Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rg_586
New Contributor III

Created on ‎11-04-2022 07:04 AM

SNMP Traffic not able to poll VDOM (multiple vdom setup)

Hello

 

I am working with Fortinet 201E v7.2 1157

Please see diagram in reference to my issue below.

So far, I have setup multiple vdoms. Traffic will go through hit the Root VDOM then it should go to VDOM 1.

To browse to the Firewall I use VDOM 1 - Port 1 sub interface address.

This works fine.

At Global Level I have added SNMP settings and I can see traffic hitting the firewall through packet capture, but then I do not know where it is going.

SNMP polling fails.

 

My question is; how do I link ROOT VDOM to VDOM 1?

I have tried a VDOM - LINK and I created a rule in the rule base of VDOM 1 to SNMP IP, but this failed, no traffic or logs.

 

Do I need a static route on ROOT VDOM context to VDOM 1 context.

 

The setup seems so simple but I am not sure why SNMP cannot talk to VDOM 1 but I can browse to it. Port 1 sub interface is management, I have a HA setup as well, Active-Passive. IMG_2756.jpg

 

 

I do not use the management port, this is for local access only.

 

All help is appreciated, thanks.

 

Labels:
5709
0 Kudos
1 Solution
rg_586
New Contributor III

Created on ‎12-04-2022 02:43 AM

This topic can be closed. I have figured out the issue. I changed management VDOM to be Management VDOM 1 as my root and SNMP kicked in and started working. Thanks for everyones help.

View solution in original post

5221
0 Kudos
17 REPLIES 17
gfleming
Staff
Staff
In response to rg_586

Created on ‎11-07-2022 02:21 PM

This should work. Can you please provide details:

  • IP address of the SNMP polling station (solarwinds)
  • IP address of the interface of the FortiGate
  • Ping from polling station to interface is successful
  • What is the path from polling station to interface on FortiGate?

Can you show output of:

show system interface <subinterface> (interface you want to poll)
show system snmp community

 

Cheers,
Graham
1574
0 Kudos
rg_586
New Contributor III
In response to gfleming

Created on ‎11-09-2022 07:27 AM

@gfleming 

 

I'm working with this Article now, it was updated yesterday and i will make changes at some point to et vdom in community.

1559
0 Kudos
rg_586
New Contributor III
In response to rg_586

Created on ‎11-11-2022 07:48 AM

@gflemingI believe I know why the SNMP is not working but I may need your input. As of version 7 onwards, and I am now on v7.2.2 as of yesterday.

 

In version 7 onwards you do not need a management vdom to send out SNMP traffic. I've got SNMP setup same as before, and same as my diagram I posted.

 

Because I manage my VDOM through VDOM 1 Port 1 sub interface 1 and I do not use the management port.

 

Do you think I need a vdom-link from VDOM 1 to Root?

 

Or do you think I need to use the management port for connecting straight onto the Firewall to manage and send traps & queries out?

 

Or instead of using sub interfaces to manage my firewall, i should just assign a physical port a ip address to manage?

1553
0 Kudos
gfleming
Staff
Staff
In response to rg_586

Created on ‎11-11-2022 09:49 AM

If you can ping the IP address of the interface your are polling from the polling station then you don’t need to add any routes.

 

can you provide the output of the commands I requested?

Cheers,
Graham
1549
0 Kudos
rg_586
New Contributor III

Created on ‎11-19-2022 04:27 AM

@gflemingapologies I was working on something else, unfortunately I cannot send out any configs which is a real shame hence the diagram and my explanations. 

 

So i've got the right settings, i can ping my sub interface, however the traffic just goes down a black hole from the SNMP server.

I am now on the latest version.

Do I need to setup a VDOM-Link from Root to VDOM 1?

In the root VDOM I have no static routes but when browsing to the firewall it is fine. And I have this all setup on Port1 sub interface 1. Which is really odd why SNMP cannot get out.

I followed the last article I posted in the comment before.

1515
0 Kudos
gfleming
Staff
Staff
In response to rg_586

Created on ‎11-19-2022 08:32 AM

Hi it's still not clear can you please be very clear:

- Can you ping your sub interface from the SNMP server? (It sounds like you can but other traffic goes down a black hole, but I'm not sure exactly what you mean)

- If traffic from your SNMP server is traversing your Root VDOM to VDOM 1 why do you insist on polling the interface in VDOM 1? Why not poll the interface in the Root VDOM?

Cheers,
Graham
1512
0 Kudos
rg_586
New Contributor III

Created on ‎12-04-2022 02:43 AM

This topic can be closed. I have figured out the issue. I changed management VDOM to be Management VDOM 1 as my root and SNMP kicked in and started working. Thanks for everyones help.

5222
0 Kudos
gfleming
Staff
Staff
In response to rg_586

Created on ‎12-05-2022 10:43 AM

Glad you figured it out! This solution was presented earlier please consider marking the other reply as solution as well, thank you.

 

https://community.fortinet.com/t5/Fortinet-Forum/SNMP-Traffic-not-able-to-poll-VDOM-multiple-vdom-se...

 

Cheers,
Graham
1440
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.