Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
arch7
New Contributor

[SOLVED] Unable to poll the firewall with SNMP

Good morning,

 

I'm trying to monitor my Fortigate 60D (v5.4.1,build5447 (GA)) using a monitoring tool that uses SNMP.

I have enabled the LAN interface to allow SNMP Packets

config system interface
    edit "Transit"
        set vdom "root"
        set mode static
        set dhcp-relay-service disable
        set ip 10.0.0.2 255.255.255.252
        set allowaccess ping https ssh snmp fgfm
        set pptp-client disable
        set arpforward enable
        set broadcast-forward disable
        set bfd global
        set l2forward disable
        set icmp-redirect enable
        set vlanforward disable
        set stpforward disable
        set ips-sniffer-mode disable
        set ident-accept disable
        set ipmac disable
        set subst disable
        set substitute-dst-mac 00:00:00:00:00:00
        set status up
        set netbios-forward disable
        set wins-ip 0.0.0.0
        set type hard-switch
        set netflow-sampler disable
        set sflow-sampler disable
        set scan-botnet-connections block
        set sample-rate 2000
        set polling-interval 20
        set sample-direction both
        set explicit-web-proxy enable
        set explicit-ftp-proxy disable
        set tcp-mss 0
        set inbandwidth 0
        set outbandwidth 0
        set spillover-threshold 0
        set ingress-spillover-threshold 0
        set weight 0
        set external disable
        set description ''
        set alias ''
        set l2tp-client disable
        set security-mode none
        set stp enable
        set stp-ha-slave priority-adjust
        set device-identification enable
        set device-user-identification enable
        set device-identification-active-scan enable
        set device-access-list ''
        set lldp-transmission vdom
        set fortiheartbeat disable
        set estimated-upstream-bandwidth 0
        set estimated-downstream-bandwidth 0
        set role lan
        set snmp-index 13
        set secondary-IP disable
        set auto-auth-extension-device disable
        set ap-discover enable
        set fortilink disable
        config ipv6
            set ip6-mode static
            unset ip6-allowaccess
            set ip6-reachable-time 0
            set ip6-retrans-time 0
            set ip6-hop-limit 0
            set dhcp6-prefix-delegation disable
            set ip6-address ::/0
            set ip6-send-adv disable
            set autoconf disable
            set dhcp6-relay-service disable
        end
        unset dhcp-relay-ip
        set dhcp-relay-type regular
        set mtu-override disable
        set wccp disable
        set drop-overlapped-fragment disable
        set drop-fragment disable
    next
end

 

 

and I have enabled the SNMP agent

config system snmp sysinfo
    set status enable
    set description "FGT001"
    set contact-info ""
    set location ""
end

 

 

and the community

config system snmp community
    edit 1
        set name "public"
        config hosts
            edit 1
                set ip 192.168.1.51 255.255.255.255
            next
        end
        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open faz-disconnect wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down
    next
end

 

But I'm unable to see the Firewall from the monitoring tool. I noticed that in my syslog server I receive messages like this one

time=20:38:04 devname=FGT001 devid=FGT60Dxxxx logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=192.168.1.51 srcport=50745 srcintf="Transit" dstip=10.0.0.2 dstport=161 dstintf="root" sessionid=34986472 proto=17 action=deny policyid=0 policytype=local-in-policy dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="SNMP" app="SNMP" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=critical devtype="Router/NAT Device" mastersrcmac=00:16:46:29:5e:13 srcmac=00:19:04:2c:3e:41

 

So it looks like that the interface "root" is blocking the SNMP traffic. But it should be allowed since I enabled it on the correct LAN interface.

I confess I'm a bit confused right now.

 

Any suggestion would really be appreciated.

Thank you very much and best regards

1 Solution
arch7

Good morning and sorry for the late reply,

emnoc,

I did what you suggested and this is what I see on the CLI if I poll the firewall from my monitoring tool

 

id=20085 trace_id=101 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=17, 192.168.1.51:48841->10.0.0.2:161) from Transit. "
id=20085 trace_id=101 func=init_ip_session_common line=4893 msg="allocate a new session-0514c672"
id=20085 trace_id=101 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=102 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=17, 192.168.1.51:48841->10.0.0.2:161) from Transit. "
id=20085 trace_id=102 func=init_ip_session_common line=4893 msg="allocate a new session-0514c6a4"
id=20085 trace_id=102 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=103 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=17, 192.168.1.51:48841->10.0.0.2:161) from Transit. "
id=20085 trace_id=103 func=init_ip_session_common line=4893 msg="allocate a new session-0514c6c7"
id=20085 trace_id=103 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=104 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=17, 192.168.1.51:48841->10.0.0.2:161) from Transit. "
id=20085 trace_id=104 func=init_ip_session_common line=4893 msg="allocate a new session-0514c6e3"
id=20085 trace_id=104 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=105 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 192.168.1.51:22120->10.0.0.2:2048) from Transit. type=8, code=0, id=22120, seq=1."
id=20085 trace_id=105 func=init_ip_session_common line=4893 msg="allocate a new session-0514c70c"
id=20085 trace_id=105 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
 

 

After some digging about the sentence "check failed on policy 0, drop" I found a KB about the trusted hosts and that was the problem: the host was not "trusted" on the admin user.

for reference, this is the KB http://kb.fortinet.com/kb....do?externalID=FD31702

 

Then I needed to activate the V3 on my snmp, there were some little problems there too, but then I managed to solve them using the thread [link]https://forum.fortinet.com/tm.aspx?m=112848[/link]

 

rwpatterson,

I cannot issue the command on my firewall, perhaps it is not supported on this kind of platform.

 

So the issue is solved.

Thank you very much and best regards.

View solution in original post

5 REPLIES 5
emnoc
Esteemed Contributor III

Diag commands are what you need

 

diag debug  application  snmpd -1

diag debug reset

diag debug flow filter addr <snmp host>

diag debug flow show console enable

 

diag debug en

diag debug flow trace start 100

 

 

Things to double check

1:  right host for the poller ( ipv4 address of the snmp-set/get/walk )

2:  community is correct ( check for type or special characters )

 

 

PCNSE 

NSE 

StrongSwan  

rwpatterson
Valued Contributor III

Try:

 

config system snmp community
    edit 1
        set name "public"
        config hosts
            edit 1
                set ip 192.168.1.51 255.255.255.255
set interface "portx"
            next
        end
        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open faz-disconnect wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down
    next
end

 

I don't know about you, but I certainly don't want any SNMP access from outside...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

arch7

Good morning and sorry for the late reply,

emnoc,

I did what you suggested and this is what I see on the CLI if I poll the firewall from my monitoring tool

 

id=20085 trace_id=101 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=17, 192.168.1.51:48841->10.0.0.2:161) from Transit. "
id=20085 trace_id=101 func=init_ip_session_common line=4893 msg="allocate a new session-0514c672"
id=20085 trace_id=101 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=102 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=17, 192.168.1.51:48841->10.0.0.2:161) from Transit. "
id=20085 trace_id=102 func=init_ip_session_common line=4893 msg="allocate a new session-0514c6a4"
id=20085 trace_id=102 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=103 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=17, 192.168.1.51:48841->10.0.0.2:161) from Transit. "
id=20085 trace_id=103 func=init_ip_session_common line=4893 msg="allocate a new session-0514c6c7"
id=20085 trace_id=103 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=104 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=17, 192.168.1.51:48841->10.0.0.2:161) from Transit. "
id=20085 trace_id=104 func=init_ip_session_common line=4893 msg="allocate a new session-0514c6e3"
id=20085 trace_id=104 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=105 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 192.168.1.51:22120->10.0.0.2:2048) from Transit. type=8, code=0, id=22120, seq=1."
id=20085 trace_id=105 func=init_ip_session_common line=4893 msg="allocate a new session-0514c70c"
id=20085 trace_id=105 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
 

 

After some digging about the sentence "check failed on policy 0, drop" I found a KB about the trusted hosts and that was the problem: the host was not "trusted" on the admin user.

for reference, this is the KB http://kb.fortinet.com/kb....do?externalID=FD31702

 

Then I needed to activate the V3 on my snmp, there were some little problems there too, but then I managed to solve them using the thread [link]https://forum.fortinet.com/tm.aspx?m=112848[/link]

 

rwpatterson,

I cannot issue the command on my firewall, perhaps it is not supported on this kind of platform.

 

So the issue is solved.

Thank you very much and best regards.

Potato
New Contributor II

 

Oh sh!, I just have the similar issue like you.

 

The solution for SNMPv2: 1. Make sure the SNMP box checked on the interface

2. Make sure SNMP configuration done [Always someone forgets to enable the SNMP agent]

3. Configure Firewall local-in-policy to allow SNMP service to the interface

4. Add the SNMP IP address as Admin Trust host if you add any trusted host to restrict the admin access before!!!!

ede_pfau
Esteemed Contributor III

Checking the 'allowaccess snmp' setting will create a local-in policy automatically. No need for a manual local-in policy.


Ede

"Kernel panic: Aiee, killing interrupt handler!"