Home Directory Plugins Hardware Network Gear Fortinet Check Fortigate VPN sessions

Search Exchange

Search All Sites

Nagios Live Webinars

Let our experts show you how Nagios can help your organization.

Contact Us

Phone: 1-888-NAGIOS-1
Email: sales@nagios.com


Remember Me

Directory Tree

Check Fortigate VPN sessions

4 votes
Last Release Date
Compatible With
  • Nagios 1.x
  • Nagios 2.x
  • Nagios 3.x
check_fortigate_vpnFortigate VPN connections pre v4MR2
check_fortigate_vpn.plFortigate VPN connections v4MR2 and later
Network Monitoring Software - Download Nagios XI
Log Management Software - Nagios Log Server - Download
Netflow Analysis Software - Nagios Network Analyzer - Download
This script is used to check IPSEC and VPN tunnels on Fortigate units.
These scripts are originally written to monitor several VPN tunnels on a Fortigate 200A. It works also for other Fortigates. It is tested on groundwork nagios v2, and OPSview v3.13.0. It should also work for other versions.

It gives the number of SSL VPN sessions, the number of Active IPSEC sessions. If a IPSEC session is down, that session is also printed, and the state is changed to WARNING. if 2 or more IPSEC sessions are down, the state changed to CRITICAL.

Last update gives two scripts:

check_fortigate_vpn for FortiOS v4MR1 and older.
check_fortigate_vpn.pl for FortiOS v4MR2 and newer.
(unfortunately Fortinet has changed the oids for the fortigate units.)

The syntax is:

check_fortigate_vpn -H host -C community -M modus -T vpn-type -f

./check_fortigate_vpn -H -C public -M 0
Fortigate 200B: OK, Active SSL-VPN Connections/Tunnels: 1/1, IPSEC Tunnels: Configured/Active: 7/2
Reviews (3)
It'd be great to just check select vpn tunnel status. like how we can with https://exchange.nagios.org/directory/Plugins/Hardware/Network-Gear/Others/SonicWALL-VPN-check/details

or is it possible with this plugin itself ?

You can change the type in line 172:
-version => 2,
Change it to
-version => 1,

But my recommendation for the developer is to improve the customizability of the script. Many parameters could be fetched by user input. Would make things easier, f. e. the SNMP version. But also, f. e., what if you want to check one specific IPSEC tunnel?

One example: You have a Fortigate with one tunnel to Headquarter, and IT department of Headquarter wants to check the status of exactly this specific tunnel. But there're other tunnels to other branches, which are unnecessary for IT department at HQ.

This is one thing you have to modify yourself if you need this feature. Other than that, it's helpful in general. Thanks.
I am trying your script to check a FortiGate-100D.
But I always get «SNMP service is not available on at ./check_fortigate_vpn.pl line 187» and exit code of 255.
I think it is related with SNMP version, this particular Fortigate only has v1 enabled and not vc2 nor v3.

I've noticed you use a serie of perl functions but I dont understand how can I hardcode SNMP v1 on those
- get_snmp_session($ip, $community);
- get_snmp_value($session, $oid_unitdesc);
- get_snmp_table($session, $oid_ipsectuntableroot . $oidf_tunndx);
- close_snmp_session($session);
- get_snmp_request($session, $oid)

Can you please tell me hou can I force the SNMP version?

Thank you