Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Unable to poll the firewall with SNMP
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[SOLVED] Unable to poll the firewall with SNMP
Good morning,
I'm trying to monitor my Fortigate 60D (v5.4.1,build5447 (GA)) using a monitoring tool that uses SNMP.
I have enabled the LAN interface to allow SNMP Packets
config system interface
edit "Transit"
set vdom "root"
set mode static
set dhcp-relay-service disable
set ip 10.0.0.2 255.255.255.252
set allowaccess ping https ssh snmp fgfm
set pptp-client disable
set arpforward enable
set broadcast-forward disable
set bfd global
set l2forward disable
set icmp-redirect enable
set vlanforward disable
set stpforward disable
set ips-sniffer-mode disable
set ident-accept disable
set ipmac disable
set subst disable
set substitute-dst-mac 00:00:00:00:00:00
set status up
set netbios-forward disable
set wins-ip 0.0.0.0
set type hard-switch
set netflow-sampler disable
set sflow-sampler disable
set scan-botnet-connections block
set sample-rate 2000
set polling-interval 20
set sample-direction both
set explicit-web-proxy enable
set explicit-ftp-proxy disable
set tcp-mss 0
set inbandwidth 0
set outbandwidth 0
set spillover-threshold 0
set ingress-spillover-threshold 0
set weight 0
set external disable
set description ''
set alias ''
set l2tp-client disable
set security-mode none
set stp enable
set stp-ha-slave priority-adjust
set device-identification enable
set device-user-identification enable
set device-identification-active-scan enable
set device-access-list ''
set lldp-transmission vdom
set fortiheartbeat disable
set estimated-upstream-bandwidth 0
set estimated-downstream-bandwidth 0
set role lan
set snmp-index 13
set secondary-IP disable
set auto-auth-extension-device disable
set ap-discover enable
set fortilink disable
config ipv6
set ip6-mode static
unset ip6-allowaccess
set ip6-reachable-time 0
set ip6-retrans-time 0
set ip6-hop-limit 0
set dhcp6-prefix-delegation disable
set ip6-address ::/0
set ip6-send-adv disable
set autoconf disable
set dhcp6-relay-service disable
end
unset dhcp-relay-ip
set dhcp-relay-type regular
set mtu-override disable
set wccp disable
set drop-overlapped-fragment disable
set drop-fragment disable
next
end
and I have enabled the SNMP agent
config system snmp sysinfo
set status enable
set description "FGT001"
set contact-info ""
set location ""
end
and the community
config system snmp community
edit 1
set name "public"
config hosts
edit 1
set ip 192.168.1.51 255.255.255.255
next
end
set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open faz-disconnect wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down
next
end
But I'm unable to see the Firewall from the monitoring tool. I noticed that in my syslog server I receive messages like this one
time=20:38:04 devname=FGT001 devid=FGT60Dxxxx logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=192.168.1.51 srcport=50745 srcintf="Transit" dstip=10.0.0.2 dstport=161 dstintf="root" sessionid=34986472 proto=17 action=deny policyid=0 policytype=local-in-policy dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="SNMP" app="SNMP" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=critical devtype="Router/NAT Device" mastersrcmac=00:16:46:29:5e:13 srcmac=00:19:04:2c:3e:41
So it looks like that the interface "root" is blocking the SNMP traffic. But it should be allowed since I enabled it on the correct LAN interface.
I confess I'm a bit confused right now.
Any suggestion would really be appreciated.
Thank you very much and best regards
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good morning and sorry for the late reply,
emnoc,
I did what you suggested and this is what I see on the CLI if I poll the firewall from my monitoring tool
id=20085 trace_id=101 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=17, 192.168.1.51:48841->10.0.0.2:161) from Transit. "
id=20085 trace_id=101 func=init_ip_session_common line=4893 msg="allocate a new session-0514c672"
id=20085 trace_id=101 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=102 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=17, 192.168.1.51:48841->10.0.0.2:161) from Transit. "
id=20085 trace_id=102 func=init_ip_session_common line=4893 msg="allocate a new session-0514c6a4"
id=20085 trace_id=102 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=103 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=17, 192.168.1.51:48841->10.0.0.2:161) from Transit. "
id=20085 trace_id=103 func=init_ip_session_common line=4893 msg="allocate a new session-0514c6c7"
id=20085 trace_id=103 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=104 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=17, 192.168.1.51:48841->10.0.0.2:161) from Transit. "
id=20085 trace_id=104 func=init_ip_session_common line=4893 msg="allocate a new session-0514c6e3"
id=20085 trace_id=104 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=105 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 192.168.1.51:22120->10.0.0.2:2048) from Transit. type=8, code=0, id=22120, seq=1."
id=20085 trace_id=105 func=init_ip_session_common line=4893 msg="allocate a new session-0514c70c"
id=20085 trace_id=105 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
After some digging about the sentence "check failed on policy 0, drop" I found a KB about the trusted hosts and that was the problem: the host was not "trusted" on the admin user.
for reference, this is the KB http://kb.fortinet.com/kb....do?externalID=FD31702
Then I needed to activate the V3 on my snmp, there were some little problems there too, but then I managed to solve them using the thread [link]https://forum.fortinet.com/tm.aspx?m=112848[/link]
rwpatterson,
I cannot issue the command on my firewall, perhaps it is not supported on this kind of platform.
So the issue is solved.
Thank you very much and best regards.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Diag commands are what you need
diag debug application snmpd -1
diag debug reset
diag debug flow filter addr <snmp host>
diag debug flow show console enable
diag debug en
diag debug flow trace start 100
Things to double check
1: right host for the poller ( ipv4 address of the snmp-set/get/walk )
2: community is correct ( check for type or special characters )
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try:
config system snmp community
edit 1
set name "public"
config hosts
edit 1
set ip 192.168.1.51 255.255.255.255
set interface "portx"
next
end
set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open faz-disconnect wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down
next
end
I don't know about you, but I certainly don't want any SNMP access from outside...
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good morning and sorry for the late reply,
emnoc,
I did what you suggested and this is what I see on the CLI if I poll the firewall from my monitoring tool
id=20085 trace_id=101 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=17, 192.168.1.51:48841->10.0.0.2:161) from Transit. "
id=20085 trace_id=101 func=init_ip_session_common line=4893 msg="allocate a new session-0514c672"
id=20085 trace_id=101 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=102 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=17, 192.168.1.51:48841->10.0.0.2:161) from Transit. "
id=20085 trace_id=102 func=init_ip_session_common line=4893 msg="allocate a new session-0514c6a4"
id=20085 trace_id=102 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=103 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=17, 192.168.1.51:48841->10.0.0.2:161) from Transit. "
id=20085 trace_id=103 func=init_ip_session_common line=4893 msg="allocate a new session-0514c6c7"
id=20085 trace_id=103 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=104 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=17, 192.168.1.51:48841->10.0.0.2:161) from Transit. "
id=20085 trace_id=104 func=init_ip_session_common line=4893 msg="allocate a new session-0514c6e3"
id=20085 trace_id=104 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=105 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 192.168.1.51:22120->10.0.0.2:2048) from Transit. type=8, code=0, id=22120, seq=1."
id=20085 trace_id=105 func=init_ip_session_common line=4893 msg="allocate a new session-0514c70c"
id=20085 trace_id=105 func=fw_local_in_handler line=384 msg="iprope_in_check() check failed on policy 0, drop"
After some digging about the sentence "check failed on policy 0, drop" I found a KB about the trusted hosts and that was the problem: the host was not "trusted" on the admin user.
for reference, this is the KB http://kb.fortinet.com/kb....do?externalID=FD31702
Then I needed to activate the V3 on my snmp, there were some little problems there too, but then I managed to solve them using the thread [link]https://forum.fortinet.com/tm.aspx?m=112848[/link]
rwpatterson,
I cannot issue the command on my firewall, perhaps it is not supported on this kind of platform.
So the issue is solved.
Thank you very much and best regards.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh sh!, I just have the similar issue like you.
The solution for SNMPv2: 1. Make sure the SNMP box checked on the interface
2. Make sure SNMP configuration done [Always someone forgets to enable the SNMP agent]
3. Configure Firewall local-in-policy to allow SNMP service to the interface
4. Add the SNMP IP address as Admin Trust host if you add any trusted host to restrict the admin access before!!!!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Checking the 'allowaccess snmp' setting will create a local-in policy automatically. No need for a manual local-in policy.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This actually works. I went under the user Admin under administrators and added the snmp server source IP under the trusted hosts and it did. snmp was also already added to the interface. Thank you Potato!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Arch7,
The SNMP polling sometimes fails due to the user which is not added in the "trusted-host" list, so we need to add the user in trusted-host configuration to fetch the information from Fortigate.
Please check below KB link for details:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SNMP-fails-due-to-trusted-hosts/ta-p...
Regards,
Parteek
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,724 -
FortiClient
1,770 -
5.2
801 -
FortiManager
733 -
5.4
639 -
FortiAnalyzer
562 -
FortiSwitch
476 -
FortiAP
473 -
FortiClient EMS
435 -
6.0
416 -
5.6
362 -
FortiMail
319 -
6.2
251 -
SSL-VPN
246 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
Fortiweb
205 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
104 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
97 -
FortiToken
92 -
Firewall policy
83 -
Customer Service
80 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiGate-VM
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSoar
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1720 | |
| 1095 | |
| 752 | |
| 447 | |
| 234 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.