How to query Fortinet VDOMs?

Fortigate has this virtual domain concept, which is basically a function to virtualize FortiOS to have multiple, separated Fortigate instances on one device.

From an SNMP point of view you need a separate SNMP community string for each VDOM to query it, which looks like community-VdomName.
The big difference is that all these VDOMs are accessible through the same IP address but deliver different metrics.

So I would need snmp-config.xml entries like this:

   <definition read-community="community">
      <specific>192.168.200.2</specific>
   </definition>
   <definition read-community="community-VdomName1">
      <specific>192.168.200.2</specific>
   </definition>
   <definition read-community="community-VdomName2">
      <specific>192.168.200.2</specific>
   </definition>

Afair this config is not valid since an IP can’t be assigned to multiple communities.

But even if the snmp-config worked, how would the BgpMonitor, which I want to use for each VDOM, know which community it has to use?!

I don’t know if other manufacturers have this VDOM concept, but Fortinet does a lot of marketing to sell this stuff. I still hope Fortinet is not the first one and we already have a solution/workaround for that issue.

Do the VDOMs have their own internal IP address?

We have an appliance which internally has a number of virtual machines on a private network address range, for which externally there is only 1 single IP address to access, and I’ve configured net-snmp on the appliance to proxy requests to the internal VMs. So externally I query the 1 IP address and use the appropriate community string to access the details for each internal VM.

To set that up in OpenNMS, I just define the proxy-host IP address for each community string. So all the community strings have the same proxy IP address, but are linked to IP addresses that are not visible to OpenNMS.

   <definition proxy-host="10.161.59.68" read-community="cmty_vm01_trn">
      <specific>10.0.32.24</specific>
   </definition>
   <definition proxy-host="10.161.59.68" read-community="cmty_vm01_tst">
      <specific>10.0.32.17</specific>
   </definition>

If you don’t know the internal private IP config of the VDOM (or it is simply not something they have), maybe you could pick your own private IP addresses to use just within OpenNMS to be able to configure the SNMP community string for access via the proxy-host?

Cheers,
John


I think @tandeejay is on the right track here with the proxy-host approach. You might need to get creative about your provisioning approach.

How can you assign different snmp-users/communities per vDOM?

In our case (5.6) SNMP is configured in global config mode.
Hence all SNMP goes through the management-assigned vDOM.

You can enable SNMP per interface and as such per vDOM, but in the end SNMP polling is routed to the management vDOM.

If you know differently please tell, because I was trying to monitor the BGP sessions within a vDOM and I cannot get this information. Most likely due to the limitation of the management vDOM’s visibility into the BGP-activated vDOM.

I’ve talked with Fortinet support. Here is the dusty answer.

The management VDOM is responsible for SNMP. In your case the management VDOM is root (default). So you can configure whatever IP you want and enable SNMP on the desired interface:

   conf sys int
   edit
   “append allowaccess snmp”
   end

This should work as long as the interface is a member of the root VDOM.

So I think, reading your OpenNMS case, that unfortunately we do not have what you are looking for, because SNMP is a management protocol that only the MANAGEMENT VDOM is entitled to process.

So I guess I have to go a more uncomfortable way… Since I can query the state using bash, an SNMP extend seems to be the simplest approach (depending on the number of queries you want to add).

I’ve found the resolution for the BGP vDOM monitoring.

You have to query a vDOM-assigned interface but change the SNMP community by appending the vDOM name.
E.g. if the vDOM is called “testVdom” and your community is “reallyeasycommunity”, then you just create the above config you mention and query the IP using the community “reallyeasycommunity-testVdom”.

I believe this is how it works, since you will still query the root vDOM but trick OpenNMS into believing this is another “device”.
I haven’t tried it using SNMPv3; if you do test it, tell me the results.

Hope this helps.

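Putting the two halves of the thread together (the proxy-host trick for several communities on one address, and the community-VdomName suffix that selects the VDOM), here is an added example, not from the thread or from OpenNMS itself, that generates the snmp-config.xml `<definition>` entries for a list of VDOMs. The device address, base community, VDOM names and the 10.255.0.0/24 placeholder range are all constructed for the example.

```python
# Added example: build OpenNMS snmp-config.xml <definition> entries for Fortinet
# VDOMs. Every entry is proxied through the real device address (the interface
# that has "allowaccess snmp"); each VDOM gets a distinct placeholder "specific"
# address so OpenNMS treats it as a separate node. The placeholder addresses are
# never contacted on the wire; proxy-host is where the SNMP packets go.
import ipaddress
import xml.etree.ElementTree as ET
from typing import List, Optional

def vdom_community(base_community: str, vdom: Optional[str]) -> str:
    """FortiOS selects the VDOM by suffixing the community with '-<vdom>'.
    None means the management (root) VDOM, queried with the bare community.
    Note that every derived string shares the base secret: if the base
    community leaks, every VDOM is readable, so treat it like one credential."""
    return base_community if vdom is None else f"{base_community}-{vdom}"

def build_vdom_definitions(device_ip: str, base_community: str,
                           vdoms: List[Optional[str]],
                           placeholder_net: str = "10.255.0.0/24") -> List[ET.Element]:
    """One <definition> per VDOM, all with proxy-host=device_ip. Pick a
    placeholder_net that does not overlap any address OpenNMS really polls,
    because OpenNMS keys the node on the <specific> address."""
    hosts = ipaddress.ip_network(placeholder_net).hosts()
    definitions = []
    for vdom in vdoms:
        d = ET.Element("definition", {
            "proxy-host": device_ip,
            "read-community": vdom_community(base_community, vdom),
        })
        ET.SubElement(d, "specific").text = str(next(hosts))
        definitions.append(d)
    return definitions

def render(definitions: List[ET.Element]) -> str:
    """Indented XML fragments to paste into an existing snmp-config.xml
    (Python 3.9+ for ET.indent)."""
    out = []
    for d in definitions:
        ET.indent(d, space="   ")
        out.append(ET.tostring(d, encoding="unicode"))
    return "\n".join(out)

if __name__ == "__main__":
    # Constructed input mirroring the first post: root VDOM plus two named VDOMs.
    defs = build_vdom_definitions("192.168.200.2", "community",
                                  [None, "VdomName1", "VdomName2"])
    print(render(defs))
```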