Fortinet Forum
Djamil
New Contributor

SNMP blocked by IPv4 Policy

Hello guys,

I'm currently working on administering our FortiGates and monitoring them using LibreNMS.

My problem is with one FortiGate that has an IPv4 policy with the following configuration:

If I change the destination from the Virtual IP Group "LDLC-redirect-Zyxel" to "ALL", I can add this FortiGate to LibreNMS without any problem, but as soon as I put the Virtual IP Group back, I lose SNMP polling.

How can I solve this issue?
12 REPLIES
SJFriedl
New Contributor II

Something must be broken in the forum software, because I got the nightmare image paste you did. Maybe you have to *attach* it rather than just paste it in place?

emnoc
Esteemed Contributor III

Do you have a policy allowing SNMP from the src to the dst(s)? Since it works when you change it to all, that tells me your policy is bad.

Did you do a trace?

e.g. CLI cmds:

diag debug reset
diag debug enable
diag debug flow filter port 161
diag debug flow filter addr x.x.x.x
diag debug flow trace start 100

Do a poll from the NMS and see what policy it hits, or whether it hits policy 0.

After the diagnostic:

diag debug reset
diag debug disable

FWIW, diag debug is the first thing you should do when troubleshooting.

Ken Felix

PCNSE
NSE
StrongSwan

Djamil

I updated the post with the attached image, thank you

SJFriedl
New Contributor II

Djamil wrote:

I updated the post with the attached image, thank you

Hmm. If you're trying to poll the FortiGate itself, I'm not sure what the purpose of the VIP is; that sounds like it's going to terminate into some resource on the local network rather than on the FG itself.

Where is this virtual IP going to?

Djamil

emnoc wrote:

Do you have a policy allowing SNMP from the src to the dst(s)? Since it works when you change it to all, that tells me your policy is bad.

Did you do a trace?

e.g. CLI cmds:

diag debug reset
diag debug enable
diag debug flow filter port 161
diag debug flow filter addr x.x.x.x
diag debug flow trace start 100

Do a poll from the NMS and see what policy it hits, or whether it hits policy 0.

After the diagnostic:

diag debug reset
diag debug disable

FWIW, diag debug is the first thing you should do when troubleshooting.

Ken Felix

I did diag debug and I could see traffic coming in from my NMS server. In fact, I noticed that my problem is coming from the IPv4 policy: when I disable it, it works just fine and I can add my FortiGate to LibreNMS.

Djamil

SJFriedl wrote:

Djamil wrote:

I updated the post with the attached image, thank you

Hmm. If you're trying to poll the FortiGate itself, I'm not sure what the purpose of the VIP is; that sounds like it's going to terminate into some resource on the local network rather than on the FG itself.

Where is this virtual IP going to?

The Virtual IP is used to access an internal server using TCP and UDP; it's a DNAT rule.

I did a test and replaced the Virtual IP Group with "ALL" and it worked: I could add my FortiGate to LibreNMS, but I lost my DNAT.

emnoc
Esteemed Contributor III

So you're managing the FW that has the DNAT VIP on it? You do not need a policy for that, if that is what you're trying to do.

So let's back up: you have a WAN+INTERNAL setup, and you are using LibreNMS to poll the SNMP agent on the WAN side? If yes, did you enable allowaccess for "snmp"?

Also, did you run diag debug flow?

Ken Felix

PCNSE
NSE
StrongSwan

Djamil
New Contributor

emnoc wrote:

So you're managing the FW that has the DNAT VIP on it? You do not need a policy for that, if that is what you're trying to do.

The FW belongs to our client; the policy was already in place. To describe what I found (see the attached image):

1. They created two Virtual IPs, one for TCP and one for UDP.
2. They created one Virtual IP Group with the two Virtual IPs.
3. They created the IPv4 policy shown previously.

emnoc wrote:

So let's back up: you have a WAN+INTERNAL setup, and you are using LibreNMS to poll the SNMP agent on the WAN side? If yes, did you enable allowaccess for "snmp"?

Yes, SNMP is working just fine, because as soon as I remove the Virtual IP Group from the IPv4 policy and replace it with "ALL" it works.

emnoc
Esteemed Contributor III

You don't need a firewall policy to manage a firewall via SNMP.

Do a "show system interface wan1 | grep allowaccess".

Is SNMP enabled on the interface that you're trying to SNMP to? Now enable diag debug flow and run from LibreNMS:

diag debug reset
diag debug enable
diag debug flow filter dport 161
diag debug flow trace start 10

# LibreNMS
snmpwalk -v2c -c <community> x.x.x.x

What do you see?

Ken Felix

PCNSE
NSE
StrongSwan
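The trace emnoc asks for in both of his replies above tells you which way the FortiGate handled each probe from the NMS: a VIP DNAT rewrote it towards the internal server, a forward or local-in policy accepted it, or it was dropped on policy 0. Reading that by eye across many trace_ids is tedious, so here is an added example (my own, not from the thread, Fortinet or LibreNMS) in Python that groups a pasted `diag debug flow` trace by trace_id, reports the verdict per probe, flags UDP/161 packets that were DNATed by a VIP instead of reaching local-in, and checks that "snmp" is actually on the `set allowaccess` line of a `show system interface` dump (a plain grep for "snmp" would also match `snmp-index`). The sample trace and interface dump are constructed to approximate FortiOS output; the exact message texts and function names are assumptions from memory, not captured from the poster's device, and treating a packet routed to the unit itself with no drop line as accepted by local-in is also an assumption.

```python
"""Post-process FortiOS 'diagnose debug flow' output and a 'show system interface' dump.

All sample input below is constructed to approximate FortiOS output (assumption: real
message texts may differ slightly by release); it is not from the thread's device.
"""
import re
from collections import OrderedDict

# Constructed sample: three UDP/161 probes from an NMS at 192.0.2.10 to WAN address 198.51.100.1.
# trace 1: rewritten by a VIP and forwarded to the internal host (what a VIP group in the policy does)
# trace 2: routed to the unit itself, then dropped by local-in (policy 0 = implicit deny)
# trace 3: routed to the unit itself, no drop line (assumed accepted by local-in/allowaccess)
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=17, 192.0.2.10:51234->198.51.100.1:161) from wan1. "
id=20085 trace_id=1 func=init_ip_session_common line=5794 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=fw_pre_route_handler line=184 msg="VIP-10.10.10.20:161, outdev-wan1"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3377 msg="DNAT 198.51.100.1:161->10.10.10.20:161"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.10.10.20 via internal"
id=20085 trace_id=1 func=fw_forward_handler line=751 msg="Allowed by Policy-5:"
id=20085 trace_id=2 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=17, 192.0.2.10:51235->198.51.100.1:161) from wan1. "
id=20085 trace_id=2 func=init_ip_session_common line=5794 msg="allocate a new session-0000a1b3"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=80000000 gw-198.51.100.1 via root"
id=20085 trace_id=2 func=fw_local_in_handler line=428 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=3 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=17, 192.0.2.10:51236->198.51.100.1:161) from wan1. "
id=20085 trace_id=3 func=init_ip_session_common line=5794 msg="allocate a new session-0000a1b4"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2581 msg="find a route: flag=80000000 gw-198.51.100.1 via root"
"""

# Constructed sample of 'show system interface wan1'. Note 'snmp-index' also contains 'snmp'.
SAMPLE_SHOW_INTERFACE = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping https ssh snmp
        set type physical
        set snmp-index 1
    next
end
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+)\) from (?P<iface>\S+)\.')
DNAT_RE = re.compile(r'^DNAT (?P<before>[\d.]+:\d+)->(?P<after>[\d.]+:\d+)$')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<pid>\d+)')
DENY_FWD_RE = re.compile(r'Denied by forward policy check \(policy (?P<pid>\d+)\)')
LOCALIN_DROP_RE = re.compile(r'iprope_in_check\(\) check failed on policy (?P<pid>\d+), drop')
LOCAL_ROUTE_RE = re.compile(r'find a route: flag=80000000')  # route to the unit itself


def parse_flow_trace(text):
    """Group a debug-flow trace by trace_id; extract the packet tuple, any DNAT and the verdict."""
    sessions = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        tid, func, msg = m.group("tid"), m.group("func"), m.group("msg")
        s = sessions.setdefault(tid, {"src": None, "dst": None, "iface": None, "proto": None,
                                      "dnat": None, "local_route": False, "verdict": None})
        pkt = PKT_RE.search(msg)
        if pkt:
            s.update(src=pkt["src"], dst=pkt["dst"], iface=pkt["iface"], proto=int(pkt["proto"]))
            continue
        dn = DNAT_RE.match(msg)
        if dn:
            s["dnat"] = dn["after"]          # VIP rewrote the destination before policy lookup
            continue
        if LOCAL_ROUTE_RE.search(msg):
            s["local_route"] = True
            continue
        al = ALLOW_RE.search(msg)
        if al:
            s["verdict"] = f"allowed by policy {al['pid']}"
            continue
        d = DENY_FWD_RE.search(msg) or LOCALIN_DROP_RE.search(msg)
        if d:
            where = "local-in" if func == "fw_local_in_handler" else "forward"
            s["verdict"] = f"dropped by {where} policy {d['pid']}"
    for s in sessions.values():
        if s["verdict"] is None:
            # Assumption: a packet routed to the unit itself with no drop line reached local-in
            # (allowaccess) and was handed to the SNMP agent.
            s["verdict"] = "delivered to local-in (no drop seen)" if s["local_route"] else "no verdict in trace"
    return sessions


def snmp_rewritten_by_vip(sessions, snmp_port=161):
    """Trace ids where UDP to the SNMP port was DNATed by a VIP instead of reaching local-in."""
    return [tid for tid, s in sessions.items()
            if s["proto"] == 17 and s["dst"] and s["dst"].endswith(f":{snmp_port}") and s["dnat"]]


def allowaccess_services(show_output):
    """Services on the 'set allowaccess' line only (a grep for 'snmp' would also hit 'snmp-index')."""
    m = re.search(r'^\s*set allowaccess\s+(.+?)\s*$', show_output, re.M)
    return set(m.group(1).split()) if m else set()


def summarize(text):
    """One line per trace_id: tuple, ingress interface, DNAT (if any) and verdict."""
    out = []
    for tid, s in parse_flow_trace(text).items():
        nat = f" -> DNAT to {s['dnat']}" if s["dnat"] else ""
        out.append(f"trace {tid}: {s['src']} -> {s['dst']} on {s['iface']}{nat}: {s['verdict']}")
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_TRACE):
        print(line)
    print("SNMP probes hijacked by a VIP:", snmp_rewritten_by_vip(parse_flow_trace(SAMPLE_TRACE)))
    print("snmp in allowaccess:", "snmp" in allowaccess_services(SAMPLE_SHOW_INTERFACE))
```

Paste the output of `diag debug flow trace start` into `SAMPLE_TRACE` (or read it from a file) after running snmpwalk from the NMS; if a UDP/161 probe to the WAN address shows up with a DNAT line, the VIP is taking the packet before the local-in (allowaccess) check gets it, which is exactly the case where "snmp" in allowaccess is present but polling still fails.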