FortiGate
knalawade
Staff
Article Id 269351
Description: This article describes how to use SNMP on a FortiGate when the SNMP request arrives on one interface (port A) while the SNMP service is enabled on a different interface (port B).
Scope: FortiOS v6 and above.
Solution

In this example, the SNMP request arrives on the port3 interface, but the SNMP service is enabled only on the port1 interface.

SNMP server (172.31.143.202) ------------------------------ port3 (172.31.141.78) -- FortiGate -- port1 (10.5.29.78, SNMP enabled on port1)

 

SNMP community configuration on the FortiGate (the host entry identifies the SNMP manager that is allowed to query the device):

config system snmp community
    edit 1
        set name "public"
        set status enable
            config hosts
                edit 1
                    set source-ip 0.0.0.0
                    set ip 172.31.143.202 255.255.255.255
                    set ha-direct disable
                    set host-type any
                next
            end
    next
end

 

Run an snmpwalk from the SNMP server and trace the flow on the FortiGate; the packet is dropped:

 

FGT (root) # diagnose debug flow show function-name enable
show function name

FGT (root) # diagnose debug flow filter addr 172.31.143.202

FGT (root) # diagnose de flow filter port 161

FGT (root) # diagnose debug flow trace start 1000

FGT (root) # diagnose de enable

FGT (root) # id=65308 trace_id=314 func=print_pkt_detail line=5842 msg="vd-root:0 received a packet(proto=17, 172.31.143.202:51501->10.5.29.78:161) tun_id=0.0.0.0 from port3. "
id=65308 trace_id=314 func=init_ip_session_common line=6028 msg="allocate a new session-01b0d211, tun_id=0.0.0.0"
id=65308 trace_id=314 func=__vf_ip_route_input_rcu line=2012 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
id=65308 trace_id=314 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=43, len=2"
id=65308 trace_id=314 func=fw_local_in_handler line=615 msg="iprope_in_check() check failed on policy 0, drop" <----- Packet is getting dropped.

 

Note:

The packet is dropped because it enters on port3 while its destination, the SNMP service, is the port1 address. Traffic entering on one interface and destined for another interface's IP is subject to the firewall policy check (policy 0 in the trace means no matching policy was found), so it is denied.

 

Solution:

 

Because the SNMP request enters on port3 but is destined for port1, a firewall policy from port3 to port1 that allows the SNMP service must be created.

 

Policy configuration:

 

config firewall policy
    edit 3
        set name "test"
        set uuid 69523ec0-3c19-51ee-3217-95e7388cbae1
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "SNMP" <----- Allowing SNMP service.
        set nat enable
    next
end

 

Now initiate the SNMP traffic again; with the policy in place, the packet is accepted and polling succeeds:


FGT (root) # diagnose de enable
id=65308 trace_id=315 func=print_pkt_detail line=5842 msg="vd-root:0 received a packet(proto=17, 172.31.143.202:51702->10.5.29.78:161) tun_id=0.0.0.0 from port3. "
id=65308 trace_id=315 func=init_ip_session_common line=6028 msg="allocate a new session-01b0f1a0, tun_id=0.0.0.0"
id=65308 trace_id=315 func=__vf_ip_route_input_rcu line=2012 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
id=65308 trace_id=315 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=43, len=3"
id=65308 trace_id=315 func=get_new_addr line=1239 msg="find SNAT: IP-10.5.29.78(from IPPOOL), port-51702"
id=65308 trace_id=315 func=ip_session_confirm_final line=3087 msg="npu_state=0x0, hook=1"
id=65308 trace_id=316 func=print_pkt_detail line=5842 msg="vd-root:0 received a packet(proto=17, 10.5.29.78:161->172.31.143.202:51702) tun_id=0.0.0.0 from local. "
id=65308 trace_id=316 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-01b0f1a0, reply direction"
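To triage this kind of debug-flow output across many traces at once, the following Python helper (an added example, not part of the Fortinet article) groups `diagnose debug flow` lines by trace_id, extracts the ingress interface and 5-tuple from the `print_pkt_detail` line, and records whether each packet was dropped (with the dropping function and message) or accepted. The sample lines are constructed from the two captures above.

```python
import re
from collections import OrderedDict

# Constructed sample: one dropped trace (314) and one accepted trace (315), as in the article.
TRACE = """\
id=65308 trace_id=314 func=print_pkt_detail line=5842 msg="vd-root:0 received a packet(proto=17, 172.31.143.202:51501->10.5.29.78:161) tun_id=0.0.0.0 from port3. "
id=65308 trace_id=314 func=fw_local_in_handler line=615 msg="iprope_in_check() check failed on policy 0, drop"
id=65308 trace_id=315 func=print_pkt_detail line=5842 msg="vd-root:0 received a packet(proto=17, 172.31.143.202:51702->10.5.29.78:161) tun_id=0.0.0.0 from port3. "
id=65308 trace_id=315 func=get_new_addr line=1239 msg="find SNAT: IP-10.5.29.78(from IPPOOL), port-51702"
id=65308 trace_id=315 func=ip_session_confirm_final line=3087 msg="npu_state=0x0, hook=1"
"""

# key=value pairs; the msg value is a double-quoted string that may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# 5-tuple and ingress interface as printed by print_pkt_detail.
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) tun_id=\S+ from (\S+)\.')


def parse_line(line):
    """Return the key=value fields of one debug-flow line, with quotes stripped."""
    fields = {}
    for key, val in FIELD_RE.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields


def summarize_traces(text):
    """Group lines by trace_id and decide each packet's fate (drop/accept/unknown)."""
    traces = OrderedDict()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        tid = f.get("trace_id")
        if tid is None:
            continue
        t = traces.setdefault(tid, {"verdict": "unknown", "reason": None})
        msg = f.get("msg", "")
        m = PKT_RE.search(msg)
        if m:
            t.update(proto=int(m.group(1)), src=m.group(2), sport=int(m.group(3)),
                     dst=m.group(4), dport=int(m.group(5)), ingress=m.group(6))
        # Local-in drops end in "drop"; forward-policy denials read "Denied by forward policy check".
        if msg.endswith("drop") or msg.startswith("Denied"):
            t["verdict"], t["reason"] = "drop", "%s: %s" % (f.get("func"), msg)
        elif f.get("func") == "ip_session_confirm_final":
            t["verdict"] = "accept"
    return traces
```

Pipe a saved trace into `summarize_traces` and print only the entries whose verdict is `drop` to find the offending policy check quickly.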

 

If the issue persists, collect the following output and share it with TAC for further assistance.

 

Terminal 1:

 

diag debug application snmpd -1

diag debug enable

 

Terminal 2:

 

diag sniffer packet any "port 161 or 162" 6 0 l
