diagnose debug enable

In the output below snmpd strips the VDOM suffix from "TestCommunity-VDOM1", validates the base community "TestCommunity", compares the requesting host 172.26.143.40 against each hosts entry of that community (10.5.0.0/16 does not match, 172.26.0.0/16 does), and only then looks up the BGP peer cache for vd=2, the index of VDOM1. The hosts entries of the base community are therefore what controls which managers may query any VDOM through this interface.

 snmpd: updating cache: idx_cache

 snmpd: <msg> 56 bytes 172.26.143.40:36298 -> 10.5.17.217/10.5.17.217:161 (itf 2.2)

 snmpd: checking if community "TestCommunity-VDOM1" is valid

 snmpd: checking against community "TestCommunity"

 snmpd: request 1(root)/2/172.26.143.40 != comm 1/0/10.5.0.0/255.255.0.0

 snmpd: request 1(root)/2/172.26.143.40 == comm 1/0/172.26.0.0/255.255.0.0

 snmpd: matched community "TestCommunity-VDOM1"

 snmpd: get     : bgpLocalAs.0 -> (snmpd: bgppeer_cache_lookup:280 try to find key(rmt_addr_idx1=0.0.0.0) next=1 self=1 vd=2

 snmpd: bgppeer_cache_lookup() fg_avl_min()

 snmpd: bgppeer_cache_lookup:348 key(rmt_addr_idx1=0.0.0.0) next=1 self=1 vd=2 found: entry(rmt_addr_idx1=10.5.17.217 flags=0x1)

The vd index in the snmpd output is mapped to a VDOM name with diagnose sys vd list (VDOM1 is index=2, root is index=0):

diagnose sys vd list

system fib version=58

list virtual firewall info:

   …/…

   name=VDOM1 index=2 enabled use=25 rt_num=4 asym_rt=0 sip_helper=1, sip_nat_trace=1, mc_fwd=1, mc_ttl_nc=0, tpmc_sk_pl=0 ecmp=source-ip-based asym_rt6=0 rt6_num=13 strict_src_check=0 dns_log=1 ses_num=1 ses6_pkt_num=17417

        tree_flag=1 tree6_flag=1 nataf=0 traffic_log=1 extended_traffic_log=0 svc_depth=2

        log_neigh=0, deny_tcp_with_icmp=0 ses_denied_traffic=no tcp_no_syn_check=0

        fw_session_hairpin=no

        ipv4_rate=0, ipv6_rate=0

   …/…

   name=root index=0 enabled use=155 rt_num=46 asym_rt=0 sip_helper=1, sip_nat_trace=1, mc_fwd=1, mc_ttl_nc=0, tpmc_sk_pl=0 ecmp=source-ip-based asym_rt6=0 rt6_num=70 strict_src_check=0 dns_log=1 ses_num6_num=0 pkt_num=335247

        tree_flag=1 tree6_flag=1 nataf=0 traffic_log=1 extended_traffic_log=0 svc_depth=1

        log_neigh=0, deny_tcp_with_icmp=0 ses_denied_traffic=no tcp_no_syn_check=0

        fw_session_hairpin=no

        ipv4_rate=0, ipv6_rate=0

   vf_count=7 vfe_count=48

 

Note:
In the snmpd debug output the field rmt_as is reused for both the local AS and the remote AS, which causes confusion while troubleshooting. In the example below the entry with flags=0x1 (key 0.0.0.0) is the FortiGate itself, so its rmt_as=75400 is the local AS shown by 'get router info bgp summary', while the entry keyed 10.10.1.1 carries the neighbor's real remote AS 65400.
    OfficeA # get router info bgp summary

    VRF 0 BGP router identifier 10.199.186.1, local AS number 75400
    BGP table version is 1
    2 BGP AS-PATH entries
    0 BGP community entries

    Neighbor        V   AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
    10.10.1.1       4   65400  27       29       0       0    0     00:00:24  1

    Total number of neighbors 1

SNMP Debug:

    2025-07-16 08:29:05 snmpd: update bgppeer_cache: vfid=0(root) type=4 total=4 dumpped=4
    2025-07-16 08:29:05 snmpd: bgppeer_cache: dump peer4 entry key(rmt_addr_idx1=10.10.1.1) loc_addr=10.10.1.3 flags=0x0 vd=1 rtr_id=192.219.1.3 state=6 adm_status=2 last_err=2/2 nego_ver=4 loc_port=179 rmt_port=24288 rmt_as=65400 in_updt=3 out_updt=2 in_tot_msg=28 out_tot_msg=32 fsm_est_trans=1 fsm_est_time=95 con_rtr_intvl=120 hold_time=180 keep_alive=60 min_as_orig_intvl=0 min_rt_advt_intv=30 in_updt_elapdt=94
    2025-07-16 08:29:05 snmpd: bgppeer_cache: dump peer4 entry key(rmt_addr_idx1=0.0.0.0) loc_addr=0.0.0.0 flags=0x1 vd=1 rtr_id=10.199.186.1 state=1 adm_status=2 last_err=0/0 nego_ver=0 loc_port=179 rmt_port=0 rmt_as=75400 in_updt=0 out_updt=0 in_tot_msg=0 out_tot_msg=0 fsm_est_trans=0 fsm_est_time=0 con_rtr_intvl=120 hold_time=0 keep_alive=0 min_as_orig_intvl=0 min_rt_advt_intv=0 in_updt_elapdt=18022
    2025-07-16 08:29:05 snmpd: bgppeer_cache: key(rmt_addr_idx1=0.0.0.0) next=0 self=1 vd=1 found: entry(rmt_addr_idx1=0.0.0.0 flags=0x1)
    ) -> 0
    2025-07-16 08:29:05 snmpd: get-next: bgpVersion.1 -> () -> 4
    2025-07-16 08:29:05 snmpd: get-next: bgpLocalAs -> (
    2025-07-16 08:29:05 snmpd: bgppeer_cache: try to find key(rmt_addr_idx1=0.0.0.0) next=0 self=1 vd=1
    2025-07-16 08:29:05 snmpd: bgppeer_cache: key(rmt_addr_idx1=0.0.0.0) next=0 self=1 vd=1 found: entry(rmt_addr_idx1=0.0.0.0 flags=0x1)
    ) -> 0
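Because the dump uses rmt_as for both values, the following filter, an added example that is not Fortinet's tooling and not part of the original article, reads snmpd debug output (one bgppeer_cache entry per line, as the device prints it; the line wrapping above is the article's layout) and labels each entry: flags=0x1 marks the self entry (keyed 0.0.0.0 in the dump above and 10.5.17.217 in the earlier debug), whose rmt_as is the local AS; every other entry is a neighbor whose rmt_as is a real remote AS. The two sample lines embedded in the script are constructed, shortened copies of the dump above.

```shell
#!/bin/sh
# Added example, not from the original article: label bgppeer_cache entries
# from 'diagnose debug application snmpd -1' so that rmt_as is read correctly.
# flags=0x1 marks the self entry, whose rmt_as is the local AS (see the dump
# in the article); other entries are neighbors and rmt_as is their remote AS.
set -eu

# Read debug lines on stdin, print one labelled line per peer4 dump entry.
classify_bgp_cache() {
    awk '
    /bgppeer_cache: dump peer4 entry/ {
        key = flags = asn = state = vd = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^key\(rmt_addr_idx1=/) {
                key = $i; sub(/^key\(rmt_addr_idx1=/, "", key); sub(/\)$/, "", key)
            } else if ($i ~ /^flags=/)  { flags = substr($i, 7) }
            else if   ($i ~ /^rmt_as=/) { asn   = substr($i, 8) }
            else if   ($i ~ /^state=/)  { state = substr($i, 7) }
            else if   ($i ~ /^vd=/)     { vd    = substr($i, 4) }
        }
        # The self entry carries the local AS in rmt_as; its state is not a
        # neighbor state and must not be read as a peer in Idle (1).
        if (flags == "0x1")
            printf "vd=%s local AS %s (self entry keyed %s, state=%s)\n", vd, asn, key, state
        else
            printf "vd=%s peer %s remote AS %s state=%s\n", vd, key, asn, state
    }'
}

# Constructed sample: two entries shortened from the dump in the article.
SAMPLE='2025-07-16 08:29:05 snmpd: bgppeer_cache: dump peer4 entry key(rmt_addr_idx1=10.10.1.1) loc_addr=10.10.1.3 flags=0x0 vd=1 rtr_id=192.219.1.3 state=6 adm_status=2 rmt_as=65400 in_updt=3
2025-07-16 08:29:05 snmpd: bgppeer_cache: dump peer4 entry key(rmt_addr_idx1=0.0.0.0) loc_addr=0.0.0.0 flags=0x1 vd=1 rtr_id=10.199.186.1 state=1 adm_status=2 rmt_as=75400 in_updt=0'

# Usage: ./bgp_cache_label.sh snmpd.log   (no argument: run on the sample)
if [ $# -gt 0 ]; then
    cat "$@" | classify_bgp_cache
else
    printf '%s\n' "$SAMPLE" | classify_bgp_cache
fi
```

On the sample the neighbor line is reported as remote AS 65400 in state 6 and the self entry as local AS 75400, which is the same split that 'get router info bgp summary' shows directly (local AS number 75400, neighbor AS 65400).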

Sniffer trace:

 

 

Related articles:

Technical Tip: Configuring SNMP when VDOM is enabled

Technical Tip: SNMP monitoring of BGP and OSPF neighbors in multiple VDOMs