SNMP blocked by IPv4 Policy
Hello guys,
I'm currently working on administering our FortiGates and monitoring them using LibreNMS.
My problem is with one FortiGate that has an IPv4 Policy with the following configuration:
If I change the destination from the "Virtual IP Group LDLC-redirect-Zyxel" to "ALL", I can add this FortiGate to LibreNMS without any problem, but as soon as I put the Virtual IP Group back, I lose the SNMP polling.
How can I solve this issue?
Something must be broken in the forum software, because I got the nightmare image paste you did. Maybe you have to *attach* it rather than just paste it in place?
Do you have a policy allowing SNMP for the src to dst(s)? Since it works when you change it to all, that tells me your policy is bad.
Did you do a trace?
e.g. CLI cmds
diag debug reset
diag debug enable
diag debug flow filter port 161
diag debug flow filter addr x.x.x.x
diag debug flow trace start 100
Do a poll from the NMS, see what policy hits or if it hits policy 0.
After diagnostic:
diag debug reset
diag debug disable
FWIW, diag debug is the 1st thing you should do when troubleshooting.
Ken Felix
PCNSE
NSE
StrongSwan
I updated the post with the attached image, thank you.
Djamil wrote: I updated the post with the attached image, thank you
Hmm. If you're trying to poll the Fortigate itself, I'm not sure what the purpose of the VIP is - that sounds like it's going to terminate into some resource on the local network rather than on the FG itself.
Where is this virtual IP going to?
emnoc wrote:Do you have a policy allowing SNMP for the src to dst(s)? Since when you change it to all it work it tells me your policy is bad.
did you do a trace
e.g cli cmds
diag debug reset
diag debug enable
diag debug flow filter port 161
diag debug flow filter addr x.x.x.x
diag debug flow trace start 100
do a poll from NMS, see what policy hits or if it hits policy 0
After diagnostic
diag debug reset
diag debug disable
FWIW diag debug is the 1st you should do when troubleshooting
Ken Felix
I did diag debug and I could see traffic coming in from my NMS server. In fact, I noticed that my problem is coming from the IPv4 policy: when I disable it, it works just fine and I can add my FortiGate to LibreNMS.
SJFriedl wrote: Hmm. If you're trying to poll the Fortigate itself, I'm not sure what the purpose of the VIP is - that sounds like it's going to terminate into some resource on the local network rather than on the FG itself.
Where is this virtual IP going to?
The Virtual IP is used to access an internal server using TCP and UDP; it's a DNAT rule.
I did a test and replaced the VIRTUAL IP GROUP with "ALL" and it worked: I could add my FortiGate to LibreNMS, but I lost my DNAT.
So you're managing the FW that has the DNAT VIP on it? You do not need a policy for that, if that is what you're trying to do.
So let's back up: you have a WAN+INTERNAL setup, and are using LibreNMS to poll the SNMP agent on the WAN side? If yes, did you enable allowaccess for "snmp"?
Also, did you run diag debug flow?
Ken Felix
PCNSE
NSE
StrongSwan
emnoc wrote: So you're managing the FW that has the DNAT VIP on it? You do not need a policy for that, if that is what you're trying to do.
The FW is proprietary to our client; the policy was already in place. To describe what I found (see the attached image):
1 - They created two Virtual IPs, one for TCP and one for UDP
2 - They created one Virtual IP Group with the two Virtual IPs
3 - They created the IPv4 Policy shown previously
emnoc wrote: So let's back up: you have a WAN+INTERNAL setup, and are using LibreNMS to poll the SNMP agent on the WAN side? If yes, did you enable allowaccess for "snmp"?
Yes, SNMP is working just fine, because as soon as I remove the Virtual IP Group from the IPv4 policy and replace it with "ALL" it works.
You don't need a fwpolicy to manage a firewall via SNMP.
Do a "show interface wan1 | grep allowaccess"
Is SNMP enabled on the interface that you're trying to SNMP to? Now enable diag debug flow and run from the LibreNMS:
diag debug reset
diag debug enable
diag debug flow filter dport 161
diag debug flow trace start 10
# from LibreNMS
snmpwalk -c <community> -v2c x.x.x.x
What do you see?
Ken Felix
PCNSE
NSE
StrongSwan
