FortiGate
Anonymous
Article Id 267941
Description

This article describes troubleshooting steps to undertake when an SNMP query from the SNMP manager to the firewall fails.

Scope

FortiGate.
Solution

Verify that packets are actually being sent from the SNMP manager to the firewall. To do so, run the following CLI command (sniff on all interfaces, filter on the manager's IP address, verbosity level 6, unlimited packet count, local timestamps):

diagnose sniffer packet any 'host SNMP-manager-ip' 6 0 l

While the sniffer is running, send an SNMP query from the SNMP manager and confirm that the packets reach the firewall. If they do not, the problem is upstream of the FortiGate: validate the internal network path (routing, intermediate firewalls, and the target address configured on the manager).


Packet captures can also be taken from the FortiGate GUI.

Refer to the FortiGate packet capture tool GUI.


The SNMP manager's IP address must be added as a host under System -> SNMP, in the SNMP v1/v2c community or the SNMP v3 user that the manager uses; queries from addresses that are not in the host list are silently ignored. The settings are shown below:


Picture3.png


Important:

For SNMP v1/v2c the community name, and for SNMP v3 the user name, security level, and authentication/privacy (encryption) protocols and passwords, must be identical on the firewall and on the SNMP manager.

For example, in the above SNMP setting, the SNMP community name was configured as 'public', so the same should be defined in the SNMP manager.


Note: Using 'public' as the community name for SNMP v1/v2c is not considered safe. 'public' is the default, well-known string, and in v1/v2c the community name is the only form of authentication and travels in cleartext, so anyone who can reach UDP/161 on the firewall and guesses the name can read the whole MIB. Use a unique community name together with a restricted host list, or preferably SNMP v3 with both authentication and privacy enabled.


SNMP must be enabled in the administrative access settings of the firewall interface that receives the queries (Network -> Interfaces -> select the interface -> Administrative Access, or 'allowaccess' in the CLI). Without it the query is dropped even when the host list and community are correct. The setting is shown in the image below:


Picture2.png 

Additional debugs: run a debug flow to verify that the traffic is being accepted rather than dropped. Filter on the SNMP manager's IP address, enable the output, then start the trace for a limited number of packets:

diagnose debug flow filter addr <SNMP manager IP address>

diagnose debug flow show iprope enable

diagnose debug flow show function-name enable

diagnose debug enable

diagnose debug flow trace start <number of packets to be analyzed>

Send the SNMP query again while the trace is running. When finished, stop the trace and clear the filter (diagnose debug flow trace stop, diagnose debug flow filter clear, diagnose debug disable) so the debug output does not keep running on the firewall.

Screenshot 2025-08-20 163336.png 
If the debug flow shows the traffic being dropped by the implicit deny ('Failed on policy 0'), verify whether trusted hosts are configured under System -> Administrators. When trusted hosts are defined, the FortiGate only accepts management traffic, including SNMP, from those addresses, so the SNMP manager's IP address must be added as a trusted host.


Picture1.png 
In addition, verify that the SNMP agent is actually listening on the port: diagnose sys udpsock | grep 161. If no UDP socket bound to port 161 is listed, the SNMP agent itself is not enabled (System -> SNMP -> SNMP Agent).

If all of the above is validated, check which transport the SNMP manager uses when the traffic is received. In the sniffer output the queries must arrive as UDP (proto 17) on port 161. Some collectors can be configured to use TCP (proto 6), but the FortiGate SNMP agent, by design, listens on UDP only, so TCP queries are never answered.
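To confirm from the manager side that the firewall answers at all, independently of the NMS software, the following added example (not code from this article or from Fortinet; it uses only the Python standard library) hand-builds an SNMPv2c GetRequest for sysDescr.0, sends it over UDP/161 and decodes the GetResponse. The target host, the community string and the sample response are constructed values. Because the community is an ordinary OCTET STRING in the message, the script also makes the cleartext point above visible: the word 'public' appears unencrypted in the packet bytes.

```python
"""Minimal SNMPv2c GET probe for a FortiGate (added example, not Fortinet's code).
Builds a GetRequest for sysDescr.0 by hand, sends it over UDP/161 and decodes the
GetResponse. Standard library only; every sample value below is constructed."""
import socket

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"   # sysDescr.0, answered by every SNMP agent

# ---- BER (ASN.1) encoding ----------------------------------------------------
def _length(n):
    """Definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def _integer(v):
    # smallest two's-complement form (128 needs a leading 0x00 byte)
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])        # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                                   # base-128, high bit = "more follows"
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

def _message(community, pdu_tag, request_id, varbind):
    pdu = _tlv(pdu_tag, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbind))
    # version 1 means SNMPv2c; the community is a plain OCTET STRING, readable on the wire
    return _tlv(0x30, _integer(1) + _tlv(0x04, community.encode()) + pdu)

def build_get_request(community, oid, request_id):
    """GetRequest-PDU (tag 0xA0) with one varbind whose value is NULL."""
    return _message(community, 0xA0, request_id, _tlv(0x30, _oid(oid) + _tlv(0x05, b"")))

def build_get_response(community, oid, request_id, value):
    """GetResponse-PDU (tag 0xA2); used here only to construct a sample reply."""
    return _message(community, 0xA2, request_id, _tlv(0x30, _oid(oid) + _tlv(0x04, value)))

# ---- decoding ----------------------------------------------------------------
def _read_tlv(buf, pos):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                    # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def parse_response(pkt, expected_request_id):
    """Decode a GetResponse; raise ValueError for anything else."""
    tag, msg, _ = _read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, p = _read_tlv(msg, 0)
    _, community, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU (tag 0x%02x)" % pdu_tag)
    _, rid, p = _read_tlv(pdu, 0)
    _, err, p = _read_tlv(pdu, p)
    _, _idx, p = _read_tlv(pdu, p)
    _, vb_list, _ = _read_tlv(pdu, p)
    if int.from_bytes(rid, "big", signed=True) != expected_request_id:
        raise ValueError("request-id mismatch (stale or spoofed reply)")
    _, vb, _ = _read_tlv(vb_list, 0)
    _, _oid_bytes, p = _read_tlv(vb, 0)
    vtag, value, _ = _read_tlv(vb, p)
    # SNMPv2c reports a missing object as a context tag instead of a value
    missing = {0x80: "noSuchObject", 0x81: "noSuchInstance", 0x82: "endOfMibView"}
    return {"version": int.from_bytes(version, "big"),
            "community": community.decode(errors="replace"),
            "error_status": int.from_bytes(err, "big", signed=True),
            "value": missing.get(vtag, value)}

def probe(host, community, oid=SYS_DESCR_0, timeout=2.0, request_id=0x1234):
    """One GET over UDP/161 (FortiGate does not answer SNMP over TCP). Returns the
    decoded reply, or None on timeout: the agent stays silent when the sender is not
    in the SNMP host list, SNMP is not allowed on the interface, a trusted-host
    restriction blocks it, or the community does not match."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid, request_id), (host, 161))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_response(data, request_id)

if __name__ == "__main__":
    import sys  # usage: python3 snmp_probe.py <fortigate-ip> [community]
    print(probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "public"))
```

A result of None means the firewall dropped the query, which is exactly the case to pair with the debug flow above (host list, administrative access, trusted hosts, or a community mismatch). A decoded reply proves that the agent and the UDP transport work end to end, which narrows the problem to the manager's own configuration, for example a collector set to TCP.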

Reference for debug flow:

Troubleshooting Tip: First steps to troubleshoot connectivity problems to or through a FortiGate wit...


Note:

Make sure the FortiGate is not receiving the query on, or sending the reply from, a different interface or route than expected: the reply to the SNMP manager follows the routing table, so asymmetric routing results in queries that time out even though the request was accepted. If the problem persists after all of these settings have been verified, contact TAC for further support.