Hello
I am working with Fortinet 201E v7.2 1157
Please see diagram in reference to my issue below.
So far, I have setup multiple vdoms. Traffic will go through hit the Root VDOM then it should go to VDOM 1.
To browse to the Firewall I use VDOM 1 - Port 1 sub interface address.
This works fine.
At Global Level I have added SNMP settings and I can see traffic hitting the firewall through packet capture, but then I do not know where it is going.
SNMP polling fails.
My question is; how do I link ROOT VDOM to VDOM 1?
I have tried a VDOM - LINK and I created a rule in the rule base of VDOM 1 to SNMP IP, but this failed, no traffic or logs.
Do I need a static route on ROOT VDOM context to VDOM 1 context.
The setup seems so simple but I am not sure why SNMP cannot talk to VDOM 1 but I can browse to it. Port 1 sub interface is management, I have a HA setup as well, Active-Passive.
I do not use the management port, this is for local access only.
All help is appreciated, thanks.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
This topic can be closed. I have figured out the issue. I changed management VDOM to be Management VDOM 1 as my root and SNMP kicked in and started working. Thanks for everyones help.
SNMP is configured in the Global VDOM. You need to define the hosts that have access to the SNMP communities: https://docs.fortinet.com/document/fortigate/7.2.2/administration-guide/547825/snmp-v1-v2c-communiti...
You need to allow SNMP access on the relevant interfaces in each VDOM: https://docs.fortinet.com/document/fortigate/7.2.2/administration-guide/325005/interface-access
Is that all done accordingly?
@gflemingThanks for your reply, I've configured the hosts in the Global SNMP section, I've got SNMP enabled on Port 1 physically and on the sub-interface.
My first thought was to try break down the problem. I'm not 100% sure in a multiple vdom solution where traffic hits first, does it hit the Root VDOM?
If it does hit the Root VDOM, then that's why i think i needed a static route to the vdom sub-interface port 1.
If your SNMP polling station is outside of VDOM1 (i.e. it does not connect directly to the sub-interface) then just poll on port1. You don't need to poll the sub interface. SNMPwalk on port1 will give you all the same details.
But yes to answer your other concern, you absolutely need routes and fw policies to allow traffic to and from different VDOMs.
@gflemingI've got several sub interfaces under VDOM 1 Port 1, I haven't assigned an actual Physical Address for Port 1, it's set as 0.0.0.0/0.0.0.0 with Admin Access for Https, ssh, snmp.
SNMP walk just fails with snmp v1 and v2 enabled.
You need snmp access on an interface that has an IP address. If you can't ping the interface you can't snmp it either.
Created on 11-05-2022 04:03 AM Edited on 11-05-2022 04:03 AM
@gflemingThanks for all your help, yes the physical interface has Https, ssh, snmp and so does the sub interface that has the IP address.
I can ping the ip address on sub interface. I'll have to work out why it is dropping SNMP packets.
OK so I was testing on my lab FortiGate and I could do an snmpwalk on two different interfaces one in root vdom and one in another vdom.
But, then I tested from a host inside the non-root vdom and it did not work!
I then found this document: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SNMP-when-VDOM-is-enabled/ta-p...
Seems to state that SNMP queries will only work when they hit the management VDOM.
Sí, parece que necesita acceder a una interfaz en el VDOM de administración.
@gflemingI've followed what you have said, and checked my articles. I've now made my VDOM 1 the management VDOM. And I was hoping this would then accept the SNMP queries & traps but it didn't. I may leave this post open to let others see it and share there input.
I have Solarwinds polling the device which is a good start.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1703 | |
1092 | |
752 | |
446 | |
229 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.