Support Forum
mhdganji
Contributor II

SNMP on a non-management interface

Hi

Struggling and troubleshooting for hours and found out that FortiGate (FortiOS 7.0.9) just responds to SNMP on its management VDOM interfaces. So:

1. Is there any way to force it to respond to SNMP requests received on interfaces which are not members of the management VDOM? (For security purposes I don't like this VDOM to be routed into the internal network, just use it for FortiGuard.)

2. How, using a VDOM link, can I configure the SNMP requests to be routed to the management VDOM? I built a /30 link between the internal VDOM and the management VDOM. Should I make the management VDOM /30 IP reachable all through the network to the monitoring device? Is there a method to tell the device to route just SNMP packets to that IP? (Receive them on the internal VDOM, route to the management VDOM through the VDOM link, get the response and send it back to the monitoring software.)

Or maybe there are better ways to do this.

 

Thanks

M. Ganji, Network & Security Expert.
gfleming
Staff

Yes, just use a FW policy that allows only SNMP (UDP/161) from the non-mgmt VDOM intf to the inter-VDOM link.

Cheers,
Graham
mhdganji

Hi,

It did not work, and as a matter of fact I wonder how it should work. The SNMP traffic reaches the non-management interface and the box itself decides that it should be sent to the management interface, uses the rule and ... ?

Let me say again that just switching the management VDOM will put SNMP to work. Meanwhile, maybe the pictures below will be of some help. And BTW, I upgraded to FortiOS 7.2.

[Screenshots P1.JPG, P2.JPG, P3.JPG not reproduced]

M. Ganji, Network & Security Expert.
gfleming
Staff

You need a policy in the root VDOM allowing traffic across the VDOM link. You need a policy in the management VDOM allowing traffic from the VDOM link to the relevant intf.

You need routing set up to work properly across the VDOM links.

Have you done all this?

Cheers,
Graham
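The setup described in the replies above, written out as a FortiOS CLI example. This is an added illustration, not configuration posted by anyone in the thread or by Fortinet: the VDOM names ("root" for the internal VDOM, "mgmt" for the management VDOM), the interface name "internal", the link name "vdl-snmp" (FortiOS creates the interfaces vdl-snmp0 and vdl-snmp1 from it), the poller address 10.10.10.50 and the link subnet 10.255.255.0/30 are all assumptions, and the community string is a placeholder to be replaced.

```fortios
# Added example (not from the thread). Assumed names: VDOMs "root" and "mgmt",
# interface "internal", poller 10.10.10.50, VDOM link 10.255.255.0/30.

# 1. Global: inter-VDOM link, one end per VDOM, SNMP enabled only on the mgmt end.
#    Requests to 10.255.255.2 terminate in the mgmt VDOM as local-in traffic,
#    so the "allowaccess snmp" on vdl-snmp1 is what makes the FortiGate answer.
config global
    config system vdom-link
        edit "vdl-snmp"
        next
    end
    config system interface
        edit "vdl-snmp0"
            set vdom "root"
            set ip 10.255.255.1 255.255.255.252
            set allowaccess ping
        next
        edit "vdl-snmp1"
            set vdom "mgmt"
            set ip 10.255.255.2 255.255.255.252
            set allowaccess ping snmp
        next
    end
    # SNMP agent is global; restrict the community to the single poller host.
    config system snmp sysinfo
        set status enable
    end
    config system snmp community
        edit 1
            set name "REPLACE-WITH-COMMUNITY"
            config hosts
                edit 1
                    set ip 10.10.10.50 255.255.255.255
                next
            end
        next
    end
end

# 2. Root VDOM: forward only SNMP from the poller to the mgmt end of the link.
#    10.255.255.0/30 is directly connected on vdl-snmp0, so no route is needed here.
config vdom
    edit root
        config firewall address
            edit "snmp-poller"
                set subnet 10.10.10.50 255.255.255.255
            next
            edit "mgmt-vdl-ip"
                set subnet 10.255.255.2 255.255.255.255
            next
        end
        config firewall policy
            edit 100
                set name "snmp-to-mgmt-vdom"
                set srcintf "internal"
                set dstintf "vdl-snmp0"
                set srcaddr "snmp-poller"
                set dstaddr "mgmt-vdl-ip"
                set action accept
                set schedule "always"
                set service "SNMP"
                set logtraffic all
            next
        end
    next
end

# 3. Management VDOM: return route to the poller's subnet via the root end of the link,
#    otherwise the SNMP responses have no path back.
config vdom
    edit mgmt
        config router static
            edit 10
                set dst 10.10.10.0 255.255.255.0
                set gateway 10.255.255.1
                set device "vdl-snmp1"
            next
        end
    next
end
```

With this in place the monitoring host polls 10.255.255.2 (the mgmt end of the link) rather than an internal interface; the only path from the internal network into the management VDOM is the root-VDOM policy above, which admits the predefined SNMP service from one source address and logs every session, so nothing else in the management VDOM becomes reachable. "SNMP" is the built-in FortiOS service object; the root policy could be narrowed further to a custom UDP/161-only service if SNMP traps (UDP/162) in that direction are not wanted.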
Chuchubi
New Contributor

The above normally works for one device. But will this work for both devices in HA mode? I could manage to get this to work for only the primary device. If you're in HA and doing active-active non-load-balancing or load-balancing, it didn't work for me.

Any suggestions?
