Good morning,
I'm trying to monitor my Fortigate 60D (v5.4.1,build5447 (GA)) using a monitoring tool that uses SNMP.
I have enabled the LAN interface to allow SNMP Packets
config system interface
    edit "Transit"
        set vdom "root"
        set mode static
        set dhcp-relay-service disable
        set ip 10.0.0.2 255.255.255.252
        set allowaccess ping https ssh snmp fgfm
        set pptp-client disable
        set arpforward enable
        set broadcast-forward disable
        set bfd global
        set l2forward disable
        set icmp-redirect enable
        set vlanforward disable
        set stpforward disable
        set ips-sniffer-mode disable
        set ident-accept disable
        set ipmac disable
        set subst disable
        set substitute-dst-mac 00:00:00:00:00:00
        set status up
        set netbios-forward disable
        set wins-ip 0.0.0.0
        set type hard-switch
        set netflow-sampler disable
        set sflow-sampler disable
        set scan-botnet-connections block
        set sample-rate 2000
        set polling-interval 20
        set sample-direction both
        set explicit-web-proxy enable
        set explicit-ftp-proxy disable
        set tcp-mss 0
        set inbandwidth 0
        set outbandwidth 0
        set spillover-threshold 0
        set ingress-spillover-threshold 0
        set weight 0
        set external disable
        set description ''
        set alias ''
        set l2tp-client disable
        set security-mode none
        set stp enable
        set stp-ha-slave priority-adjust
        set device-identification enable
        set device-user-identification enable
        set device-identification-active-scan enable
        set device-access-list ''
        set lldp-transmission vdom
        set fortiheartbeat disable
        set estimated-upstream-bandwidth 0
        set estimated-downstream-bandwidth 0
        set role lan
        set snmp-index 13
        set secondary-IP disable
        set auto-auth-extension-device disable
        set ap-discover enable
        set fortilink disable
        config ipv6
            set ip6-mode static
            unset ip6-allowaccess
            set ip6-reachable-time 0
            set ip6-retrans-time 0
            set ip6-hop-limit 0
            set dhcp6-prefix-delegation disable
            set ip6-address ::/0
            set ip6-send-adv disable
            set autoconf disable
            set dhcp6-relay-service disable
        end
        unset dhcp-relay-ip
        set dhcp-relay-type regular
        set mtu-override disable
        set wccp disable
        set drop-overlapped-fragment disable
        set drop-fragment disable
    next
end
and I have enabled the SNMP agent
config system snmp sysinfo
    set status enable
    set description "FGT001"
    set contact-info ""
    set location ""
end
and the community
config system snmp community
    edit 1
        set name "public"
        config hosts
            edit 1
                set ip 192.168.1.51 255.255.255.255
            next
        end
        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open faz-disconnect wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down
    next
end
But I'm unable to see the Firewall from the monitoring tool. I noticed that in my syslog server I receive messages like this one
time=20:38:04 devname=FGT001 devid=FGT60Dxxxx logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=192.168.1.51 srcport=50745 srcintf="Transit" dstip=10.0.0.2 dstport=161 dstintf="root" sessionid=34986472 proto=17 action=deny policyid=0 policytype=local-in-policy dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="SNMP" app="SNMP" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=critical devtype="Router/NAT Device" mastersrcmac=00:16:46:29:5e:13 srcmac=00:19:04:2c:3e:41
So it looks like the interface "root" is blocking the SNMP traffic. But it should be allowed since I enabled it on the correct LAN interface.
I confess I'm a bit confused right now.
Any suggestion would really be appreciated.
Thank you very much and best regards
Diag commands are what you need
diag debug application snmpd -1
diag debug reset
diag debug flow filter addr <snmp host>
diag debug flow show console enable
diag debug en
diag debug flow trace start 100
Things to double check
1: right host for the poller (IPv4 address of the snmp-set/get/walk)
2: community is correct (check for typos or special characters)
PCNSE
NSE
StrongSwan
Try:
config system snmp community
    edit 1
        set name "public"
        config hosts
            edit 1
                set ip 192.168.1.51 255.255.255.255
                set interface "portx"
            next
        end
        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open faz-disconnect wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down
    next
end
I don't know about you, but I certainly don't want any SNMP access from outside...
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Good morning and sorry for the late reply,
emnoc,
I did what you suggested and this is what I see on the CLI if I poll the firewall from my monitoring tool
id=20085 trace_id=101 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=17, 192.168.1.51:48841->10.0.0.2:161) from Transit. "
id=20085 trace_id=101 func=init_ip_session_common line=4893 msg="allocate a new session-0514c672"
id=20085 trace_id=101 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=102 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=17, 192.168.1.51:48841->10.0.0.2:161) from Transit. "
id=20085 trace_id=102 func=init_ip_session_common line=4893 msg="allocate a new session-0514c6a4"
id=20085 trace_id=102 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=103 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=17, 192.168.1.51:48841->10.0.0.2:161) from Transit. "
id=20085 trace_id=103 func=init_ip_session_common line=4893 msg="allocate a new session-0514c6c7"
id=20085 trace_id=103 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=104 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=17, 192.168.1.51:48841->10.0.0.2:161) from Transit. "
id=20085 trace_id=104 func=init_ip_session_common line=4893 msg="allocate a new session-0514c6e3"
id=20085 trace_id=104 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=105 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 192.168.1.51:22120->10.0.0.2:2048) from Transit. type=8, code=0, id=22120, seq=1."
id=20085 trace_id=105 func=init_ip_session_common line=4893 msg="allocate a new session-0514c70c"
id=20085 trace_id=105 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
After some digging about the sentence "check failed on policy 0, drop" I found a KB about the trusted hosts and that was the problem: the host was not "trusted" on the admin user.
for reference, this is the KB http://kb.fortinet.com/kb....do?externalID=FD31702
Then I needed to activate the V3 on my snmp, there were some little problems there too, but then I managed to solve them using the thread https://forum.fortinet.com/tm.aspx?m=112848
rwpatterson,
I cannot issue the command on my firewall, perhaps it is not supported on this kind of platform.
So the issue is solved.
Thank you very much and best regards.
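Added example (not part of any post in this thread): a small Python script that joins debug flow lines on trace_id to find UDP/161 packets dropped by the local-in handler, then checks each dropped source against a list of admin trusted-host entries, which is the cause this thread arrived at. The trace sample and the trusted-host list are constructed values, and all function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the debug flow output quoted in this thread.
TRACE = '''\
id=20085 trace_id=101 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=17, 192.168.1.51:48841->10.0.0.2:161) from Transit. "
id=20085 trace_id=101 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=102 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=17, 192.168.1.51:48841->10.0.0.2:161) from Transit. "
id=20085 trace_id=102 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=103 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=6, 192.168.1.20:50112->10.0.0.2:443) from Transit. "
'''
# Constructed admin trusted-host entries as (address, netmask) pairs.
TRUSTED_HOSTS = [("192.168.1.20", "255.255.255.255"), ("10.10.0.0", "255.255.0.0")]

PKT = re.compile(r'trace_id=(\d+) .*received a packet\(proto=(\d+), '
                 r'([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+?)\.')
DROP = re.compile(r'trace_id=(\d+) func=fw_local_in_handler .*check failed on policy 0, drop')

def local_in_drops(trace):
    """Count local-in drops per (proto, src, dst, dport, intf), joining lines on trace_id."""
    packets, drops = {}, Counter()
    for line in trace.splitlines():
        if m := PKT.search(line):
            tid, proto, src, _sport, dst, dport, intf = m.groups()
            packets[tid] = (int(proto), src, dst, int(dport), intf)
        elif (m := DROP.search(line)) and m.group(1) in packets:
            drops[packets[m.group(1)]] += 1
    return drops

def is_trusted(src, trusted_hosts):
    """True if src falls inside any (address, netmask) trusted-host entry."""
    nets = [ipaddress.ip_network(f"{ip}/{mask}", strict=False) for ip, mask in trusted_hosts]
    return any(ipaddress.ip_address(src) in n for n in nets)

def untrusted_snmp_pollers(trace, trusted_hosts):
    """Sources dropped on UDP/161 that no trusted-host entry covers."""
    return sorted({src for (proto, src, _dst, dport, _intf) in local_in_drops(trace)
                   if proto == 17 and dport == 161 and not is_trusted(src, trusted_hosts)})

if __name__ == "__main__":
    for key, count in local_in_drops(TRACE).items():
        print(count, key)
    print("not covered by trusted hosts:", untrusted_snmp_pollers(TRACE, TRUSTED_HOSTS))
```

When adding the poller to the trusted hosts, a /32 entry for that one address keeps the admin restriction as narrow as it was.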
Oh sh!, I just have the similar issue like you.
The solution for SNMPv2:
1. Make sure the SNMP box checked on the interface
2. Make sure SNMP configuration done [Always someone forgets to enable the SNMP agent]
3. Configure Firewall local-in-policy to allow SNMP service to the interface
4. Add the SNMP IP address as Admin Trust host if you add any trusted host to restrict the admin access before!!!!
Checking the 'allowaccess snmp' setting will create a local-in policy automatically. No need for a manual local-in policy.
This actually works. I went under the user Admin under administrators and added the snmp server source IP under the trusted hosts and it did. snmp was also already added to the interface. Thank you Potato!
Hi Arch7,
The SNMP polling sometimes fails due to the user which is not added in the "trusted-host" list, so we need to add the user in trusted-host configuration to fetch the information from Fortigate.
Please check below KB link for details:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SNMP-fails-due-to-trusted-hosts/ta-p...
Regards,
Parteek