Home Directory Plugins Hardware Network Gear Fortinet check_fortigate.pl: fortigate,fortimail, fortianalyzer

Search Exchange

Search All Sites

Nagios Live Webinars

Let our experts show you how Nagios can help your organization.

Contact Us

Phone: 1-888-NAGIOS-1
Email: sales@nagios.com

Login

Remember Me

Directory Tree

check_fortigate.pl: fortigate,fortimail, fortianalyzer

Current Version
1.7.0
Last Release Date
2016-06-02
Compatible With
  • Nagios 1.x
  • Nagios 2.x
  • Nagios 3.x
  • Nagios 4.x
Owner
License
GPL
Hits
96789
Network Monitoring Software - Download Nagios XI
Log Management Software - Nagios Log Server - Download
Netflow Analysis Software - Nagios Network Analyzer - Download
Checks fortinet appliances via SNMP v1/v2c/v3, with perf data:

Usage:
check_fortigate.pl -H -C -T [-w|-c|-S|-s|-R|-M|-V|-?]
Options:

-H --host STRING or IPADDRESS Check interface on the indicated host
-P --port INTEGER Port of indicated host, defaults to 161
-v --version STRING SNMP Version, defaults to SNMP v2, v1-v3 supported
-T --type STRING CPU, MEM, Ses, VPN, Cluster, Firmware, HW, ..
-S --serial STRING Primary serial number
-s --slave get values of slave
-w --warning INTEGER Warning threshold, applies to cpu, mem, session, firmware
-c --critical INTEGER Critical threshold, applies to cpu, mem, session, firmware
-R --reset Resets ip file (cluster only)
-M --mode STRING Output-Mode: 0 => just print, 1 => print and show failed tunnel, 2 => critical
-V --vpnmode STRING VPN-Mode: both => IPSec & SSL/OpenVPN, ipsec => IPSec only, ssl => SSL/OpenVPN only
SNMP v1/v2c only
-C --community STRING Community-String for SNMP, only at SNMP v1/v2c, defaults to public
SNMP v3 only
-U --username STRING Username
-A --authpassword STRING auth password
-a --authprotocol STRING auth algorithm, defaults to sha
-X --privpassword STRING private password
-x --privprotocol STRING private algorithm, defaults to aes

-? --help Returns full help text

Requires Net::SNMP, List::Compare, Getopt::Long, Pod::Usage, Switch

This plugin checks FortiGate devices via SNMP (enable snmp, configure community and allow snmp access on client lan)

* Update 2016-05-13: added FortiAnalyzer support, improved Cluster-State check and added Firmware-Check
* Update 2015-03-11: added WTP support (thanks to Mikael)
* Update 2015-02-26: added SNMP v3 support
* Update 2013-01-16: changed CPU OID, added net usage
Required Perl modules:

- List::Compare (Ubuntu/Debian: liblist-compare-perl)
- Net::SNMP (Ubuntu/Debian: libnet-snmp-perl)

NAME
Check Fortinet FortiGate Appliances

SYNOPSIS
check_fortigate.pl -H -C -T [-w|-c|-S|-s|-R|-M|-V|-?]
Options:

-H --host STRING or IPADDRESS Check interface on the indicated host
-P --port INTEGER Port of indicated host, defaults to 161
-v --version STRING SNMP Version, defaults to SNMP v2, v1-v3 supported
-T --type STRING CPU, MEM, Ses, VPN, Cluster, firmware, hw, disk
-S --serial STRING Primary serial number
-s --slave get values of slave
-w --warning INTEGER Warning threshold, applies to cpu, mem, session.
-c --critical INTEGER Critical threshold, applies to cpu, mem, session.
-R --reset Resets ip file (cluster only)
-M --mode STRING Output-Mode: 0 => just print, 1 => print and show failed tunnel, 2 => critical
-V --vpnmode STRING VPN-Mode: both => IPSec & SSL/OpenVPN, ipsec => IPSec only, ssl => SSL/OpenVPN only
SNMP v1/v2c only
-C --community STRING Community-String for SNMP, only at SNMP v1/v2c, defaults to public
SNMP v3 only
-U --username STRING
-A --authpassword STRING auth password
-a --authprotocol STRING auth algorithm, defaults to sha
-X --privpassword STRING private password
-x --privprotocol STRING private algorithm, defaults to aes

-? --help Returns full help text

OPTIONS
-H--host
STRING or IPADDRESS - Check interface on the indicated host.

-C|--community
STRING - Community-String for SNMP

-T|--type
STRING - CPU, MEM, Ses, VPN, Cluster, Firmware, fazmem, fazcpu

-S|--serial
STRING - Primary serial number.

-s|--slave
BOOL - Get values of slave

-w|--warning
INTEGER - Warning threshold, applies to cpu, net, mem, session.

-c|--critical
INTEGER - Critical threshold, applies to cpu, net, mem, session.

-R|--reset
BOOL - Resets ip file (cluster only)

-M|--mode
STRING - Output-Mode: 0 => just print, 1 => print and show
failed tunnel, 2 => critical

-V|--vpnmode
STRING - VPN-Mode: both => IPSec & SSL/OpenVPN, ipsec => IPSec
only, ssl => SSL/OpenVPN only

DESCRIPTION
This plugin checks Fortinet FortiGate devices via SNMP

From Web:
1. Select Network -> Interface -> Local interface
2. Administrative Access: Enable SNMP
3. Select Config -> SNMP
4. Enable SNMP, fill your details
5. SNMP v1/v2c: Create new
6. Configure for your needs, Traps are not required for this plugin!

From CLI:
config system interface
edit "internal"
set allowaccess ping https ssh snmp fgfm
next
end

config system snmp sysinfo
set description "DMZ1 FortiGate 300C"
set location "Room 404"
set conctact-info "BOFH"
set status enable
end

config system snmp community
edit 1
set events cpu-high mem-low fm-if-change
config hosts
edit 1
set interface "internal"
set ip %SNMP Client IP%
next
end
set name "public"
set trap-v1-status disable
set trap-v2c-status disable
next
end

Thats it!


Samples:

To use SNMPv3 just replace "-C public" with "-v 3 -U username -A this_is_auth_string -a sha -x aes128 -X this_is_priv_string"

Cluster:
$ check_fortigate.pl -H 192.168.123.100 -C public -T cluster
OK: Fortinet 300C (Master: FGSERIALMASTER, Slave: FGSERIALSLAVE): HA (Active/Passive) is active
- Warning if unknown node appears
- Critical if single node
- Optional: Critical, if preferred master (-S Serial) is not master

CPU:
$ check_fortigate.pl -H 192.168.123.100 -C public -T cpu
OK: Fortinet 300C (Master: FGSERIALMASTER) CPU is okay: 1%|'cpu'=1%;80;90

CPU-Slave:
$ check_fortigate.pl -H 192.168.123.100 -C public -T cpu -s
OK: Fortinet 300C (Master: FGSERIALMASTER) slave_CPU is okay: 5%|'slave_cpu'=5%;80;90
- Defaults: 80%/90%

Memory:
$ check_fortigate.pl -H 192.168.123.100 -C public -T mem
OK: Fortinet 300C (Master: FGSERIALMASTER) Memory is okay: 29%|'memory'=29%;80;90

Memory-Slave:
$ check_fortigate.pl -H 192.168.123.100 -C public -T mem
OK: Fortinet 300C (Master: FGSERIALMASTER) slave_Memory is okay: 29%|'slave_memory'=29%;80;90
- Defaults: 80%/90%

Sessions:
$ check_fortigate.pl -H 192.168.123.100 -C public -T ses
WARNING: Fortinet 300C (Master: FGSERIALMASTER) Session is warning: 85|'session'=85;80;90

Sessions-Slave:
$ check_fortigate.pl -H 192.168.123.100 -C public -T ses -s
WARNING: Fortinet 300C (Master: FGSERIALMASTER) slave_Session is warning: 85|'slave_session'=85;80;90
- Defaults: 80/90

VPN:

Both: $ check_fortigate.pl -H 192.168.123.200 -C public -T vpn -V both -M 1
OK: Fortigate 100D (Master: FGSERIALMASTER): Active SSL-VPN Connections/Tunnels: 0/0: IPSEC Tunnels: Configured/Active: 4/3 , Static_Sample_p2 down|'ActiveSSL-VPN'=0 'ActiveIPSEC'=3

SSL: $ check_fortigate.pl -H 192.168.123.100 -C public -T vpn -V ssl -M 0
OK: Fortinet 300C (Master: FGSERIALMASTER): Active SSL-VPN Connections/Tunnels: 0/0|'ActiveSSL-VPN'=0 'ActiveIPSEC'=0

IPSec: $ check_fortigate.pl -H 192.168.123.200 -C public -T vpn -V ipsec -M 2
WARNING: Fortigate 100D (Master: FGSERIALMASTER): IPSEC Tunnels: Configured/Active: 4/3 , Static_Sample_p2 down|'ActiveSSL-VPN'=0 'ActiveIPSEC'=3
- Warning if Mode (-M) > 1 and ipsec tunnel is down

Reviews (27)
byzoltan.marton, February 11, 2015
1 of 1 people found this review helpful
Hi all!

Can I use it with snmp v3 with authentication?


thx!
Owner's reply

Today i released v1.4 with SNMPv3 Support :-)

byPartieHonteuse, September 23, 2014
1 of 1 people found this review helpful
This works great! Thank you so much for this plugin. Made this account just to say so and to also assist other users in the future that are new to Nagios such as myself.

the 255 out of bounds messages is because you are not creating an _SNMP_COMMUNITY variable in the host definition. e.g.:

define host{
use generic-switch ; Inherit default values from a template
host_name FG80CXXXXXXX ; The name we're giving to this host
alias Fortigate Firewall ; A longer name associated with the host
_SNMP_COMMUNITY public
address 192.168.1.1 ; IP address of the host
}

And then to check IPSEC VPN:
define service{
use generic-service
host_name FG80CXXXXXXXXX
service_description IPSec VPN Status
check_command check_fortigate_vpn!ipsec
contact_groups twilio_sms_alert
}
byUncleIS, March 26, 2014
Thnak you for your plugin! It is just what I was looking for.

However, there is a problem: as stated before, it workes perfectly well when executed manually, but fails when it is run by Nagios. I disabled EPN and the error message changed. Now it reads as:

"Return code of 255 is out of bounds"

And here is what I have in my logs:

"Warning: Return code of 255 for check of service 'CPU load' on host 'FG-XXX'was out of bounds."

It would be really-really nice to make this work!
Owner's reply

Hey UncleIS,

this plugin creates a Serial File on first run to compare against for failed clusters..

I assume you called the plugin manually as root if so, please delete folder FortiSerial in your plugins folder


!Never try monitoring plugins as root :)!

byMaddin, February 23, 2014
3 of 3 people found this review helpful
The problem is the ePN (Embedded Perlinterpreter for Nagios)

If you enable Debugging in Nagios, you get the following error:

---
HOST: somehost, SERVICE: CPU, CHECK TYPE: Active, OPTIONS: 0, SCHEDULED: Yes, RESCHEDULE: Yes, EXITED OK: No, RETURN CODE: 3, OUTPUT: **ePN failed to compile /some/dir/plugins/check_fortigate.pl: "String found where operator expected at (eval 17) line 94, near "case "cpu""" at /usr/lib/nagios3/p1.pl line 250.

---

The workaround is to disable the ePN by inserting the following String an the second line in the check_fortigate.pl-script

---
# nagios: -epn
---
Owner's reply

Thanks for noticing, i added # nagios -epn to defaults

I should switch switch ( ;-) ) with a more cleaner hash table, that might solve the problem with epn

byjpconfessor, December 27, 2013
I'm having the same problem here...
-> all manual checks works (tried with root and non-root users)
-> nagios checks returns critical status with this output: "Service check did not exit properly"

I checked the Serial folder, was Ok! with all permissions granted (for testing purposes)
byallan.lago, November 15, 2013
1 of 1 people found this review helpful
Hello Risker,

First Thank you for your contribution it will help me a lot at work.

Man, im heaving a hard time to use this

Manually it works perfect well as u can see it below:

OK: Fortigate Dinamica (Master: FGT80CXXXXXXXXX): IPSEC Tunnels: Configured/Active: 1/1 |'ActiveSSL-VPN'=0 'ActiveIPSEC'=1

I already declared the command at commands.cfg like this:

define command {
command_name check_fortigate_cpu
command_line $USER1$/check_fortigate.pl -H $HOSTADDRESS$ -C $ARG1$ -T cpu
}

and use the check like this

check_fortigate_cpu!public

but i receive this at nagios webportal

(Service check did not exit properly)

Do you have any ideias about how to fix this?

Thanks in advance.

Allan Lago
Owner's reply

Hi allan,

did you run this plugin as root, if so permissions of FortiSerial path might be wrong?

Please check path: "/usr/lib/nagios/plugins/FortiSerial" (default path for storing serial information), in there should be a file with the ip of your device.

byhighfeeling, July 29, 2013
3 of 3 people found this review helpful
Hi risker,

your plugin smells good ! Many thanks !

But when I try to implement the commands in Nagios, I got the following : "(Service check did not exit properly)"

When I launch the script manually, I got the following :

OK: (Master: XXXXXX) CPU is okay: noSuchObject%|'cpu'=noSuchObject%;80;90

Any idea please ?

Seb
Owner's reply

Hi highfeeling,

sorry about this late comment, i didnt notice it.

It seems that you are using an older version of fortigate os, i've tested this script on FortiGate 100D / FortiGate 300C (both 5.0.3)

Greetings
Oliver

Page 2 of 2