Hello team,
I configured snmp.
I enabled snmp in the management interface, after which I went under "System > SNMP" and configured as follows:
When I test with the snmpwalk command via CLI from my monitoring system, the FortiGate side captures this traffic:
It is as if the FortiGate is not responding to SNMP traffic. Maybe some policy is missing?
Thanks for the support
BR
Hello Luca
If your host is not in the same VLAN as your mgmt interface, then yes, you have to add a firewall policy as follows:
In case your mgmt interface is "dedicated for management", then I think you will not be able to add this policy, so I think you will have to enable SNMP on another firewall interface.
Dear luca1994,
I hope you are doing well.
Can you try to run the following commands when your monitoring does snmpwalk:
SSH No1:
diagnose debug reset
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug flow filter daddr x.x.x.x <---- where x.x.x.x is the IP address of your mgmt interface
diagnose debug console timestamp enable
diagnose debug flow trace start 200
diagnose debug enable
SSH No2:
diag sys session filter dst x.x.x.x <---- where x.x.x.x is the IP address of your mgmt interface
diag sys session filter dport 161
diag sys session list
diag sys session clear
diag sys session list
Check if the traffic from your monitor station is dropped by policy 0 deny or reverse path fail check.
Regards,
Fortinet
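As an added example (not part of the reply above and not Fortinet code), captured flow-trace output can be triaged for the two drop reasons that reply asks about. The sample lines are constructed, with documentation addresses and made-up ids, and the exact message wording is an assumption that may differ between FortiOS versions:

```python
import re

# Constructed sample of "diagnose debug flow" output; addresses, ids and line
# numbers are made up, and the message wording is an assumption.
SAMPLE = '''\
id=20085 trace_id=1 func=print_pkt_detail line=5723 msg="vd-root:0 received a packet(proto=17, 192.0.2.10:40112->198.51.100.1:161) from port2. "
id=20085 trace_id=1 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
id=20085 trace_id=2 func=print_pkt_detail line=5723 msg="vd-root:0 received a packet(proto=17, 192.0.2.20:51000->198.51.100.1:161) from port1. "
id=20085 trace_id=2 func=fw_local_in_handler line=430 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=3 func=print_pkt_detail line=5723 msg="vd-root:0 received a packet(proto=17, 192.0.2.30:51001->198.51.100.1:161) from port1. "
'''

LINE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"\s*$')
PKT = re.compile(r'proto=(\d+), (\S+?):(\d+)->(\S+?):(\d+)\) from (\S+?)\.')
REASONS = [  # (substring of msg, what to check next)
    ("reverse path check fail",
     "RPF drop: check the route back to the source on the ingress interface"),
    ("policy 0",
     "implicit deny (policy 0): check SNMP access on the interface and allowed hosts"),
]

def triage(text):
    """Return {trace_id: {src, dst, iface, verdict}} for SNMP (UDP/161) packets."""
    traces = {}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        tid, _func, msg = m.groups()
        pkt = PKT.search(msg)
        if pkt:  # first line of a trace: the received packet
            proto, src, _sport, dst, dport, iface = pkt.groups()
            if proto == "17" and dport == "161":
                traces[tid] = dict(src=src, dst=dst, iface=iface,
                                   verdict="no drop logged")
            continue
        if tid in traces:  # later lines of the same trace: look for a drop reason
            for needle, hint in REASONS:
                if needle in msg:
                    traces[tid]["verdict"] = hint
                    break
    return traces

if __name__ == "__main__":
    for tid, t in triage(SAMPLE).items():
        print(f"trace {tid}: {t['src']} -> {t['dst']} on {t['iface']}: {t['verdict']}")
```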
If you are using trusted hosts for your firewall administrators to log in, you would need to add the IP of the SNMP query server to one of them.
Hello @AEK ,
thank you for your response.
So, not being able to create a policy on the management interface, it is mandatory to configure SNMP on another interface and then allow this traffic via policy.
Does the same thing apply if the firewall is in HA A-P?
BR
Hi Luca
Yes, it is the same for HA A-P.
Hello @AEK ,
Just out of curiosity, what is the utility of enabling SNMP on the management interface?
Thanks
BR
Hi Luca
Personally I usually enable it on the interface which is on the same VLAN as the monitoring server.
It is not mandatory to enable it on the management interface, but I guess on the mgmt interface it just has some natural logic.
Hello AEK,
Is it safe to enable SNMP on the WAN interface?
Thank you
BR
Hi Luca
This is not safe.