Home Directory Plugins Hardware Network Gear Fortinet check_fortigate.pl: fortigate,fortimail, fortianalyzer

Search Exchange

Search All Sites

Nagios Live Webinars

Let our experts show you how Nagios can help your organization.

Contact Us

Phone: 1-888-NAGIOS-1
Email: sales@nagios.com

Login

Remember Me

Directory Tree

check_fortigate.pl: fortigate,fortimail, fortianalyzer

Current Version
1.7.0
Last Release Date
2016-06-02
Compatible With
  • Nagios 1.x
  • Nagios 2.x
  • Nagios 3.x
  • Nagios 4.x
Owner
License
GPL
Hits
98960
Network Monitoring Software - Download Nagios XI
Log Management Software - Nagios Log Server - Download
Netflow Analysis Software - Nagios Network Analyzer - Download
Checks fortinet appliances via SNMP v1/v2c/v3, with perf data:

Usage:
check_fortigate.pl -H -C -T [-w|-c|-S|-s|-R|-M|-V|-?]
Options:

-H --host STRING or IPADDRESS Check interface on the indicated host
-P --port INTEGER Port of indicated host, defaults to 161
-v --version STRING SNMP Version, defaults to SNMP v2, v1-v3 supported
-T --type STRING CPU, MEM, Ses, VPN, Cluster, Firmware, HW, ..
-S --serial STRING Primary serial number
-s --slave get values of slave
-w --warning INTEGER Warning threshold, applies to cpu, mem, session, firmware
-c --critical INTEGER Critical threshold, applies to cpu, mem, session, firmware
-R --reset Resets ip file (cluster only)
-M --mode STRING Output-Mode: 0 => just print, 1 => print and show failed tunnel, 2 => critical
-V --vpnmode STRING VPN-Mode: both => IPSec & SSL/OpenVPN, ipsec => IPSec only, ssl => SSL/OpenVPN only
SNMP v1/v2c only
-C --community STRING Community-String for SNMP, only at SNMP v1/v2c, defaults to public
SNMP v3 only
-U --username STRING Username
-A --authpassword STRING auth password
-a --authprotocol STRING auth algorithm, defaults to sha
-X --privpassword STRING private password
-x --privprotocol STRING private algorithm, defaults to aes

-? --help Returns full help text

Requires Net::SNMP, List::Compare, Getopt::Long, Pod::Usage, Switch

This plugin checks FortiGate devices via SNMP (enable snmp, configure community and allow snmp access on client lan)

* Update 2016-05-13: added FortiAnalyzer support, improved Cluster-State check and added Firmware-Check
* Update 2015-03-11: added WTP support (thanks to Mikael)
* Update 2015-02-26: added SNMP v3 support
* Update 2013-01-16: changed CPU OID, added net usage
Required Perl modules:

- List::Compare (Ubuntu/Debian: liblist-compare-perl)
- Net::SNMP (Ubuntu/Debian: libnet-snmp-perl)

NAME
Check Fortinet FortiGate Appliances

SYNOPSIS
check_fortigate.pl -H -C -T [-w|-c|-S|-s|-R|-M|-V|-?]
Options:

-H --host STRING or IPADDRESS Check interface on the indicated host
-P --port INTEGER Port of indicated host, defaults to 161
-v --version STRING SNMP Version, defaults to SNMP v2, v1-v3 supported
-T --type STRING CPU, MEM, Ses, VPN, Cluster, firmware, hw, disk
-S --serial STRING Primary serial number
-s --slave get values of slave
-w --warning INTEGER Warning threshold, applies to cpu, mem, session.
-c --critical INTEGER Critical threshold, applies to cpu, mem, session.
-R --reset Resets ip file (cluster only)
-M --mode STRING Output-Mode: 0 => just print, 1 => print and show failed tunnel, 2 => critical
-V --vpnmode STRING VPN-Mode: both => IPSec & SSL/OpenVPN, ipsec => IPSec only, ssl => SSL/OpenVPN only
SNMP v1/v2c only
-C --community STRING Community-String for SNMP, only at SNMP v1/v2c, defaults to public
SNMP v3 only
-U --username STRING
-A --authpassword STRING auth password
-a --authprotocol STRING auth algorithm, defaults to sha
-X --privpassword STRING private password
-x --privprotocol STRING private algorithm, defaults to aes

-? --help Returns full help text

OPTIONS
-H--host
STRING or IPADDRESS - Check interface on the indicated host.

-C|--community
STRING - Community-String for SNMP

-T|--type
STRING - CPU, MEM, Ses, VPN, Cluster, Firmware, fazmem, fazcpu

-S|--serial
STRING - Primary serial number.

-s|--slave
BOOL - Get values of slave

-w|--warning
INTEGER - Warning threshold, applies to cpu, net, mem, session.

-c|--critical
INTEGER - Critical threshold, applies to cpu, net, mem, session.

-R|--reset
BOOL - Resets ip file (cluster only)

-M|--mode
STRING - Output-Mode: 0 => just print, 1 => print and show
failed tunnel, 2 => critical

-V|--vpnmode
STRING - VPN-Mode: both => IPSec & SSL/OpenVPN, ipsec => IPSec
only, ssl => SSL/OpenVPN only

DESCRIPTION
This plugin checks Fortinet FortiGate devices via SNMP

From Web:
1. Select Network -> Interface -> Local interface
2. Administrative Access: Enable SNMP
3. Select Config -> SNMP
4. Enable SNMP, fill your details
5. SNMP v1/v2c: Create new
6. Configure for your needs, Traps are not required for this plugin!

From CLI:
config system interface
edit "internal"
set allowaccess ping https ssh snmp fgfm
next
end

config system snmp sysinfo
set description "DMZ1 FortiGate 300C"
set location "Room 404"
set conctact-info "BOFH"
set status enable
end

config system snmp community
edit 1
set events cpu-high mem-low fm-if-change
config hosts
edit 1
set interface "internal"
set ip %SNMP Client IP%
next
end
set name "public"
set trap-v1-status disable
set trap-v2c-status disable
next
end

Thats it!


Samples:

To use SNMPv3 just replace "-C public" with "-v 3 -U username -A this_is_auth_string -a sha -x aes128 -X this_is_priv_string"

Cluster:
$ check_fortigate.pl -H 192.168.123.100 -C public -T cluster
OK: Fortinet 300C (Master: FGSERIALMASTER, Slave: FGSERIALSLAVE): HA (Active/Passive) is active
- Warning if unknown node appears
- Critical if single node
- Optional: Critical, if preferred master (-S Serial) is not master

CPU:
$ check_fortigate.pl -H 192.168.123.100 -C public -T cpu
OK: Fortinet 300C (Master: FGSERIALMASTER) CPU is okay: 1%|'cpu'=1%;80;90

CPU-Slave:
$ check_fortigate.pl -H 192.168.123.100 -C public -T cpu -s
OK: Fortinet 300C (Master: FGSERIALMASTER) slave_CPU is okay: 5%|'slave_cpu'=5%;80;90
- Defaults: 80%/90%

Memory:
$ check_fortigate.pl -H 192.168.123.100 -C public -T mem
OK: Fortinet 300C (Master: FGSERIALMASTER) Memory is okay: 29%|'memory'=29%;80;90

Memory-Slave:
$ check_fortigate.pl -H 192.168.123.100 -C public -T mem
OK: Fortinet 300C (Master: FGSERIALMASTER) slave_Memory is okay: 29%|'slave_memory'=29%;80;90
- Defaults: 80%/90%

Sessions:
$ check_fortigate.pl -H 192.168.123.100 -C public -T ses
WARNING: Fortinet 300C (Master: FGSERIALMASTER) Session is warning: 85|'session'=85;80;90

Sessions-Slave:
$ check_fortigate.pl -H 192.168.123.100 -C public -T ses -s
WARNING: Fortinet 300C (Master: FGSERIALMASTER) slave_Session is warning: 85|'slave_session'=85;80;90
- Defaults: 80/90

VPN:

Both: $ check_fortigate.pl -H 192.168.123.200 -C public -T vpn -V both -M 1
OK: Fortigate 100D (Master: FGSERIALMASTER): Active SSL-VPN Connections/Tunnels: 0/0: IPSEC Tunnels: Configured/Active: 4/3 , Static_Sample_p2 down|'ActiveSSL-VPN'=0 'ActiveIPSEC'=3

SSL: $ check_fortigate.pl -H 192.168.123.100 -C public -T vpn -V ssl -M 0
OK: Fortinet 300C (Master: FGSERIALMASTER): Active SSL-VPN Connections/Tunnels: 0/0|'ActiveSSL-VPN'=0 'ActiveIPSEC'=0

IPSec: $ check_fortigate.pl -H 192.168.123.200 -C public -T vpn -V ipsec -M 2
WARNING: Fortigate 100D (Master: FGSERIALMASTER): IPSEC Tunnels: Configured/Active: 4/3 , Static_Sample_p2 down|'ActiveSSL-VPN'=0 'ActiveIPSEC'=3
- Warning if Mode (-M) > 1 and ipsec tunnel is down

Reviews (27)
To allow AuthNoPriv I needed to delete any references to $priv_password and $priv_prot in get_snmp_session_v3().
Also needed to update the USM.pm perl module file to allow SHA-256 to work. See : https://github.com/Napsty/scripts/blob/master/perl-net-snmp-sha2/USM.pm

Other than, works pretty good.
Got the script to work with snmpv3 with sha256 and aes128. Only thing to do to get sha256 working is download the new USM.pm file from https://github.com/Napsty/scripts/tree/master/perl-net-snmp-sha2 and copy it to /usr/share/perl5/Net/SNMP/Security/ directory. I did use libnet-snmp-perl instead of cpan install Net::SNMP since cpan didn't give me all the files for SNMP.
byrijocumo, March 17, 2023
It was working fine but I noticed that it is now showing "0" for sessions and memory. Maybe because it's a newer firmware. Has anyone gone through the same problem?
Thanks
this is really good and working fine.

we used to have a sonicwall plugin which would check specific vpn tunnels if they are active/down.

is it possible in this plugin too? i just find that it can only show the status of all vpn tunnels configure in that firewall.

thanks.
bymdcdh, April 7, 2022
If anybody is having issues with "UNKNOWN: session get request failed" then this may help...

First off, the script expects a dir to exist /usr/local/nagios/var/spool/FortiSerial so create that on your Nagios host and make sure perms are the same as the other folders in the spool dir (or pass your own location to the script with -p or --path /my/path)

Secondly, running the commands check_fortigate_xyz wasn't working for me, so I created a check_fortigate_blank command (Configure > Commands > Copy check_fortigate_CPU > edit the copy) and set the command line to $USER1$/check_fortigate.pl -H $HOSTADDRESS$ $ARG1$

You can then use this command in services by entering all the required variable for the SNMP auth, eg. for SNMP v3 into the ARG1 field, eg.

--snmp_version 3 --username blah --privprotocol blah --privpassword blah --authpassword blah --authprotocol blah --type blah

You can see the variables by running ./check_fortigate.pl -h
Hello folks,

I am facing the problem "UNKNOWN: session get request failed"
Has anyone had the same problem and was able to solve it?

Thanks in advance!
bymelesban, June 19, 2020
1 of 1 people found this review helpful
Hello

I have 3 different fortigate

In two of them models 200B and 600C the plugins work perfectly for me

But on model 501E I get the following error UNKNOWN: session get request failed

The SNMP configuration is activated in all 3 fortigate the same, with the IP of my nagios server, with the SNMP events cpu-high mem-low fm-if-change activated, I also have the protocol v1 and v2c port 161 enable activated

Could someone help me, this is driving me crazy

Thank you
MayraAltamirano, if you are already in the plugins directory, make sure to run your plugin as such:

./check_fortigate.pl -H 192.168.200.254 -C public -T cluster

or run it with:

/full/path/to/the/check_fortigate.pl -H 192.168.200.254 -C public -T cluster

Hope this helps.
Hello!
Firts of all I'm sorry for my bad english.
I'm a Nagios Newbie and I want to install the plugin check_fortigate.pl, I already install perl and every time I tried to prove the command

check_fortigate.pl -H 192.168.200.254 -C public -T cluster
The server says: check_fortigate.pl: command not found

So I don't know how to make it works.
Any help will be great!

Thanks!
Regards from México!
bygnaggios, May 11, 2018
Works well
bys.ferrara, April 25, 2018
It's very usefull and works well.

My only problem, it's that, I can't find in the documentation if we check with -T ses the active session or the session per sec. (I presume that it's the session but I have some big doubt).
First of all a Great PLugin, which lets you monitor your Fortigate Device. Works with Fortigate 600D (5.4.8). To make it work with Fortimanager (5.6.2) all you have to do is change ( /^(FL|FAZ)/ to ( /^(FL|FAZ|FMG)/ otherwise it will not work for Fortimanager. Unforntunalty the disk check is not working for Fortigate, because it's not defined in the oids and I wasn't able to get the right oid. For the error from mugundan28 all you have to do is to provide the right permissions to /var/spool/nagios/ramdisk/FortiSerial, a chown nagios:nagios did the trick for me.
bymugundan28, February 7, 2018
I am trying to monitor fortigate disk but it will through the error like "CRITICAL: Error writing on /var/spool/nagios/ramdisk/FortiSerial directory, permission denied" the command I am running is ./check_fortigate.pl -H fortigate_firewall -C community -T disk
bympuff, February 19, 2017
Hi all,

is this plugin compatible with FortiOS v5.4?
Thanks.

Kind regards,
Martin
byjmsanesteban, February 6, 2017
Hi all!!

First of all, thank you for such great job.

Second, sorry for my english :)

Third, I think that there may be a little problem with the phase 2 selectors of the VPN, it seems that the plugin shows as 'disconnected VPN' two of my phase 2 selectors, so it is show wrong information.

$return_string = OK, but there are two phase2 down, the $return_state is CRITICAL.

Thank you in advance.

+1 for VPN exclusion list!!

Regards and keep on!!.
Juanma.
bySysManSD, October 13, 2015
Hello highfeeling,

I had the same problem until I activated the SNMP Administrative Access on the interface.
After resolving that, that I had a problem with "error writing on /path_to_nagios_plugins/FortiSerial directory, permission denied", which I resolved creating the directory in the specified path.
byjosy-cig, June 10, 2015
Thank you for this great Plugin!

Could somebody help me with the follow problem?
We have some IPsec VPNs, which are down most of the time.
Therefor the “check_fortigate_vpn_IPSEC” returns a Critical Status.
1) Is it possible to define VPN as an exception?
2) Is it possible to change the number of the VPN connections that must be down before that status is critical?
3) Is there a way to monitor only some IPSec VPN Connections?

Thank You
Owner's reply

Hi Josy,

that is a good idea, actually i have something like that in mind.

It will be integrated in the near future.

byebierens, June 7, 2015
Hi,

i've got some problems with the following unknown error:

UNKNOWN: session get request failed

regards
Hi,

I am facing a strange problem. If I run the snmpwalk command against the fortinet firwall(300c) with Firmware Version 5.2.1 I am able to get the values but I am getting "session get request failed" when I try to run this plugin. I have rechecked SNMP is configured properly on the Fortigate firewall.

What could be the reason for this issue. I am running Nagios 3.5.x on Centos 7 64-bit Os.

snmpwalk -c SNMP-TESTs -v 2c 172.31.5.6
SNMPv2-MIB::sysDescr.0 = STRING: trafic
sysObjectID.0 = OID: fgt300C
SNMPv2-MIB::sysContact.0 = STRING: firewall@example.com
SNMPv2-MIB::sysName.0 = STRING: firewall@example.com
SNMPv2-MIB::sysLocation.0 = STRING: xxxxxx
SNMPv2-MIB::sysServices.0 = INTEGER: 78
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00

Firmware Version
fgSysVersion.0 = STRING: v5.2.1,build0618,140915 (GA)


./check_fortigate.pl -C SNMP -v 2c -H 172.31.5.6
UNKNOWN: session get request failed


Thanks & Regards

Ankush Grover
byZak, March 1, 2015
1 of 1 people found this review helpful
It's really helpful plugin. Please update description :) Probably you forgot about -U "username" variable.
Maybe in next release you try add bandwith monitoring? :)
Best Regards,
Rafal
Page 1 of 2