Votes:
In my network I have a firewall from FortiGate.
We're using the standard sensors in PRTG but this device's operation is very sensitive for my organization and we want to have additional monitoring so that we are alerted as soon as anything goes wrong.
What are my options?
Created on Apr 3, 2017 7:15:12 AM by
Last change on Aug 10, 2017 8:23:11 AM by
22 Replies
Votes:
This article applies as of PRTG 23
While PRTG provides a couple of sensors that work with FortiGate firewalls by default, for example the FortiGate System Statistics sensor, the SNMP Traffic sensor, and the SNMP System Uptime sensor, you may still be interested in more detailed sensors.
FortiGate has a very extensive SNMP implementation that can lead to issues when you try to import or deploy a complete .oidlib file and use the SNMP Library sensor. If you encounter this issue, see MIB problems: PRTG hangs when adding SNMP library sensor.
In this article, we describe a different approach that does not use the .oidlib file, but you could still use it for other sensors.
You can use the device template that we provide below to automatically create custom sensors with the auto-discovery.
The metrics that you can actually monitor vary depending on the size, management, and monitoring capabilities of your firewall model. The sensors can monitor the following if the data is available:
The device template creates the available and compatible sensors based on the data at hand. The sensors implement default alerts whenever possible, but you can still fine-tune most channels by defining additional limits in the channel settings or modifying the lookups included by default.
The resulting sensors look like this:
No sensors deployed? :(
Please read ahead for troubleshooting.
Have any issues? Please don't hesitate to contact us by replying to this post or via a support ticket. Please make sure to mention this KB post. Please read ahead for troubleshooting steps that you can take in advance.
Your auto-discovery log tells you a lot about what went wrong during the sensor's deployment. You can troubleshoot the auto-discovery by inspecting the auto-discovery log. If you get entries like the one below (NOT FOUND), it means that the required protocol or Object Identifier (OID) is not available.
[...] 23.02.2017 14:37:58: Device ID: 19294 Name: somename EMULATOR@163 Host: somehost.somedomain.sometld 23.02.2017 14:37:58: Device Templates; Device ID: 21890; Selected: 1 23.02.2017 14:37:58: Template Loaded; Device ID: 21890; Name: Custom Fortigate Health v0.1 23.02.2017 14:38:01: Template Check; Device ID: 21890; Check ID: ping; FOUND 23.02.2017 14:38:01: Template Assigned; Device ID: 21890; Name: Custom Fortigate Health v0.1 23.02.2017 14:38:06: Template Check; Device ID: 21890; Check ID: snmp_fgProcessorTable; FOUND 23.02.2017 14:38:16: Template Check; Device ID: 21890; Check ID: snmp_fgHwSensorTable; NOT FOUND [...]
In the example above, some sensors were skipped because the device did not respond to the snmp_fgHwSensorTable check. This means that this data is probably not available on your device. You can track this data by looking for the name after snmp_. In this case, a search for fgHwSensorTable will tell you which OID from the MIB is missing.
You can also use this log to identify if the discovery was interrupted because the device did not respond to ping or to a basic SNMP check.
If the discovery log is not sufficient, you can review the SNMP data directly from your device. To do so, save the text below (in the white box) as .txt and use it with the Scan Script option in our SNMP Tester. This will allow you to review which SNMP queries succeed and which do not deliver any data. Please have this information at hand when contacting our support team.
-------- Fortinet Fortigate Device Template (https://kb.paessler.com/en/topic/73911) Version: 0.8 -------- hrSystemUptime walk=1.3.6.1.2.1.25.1.1 -------- MIB-2 System walk=1.3.6.1.2.1.1 -------- Sensor Specific Queries ---- fgha walk=1.3.6.1.4.1.12356.101.13.1 ---- fgSystem walk=1.3.6.1.4.1.12356.101.4 ---- fgAppWebCache walk=1.3.6.1.4.1.12356.101.10.113 ---- fgVpnTunTable walk=1.3.6.1.4.1.12356.101.12 ---- fgLinkMonitor walk=1.3.6.1.4.1.12356.101.4.8 ---- fgWcWtpSessionTable walk=1.3.6.1.4.1.12356.101.14.4.4 ----
Version History
| Version | Description |
|---|---|
| 0.1 | Initial Release |
| 0.2 | Added HA Member sensor(s) |
| 0.3 | Fixed issue in HA Status Lookup (thanks JohnG) |
| 0.4 | Added VPN Tunnel Status/Traffic (thanks Mark G.) |
| 0.5 | Added support for Fortigate Link Monitors |
| 0.6 | Modified the way the "VPN Tunnel" works to make them more reliable (in Detail: The sensor now uses the fgVpnTunEntPhase2Name for tracking within the Table. This means one working sensor per VPNxSA |
| 0.8 | Added support for monitoring several metrics of FortiAP units connected to the Fortigate. As well as support for Dial-Up VPNs. |
Best Regards,
Luciano Lingnau [Paessler Support]
Created on Apr 3, 2017 7:15:37 AM by
Last change on Feb 1, 2023 7:54:01 AM by
Votes:
Very useful, thanks for this.
There's an error in the HA value lookup table, causing it to report an error when HA units are in sync. The corrected file is as below:
<SingleInt state="Error" value="0">Unsynchronized</SingleInt>
<SingleInt state="OK" value="1">Synchronized</SingleInt>
the original file had
<SingleInt state="Warning" value="0">Unsynchronized</SingleInt>
<SingleInt state="Error" value="1">Synchronized</SingleInt>
Last change on Jan 7, 2019 10:02:55 AM by
Votes:
Thank you for the feedback and input. Well spotted, I've adjusted the included lookup in the zip file for download. Any other tips/suggestions are also welcome. :)
Best Regards,
Luciano Lingnau [Paessler Support]
Created on May 9, 2017 5:30:00 AM by
Votes:
Hello silavric,
thank you for your reply.
At the present time there is no Fortiweb specific template. However, depending on how Fortigate did this (If they've implemented the same FORTINET-FORTIGATE-MIB) the template above might work just as well. The template won't refuse to work if the device isn't a Fortigate. As long as the relevant metrics are present, sensors will be deployed (I assume that for instance the CPU and Hardware implementation might be common to the two devices).
Just remember to enable SNMP before trying to use the template. You can also perform the test suggested in the Troubleshooting\SNMP Data section of the article to check if any data is available for the relevant OID's on your particular device (Fortiweb).
Best Regards,
Luciano Lingnau [Paessler Support]
Created on Nov 14, 2018 6:27:23 AM by
Votes:
Hi Mike,
Thanks for letting us know! Could you provide what you specifically changed so we can adjust the guide above?
Best regards.
Created on Jan 31, 2019 8:02:11 PM by
Votes:
It's pretty much like the link monitors but the name is different and the OID used is different too. I tried to edit it by myself but something doesn't work and I'm not sure how to troubleshoot it. Performances SLAs are like advanced link monitors and are used with SD-WAN. It's continuous checks to make sure the connection related to it is still reliable. I'm using a custom snmp table for now in PRTG but maybe with this it would be easier to configure in PRTG.
The table oid used is 1.3.6.1.4.1.12356.101.4.9.1 for health checks (performance SLAs) instead of 1.3.6.1.4.1.12356.101.4.8.1 for the link monitors and the table name is fgvwlhealth check link.
Fortinet has a new mib with it with their OS 6.0.*
Last change on Feb 4, 2019 11:14:18 AM by
Votes:
Did you checked whether your device provides data from the required OIDs via our SNMP Tester?
Created on May 27, 2020 10:49:09 AM by
Votes:
Hi there,
You could use the OID fgVpnSslStatsLoginUsers which displays current number of users logged in through SSL-VPN tunnels in the virtual domain. Please note that this MIB has also other User OIDs however, I don't know whether these are working.
Created on Sep 15, 2020 7:04:14 AM by
Votes:
Hi there,
If the SNMP tester also does not display any results, the reason is your SNMP configuration.
Created on Sep 16, 2020 8:41:07 AM by
Votes:
Hello,
Regarding what you would like to achieve, I invite you to take a look at the API from Fortinet. If they provide the data you are looking for, then you can create a custom script and execute it via the Custom sensors in PRTG like the EXE/Script sensors whose manuals are here:
Please, make sure that the response returned by the script respect the format mentioned in the manual.
Kind regards.
Created on Sep 21, 2020 11:35:18 AM by
Last change on Dec 11, 2020 3:15:53 PM by
Votes:
Hello,
Can you please describe in details what you mean by:
I can see that the version has been update a couple of days ago to version 0.8, how can I keep track of these changes ?
A native sensor is planned to be integrated into PRTG, as you can see on our Roadmap. However, you can of course get more information with the MIB corresponding to your device. I also invite you to have a look to this blog post, where you will find the link of a manual which may help you.
Regards.
Created on Jan 13, 2021 12:31:22 PM by
Votes:
Hello,
Thank you for your message.
Regarding the issue with the sensor, Sync mode is effectively used for HA node and therefore is returning an error as your device is not in a cluster.
This sensor is dedicated to monitor HA node and therefore you could also consider to remove it as the metrics (CPU, memory, session count) are already monitored in an other one (System Statistics). Please, make sure to have the other sensor before removing the current one.
Otherwise, I invite you to disable the lookup of the channel Sync Status so the sensor state won't be defined by this channel anymore.
Finally, to avoid having a sensor which monitors HA node (when device doesn't belong to cluster), I invite you to modify the template. Here are the lines to remove:
<create id="_snmp_fgHaStatsTable" kind="snmpcustomtable" meta="snmptable" requires="snmp_fgHaStatsTable" displayname="Fortigate HA Member: XXX"> ... <\create>
If you have questions, let us know.
Regards.
Created on Jun 21, 2021 5:42:57 AM by
Last change on Jun 21, 2021 5:45:31 AM by
Votes:
Hello,
Thank you for your message.
Regarding your question, I'm afraid that there is no further template/updates available.
In case some of the information you would like to monitor are missing, I invite you to add them by importing the MIB file of your device with the MIB Importer tool and then use the SNMP Library sensor to monitor them.
Afterwards, when you are satisfied of the configuration of your device (sensors added to it), you can create a new template from it that you can re-use for other devices.
If you have questions, let me know.
Regards.
Created on Sep 3, 2021 7:21:19 AM by
Last change on Sep 3, 2021 7:23:18 AM by
Add comment