Technical Tip: SNMP traffic is blocked due to a local-in policy violation

elvikola · ‎11-26-2025

Description

This article describes the steps to resolve the SNMP traffic policy violation issue. The issue occurs when the SNMP traffic is blocked due to a local-in policy violation, and debug flow show output as below:

id=65308 trace_id=110 func=print_pkt_detail line=5813 msg="vd-root:0 received a packet(proto=17, 10.10.3.6:54923->10.10.1.11:161) tun_id=0.0.0.0 from Vlan.934. "

id=65308 trace_id=110 func=init_ip_session_common line=5997 msg="allocate a new session-00f3d090" id=65308
trace_id=110 func=vf_ip_route_input_common line=2611 msg="find a route: flag=84000000 gw-10.10.1.11 via root"
id=65308 trace_id=110 func=__iprope_tree_check line=539 msg="gnum-100004, use addr/intf hash, len=74"

id=65308 trace_id=1304 func=__iprope_check_one_policy line=2243 msg="policy-4294967295 is matched, act-drop"
id=65308 trace_id=1304 func=__iprope_check line=2290 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000801, flag2-00000000"
id=65308 trace_id=1304 func=iprope_policy_group_check line=4694 msg="after check: ret-matched, act-drop, flag-00000801, flag2-00000000"
id=65308 trace_id=110 func=fw_local_in_handler line=606 msg="iprope_in_check() check failed on policy 0, drop"

Scope

FortiGate, FortiOS.

Solution

Make sure that not all the admin users have a trusted-host set.

To resolve the SNMP traffic policy violation issue, follow these steps:

Go to System -> Administrator -> Select the admin user.
Add the SNMP collector IP address to the Trusted Host configuration. For example, if the SNMP collector IP address is 10.10.3.2, add 10.10.3.2/32 to the trusted host list.
Save the changes and verify that the SNMP traffic is no longer blocked.

By adding the SNMP collector IP to the trusted host configuration, the SNMP traffic policy violation issue is resolved, and SNMP polling works.

Technical Tip: SNMP traffic is blocked due to a local-in policy violation

You are leaving our website