Hello
I am working with a Fortinet 201E, v7.2 (1157).
Please see the diagram in reference to my issue below.
So far, I have set up multiple VDOMs. Traffic will come in and hit the Root VDOM, then it should go to VDOM 1.
To browse to the firewall I use the VDOM 1 Port 1 sub-interface address.
This works fine.
At the global level I have added SNMP settings, and I can see traffic hitting the firewall through packet capture, but then I do not know where it is going.
SNMP polling fails.
My question is: how do I link the ROOT VDOM to VDOM 1?
I have tried a VDOM link and created a rule in the rule base of VDOM 1 to the SNMP IP, but this failed: no traffic or logs.
Do I need a static route in the ROOT VDOM context to the VDOM 1 context?
The setup seems so simple, but I am not sure why SNMP cannot talk to VDOM 1 when I can browse to it. The Port 1 sub-interface is management, and I have an HA setup as well, Active-Passive.
I do not use the management port; this is for local access only.
All help is appreciated, thanks.
This topic can be closed. I have figured out the issue. I changed the management VDOM to be VDOM 1 instead of root, and SNMP kicked in and started working. Thanks for everyone's help.
SNMP is configured in the Global VDOM. You need to define the hosts that have access to the SNMP communities: https://docs.fortinet.com/document/fortigate/7.2.2/administration-guide/547825/snmp-v1-v2c-communiti...
You need to allow SNMP access on the relevant interfaces in each VDOM: https://docs.fortinet.com/document/fortigate/7.2.2/administration-guide/325005/interface-access
Is that all done accordingly?
@gfleming Thanks for your reply. I've configured the hosts in the Global SNMP section, and I've got SNMP enabled on Port 1 physically and on the sub-interface.
My first thought was to try to break down the problem. I'm not 100% sure, in a multiple-VDOM solution, where traffic hits first. Does it hit the Root VDOM?
If it does hit the Root VDOM, then that's why I think I needed a static route to the VDOM sub-interface on Port 1.
If your SNMP polling station is outside of VDOM1 (i.e. it does not connect directly to the sub-interface), then just poll on port1. You don't need to poll the sub-interface. An snmpwalk on port1 will give you all the same details.
But yes, to answer your other concern: you absolutely need routes and firewall policies to allow traffic to and from different VDOMs.
@gfleming I've got several sub-interfaces under VDOM 1 Port 1. I haven't assigned an actual physical address to Port 1; it's set as 0.0.0.0/0.0.0.0 with admin access for HTTPS, SSH, SNMP.
The SNMP walk just fails with SNMP v1 and v2 enabled.
You need SNMP access on an interface that has an IP address. If you can't ping the interface, you can't SNMP it either.
Created on 11-05-2022 04:03 AM Edited on 11-05-2022 04:03 AM
@gfleming Thanks for all your help. Yes, the physical interface has HTTPS, SSH, SNMP, and so does the sub-interface that has the IP address.
I can ping the IP address on the sub-interface. I'll have to work out why it is dropping SNMP packets.
OK, so I was testing on my lab FortiGate, and I could do an snmpwalk on two different interfaces, one in the root VDOM and one in another VDOM.
But then I tested from a host inside the non-root VDOM and it did not work!
I then found this document: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SNMP-when-VDOM-is-enabled/ta-p...
It seems to state that SNMP queries will only work when they hit the management VDOM.
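The three preconditions raised in this thread (the poller must be in a community's host list, the polled interface must have an address and `snmp` in its `allowaccess`, and, per the Fortinet tip linked above, the polled interface must belong to the management VDOM) are easy to lose track of across Global and per-VDOM contexts. As an added example, not code from the thread or from Fortinet, the Python below parses a constructed FortiOS-style CLI dump and reports which of those preconditions fail for a given poller and interface. The configuration text, interface names (`port1`, `port1.100`), addresses and the VDOM name `VDOM1` are all made up for the example; `FIXED_CONFIG` applies the change the original poster reported (making VDOM 1 the management VDOM).

```python
import ipaddress
import shlex

# Constructed FortiOS-style CLI dump (made up for this example, not the thread
# author's device). As in the thread: SNMP sits under "config global", port1 is in
# VDOM1 with no address, the VLAN sub-interface has the IP, management VDOM is root.
SAMPLE_CONFIG = """
config global
    config system global
        set management-vdom "root"
    end
    config system snmp community
        edit 1
            set name "public"
            config hosts
                edit 1
                    set ip 10.10.10.50 255.255.255.255
                next
            end
        next
    end
    config system interface
        edit "port1"
            set vdom "VDOM1"
            set ip 0.0.0.0 0.0.0.0
            set allowaccess ping https ssh snmp
        next
        edit "port1.100"
            set vdom "VDOM1"
            set ip 192.168.100.1 255.255.255.0
            set allowaccess ping https ssh snmp
        next
    end
end
"""
# The same dump after the change the original poster reported: VDOM1 becomes management VDOM.
FIXED_CONFIG = SAMPLE_CONFIG.replace('management-vdom "root"', 'management-vdom "VDOM1"')

def parse_fortios(text):
    """Flatten a dump into {path: {key: [values]}}, path = enclosing config/edit names."""
    entries, path = {}, []
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            path.append(" ".join(args))        # e.g. 'system interface'
        elif kw == "edit":
            path.append(args[0])               # e.g. 'port1'
        elif kw in ("next", "end"):
            path.pop()
        elif kw == "set":
            entries.setdefault(tuple(path), {})[args[0]] = args[1:]
    return entries

def snmp_hosts(entries):
    """Networks allowed to query any SNMP community (the per-community 'hosts' tables)."""
    return [ipaddress.ip_network("{}/{}".format(*kv["ip"]), strict=False)
            for path, kv in entries.items()
            if "system snmp community" in path and "hosts" in path and "ip" in kv]

def snmp_interfaces(entries):
    """Interfaces that have a real address and 'snmp' in allowaccess, keyed by name."""
    result = {}
    for path, kv in entries.items():
        if "system interface" not in path:
            continue
        ip, mask = kv.get("ip", ["0.0.0.0", "0.0.0.0"])
        if ip == "0.0.0.0" or "snmp" not in kv.get("allowaccess", []):
            continue
        result[path[-1]] = {"vdom": kv.get("vdom", ["root"])[0],
                            "network": ipaddress.ip_network(f"{ip}/{mask}", strict=False)}
    return result

def management_vdom(entries):
    """Value of 'set management-vdom' under system global; FortiOS defaults to root."""
    for path, kv in entries.items():
        if path[-1] == "system global" and "management-vdom" in kv:
            return kv["management-vdom"][0]
    return "root"

def check_snmp_path(text, poller_ip, target_iface):
    """List the reasons polling target_iface from poller_ip would fail; [] means it should work."""
    entries, findings = parse_fortios(text), []
    if not any(ipaddress.ip_address(poller_ip) in net for net in snmp_hosts(entries)):
        findings.append(f"{poller_ip} is not in any SNMP community host list")
    ifaces = snmp_interfaces(entries)
    if target_iface not in ifaces:
        findings.append(f"{target_iface} has no address or lacks 'snmp' in allowaccess")
        return findings
    mgmt = management_vdom(entries)
    if ifaces[target_iface]["vdom"] != mgmt:
        findings.append(f"{target_iface} is in VDOM {ifaces[target_iface]['vdom']} but the "
                        f"management VDOM is {mgmt}; SNMP is only answered in the management VDOM")
    return findings

if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", FIXED_CONFIG)):
        print(label, check_snmp_path(cfg, "10.10.10.50", "port1.100") or "ok")
```

On the sample dump the lint flags `port1` (no address, so the `allowaccess` entry alone does nothing, matching the advice above) and flags `port1.100` only for the VDOM mismatch; after `management-vdom` is switched to `VDOM1` it reports nothing. Run it against `show full-configuration` output from a real unit by reading the file into `check_snmp_path` instead of the constructed string; the parser only understands `config`/`edit`/`next`/`end`/`set`, which is all a lint like this needs.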
Yes, it seems you need to reach an interface in the management VDOM.
@gfleming I've followed what you said and checked your articles. I've now made VDOM 1 the management VDOM. I was hoping this would then accept the SNMP queries and traps, but it didn't. I may leave this post open to let others see it and share their input.
I have Solarwinds polling the device which is a good start.