Check Fortinet FortiGate Appliances (check_fortigate)

NEMS Linux makes it easy and affordable to monitor your Fortinet Fortigate devices and clusters via SNMP, complete with perf data.

check_fortigate requires NEMS Linux 1.7 or higher.

Veriage Disclaimer

Please note that Fortinet’s use of the terms “master” and “slave” to distinguish between primary and secondary devices is an industry-standard terminology in the context of networking hardware. While NEMS Linux respects the terminology used by Fortinet for its products, it’s essential to recognize that these terms can carry historical connotations and may not reflect the values of equity and inclusivity that we strive for in modern society. NEMS Linux is committed to supporting equity, diversity, and inclusion in all aspects of its development and operation.

Configuring Fortigate

From the Fortigate web interface:

  1. Select Network -> Interface -> Local interface

  2. Administrative Access: Enable SNMP

  3. Select Config -> SNMP

  4. Enable SNMP, fill your details

  5. SNMP v1/v2c: Create new

  6. Configure for your needs, Traps are not required for this plugin!

Available checkcommands

Check Fortigate Cluster

Check the status of a Fortigate cluster, providing information about the active/passive state and any warnings or critical alerts.

Check Command: check_fortigate_cluster

Parameters: Community Name (default: public)

Check Fortigate CPU

Monitor the CPU usage of a Fortigate device, ensuring that it remains within acceptable thresholds to maintain optimal network performance.

Check Command: check_fortigate_cpu

Parameters: Community Name (default: public)

Check Fortigate RAM

Monitor the RAM usage of a Fortigate device, ensuring that it remains within acceptable thresholds to prevent network performance degradation.

Check Command: check_fortigate_mem

Parameters: Community Name (default: public)

Check Fortigate Network

Monitor the network traffic on a Fortigate device, ensuring that it remains within acceptable thresholds to prevent congestion and bottlenecks.

Check Command: check_fortigate_net

Parameters: Community Name (default: public), Warning Bytes (default: 500000), Critical Bytes (default: 1000000)

Check Fortigate Sessions

Monitor the session count on a Fortigate device, ensuring that it remains within acceptable thresholds to prevent resource exhaustion.

Check Command: check_fortigate_ses

Parameters: Community Name (default: public), Warning Sessions (default: 4500), Critical Sessions (default: 6000)

Check Fortigate Slave CPU

Monitors the CPU usage of a slave unit in a Fortigate cluster, ensuring that it remains within acceptable thresholds for optimal performance.

Check Command: check_fortigate_slave_cpu

Parameters: Community Name (default: public)

Check Fortigate Slave RAM

Monitor the RAM usage of a slave unit in a Fortigate cluster, ensuring that it remains within acceptable thresholds to prevent performance degradation.

Check Command: check_fortigate_slave_mem

Parameters: Community Name (default: public)

Check Fortigate Slave Network

Monitor the network traffic on a slave unit in a Fortigate cluster, ensuring that it remains within acceptable thresholds to prevent congestion and bottlenecks.

Check Command: check_fortigate_slave_net

Parameters: Community Name (default: public), Warning Bytes (default: 500000), Critical Bytes (default: 1000000)

Check Fortigate Slave Sessions

This command monitors the session count on a slave unit in a Fortigate cluster, ensuring that it remains within acceptable levels to prevent resource exhaustion.

Check Command: check_fortigate_slave_ses

Parameters: Community Name (default: public), Warning Sessions (default: 4500), Critical Sessions (default: 6000)

Check Fortigate VPN

Monitor the status of VPN connections on a Fortigate device, ensuring that they are operational and secure. This check supports both IPSec and SSL/OpenVPN connections.

Check Command: check_fortigate_vpn

Parameters: Community Name (default: public), VPN Mode: ipsec, ssl, both (default: both)

Check Fortigate Access Points

Check the status of FortiAPs (WTPs) on a Fortigate device, ensuring that they are operational and properly configured.

Check Command: check_fortigate_wtp

Parameters: Community Name (default: public)

CLI Usage

check_fortigate.pl -H -C -T [-w|-c|-S|-s|-R|-M|-V|-?]

Options

-H, --host STRING or IPADDRESS

Check interface on the indicated host.

-P, --port INTEGER

Port of indicated host, defaults to 161.

-v, --version STRING

SNMP Version, defaults to SNMP v2, v1-v3 supported.

-T, --type STRING

CPU, MEM, Ses, VPN, Cluster, Firmware, HW, etc.

-S, --serial STRING

Primary serial number.

-s, --slave

Get values of slave.

-w, --warning INTEGER

Warning threshold, applies to cpu, mem, session, firmware.

-c, --critical INTEGER

Critical threshold, applies to cpu, mem, session, firmware.

-R, --reset

Resets ip file (cluster only).

-M, --mode STRING

Output-Mode: 0 => just print, 1 => print and show failed tunnel, 2 => critical.

-V, --vpnmode STRING

VPN-Mode: both => IPSec & SSL/OpenVPN, ipsec => IPSec only, ssl => SSL/OpenVPN only.

SNMP v1/v2c only:

-C, --community STRING

Community-String for SNMP, only at SNMP v1/v2c, defaults to public.

SNMP v3 only:

-U, --username STRING

Username.

-A, --authpassword STRING

Auth password.

-a, --authprotocol STRING

Auth algorithm, defaults to sha.

-X, --privpassword STRING

Private password.

-x, --privprotocol STRING

Private algorithm, defaults to aes.

-?, --help

Returns full help text.

Dependencies

These dependencies are preinstalled on NEMS Linux:

  • Net::SNMP

  • List::Compare

  • Getopt::Long

  • Pod::Usage

  • Switch

CLI Examples

To use SNMPv3 just replace -C public with -v 3 -U username -A this_is_auth_string -a sha -x aes128 -X this_is_priv_string.

Cluster:

$ check_fortigate.pl -H 192.168.123.100 -C public -T cluster

OK: Fortinet 300C (Master: FGSERIALMASTER, Slave: FGSERIALSLAVE): HA (Active/Passive) is active
- Warning if unknown node appears
- Critical if single node
- Optional: Critical, if preferred master (-S Serial) is not master

CPU:

$ check_fortigate.pl -H 192.168.123.100 -C public -T cpu

OK: Fortinet 300C (Master: FGSERIALMASTER) CPU is okay: 1%|'cpu'=1%;80;90

CPU-Slave:

$ check_fortigate.pl -H 192.168.123.100 -C public -T cpu -s

OK: Fortinet 300C (Master: FGSERIALMASTER) slave_CPU is okay: 5%|'slave_cpu'=5%;80;90
- Defaults: 80%/90%

Memory:

$ check_fortigate.pl -H 192.168.123.100 -C public -T mem

OK: Fortinet 300C (Master: FGSERIALMASTER) Memory is okay: 29%|'memory'=29%;80;90

Memory-Slave:

$ check_fortigate.pl -H 192.168.123.100 -C public -T mem

OK: Fortinet 300C (Master: FGSERIALMASTER) slave_M

Source

From https://github.com/riskersen/Monitoring/tree/master/fortigate