luca1994
New Contributor III

SNMP no response: timed out

Hello team,

I configured SNMP.

I enabled SNMP on the management interface, after which I went to "System > SNMP" and configured it as follows:

[snmp.png]

When I test with the snmpwalk command via the CLI from my monitoring system, on the FortiGate side I capture this traffic:

[capture.png]

It is as if the FortiGate is not responding to the SNMP traffic. Maybe some policy is missing?

Thanks for the support

BR

1 Solution
AEK
SuperUser

Hello Luca

If your host is not in the same VLAN as your mgmt interface, then yes, you have to add a firewall policy as follows:

  • Source interface: Interface from which the host is sending SNMP query (in your case I think it is VPN)
  • Source IP: Host
  • Destination interface: mgmt
  • Destination IP: mgmt IP

In case your mgmt interface is "dedicated for management", then I think you will not be able to add this policy, so I think you will have to enable SNMP on another firewall interface.

AEK
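As an added example (not from AEK's post or from Fortinet documentation), this is how the policy described above, together with SNMP access on the answering interface, looks in FortiOS CLI; the interface name "vpn-intf", the address object names and both IP addresses are assumed placeholders:

```fortios
# Added example, not AEK's own configuration. Assumed values:
#   "vpn-intf"   = interface the monitoring host's query arrives on
#   "mgmt"       = the FortiGate management interface (as in the thread)
#   10.0.0.50/32 = monitoring host (placeholder), 10.0.0.1/32 = mgmt IP (placeholder)

# 1. Permit SNMP on the interface that will answer the queries.
#    allowaccess replaces the whole list, so restate the protocols you still need.
config system interface
    edit "mgmt"
        set allowaccess ping https ssh snmp
    next
end

# 2. Address objects so the policy is limited to one host and one destination.
config firewall address
    edit "snmp-monitor-host"
        set subnet 10.0.0.50 255.255.255.255
    next
    edit "fgt-mgmt-ip"
        set subnet 10.0.0.1 255.255.255.255
    next
end

# 3. Policy: monitoring host -> mgmt IP, predefined SNMP service only, logged.
config firewall policy
    edit 0
        set name "allow-snmp-to-mgmt"
        set srcintf "vpn-intf"
        set dstintf "mgmt"
        set srcaddr "snmp-monitor-host"
        set dstaddr "fgt-mgmt-ip"
        set action accept
        set schedule "always"
        set service "SNMP"
        set logtraffic all
    next
end
```

As the reply notes, a mgmt interface that is dedicated to management cannot be a policy destination, so in that case the same policy targets whichever other interface has SNMP enabled.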

syordanov
Staff

Dear luca1994,

I hope you are doing well.
Can you try to run the following commands while your monitoring system does the snmpwalk:


SSH No1:

diagnose debug reset
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug flow filter daddr x.x.x.x <---- where x.x.x.x is the IP address of your mgmt interface
diagnose debug console timestamp enable
diagnose debug flow trace start 200
diagnose debug enable


SSH No2:

diag sys session filter dst x.x.x.x <---- where x.x.x.x is the IP address of your mgmt interface
diag sys session filter dport 161
diag sys session list
diag sys session clear
diag sys session list

Check if the traffic from your monitor station is dropped by policy-0 deny or by the reverse path fail check.

Regards,

Fortinet

funkylicious
SuperUser

If you are using trusted hosts for your firewall administrators to log in, you would need to add the IP of the SNMP query server to one of them.

geek
luca1994
New Contributor III

Hello @AEK,

thank you for your response.
So, since it is not possible to create a policy on the management interface, it is mandatory to configure SNMP on another interface and then allow this traffic via policy.
Does the same thing apply if the firewall is in HA A-P?

BR

AEK

Hi Luca

Yes, it is the same for HA A-P.

AEK
luca1994
New Contributor III

Hello @AEK,

just out of curiosity, what is the utility of enabling SNMP on the management interface?

Thanks

BR

AEK

Hi Luca

Personally I usually enable it on the interface which is on the same VLAN as the monitoring server.

It is not mandatory to enable it on the management interface, but I guess on the mgmt interface it just has some natural logic.

AEK
luca1994
New Contributor III

Hello AEK,

is it safe to enable SNMP on the WAN interface?

Thank you

BR

AEK

Hi Luca

This is not safe.

AEK