SNMP interface index conflict after FortiManager upgrade from 5.4 to 5.6

aagrafi
2018/07/05 12:36:40

Hello,
 
I recently updated an FMG-300D from 5.4 to 5.6.5, and afterwards the managed device's configuration appears to be in conflict with the FMG. After looking deeper, I found out that the FMG, after the upgrade, decided to change some SNMP interface indexes, and after the installation process these changes were rejected by the FortiGate.
 
Have you experienced a similar issue with an FMG upgrade? Any ideas on how to resolve the conflict?
 
Thanks
#1
ergotherego
Re: SNMP interface index conflict after FortiManager upgrade from 5.4 to 5.6 2018/07/05 12:44:51
I ran into this when upgrading FMG from 5.4.2 to 5.4.3. TAC was unable to reproduce, and as far as I know no bug report was issued. I was able to work around the issue by:
 
1) Retrieve the configs for the firewalls inside FMG
2) Perform a re-install against all VDOMs on those firewalls
3) Will probably need to re-install on other firewalls as well, since FMG wants to have all FGTs use the same SNMP index for all interfaces of the same name.
 
That re-synced the SNMP index IDs to a value that worked on both sides. I had to do this for a bunch of firewalls, but after doing it once, it did solve the issue permanently for that firewall. We now run FMG 5.6.3 and have not seen the issue recur.
 
P.S. What version of 5.4 did you upgrade from? Sounds like you basically skipped over the 5.4 patch release where this issue occurred, and are running into it now. TAC informed me that in 5.4.3 there is an intended change in behavior to sync SNMP index IDs, and typically it should be adding 100 to the existing value. E.g., if the local FGT had an index ID of 11 for "port1", FMG would want to change that to an index ID of 111 to avoid conflict.
#2
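To see which interfaces a re-install would touch, the SNMP indexes in the FortiGate's running config can be compared with the copy FortiManager holds. The script below is an added example, not code from the thread or from Fortinet: it reads the `set snmp-index` lines under `config system interface`, the function names are hypothetical, and the two sample configs are constructed, with the FMG copy using the 11 to 111 change described above.

```python
import re

# Constructed sample: the interface section of a FortiGate config backup.
FGT_CFG = """config system interface
    edit "port1"
        set snmp-index 11
    next
    edit "port2"
        set snmp-index 12
        config ipv6
            set ip6-mode static
        end
    next
end"""
# Constructed sample: the copy held by FMG, with port1 moved from 11 to 111.
FMG_CFG = FGT_CFG.replace("snmp-index 11", "snmp-index 111")

def snmp_indexes(config_text):
    """Return {interface name: snmp-index} from 'config system interface'."""
    indexes, in_block, depth, name = {}, False, 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system interface" and not in_block:
            in_block, depth = True, 0
        elif not in_block:
            continue
        elif line.startswith("config "):      # nested table, e.g. config ipv6
            depth += 1
        elif line == "end":                   # closes nested table or the block
            in_block, depth = depth > 0, max(depth - 1, 0)
        elif depth == 0 and (m := re.match(r'edit "?([^"]+)"?$', line)):
            name = m.group(1)
        elif depth == 0 and (m := re.match(r"set snmp-index (\d+)$", line)):
            indexes[name] = int(m.group(1))
    return indexes

def compare(fgt_text, fmg_text):
    """List (name, fgt_index, fmg_index, delta) where the two sides disagree."""
    fgt, fmg = snmp_indexes(fgt_text), snmp_indexes(fmg_text)
    return [(n, fgt[n], fmg[n], fmg[n] - fgt[n])
            for n in sorted(fgt.keys() & fmg.keys()) if fgt[n] != fmg[n]]

if __name__ == "__main__":
    for name, on_fgt, on_fmg, delta in compare(FGT_CFG, FMG_CFG):
        print(f"{name}: FGT={on_fgt} FMG={on_fmg} delta={delta:+d}")
```

Any SNMP poller that keys graphs or alerts on the interface index will need its mappings refreshed after the indexes change.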
aagrafi
Re: SNMP interface index conflict after FortiManager upgrade from 5.4 to 5.6 2018/07/06 00:04:53
Thanks for your response. It certainly provides several useful insights. I did the upgrade from 5.4.0, since this was the interim from 5.2. According to the release notes, you can upgrade directly from 5.4.0 to 5.6. I had no idea about this issue with the SNMP indexes, and I find it embarrassing for such mission-critical systems to have such ridiculous changes in behavior from version to version...
#3
aagrafi
Re: SNMP interface index conflict after FortiManager upgrade from 5.4 to 5.6 2018/07/10 12:12:05
Apparently the problem was resolved after I upgraded the FortiGate to 5.2.7 and re-installed the policies.
#4