Support Forum
Pablo1
New Contributor II

SNMP does not respond

Hello Team!

I am using a FortiGate 40F model FG-40F with a configuration which consists of a VDOM root (management, operation mode NAT) and a VDOM transparent (operation mode transparent).

VDOMs.jpg

The VDOM root is only used to give access to the internet:

VDOMroot.jpg

The VDOM transparent is only used to establish a firewall between a network called LAN and a network called WAN:

VDOMtransparent.jpg

My objective is to monitor the Fortinet by sending SNMP GETs from a PC connected to port 2 (Inside lan 2).

I have configured System > SNMP in this way:

SNMPconfig.jpg

My problem is that the Fortinet receives the SNMP GET but does not answer me:

lan2capture.jpg

I am sending the SNMP GET with iReasoning Browser:

iReasoning.jpg

I am not using HA or trusted hosts (I have tested adding my PC to trusted hosts but the behaviour does not change). I have checked the threads SNMP don't response traffic, SNMP response and SNMP no response: timed out, but I cannot solve the problem. I give you more information that could be interesting:

debug.jpg

I hope that you can help me, thanks in advance.

 

1 Solution
ozkanaltas
Valued Contributor III

Hi @Pablo1 ,

Normally this is possible.

https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/986787/nat-and-transparent-mode

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Connect-2-Transparent-VDOMs-with-NAT-VDOM-...

Can you change the vdom link type from PPP to Ethernet?

config system vdom-link
    edit <VDOM_NAME>
        set type ethernet
    end
end

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW

12 REPLIES
ozkanaltas
Valued Contributor III

Hello @Pablo1 ,

In which vdom is the IP address from which you made the SNMP query?

If you send a query to the management address on the transparent vdom, this may be the reason for the lack of response. Can you try querying an interface in the root vdom?

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
Pablo1
New Contributor II

Hi ozkanaltas,

My PC (172.26.1.15) is connected directly to port 2 (172.26.1.7 Inside lan2, which belongs to VDOM:transparent).

I have tried to change my PC IP to 172.32.60.2 and connect to the WAN port (172.32.60.4, which belongs to VDOM:root), and after adding SNMP administrative access to the WAN port the SNMP works. However, I cannot use this configuration in my project: the WAN port cannot have SNMP access and my port connection must be port 2, namely VDOM: transparent.

Is it possible to create any configuration or add anything by console to obtain an SNMP answer from the VDOM: transparent?

Thanks for your answer.

ozkanaltas
Valued Contributor III

Hi @Pablo1 ,

I think this is related to transparent vdom and vdom infrastructure.

I think the easiest is to create a vdomlink between the transparent vdom and the management vdom. You can open snmp access in the interface on the management side of this link and make queries to this interface.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SNMP-when-VDOM-is-enabled/ta-p...

https://community.fortinet.com/t5/Support-Forum/SNMP-on-a-non-management-interface/m-p/253360/highli...

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
AEK
SuperUser

Hello Pablo

- I assume the lan2 interface (172.26.1.15) is in the root VDOM.

- In lan2 interface configuration > Administrative Access, did you enable SNMP?

- Can you try with the standard snmpget or snmpwalk command? Mine gives the following:

$ snmpget -v2c -c public 172.16.50.1 fgSystemInfo.1.0
FORTINET-FORTIGATE-MIB::fgSysVersion.0 = STRING: v6.2.16,build1392,240129 (GA)

$ snmpwalk -v2c -c public 172.16.50.1 fgSystemInfo
FORTINET-FORTIGATE-MIB::fgSysVersion.0 = STRING: v6.2.16,build1392,240129 (GA)
FORTINET-FORTIGATE-MIB::fgSysMgmtVdom.0 = INTEGER: 1
FORTINET-FORTIGATE-MIB::fgSysCpuUsage.0 = Gauge32: 0
FORTINET-FORTIGATE-MIB::fgSysMemUsage.0 = Gauge32: 34
...

AEK
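The exchange that snmpget performs above, shown on the wire as an added example (my code, not part of this thread and not a Fortinet tool): it builds an SNMPv2c GetRequest from raw BER, sends it over UDP/161 with a timeout, and decodes a GetResponse. Returning None on timeout is exactly the symptom reported here (the GET is visible in the capture on the FortiGate side, but no reply comes back), so the script separates "no reply at all" from "reply with the wrong community or request-id". The community string `public` and the target 172.26.1.7 are the values quoted in the thread; the reply used in the self-test is constructed, and the FortiGate numeric OID in the comment is assumed.

```python
"""Minimal SNMPv2c GET client built from raw BER (standard library only).
Added example: shows the request/response exchange snmpget performs, and
reports a timeout instead of a reply, as seen in this thread."""
import socket

# --- BER encoding: only the pieces SNMPv2c needs --------------------------

def ber_len(n):
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def encode_int(value):
    """INTEGER, minimal two's-complement bytes (always leaves room for the sign bit)."""
    size = (value.bit_length() + 8) // 8
    return tlv(0x02, value.to_bytes(size, "big", signed=True))

def encode_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(payload):
    arcs = [payload[0] // 40, payload[0] % 40]
    value = 0
    for b in payload[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos):
    """Return (tag, payload, next_pos) for the TLV that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

# --- SNMPv2c messages -----------------------------------------------------

GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2
SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # MIB-2 sysDescr.0; fgSysVersion.0 would be
                                  # 1.3.6.1.4.1.12356.101.4.1.1.0 (assumed, from the MIB)

def build_message(community, pdu_tag, request_id, varbinds):
    """Message ::= SEQUENCE { version 1, community, PDU { id, err-status, err-index, varbinds } }."""
    vbl = b"".join(tlv(0x30, encode_oid(oid) + val) for oid, val in varbinds)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, vbl))
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode()) + pdu)

def build_get(community, oid, request_id):
    return build_message(community, GET_REQUEST, request_id, [(oid, tlv(0x05, b""))])  # NULL value

def parse_response(packet):
    _, msg, _ = read_tlv(packet, 0)
    _, ver, pos = read_tlv(msg, 0)
    _, comm, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if pdu_tag != GET_RESPONSE:
        raise ValueError("not a GetResponse PDU: tag 0x%02x" % pdu_tag)
    _, rid, p = read_tlv(pdu, 0)
    _, err, p = read_tlv(pdu, p)
    _, _eidx, p = read_tlv(pdu, p)
    _, vbl, _ = read_tlv(pdu, p)
    varbinds, q = {}, 0
    while q < len(vbl):
        _, vb, q = read_tlv(vbl, q)
        _, oid_bytes, r = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, r)
        if vtag == 0x04:                          # OCTET STRING
            value = val.decode(errors="replace")
        elif vtag in (0x02, 0x41, 0x42, 0x43):    # INTEGER, Counter32, Gauge32, TimeTicks
            value = int.from_bytes(val, "big", signed=(vtag == 0x02))
        else:
            value = val                           # other types left raw
        varbinds[decode_oid(oid_bytes)] = value
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": comm.decode(errors="replace"),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True),
            "varbinds": varbinds}

def snmp_get(host, community, oid, timeout=2.0, request_id=1234):
    """Send one GET to UDP/161; return the parsed reply, or None when nothing
    arrives in time (the request reached the box, the box did not answer)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get(community, oid, request_id), (host, 161))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    resp = parse_response(data)
    return resp if resp["request_id"] == request_id else None  # ignore stray replies

if __name__ == "__main__":
    # 172.26.1.7 / "public" are the address and community quoted in this thread
    print(snmp_get("172.26.1.7", "public", SYS_DESCR))
```

Running it against an interface whose Administrative Access lacks SNMP (or against an address in a VDOM the SNMP agent does not serve) prints `None` after the timeout, while a permitted interface returns the request-id, community and the sysDescr string. Comparing the bytes `build_get` produces with the GET seen in the lan2 capture confirms that the request itself is well formed and that the missing piece is on the FortiGate side.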
Pablo1
New Contributor II

Hi AEK,

The lan2 interface (172.26.1.15) is in the VDOM: transparent.

Yes, on ports 1 and 2 (which belong to VDOM: transparent) I have SNMP enabled, but not in VDOM: root.
Is it possible to create any configuration or add anything by console to obtain an SNMP answer from the VDOM: transparent?

I suppose I must execute the snmpget and snmpwalk commands on my PC, right? Is it not possible to do it in the Fortinet console? In that case, do you recommend any program or library to do it on Windows?

Plenty of thanks.

 

AEK

Hi Pablo

While configuring the SNMP, the interface should be in the management VDOM to get the response from the Firewall to the SNMP Monitoring tool.

Ref:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SNMP-when-VDOM-is-enabled/ta-p...

AEK
Pablo1
New Contributor II

Hi ozkanaltas and AEK

If I have understood correctly, I must create a VDOMlink between VDOMroot and VDOMtransparent and later allow SNMP traffic with specific FW policy rules.

But I have problems creating the VDOMlink: when I try using the web I obtain the error "Input value is invalid".

VDONlink1.jpg

VDONlink2.jpg

And when I try to create it by console I obtain: "VDOM link type must be changed from PPP to Ethernet". I click on yes but nothing changes:

VDONlink3.jpg

VDONlink4.jpg

VDONlink5.jpg

Is it possible to establish a VDOM link between a NAT VDOM and a transparent VDOM?

I was using this thread as a guide: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SNMP-when-SNMP-Server-is-conne...

Thanks.

ozkanaltas
Valued Contributor III

Hi @Pablo1 ,

Normally this is possible.

https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/986787/nat-and-transparent-mode

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Connect-2-Transparent-VDOMs-with-NAT-VDOM-...

Can you change the vdom link type from PPP to Ethernet?

config system vdom-link
    edit <VDOM_NAME>
        set type ethernet
    end
end

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
Pablo1
New Contributor II

Thanks to Connect 2 Transparent VDOMs with NAT VDOM... - Fortinet Community I have configured the VDOMlink, and I have added the policy rules in every VDOM:

VDONlink6.jpg

VDONlink7.jpg

VDONlink8.jpg

VDONlink9.jpg

But unfortunately the SNMP still does not respond.

I have checked the MAC address table and it looks empty:

VDONlink10.jpg

What can the problem be? Maybe it is necessary to configure a static route?

I have tried to add a static route like in the following link: How to route traffic from one VDOM to ano... - Fortinet Community

VDONlink11.jpg

But the command set device gives me an error:
VDONlink12.jpg

Thanks for your time.
