FortiGate
syordanov
Staff
Article Id 335112
Description This article describes how to perform SNMPv3 queries against non-management VDOMs.
Scope FortiOS 7.6.0, SNMPv3.
Solution

Before FortiOS 7.6.0, when FortiGate is configured in multi-VDOM mode, SNMP queries are only answered by the management VDOM.

FortiOS 7.6.0 introduced a new feature that allows non-management VDOMs to answer SNMPv3 queries.

[Figure snmpv3_KB.PNG: lab topology used in this article]

The root VDOM acts as the management VDOM. vdom_1 is a non-management VDOM. Port wan1, with IP address 10.191.20.48, belongs to vdom_1.


When the SNMP station sends an SNMPv3 query to wan1 (in vdom_1), FortiGate does not respond.

FortiOS 7.6.0 GA introduced a feature that allows SNMPv3 queries to non-management VDOMs. It is enabled with the following CLI commands:


config global
    config system snmp sysinfo
        set non-mgmt-vdom-query enable
    end
end


The default value of 'non-mgmt-vdom-query' is disable. Once it is enabled, non-management VDOMs respond to SNMPv3 queries. Keep in mind that 'snmp' must also be included in 'allowaccess' on the interface the SNMP station queries, as in the wan1 configuration below:


config system interface
    edit "wan1"
        set vdom "vdom_1"
        set ip 10.191.20.48 255.255.240.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set role wan
        set snmp-index 3
    next
end


Before the change:


diagnose sniffer packet any " host 10.191.19.9" 4
interfaces=[any]
filters=[ host 10.191.19.9]
2.897778 wan1 in 10.191.19.9.51772 -> 10.191.20.48.161: udp 42
3.898823 wan1 in 10.191.19.9.51772 -> 10.191.20.48.161: udp 42
4.899998 wan1 in 10.191.19.9.51772 -> 10.191.20.48.161: udp 42
5.901203 wan1 in 10.191.19.9.51772 -> 10.191.20.48.161: udp 42


After implementing the change:


diagnose sniffer packet any " host 10.191.19.9" 4
interfaces=[any]
filters=[ host 10.191.19.9]
2.079355 wan1 in 10.191.19.9.40236 -> 10.191.20.48.161: udp 64
2.079424 wan1 out 10.191.20.48.161 -> 10.191.19.9.40236: udp 127
2.080096 wan1 in 10.191.19.9.40236 -> 10.191.20.48.161: udp 129
2.080124 wan1 out 10.191.20.48.161 -> 10.191.19.9.40236: udp 141
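The two captures above are read by eye: in the first, only inbound packets to UDP/161 appear; in the second, every request is followed by an outbound reply. The following Python script is an added example (it is not part of the original article and is not Fortinet code) that automates that check. It parses the text produced by 'diagnose sniffer packet ... 4' (verbosity 4, which prints the interface and direction), pairs inbound SNMP requests with outbound replies by station address and source port, and lists the flows that never got an answer. The capture text embedded below is copied from the article; the function names are my own.

```python
import re
from collections import defaultdict

# One packet line of 'diagnose sniffer packet <iface> "<filter>" 4' output, e.g.
# 2.897778 wan1 in 10.191.19.9.51772 -> 10.191.20.48.161: udp 42
# Header lines such as interfaces=[any] / filters=[...] do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)$"
)

SNMP_PORT = 161  # SNMP agent port the station queries

# Capture taken before enabling non-mgmt-vdom-query (copied from the article).
BEFORE_CAPTURE = """\
diagnose sniffer packet any " host 10.191.19.9" 4
interfaces=[any]
filters=[ host 10.191.19.9]
2.897778 wan1 in 10.191.19.9.51772 -> 10.191.20.48.161: udp 42
3.898823 wan1 in 10.191.19.9.51772 -> 10.191.20.48.161: udp 42
4.899998 wan1 in 10.191.19.9.51772 -> 10.191.20.48.161: udp 42
5.901203 wan1 in 10.191.19.9.51772 -> 10.191.20.48.161: udp 42
"""

# Capture taken after enabling non-mgmt-vdom-query (copied from the article).
AFTER_CAPTURE = """\
diagnose sniffer packet any " host 10.191.19.9" 4
interfaces=[any]
filters=[ host 10.191.19.9]
2.079355 wan1 in 10.191.19.9.40236 -> 10.191.20.48.161: udp 64
2.079424 wan1 out 10.191.20.48.161 -> 10.191.19.9.40236: udp 127
2.080096 wan1 in 10.191.19.9.40236 -> 10.191.20.48.161: udp 129
2.080124 wan1 out 10.191.20.48.161 -> 10.191.19.9.40236: udp 141
"""


def parse_sniffer(text):
    """Return one dict per packet line; non-matching (header) lines are ignored."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkt = m.groupdict()
        pkt["ts"] = float(pkt["ts"])
        for key in ("sport", "dport", "len"):
            pkt[key] = int(pkt[key])
        packets.append(pkt)
    return packets


def snmp_flow_summary(text):
    """Count requests and replies per SNMP flow.

    A flow is keyed by (station_ip, station_port, agent_ip). Inbound packets to
    UDP/161 are requests; outbound packets from UDP/161 back to the same station
    address and port are replies to that flow.
    """
    flows = defaultdict(lambda: {"requests": 0, "replies": 0})
    for p in parse_sniffer(text):
        if p["dir"] == "in" and p["dport"] == SNMP_PORT:
            flows[(p["src"], p["sport"], p["dst"])]["requests"] += 1
        elif p["dir"] == "out" and p["sport"] == SNMP_PORT:
            flows[(p["dst"], p["dport"], p["src"])]["replies"] += 1
    return dict(flows)


def unanswered_flows(text):
    """Flows that carried at least one request but never saw a reply from the agent."""
    return [
        key for key, counts in snmp_flow_summary(text).items()
        if counts["requests"] > 0 and counts["replies"] == 0
    ]


if __name__ == "__main__":
    for label, capture in (("before", BEFORE_CAPTURE), ("after", AFTER_CAPTURE)):
        print(f"{label}: {snmp_flow_summary(capture)}")
        print(f"{label}: unanswered flows = {unanswered_flows(capture)}")
```

Run against the first capture the script reports one flow with four requests and no replies, which is exactly the symptom described in the article: the agent in vdom_1 silently drops the query. Against the second capture it reports two requests and two replies, so the flow is no longer listed as unanswered. In an SNMPv3 exchange the first request/reply pair is typically the engine ID discovery (a Report PDU comes back), and the second pair is the authenticated Get, which matches the growing packet sizes in the capture. On a live unit, pipe the sniffer output captured over SSH into parse_sniffer to reuse the same check; the regex only needs verbosity level 4 so that the direction field is present.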