FortiGate
ametkola
Staff
Article Id 383442
Description This article describes an issue that occurs after the FortiGate firmware is updated to v7.4.6: the SNMP server stops showing data for the event fgAvVirusDetected, OID .1.3.6.1.4.1.12356.101.8.2.1.1.1.
Scope FortiGate.
Solution

The following SNMP configuration is in place on the FortiGate, with a Checkmk server as the SNMP server.

 

config system snmp sysinfo
    set status enable
    set description "Firewall"
    set contact-info "admin"
    set append-index enable
end
config system snmp community
    edit 1
        set name "public"
        set status disable
        config hosts
            edit 1
                set ip 10.10.10.0 255.255.255.255
                set ha-direct enable
                set host-type trap
            next
        end
        set query-v1-status disable
        set query-v2c-status disable
        set trap-v1-status disable
        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change fm-conf-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open faz-disconnect wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down load-balance-real-server-down per-cpu-high
    next
end

 

The SNMP server reports that fgAvVirusDetected is not present. With the SNMP debug enabled, the output shows a failure when getting the status of fgAvStatsEntry.

To start the debug, use the commands:

 

diagnose deb reset
diagnose deb console timestamp ena
diagnose debug application snmpd -1
diagnose debug flow show console enable
diagnose debug en


To stop the debug, use the command:

 

diagnose deb disable

 

2025-03-10 17:24:37 snmpd: usm scopedpdu parse: scoped PDU sz=62
2025-03-10 17:24:37 snmpd: data [(62) (30 3c 04 15 80 00 30 44 04 46 47 54 36 30 45 54 4b 31 38 30 39 39 4b 37 36 04 00 a0 21 02 04 16 1b d4 d2 02 01 00 02 01 00 30 13 30 11 06 0d 2b 06 01 04 01 e0 44 65 08 02 01 01 01 05 00 )(0<....0D.FGT60ETK18099K76...!............0.0...+.....De.......)]
2025-03-10 17:24:37 snmpd: usm scopedpdu parse: msgData (0 left)
2025-03-10 17:24:37 snmpd: usm scopedpdu parse: msgType: 0xa0 (33 left)
2025-03-10 17:24:37 snmpd: usm scopedpdu parse: b_vars: <>(19) (0 left)
2025-03-10 17:24:37 snmpd: v3 recv: get
2025-03-10 17:24:37 snmpd: get : fgAvStatsEntry.1 -> () -> 4 <<----------------
2025-03-10 17:24:37 snmpd: snmp_get failed : 4
2025-03-10 17:24:37 snmpd: </msg> 1

2025-03-10 17:24:38 snmpd: v3 recv: get-bulk
2025-03-10 17:24:38 snmpd: get-next: fgAvStatsEntry.2 -> (
2025-03-10 17:24:38 snmpd: avstats_cache: try to find key (vd_idx = 0) next = 1
2025-03-10 17:24:38 snmpd: avstats_cache: fg_avl_traverse()
2025-03-10 17:24:38 snmpd: avstats_cache: key (vd_idx = 0) next = 1 not found <<---------
2025-03-10 17:24:38 snmpd: avstats_cache: try to find key (vd_idx = 0) next = 1
2025-03-10 17:24:38 snmpd: avstats_cache: fg_avl_traverse()
2025-03-10 17:24:38 snmpd: avstats_cache: key (vd_idx = 0) next = 1 not found <<----------
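
To confirm which OID a failed request asked for, the BER-encoded scoped PDU in the "data [...]" debug line can be decoded offline and paired with the "snmp_get failed" line that follows it. The Python below is an added example, not Fortinet code; the function names are hypothetical and the sample lines are copied from the debug output above. For this capture it yields 1.3.6.1.4.1.12356.101.8.2.1.1.1, the fgAvVirusDetected OID from the description.

```python
import re

# Sample lines copied from the snmpd debug output shown above.
SAMPLE = """\
2025-03-10 17:24:37 snmpd: data [(62) (30 3c 04 15 80 00 30 44 04 46 47 54 36 30 45 54 4b 31 38 30 39 39 4b 37 36 04 00 a0 21 02 04 16 1b d4 d2 02 01 00 02 01 00 30 13 30 11 06 0d 2b 06 01 04 01 e0 44 65 08 02 01 01 01 05 00 )(0<....0D.FGT60ETK18099K76...!............0.0...+.....De.......)]
2025-03-10 17:24:37 snmpd: v3 recv: get
2025-03-10 17:24:37 snmpd: snmp_get failed : 4
"""

def decode_oid(body):
    """Decode the content bytes of a BER OBJECT IDENTIFIER to dotted form."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)   # base-128, 7 bits per byte
        if not b & 0x80:                # high bit clear ends the arc
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)       # first value packs two arcs: 40*X + Y
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def walk_oids(buf):
    """Walk BER TLVs, descend into constructed ones, collect every OID."""
    i, found = 0, []
    while i + 2 <= len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:               # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        value = buf[i:i + length]
        if tag & 0x20:                  # constructed: SEQUENCE, PDU (0xa0)
            found += walk_oids(value)
        elif tag == 0x06 and value:     # OBJECT IDENTIFIER
            found.append(decode_oid(value))
        i += length
    return found

DATA = re.compile(r"snmpd: data \[\(\d+\) \(((?:[0-9a-f]{2} )+)\)")
FAIL = re.compile(r"^(\S+ \S+) snmpd: snmp_get failed : (\d+)")

def failed_gets(log):
    """Return (timestamp, requested OIDs, error code) per failed get."""
    oids, out = [], []
    for line in log.splitlines():
        if m := DATA.search(line):
            oids = walk_oids(bytes.fromhex(m.group(1)))
        elif m := FAIL.match(line):
            out.append((m.group(1), oids, int(m.group(2))))
    return out
```

Calling failed_gets() on a saved debug capture lists every failed get with the OID the SNMP server requested, which makes it easy to compare the same poll before and after the firmware update.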

 

The issue is fixed by updating the firewall to v7.4.7.

 

Note:

The list of MIBs, and the changes to each of them across firmware versions, can be checked at the link: MIBs