FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
syordanov
Staff
Article Id 335112
Description This article describes how to perform SNMPv3 queries against non-management VDOMs.
Scope FortiGate v7.6.0, SNMPv3.
Solution

When FortiGate is configured in multi-VDOM mode, only the management VDOM answers SNMP queries by default.

FortiOS v7.6.0 introduced a new feature that allows non-management VDOMs to answer SNMPv3 queries.

[Image: snmpv3_KB.PNG]

The root VDOM acts as the management VDOM, and vdom_1 is a non-management VDOM. Port wan1, with IP address 10.191.20.48, belongs to vdom_1.

When the SNMP station performs an SNMPv3 query, FortiGate does not respond.

FortiOS 7.6.0 GA introduced a new feature that allows SNMPv3 queries to a non-management VDOM. It is enabled with the following CLI commands (the second 'end' leaves the global context):

config global
    config system snmp sysinfo
        set non-mgmt-vdom-query enable
    end
end


The default value of 'non-mgmt-vdom-query' is disable. Once enabled, non-management VDOMs can respond to SNMPv3 queries. Keep in mind that 'snmp' must be included in 'allowaccess' on the interface that the SNMP station queries:


config system interface
    edit "wan1"
        set vdom "vdom_1"
        set ip 10.191.20.48 255.255.240.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set role wan
        set snmp-index 3
    next
end

Before the change (requests reach wan1, but FortiGate sends no replies):


diagnose sniffer packet any " host 10.191.19.9" 4
interfaces=[any]
filters=[ host 10.191.19.9]
2.897778 wan1 in 10.191.19.9.51772 -> 10.191.20.48.161: udp 42
3.898823 wan1 in 10.191.19.9.51772 -> 10.191.20.48.161: udp 42
4.899998 wan1 in 10.191.19.9.51772 -> 10.191.20.48.161: udp 42
5.901203 wan1 in 10.191.19.9.51772 -> 10.191.20.48.161: udp 42

After implementing the change (each request is now followed by an outbound reply):


diagnose sniffer packet any " host 10.191.19.9" 4
interfaces=[any]
filters=[ host 10.191.19.9]
2.079355 wan1 in 10.191.19.9.40236 -> 10.191.20.48.161: udp 64
2.079424 wan1 out 10.191.20.48.161 -> 10.191.19.9.40236: udp 127
2.080096 wan1 in 10.191.19.9.40236 -> 10.191.20.48.161: udp 129
2.080124 wan1 out 10.191.20.48.161 -> 10.191.19.9.40236: udp 141
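As an added verification aid (not part of the article and not FortiOS code), the following Python script parses 'diagnose sniffer packet' verbosity-4 output like the captures above and reports which SNMP stations sent requests to UDP port 161 without ever receiving a reply, which separates the "before" state from the "after" state without reading the capture by hand. The sample captures are constructed from the article's own lines.

```python
import re
from collections import defaultdict

# Constructed sample captures in the format of FortiGate's
# 'diagnose sniffer packet ... 4' output, mirroring the article's
# before/after sessions; header lines such as interfaces=[any] are skipped.
BEFORE = """\
2.897778 wan1 in 10.191.19.9.51772 -> 10.191.20.48.161: udp 42
3.898823 wan1 in 10.191.19.9.51772 -> 10.191.20.48.161: udp 42
"""
AFTER = """\
2.079355 wan1 in 10.191.19.9.40236 -> 10.191.20.48.161: udp 64
2.079424 wan1 out 10.191.20.48.161 -> 10.191.19.9.40236: udp 127
2.080096 wan1 in 10.191.19.9.40236 -> 10.191.20.48.161: udp 129
2.080124 wan1 out 10.191.20.48.161 -> 10.191.19.9.40236: udp 141
"""

# One line: "<ts> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: udp <len>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)$"
)

def parse_sniffer(text):
    """Yield one dict per parsed UDP line; anything else is ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            yield d

def snmp_query_summary(text, snmp_port=161):
    """Count inbound requests to and outbound replies from the SNMP port, per station."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0})
    for p in parse_sniffer(text):
        if p["dir"] == "in" and p["dport"] == snmp_port:
            stats[(p["src"], p["sport"])]["requests"] += 1
        elif p["dir"] == "out" and p["sport"] == snmp_port:
            stats[(p["dst"], p["dport"])]["replies"] += 1
    return dict(stats)

def unanswered_stations(text, snmp_port=161):
    """Stations whose requests got no reply at all: the symptom seen before the change."""
    return sorted(k for k, v in snmp_query_summary(text, snmp_port).items()
                  if v["requests"] and not v["replies"])

if __name__ == "__main__":
    print(unanswered_stations(BEFORE), unanswered_stations(AFTER))
```

On a live unit, paste the sniffer output into a file and pass its contents to unanswered_stations(); a non-empty result means the queried VDOM is still not answering.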

For troubleshooting, collect the output of the following debug commands in two separate terminal sessions:

Putty1:


diagnose debug application snmpd -1
diagnose debug console timestamp enable
diagnose debug enable

To disable debugging after the logs have been collected:

diagnose debug disable
diagnose debug reset

Putty2:

diagnose sniffer packet any "port 161 or port 162" 6 0 l

Related document:

Non-management VDOMs perform queries using SNMP v3