Hello Team!
I am using a FortiGate 40F model FG-40F with a configuration which consists of a VDOM root (management, operation mode NAT) and a VDOM transparent (operation mode transparent).
The VDOM root is only used to give access to the internet:
The VDOM transparent is only used to establish a firewall between a network called LAN and a network called WAN:
My objective is to monitor the Fortinet by sending SNMP GETs from a PC connected to port 2 (Inside lan 2).
I have configured the System > SNMP in this way:
My problem is that the Fortinet receives the SNMP GET but does not answer me:
I am sending the SNMP GET with iReasoning Browser:
I am not using HA or trusted hosts (I have tested adding my PC to trusted hosts but the behaviour does not change). I have checked the threads: SNMP don't response traffic, SNMP response and SNMP no response: timed out, but I cannot solve the problem. I give you more information that could be interesting:
I hope that you can help me, thanks in advance.
Created on 07-24-2024 06:26 AM Edited on 07-24-2024 06:27 AM
Hi @Pablo1 ,
Normally this is possible.
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/986787/nat-and-transparent-mode
Can you change the VDOM link type from PPP to Ethernet?
config system vdom-link
edit <VDOM_LINK_NAME>
set type ethernet
next
end
Hello @Pablo1 ,
In which VDOM is the IP address from which you made the SNMP query?
If you send a query to the management address on the transparent VDOM, this may be the reason for the lack of response. Can you try querying an interface in the root VDOM?
Hi ozkanaltas,
My PC (172.26.1.15) is connected directly to port 2 (172.26.1.7, Inside lan2, which belongs to VDOM: transparent).
I have tried to change my PC IP to 172.32.60.2 and connect to the WAN port (172.32.60.4, which belongs to VDOM: root), and after adding SNMP administrative access to the WAN port the SNMP works. However, I cannot use this configuration in my project: the WAN port cannot have SNMP access and my port connection must be port 2, namely VDOM: transparent.
Is it possible to create any configuration or add anything by console to obtain an SNMP answer from the VDOM: transparent?
Thanks for your answer.
Hi @Pablo1 ,
I think this is related to the transparent VDOM and the VDOM infrastructure.
I think the easiest is to create a VDOM link between the transparent VDOM and the management VDOM. You can open SNMP access on the interface on the management side of this link and make queries to this interface.
Hello Pablo
- I assume the lan2 interface (172.26.1.15) is in the root VDOM.
- In the lan2 interface configuration > Administrative Access, did you enable SNMP?
- Can you try with the standard snmpget or snmpwalk command? Mine gives the following:
$ snmpget -v2c -c public 172.16.50.1 fgSystemInfo.1.0
FORTINET-FORTIGATE-MIB::fgSysVersion.0 = STRING: v6.2.16,build1392,240129 (GA)
$ snmpwalk -v2c -c public 172.16.50.1 fgSystemInfo
FORTINET-FORTIGATE-MIB::fgSysVersion.0 = STRING: v6.2.16,build1392,240129 (GA)
FORTINET-FORTIGATE-MIB::fgSysMgmtVdom.0 = INTEGER: 1
FORTINET-FORTIGATE-MIB::fgSysCpuUsage.0 = Gauge32: 0
FORTINET-FORTIGATE-MIB::fgSysMemUsage.0 = Gauge32: 34
...
Created on 07-23-2024 07:49 AM Edited on 07-23-2024 07:56 AM
Hi AEK,
The lan2 interface (172.26.1.15) is in the VDOM: transparent.
Yes, on ports 1 and 2 (which belong to VDOM: transparent) I have SNMP enabled, but not in VDOM: root.
Is it possible to create any configuration or add anything by console to obtain an SNMP answer from the VDOM: transparent?
I suppose I must execute the snmpget and snmpwalk commands on my PC, right? Is it not possible to do it in the Fortinet console? In that case, do you recommend any program or library to do it on Windows?
Many thanks.
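As an added example (not from any post in this thread and not Fortinet's code), here is a dependency-free SNMPv2c GET encoder and GetResponse decoder in Python that can stand in for iReasoning or snmpget on the Windows PC. The fgSysVersion OID 1.3.6.1.4.1.12356.101.4.1.1.0 is assumed from the FORTINET-FORTIGATE-MIB (it is what fgSystemInfo.1.0 in the snmpget above resolves to), and the community string and response bytes used in testing are constructed.

```python
FG_SYS_VERSION_OID = "1.3.6.1.4.1.12356.101.4.1.1.0"  # fgSysVersion.0 (assumed OID; what fgSystemInfo.1.0 above names)

def tlv(tag, payload):
    """BER TLV: short-form length below 128, else a two-byte long form (plenty for one-OID SNMP)."""
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])) + payload

def ber_int(v):  # INTEGER, minimal two's complement (one extra byte when the top bit is set)
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs share one byte, the rest are base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_snmp_get(community, oid, request_id):
    """SNMPv2c Message { version 1, community, GetRequest-PDU [0xA0] { id, 0, 0, varbinds } }."""
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + b"\x05\x00"))  # value is NULL in a request
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)

def ber_seq(buf):
    """Split a constructed BER value into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:  # long form: 0x8N followed by N length bytes
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + ln]))
        pos += ln
    return out

def parse_snmp_response(msg):
    """Return (request_id, error_status, value_bytes) from a GetResponse-PDU [0xA2]."""
    (_, body), = ber_seq(msg)
    _, _, (tag, pdu) = ber_seq(body)  # version, community, PDU
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU: tag 0x%02x" % tag)
    (_, rid), (_, err), _, (_, vbl) = ber_seq(pdu)  # request-id, error-status, error-index, varbinds
    (_, vb), *_ = ber_seq(vbl)
    _, (_, val) = ber_seq(vb)  # OID, value
    return int.from_bytes(rid, "big", signed=True), int.from_bytes(err, "big", signed=True), val
```

Send the bytes from build_snmp_get to UDP/161 of the FortiGate interface with socket.sendto, hand the reply to parse_snmp_response and check the returned request_id against the one you sent; a recvfrom timeout is the no-answer condition described in this thread.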
Hi Pablo
While configuring SNMP, the interface should be in the management VDOM to get the response from the firewall to the SNMP monitoring tool.
Ref:
Hi ozkanaltas and AEK
If I have understood correctly, I must create a VDOM link between VDOM root and VDOM transparent and later allow SNMP traffic with specific FW policy rules.
But I have problems creating the VDOM link; when I try using the web interface I obtain the error "Input value is invalid".
And when I try to create it by console I obtain: "VDOM link type must be changed from PPP to Ethernet". I click on yes but nothing changes:
Is it possible to establish a VDOM link between a NAT VDOM and a transparent VDOM?
I was using this thread as a guide: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SNMP-when-SNMP-Server-is-conne...
Thanks.
Thanks to Connect 2 Transparent VDOMs with NAT VDOM... - Fortinet Community I have configured the VDOM link, and I have added the policy rules in every VDOM:
But unfortunately SNMP still does not respond.
I have checked the MAC address table and it looks empty:
What can the problem be? Maybe it is necessary to configure a static route?
I have tried to add a static route as in the following link: How to route traffic from one VDOM to ano... - Fortinet Community
But the command set device gives me an error:
Thanks for your time.