Home Directory Plugins Hardware Network Gear Fortinet check_fortigate.pl: fortigate,fortimail, fortianalyzer

Search Exchange

Search All Sites

Nagios Live Webinars

Let our experts show you how Nagios can help your organization.

Contact Us

Phone: 1-888-NAGIOS-1
Email: sales@nagios.com

Login

Remember Me

check_fortigate.pl: fortigate,fortimail, fortianalyzer

Current Version
1.7.0
Last Release Date
2016-06-02
Compatible With
  • Nagios 1.x
  • Nagios 2.x
  • Nagios 3.x
  • Nagios 4.x
Owner
License
GPL
Hits
64747
Network Monitoring Software - Download Nagios XI
Log Management Software - Nagios Log Server - Download
Netflow Analysis Software - Nagios Network Analyzer - Download
Checks fortinet appliances via SNMP v1/v2c/v3, with perf data:

Usage:
check_fortigate.pl -H -C -T [-w|-c|-S|-s|-R|-M|-V|-?]
Options:

-H --host STRING or IPADDRESS Check interface on the indicated host
-P --port INTEGER Port of indicated host, defaults to 161
-v --version STRING SNMP Version, defaults to SNMP v2, v1-v3 supported
-T --type STRING CPU, MEM, Ses, VPN, Cluster, Firmware, HW, ..
-S --serial STRING Primary serial number
-s --slave get values of slave
-w --warning INTEGER Warning threshold, applies to cpu, mem, session, firmware
-c --critical INTEGER Critical threshold, applies to cpu, mem, session, firmware
-R --reset Resets ip file (cluster only)
-M --mode STRING Output-Mode: 0 => just print, 1 => print and show failed tunnel, 2 => critical
-V --vpnmode STRING VPN-Mode: both => IPSec & SSL/OpenVPN, ipsec => IPSec only, ssl => SSL/OpenVPN only
SNMP v1/v2c only
-C --community STRING Community-String for SNMP, only at SNMP v1/v2c, defaults to public
SNMP v3 only
-U --username STRING Username
-A --authpassword STRING auth password
-a --authprotocol STRING auth algorithm, defaults to sha
-X --privpassword STRING private password
-x --privprotocol STRING private algorithm, defaults to aes

-? --help Returns full help text

Requires Net::SNMP, List::Compare, Getopt::Long, Pod::Usage, Switch

This plugin checks FortiGate devices via SNMP (enable snmp, configure community and allow snmp access on client lan)

* Update 2016-05-13: added FortiAnalyzer support, improved Cluster-State check and added Firmware-Check
* Update 2015-03-11: added WTP support (thanks to Mikael)
* Update 2015-02-26: added SNMP v3 support
* Update 2013-01-16: changed CPU OID, added net usage
Required Perl modules:

- List::Compare (Ubuntu/Debian: liblist-compare-perl)
- Net::SNMP (Ubuntu/Debian: libnet-snmp-perl)

NAME
Check Fortinet FortiGate Appliances

SYNOPSIS
check_fortigate.pl -H -C -T [-w|-c|-S|-s|-R|-M|-V|-?]
Options:

-H --host STRING or IPADDRESS Check interface on the indicated host
-P --port INTEGER Port of indicated host, defaults to 161
-v --version STRING SNMP Version, defaults to SNMP v2, v1-v3 supported
-T --type STRING CPU, MEM, Ses, VPN, Cluster, firmware, hw, disk
-S --serial STRING Primary serial number
-s --slave get values of slave
-w --warning INTEGER Warning threshold, applies to cpu, mem, session.
-c --critical INTEGER Critical threshold, applies to cpu, mem, session.
-R --reset Resets ip file (cluster only)
-M --mode STRING Output-Mode: 0 => just print, 1 => print and show failed tunnel, 2 => critical
-V --vpnmode STRING VPN-Mode: both => IPSec & SSL/OpenVPN, ipsec => IPSec only, ssl => SSL/OpenVPN only
SNMP v1/v2c only
-C --community STRING Community-String for SNMP, only at SNMP v1/v2c, defaults to public
SNMP v3 only
-U --username STRING
-A --authpassword STRING auth password
-a --authprotocol STRING auth algorithm, defaults to sha
-X --privpassword STRING private password
-x --privprotocol STRING private algorithm, defaults to aes

-? --help Returns full help text

OPTIONS
-H--host
STRING or IPADDRESS - Check interface on the indicated host.

-C|--community
STRING - Community-String for SNMP

-T|--type
STRING - CPU, MEM, Ses, VPN, Cluster, Firmware, fazmem, fazcpu

-S|--serial
STRING - Primary serial number.

-s|--slave
BOOL - Get values of slave

-w|--warning
INTEGER - Warning threshold, applies to cpu, net, mem, session.

-c|--critical
INTEGER - Critical threshold, applies to cpu, net, mem, session.

-R|--reset
BOOL - Resets ip file (cluster only)

-M|--mode
STRING - Output-Mode: 0 => just print, 1 => print and show
failed tunnel, 2 => critical

-V|--vpnmode
STRING - VPN-Mode: both => IPSec & SSL/OpenVPN, ipsec => IPSec
only, ssl => SSL/OpenVPN only

DESCRIPTION
This plugin checks Fortinet FortiGate devices via SNMP

From Web:
1. Select Network -> Interface -> Local interface
2. Administrative Access: Enable SNMP
3. Select Config -> SNMP
4. Enable SNMP, fill your details
5. SNMP v1/v2c: Create new
6. Configure for your needs, Traps are not required for this plugin!

From CLI:
config system interface
edit "internal"
set allowaccess ping https ssh snmp fgfm
next
end

config system snmp sysinfo
set description "DMZ1 FortiGate 300C"
set location "Room 404"
set conctact-info "BOFH"
set status enable
end

config system snmp community
edit 1
set events cpu-high mem-low fm-if-change
config hosts
edit 1
set interface "internal"
set ip %SNMP Client IP%
next
end
set name "public"
set trap-v1-status disable
set trap-v2c-status disable
next
end

Thats it!


Samples:

To use SNMPv3 just replace "-C public" with "-v 3 -U username -A this_is_auth_string -a sha -x aes128 -X this_is_priv_string"

Cluster:
$ check_fortigate.pl -H 192.168.123.100 -C public -T cluster
OK: Fortinet 300C (Master: FGSERIALMASTER, Slave: FGSERIALSLAVE): HA (Active/Passive) is active
- Warning if unknown node appears
- Critical if single node
- Optional: Critical, if preferred master (-S Serial) is not master

CPU:
$ check_fortigate.pl -H 192.168.123.100 -C public -T cpu
OK: Fortinet 300C (Master: FGSERIALMASTER) CPU is okay: 1%|'cpu'=1%;80;90

CPU-Slave:
$ check_fortigate.pl -H 192.168.123.100 -C public -T cpu -s
OK: Fortinet 300C (Master: FGSERIALMASTER) slave_CPU is okay: 5%|'slave_cpu'=5%;80;90
- Defaults: 80%/90%

Memory:
$ check_fortigate.pl -H 192.168.123.100 -C public -T mem
OK: Fortinet 300C (Master: FGSERIALMASTER) Memory is okay: 29%|'memory'=29%;80;90

Memory-Slave:
$ check_fortigate.pl -H 192.168.123.100 -C public -T mem
OK: Fortinet 300C (Master: FGSERIALMASTER) slave_Memory is okay: 29%|'slave_memory'=29%;80;90
- Defaults: 80%/90%

Sessions:
$ check_fortigate.pl -H 192.168.123.100 -C public -T ses
WARNING: Fortinet 300C (Master: FGSERIALMASTER) Session is warning: 85|'session'=85;80;90

Sessions-Slave:
$ check_fortigate.pl -H 192.168.123.100 -C public -T ses -s
WARNING: Fortinet 300C (Master: FGSERIALMASTER) slave_Session is warning: 85|'slave_session'=85;80;90
- Defaults: 80/90

VPN:

Both: $ check_fortigate.pl -H 192.168.123.200 -C public -T vpn -V both -M 1
OK: Fortigate 100D (Master: FGSERIALMASTER): Active SSL-VPN Connections/Tunnels: 0/0: IPSEC Tunnels: Configured/Active: 4/3 , Static_Sample_p2 down|'ActiveSSL-VPN'=0 'ActiveIPSEC'=3

SSL: $ check_fortigate.pl -H 192.168.123.100 -C public -T vpn -V ssl -M 0
OK: Fortinet 300C (Master: FGSERIALMASTER): Active SSL-VPN Connections/Tunnels: 0/0|'ActiveSSL-VPN'=0 'ActiveIPSEC'=0

IPSec: $ check_fortigate.pl -H 192.168.123.200 -C public -T vpn -V ipsec -M 2
WARNING: Fortigate 100D (Master: FGSERIALMASTER): IPSEC Tunnels: Configured/Active: 4/3 , Static_Sample_p2 down|'ActiveSSL-VPN'=0 'ActiveIPSEC'=3
- Warning if Mode (-M) > 1 and ipsec tunnel is down

Reviews (20)
MayraAltamirano, if you are already in the plugins directory, make sure to run your plugin as such:

./check_fortigate.pl -H 192.168.200.254 -C public -T cluster

or run it with:

/full/path/to/the/check_fortigate.pl -H 192.168.200.254 -C public -T cluster

Hope this helps.
Hello!
Firts of all I'm sorry for my bad english.
I'm a Nagios Newbie and I want to install the plugin check_fortigate.pl, I already install perl and every time I tried to prove the command

check_fortigate.pl -H 192.168.200.254 -C public -T cluster
The server says: check_fortigate.pl: command not found

So I don't know how to make it works.
Any help will be great!

Thanks!
Regards from México!
bygnaggios, May 11, 2018
Works well
bys.ferrara, April 25, 2018
It's very usefull and works well.

My only problem, it's that, I can't find in the documentation if we check with -T ses the active session or the session per sec. (I presume that it's the session but I have some big doubt).
First of all a Great PLugin, which lets you monitor your Fortigate Device. Works with Fortigate 600D (5.4.8). To make it work with Fortimanager (5.6.2) all you have to do is change ( /^(FL|FAZ)/ to ( /^(FL|FAZ|FMG)/ otherwise it will not work for Fortimanager. Unforntunalty the disk check is not working for Fortigate, because it's not defined in the oids and I wasn't able to get the right oid. For the error from mugundan28 all you have to do is to provide the right permissions to /var/spool/nagios/ramdisk/FortiSerial, a chown nagios:nagios did the trick for me.
bymugundan28, February 7, 2018
I am trying to monitor fortigate disk but it will through the error like "CRITICAL: Error writing on /var/spool/nagios/ramdisk/FortiSerial directory, permission denied" the command I am running is ./check_fortigate.pl -H fortigate_firewall -C community -T disk
bympuff, February 19, 2017
Hi all,

is this plugin compatible with FortiOS v5.4?
Thanks.

Kind regards,
Martin
byjmsanesteban, February 6, 2017
Hi all!!

First of all, thank you for such great job.

Second, sorry for my english :)

Third, I think that there may be a little problem with the phase 2 selectors of the VPN, it seems that the plugin shows as 'disconnected VPN' two of my phase 2 selectors, so it is show wrong information.

$return_string = OK, but there are two phase2 down, the $return_state is CRITICAL.

Thank you in advance.

+1 for VPN exclusion list!!

Regards and keep on!!.
Juanma.
bySysManSD, October 13, 2015
Hello highfeeling,

I had the same problem until I activated the SNMP Administrative Access on the interface.
After resolving that, that I had a problem with "error writing on /path_to_nagios_plugins/FortiSerial directory, permission denied", which I resolved creating the directory in the specified path.
byjosy-cig, June 10, 2015
Thank you for this great Plugin!

Could somebody help me with the follow problem?
We have some IPsec VPNs, which are down most of the time.
Therefor the “check_fortigate_vpn_IPSEC” returns a Critical Status.
1) Is it possible to define VPN as an exception?
2) Is it possible to change the number of the VPN connections that must be down before that status is critical?
3) Is there a way to monitor only some IPSec VPN Connections?

Thank You
Owner's reply

Hi Josy,

that is a good idea, actually i have something like that in mind.

It will be integrated in the near future.

byebierens, June 7, 2015
Hi,

i've got some problems with the following unknown error:

UNKNOWN: session get request failed

regards
Hi,

I am facing a strange problem. If I run the snmpwalk command against the fortinet firwall(300c) with Firmware Version 5.2.1 I am able to get the values but I am getting "session get request failed" when I try to run this plugin. I have rechecked SNMP is configured properly on the Fortigate firewall.

What could be the reason for this issue. I am running Nagios 3.5.x on Centos 7 64-bit Os.

snmpwalk -c SNMP-TESTs -v 2c 172.31.5.6
SNMPv2-MIB::sysDescr.0 = STRING: trafic
sysObjectID.0 = OID: fgt300C
SNMPv2-MIB::sysContact.0 = STRING: firewall@example.com
SNMPv2-MIB::sysName.0 = STRING: firewall@example.com
SNMPv2-MIB::sysLocation.0 = STRING: xxxxxx
SNMPv2-MIB::sysServices.0 = INTEGER: 78
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00

Firmware Version
fgSysVersion.0 = STRING: v5.2.1,build0618,140915 (GA)


./check_fortigate.pl -C SNMP -v 2c -H 172.31.5.6
UNKNOWN: session get request failed


Thanks & Regards

Ankush Grover
byZak, March 1, 2015
1 of 1 people found this review helpful
It's really helpful plugin. Please update description :) Probably you forgot about -U "username" variable.
Maybe in next release you try add bandwith monitoring? :)
Best Regards,
Rafal
byzoltan.marton, February 11, 2015
1 of 1 people found this review helpful
Hi all!

Can I use it with snmp v3 with authentication?


thx!
Owner's reply

Today i released v1.4 with SNMPv3 Support :-)

byPartieHonteuse, September 23, 2014
1 of 1 people found this review helpful
This works great! Thank you so much for this plugin. Made this account just to say so and to also assist other users in the future that are new to Nagios such as myself.

the 255 out of bounds messages is because you are not creating an _SNMP_COMMUNITY variable in the host definition. e.g.:

define host{
use generic-switch ; Inherit default values from a template
host_name FG80CXXXXXXX ; The name we're giving to this host
alias Fortigate Firewall ; A longer name associated with the host
_SNMP_COMMUNITY public
address 192.168.1.1 ; IP address of the host
}

And then to check IPSEC VPN:
define service{
use generic-service
host_name FG80CXXXXXXXXX
service_description IPSec VPN Status
check_command check_fortigate_vpn!ipsec
contact_groups twilio_sms_alert
}
byUncleIS, March 26, 2014
Thnak you for your plugin! It is just what I was looking for.

However, there is a problem: as stated before, it workes perfectly well when executed manually, but fails when it is run by Nagios. I disabled EPN and the error message changed. Now it reads as:

"Return code of 255 is out of bounds"

And here is what I have in my logs:

"Warning: Return code of 255 for check of service 'CPU load' on host 'FG-XXX'was out of bounds."

It would be really-really nice to make this work!
Owner's reply

Hey UncleIS,

this plugin creates a Serial File on first run to compare against for failed clusters..

I assume you called the plugin manually as root if so, please delete folder FortiSerial in your plugins folder


!Never try monitoring plugins as root :)!

byMaddin, February 23, 2014
3 of 3 people found this review helpful
The problem is the ePN (Embedded Perlinterpreter for Nagios)

If you enable Debugging in Nagios, you get the following error:

---
HOST: somehost, SERVICE: CPU, CHECK TYPE: Active, OPTIONS: 0, SCHEDULED: Yes, RESCHEDULE: Yes, EXITED OK: No, RETURN CODE: 3, OUTPUT: **ePN failed to compile /some/dir/plugins/check_fortigate.pl: "String found where operator expected at (eval 17) line 94, near "case "cpu""" at /usr/lib/nagios3/p1.pl line 250.

---

The workaround is to disable the ePN by inserting the following String an the second line in the check_fortigate.pl-script

---
# nagios: -epn
---
Owner's reply

Thanks for noticing, i added # nagios -epn to defaults

I should switch switch ( ;-) ) with a more cleaner hash table, that might solve the problem with epn

byjpconfessor, December 27, 2013
I'm having the same problem here...
-> all manual checks works (tried with root and non-root users)
-> nagios checks returns critical status with this output: "Service check did not exit properly"

I checked the Serial folder, was Ok! with all permissions granted (for testing purposes)
byallan.lago, November 15, 2013
1 of 1 people found this review helpful
Hello Risker,

First Thank you for your contribution it will help me a lot at work.

Man, im heaving a hard time to use this

Manually it works perfect well as u can see it below:

OK: Fortigate Dinamica (Master: FGT80CXXXXXXXXX): IPSEC Tunnels: Configured/Active: 1/1 |'ActiveSSL-VPN'=0 'ActiveIPSEC'=1

I already declared the command at commands.cfg like this:

define command {
command_name check_fortigate_cpu
command_line $USER1$/check_fortigate.pl -H $HOSTADDRESS$ -C $ARG1$ -T cpu
}

and use the check like this

check_fortigate_cpu!public

but i receive this at nagios webportal

(Service check did not exit properly)

Do you have any ideias about how to fix this?

Thanks in advance.

Allan Lago
Owner's reply

Hi allan,

did you run this plugin as root, if so permissions of FortiSerial path might be wrong?

Please check path: "/usr/lib/nagios/plugins/FortiSerial" (default path for storing serial information), in there should be a file with the ip of your device.

byhighfeeling, July 29, 2013
2 of 2 people found this review helpful
Hi risker,

your plugin smells good ! Many thanks !

But when I try to implement the commands in Nagios, I got the following : "(Service check did not exit properly)"

When I launch the script manually, I got the following :

OK: (Master: XXXXXX) CPU is okay: noSuchObject%|'cpu'=noSuchObject%;80;90

Any idea please ?

Seb
Owner's reply

Hi highfeeling,

sorry about this late comment, i didnt notice it.

It seems that you are using an older version of fortigate os, i've tested this script on FortiGate 100D / FortiGate 300C (both 5.0.3)

Greetings
Oliver