Troubleshooting Tip: Troubleshooting SNMP query failure from the SNMP manager to the firewall

First, verify that there are indeed packets being sent from the SNMP manager to the firewall. To do so, run the following CLI command:

diag sniffer packet any 'host SNMP-manager-ip' 4 0 a

After executing this command, send an SNMP query from the SNMP manager to make sure there are packets reaching the firewall. If the packets do not reach the firewall, validate the internal network.

The SNMP manager IP must be added under System -> SNMP -> SNMP V2 or SNMP V3 settings as shown below:

Also, SNMP should be enabled in the corresponding firewall interface as shown in the image below:

Important: the SNMP community names mentioned in the firewall and the SNMP manager must be the same.

For example: in the following SNMP setting, the SNMP community name was configured as 'public', so the same should be defined in the SNMP manager.

Additional Debugs: Conduct a debug flow to verify traffic is being accepted: 
 
If encountering the traffic being dropped due to the implicit deny (Failed on policy 0), verify there are no trusted hosts configured under System Administrators. If so, it is necessary to include the SNMP server IPS. 
 
In addition, verify the port is open for listening: diagnose sys udpsock | grep 161.
 
If the above is validated, also check which protocol the SNMP manager is using when the traffic is received. In some instances, collectors may utilize TCP (proto =6) but the firewall by design utilizes UDP (proto =17) for SNMP. 

Reference for debug flow: Troubleshooting Tip: First steps to troubleshoot connectivity problems to or through a FortiGate wit...

If the problem persists after verifying all of these settings, contact TAC for further support.