fortigate_exporter


Prometheus exporter for FortiGate® firewalls.


This repository is archived due to lack of time from the maintainer, as well as lack of support from Fortinet to provide documentation. The constant fight to reverse engineer the APIs for new versions takes too much time for a few developers. Feel free to fork this project and continue the work!


NOTE: This is not an official Fortinet product, it is developed fully independently by professionals and hobbyists alike.

Supported Metrics

Right now the exporter supports a quite limited set of metrics, but it is very easy to add! Open an issue if your favorite metric is missing.

For example PromQL usage, see EXAMPLES.

The currently supported metrics are as follows.

Global:

  • System/SensorInfo
    • fortigate_sensor_fan_rpm
    • fortigate_sensor_temperature_celsius
    • fortigate_sensor_voltage_volts
  • System/Status
    • fortigate_version_info
  • System/Time/Clock
    • fortigate_time_seconds
  • System/Resource/Usage
    • fortigate_cpu_usage_ratio
    • fortigate_memory_usage_ratio
    • fortigate_current_sessions
  • System/HAChecksums
    • fortigate_ha_member_has_role
  • License/Status
    • fortigate_license_vdom_usage
    • fortigate_license_vdom_max
  • WebUI/State
    • fortigate_last_reboot_seconds
    • fortigate_last_snapshot_seconds

Per-VDOM:

  • System/VDOMResources
    • fortigate_vdom_cpu_usage_ratio
    • fortigate_vdom_memory_usage_ratio
    • fortigate_vdom_current_sessions
  • Firewall/Policies
    • fortigate_policy_active_sessions
    • fortigate_policy_bytes_total
    • fortigate_policy_hit_count_total
    • fortigate_policy_packets_total
  • Firewall/IpPool
    • fortigate_ippool_available_ratio
    • fortigate_ippool_used_ips
    • fortigate_ippool_total_ips
    • fortigate_ippool_clients
    • fortigate_ippool_used_items
    • fortigate_ippool_total_items
    • fortigate_ippool_pba_per_ip
  • System/Fortimanager/Status
    • fortigate_fortimanager_connection_status
    • fortigate_fortimanager_registration_status
  • System/Interface
    • fortigate_interface_link_up
    • fortigate_interface_speed_bps
    • fortigate_interface_transmit_packets_total
    • fortigate_interface_receive_packets_total
    • fortigate_interface_transmit_bytes_total
    • fortigate_interface_receive_bytes_total
    • fortigate_interface_transmit_errors_total
    • fortigate_interface_receive_errors_total
  • System/SDNConnector
    • fortigate_system_sdn_connector_status
    • fortigate_system_sdn_connector_last_update_seconds
  • User/Fsso
    • fortigate_user_fsso_info
  • VPN/Ssl/Connections
    • fortigate_vpn_connections
    • fortigate_vpn_users
  • VPN/Ssl/Stats
    • fortigate_vpn_ssl_users
    • fortigate_vpn_ssl_tunnels
    • fortigate_vpn_ssl_connections
  • VPN/IPSec
    • fortigate_ipsec_tunnel_receive_bytes_total
    • fortigate_ipsec_tunnel_transmit_bytes_total
    • fortigate_ipsec_tunnel_up
  • Wifi/APStatus
    • fortigate_wifi_access_points
    • fortigate_wifi_fabric_clients
    • fortigate_wifi_fabric_max_allowed_clients
  • Log/Fortianalyzer/Status
    • fortigate_log_fortianalyzer_registration_info
    • fortigate_log_fortianalyzer_logs_received
  • Log/Fortianalyzer/Queue
    • fortigate_log_fortianalyzer_queue_connections
    • fortigate_log_fortianalyzer_queue_logs
  • Log/DiskUsage
    • fortigate_log_disk_used_bytes
    • fortigate_log_disk_total_bytes

Per-HA-Member and VDOM:

  • System/HAStatistics
    • fortigate_ha_member_info
    • fortigate_ha_member_cpu_usage_ratio
    • fortigate_ha_member_memory_usage_ratio
    • fortigate_ha_member_network_usage_ratio
    • fortigate_ha_member_sessions
    • fortigate_ha_member_packets_total
    • fortigate_ha_member_virus_events_total
    • fortigate_ha_member_bytes_total
    • fortigate_ha_member_ips_events_total

Per-Link and VDOM:

  • System/LinkMonitor
    • fortigate_link_status
    • fortigate_link_latency_seconds
    • fortigate_link_latency_jitter_seconds
    • fortigate_link_packet_loss_ratio
    • fortigate_link_packet_sent_total
    • fortigate_link_packet_received_total
    • fortigate_link_active_sessions
    • fortigate_link_bandwidth_tx_byte_per_second
    • fortigate_link_bandwidth_rx_byte_per_second
    • fortigate_link_status_change_time_seconds

Per-SDWAN and VDOM:

  • VirtualWAN/HealthCheck
    • fortigate_virtual_wan_status
    • fortigate_virtual_wan_latency_seconds
    • fortigate_virtual_wan_latency_jitter_seconds
    • fortigate_virtual_wan_packet_loss_ratio
    • fortigate_virtual_wan_packet_sent_total
    • fortigate_virtual_wan_packet_received_total
    • fortigate_virtual_wan_active_sessions
    • fortigate_virtual_wan_bandwidth_tx_byte_per_second
    • fortigate_virtual_wan_bandwidth_rx_byte_per_second
    • fortigate_virtual_wan_status_change_time_seconds

Per-BGP-Neighbor and VDOM:

  • BGP/Neighbors/IPv4
    • fortigate_bgp_neighbor_ipv4_info
  • BGP/Neighbors/IPv6
    • fortigate_bgp_neighbor_ipv6_info
  • BGP/NeighborPaths/IPv4
    • fortigate_bgp_neighbor_ipv4_paths
    • fortigate_bgp_neighbor_ipv4_best_paths
  • BGP/NeighborPaths/IPv6
    • fortigate_bgp_neighbor_ipv6_paths
    • fortigate_bgp_neighbor_ipv6_best_paths

Per-OSPF-Neighbor and VDOM:

  • OSPF/Neighbors
    • fortigate_ospf_neighbor_info

Per-VirtualServer and VDOM:

  • Firewall/LoadBalance
    • fortigate_lb_virtual_server_info

Per-RealServer for each VirtualServer and VDOM:

  • Firewall/LoadBalance
    • fortigate_lb_real_server_info
    • fortigate_lb_real_server_mode
    • fortigate_lb_real_server_status
    • fortigate_lb_real_server_active_sessions
    • fortigate_lb_real_server_rtt_seconds
    • fortigate_lb_real_server_processed_bytes_total

Per-Certificate:

  • System/AvailableCertificates
    • fortigate_certificate_info
    • fortigate_certificate_valid_from_seconds
    • fortigate_certificate_valid_to_seconds
    • fortigate_certificate_cmdb_references

Per-VDOM and Wifi-Client:

  • Wifi/Clients
    • fortigate_wifi_client_info
    • fortigate_wifi_client_data_rate_bps
    • fortigate_wifi_client_bandwidth_rx_bps
    • fortigate_wifi_client_bandwidth_tx_bps
    • fortigate_wifi_client_signal_strength_dBm
    • fortigate_wifi_client_signal_noise_dBm
    • fortigate_wifi_client_tx_discard_ratio
    • fortigate_wifi_client_tx_retries_ratio

Per-VDOM and managed access point:

  • Wifi/ManagedAP
    • fortigate_wifi_managed_ap_info
    • fortigate_wifi_managed_ap_join_time_seconds
    • fortigate_wifi_managed_ap_cpu_usage_ratio
    • fortigate_wifi_managed_ap_memory_free_bytes
    • fortigate_wifi_managed_ap_memory_bytes_total

Per-VDOM, managed access point and radio:

  • Wifi/ManagedAP
    • fortigate_wifi_managed_ap_radio_info
    • fortigate_wifi_managed_ap_radio_client_count
    • fortigate_wifi_managed_ap_radio_operating_tx_power_ratio
    • fortigate_wifi_managed_ap_radio_operating_channel_utilization_ratio
    • fortigate_wifi_managed_ap_radio_bandwidth_rx_bps
    • fortigate_wifi_managed_ap_radio_rx_bytes_total
    • fortigate_wifi_managed_ap_radio_tx_bytes_total
    • fortigate_wifi_managed_ap_radio_interfering_aps
    • fortigate_wifi_managed_ap_radio_tx_power_ratio
    • fortigate_wifi_managed_ap_radio_tx_discard_ratio
    • fortigate_wifi_managed_ap_radio_tx_retries_ratio

Per-VDOM, managed access point and interface:

  • Wifi/ManagedAP
    • fortigate_wifi_managed_ap_interface_rx_bytes_total
    • fortigate_wifi_managed_ap_interface_tx_bytes_total
    • fortigate_wifi_managed_ap_interface_rx_packets_total
    • fortigate_wifi_managed_ap_interface_tx_packets_total
    • fortigate_wifi_managed_ap_interface_rx_errors_total
    • fortigate_wifi_managed_ap_interface_tx_errors_total
    • fortigate_wifi_managed_ap_interface_rx_dropped_packets_total
    • fortigate_wifi_managed_ap_interface_tx_dropped_packets_total

Per-VDOM, managed switch and interface:

  • Switch/ManagedSwitch
    • fortigate_managed_switch_collisions_total
    • fortigate_managed_switch_crc_alignments_total
    • fortigate_managed_switch_fragments_total
    • fortigate_managed_switch_info
    • fortigate_managed_switch_jabbers_total
    • fortigate_managed_switch_l3_packets_total
    • fortigate_managed_switch_max_poe_budget_watt
    • fortigate_managed_switch_port_info
    • fortigate_managed_switch_port_power_status
    • fortigate_managed_switch_port_power_watt
    • fortigate_managed_switch_port_status
    • fortigate_managed_switch_rx_bcast_packets_total
    • fortigate_managed_switch_rx_bytes_total
    • fortigate_managed_switch_rx_drops_total
    • fortigate_managed_switch_rx_errors_total
    • fortigate_managed_switch_rx_mcast_packets_total
    • fortigate_managed_switch_rx_oversize_total
    • fortigate_managed_switch_rx_packets_total
    • fortigate_managed_switch_rx_ucast_packets_total
    • fortigate_managed_switch_tx_bcast_packets_total
    • fortigate_managed_switch_tx_bytes_total
    • fortigate_managed_switch_tx_drops_total
    • fortigate_managed_switch_tx_errors_total
    • fortigate_managed_switch_tx_mcast_packets_total
    • fortigate_managed_switch_tx_oversize_total
    • fortigate_managed_switch_tx_packets_total
    • fortigate_managed_switch_tx_ucast_packets_total
    • fortigate_managed_switch_under_size_total

Usage

Example:

$ ./fortigate_exporter -auth-file ~/fortigate-key.yaml
# or
$ docker run -d -p 9710:9710 -v /path/to/fortigate-key.yaml:/config/fortigate-key.yaml quay.io/bluecmd/fortigate_exporter:master

Where fortigate-key.yaml contains pairs of FortiGate targets and API keys in the following format:

"https://my-fortigate":
  token: api-key-goes-here
  # If you have a smaller fortigate unit you might want
  # to exclude sensors as they do not have any
  probes:
    exclude:
      - System/SensorInfo

"https://my-other-fortigate:8443":
  token: api-key-goes-here

NOTE: Currently only token authentication is supported. FortiGate does not allow usage of tokens on non-HTTPS connections, which means that currently you need HTTPS to be configured properly.

You can select which probes you want to run on a per target basis.

  • Probes can be included or excluded under the optional probes section by defining include and/or exclude lists.
  • Each probe name that the fortigate exporter can run is compared against the include and exclude lists.
  • Inclusion/exclusion of a probe is based on a prefix match, so each list entry must be a prefix of the probe name(s) it is meant to include or exclude.
  • The prefix match is case sensitive.
  • The include list is evaluated before the exclude list, so the exclude list can exclude a previously included probe.

Example:

"https://my-fortigate":
  token: api-key-goes-here
  probes:
    include:
      - System
      - VPN
      - Firewall/Policies
      # Include only probes with name starting with: System or VPN + probe: Firewall/Policies
      # Other probes are excluded because they were not explicitly included
"https://my-other-fortigate:8443":
  token: api-key-goes-here
  probes:
    exclude:
      - Wifi
      - Firewall/LoadBalance
      # Exclude probes with name starting with: Wifi + probe: Firewall/LoadBalance
      # All other probes are included by default because include list is empty
"https://my-other-orther-fortigate:8443":
  token: api-key-goes-here
  probes:
    include:
      - System
      - Firewall
    exclude:
      - System/LinkMonitor
      # Include probes with name starting with: System and Firewall
      # Then exclude probe: System/LinkMonitor

Special cases:

  • If probes isn't set or is empty, all probes will be run against the target.
  • If include list is empty, by default, all probes will be selected to be run against the target.
  • If include contains an entry - '', then all probes are included (equivalent to not defining include)
  • If exclude contains an entry - '', then all probes are excluded (equivalent to not defining the target)

To probe a FortiGate, do something like curl 'localhost:9710/probe?target=https://my-fortigate'

Dynamic configuration

In setups where the FortiGates to be scraped through the fortigate-exporter are configured in Prometheus using a discovery method, it becomes problematic that fortigate-key.yaml also has to be updated for each FortiGate and that the fortigate-exporter needs to be restarted on each change. For that scenario the token can instead be passed to the exporter's probe endpoint as the query parameter token.

Example:

curl 'localhost:9710/probe?target=https://192.168.2.31&token=ghi6eItWzWewgbrFMsazvBVwDjZzzb'

It is also possible to pass a profile query parameter. Its value selects an entry in fortigate-key.yaml, of which only the probes section (the include/exclude directives) is used.

Example:

curl 'localhost:9710/probe?target=https://192.168.2.31&token=ghi6eItWzWewgbrFMsazvBVwDjZzzb&profile=fs124e'

The profile=fs124e would match the following entry in fortigate-key.yaml.

Example:

fs124e:
  # token: not used 
  probes:
    include:
      - System
      - Firewall
    exclude:
      - System/LinkMonitor

Available CLI parameters

| flag | default value | description |
|---|---|---|
| -auth-file | fortigate-key.yaml | path to the location of the key file |
| -listen | :9710 | address to listen on for incoming requests |
| -scrape-timeout | 30 | timeout in seconds |
| -https-timeout | 10 | timeout in seconds for establishment of HTTPS connections |
| -insecure | not set | turns off validation of TLS certificates |
| -extra-ca-certs | (none) | comma-separated files containing extra PEMs to trust for TLS connections in addition to the system trust store |
| -max-bgp-paths | 10000 | maximum number of BGP paths to fetch, per IP stack version (IPv4 & IPv6) |
| -max-vpn-users | 0 | maximum number of VPN users to fetch (0, the default, means none) |

FortiGate Configuration

Read permission is enough for the FortiGate exporter's purposes. To improve security, grant only the permissions that are required (least privilege principle).

| probe name | permission | API URL |
|---|---|---|
| Default (Global) | any | api/v2/monitor/system/status |
| BGP/NeighborPaths/IPv4 | netgrp.route-cfg | api/v2/monitor/router/bgp/paths |
| BGP/NeighborPaths/IPv6 | netgrp.route-cfg | api/v2/monitor/router/bgp/paths6 |
| BGP/Neighbors/IPv4 | netgrp.route-cfg | api/v2/monitor/router/bgp/neighbors |
| BGP/Neighbors/IPv6 | netgrp.route-cfg | api/v2/monitor/router/bgp/neighbors6 |
| Firewall/IpPool | fwgrp.policy | api/v2/monitor/firewall/ippool |
| Firewall/LoadBalance | fwgrp.others | api/v2/monitor/firewall/load-balance |
| Firewall/Policies | fwgrp.policy | api/v2/monitor/firewall/policy/select, api/v2/monitor/firewall/policy6/select, api/v2/cmdb/firewall/policy, api/v2/cmdb/firewall/policy6 |
| License/Status | any | api/v2/monitor/license/status/select |
| Log/Fortianalyzer/Status | loggrp.config | api/v2/monitor/log/fortianalyzer |
| Log/Fortianalyzer/Queue | loggrp.config | api/v2/monitor/log/fortianalyzer-queue |
| Log/DiskUsage | loggrp.config | api/v2/monitor/log/current-disk-usage |
| System/AvailableCertificates | any | api/v2/monitor/system/available-certificates |
| System/Fortimanager/Status | sysgrp.cfg | api/v2/monitor/system/fortimanager/status |
| System/HAStatistics | sysgrp.cfg | api/v2/monitor/system/ha-statistics, api/v2/cmdb/system/ha |
| System/Interface | netgrp.cfg | api/v2/monitor/system/interface/select |
| System/LinkMonitor | sysgrp.cfg | api/v2/monitor/system/link-monitor |
| System/Resource/Usage | sysgrp.cfg | api/v2/monitor/system/resource/usage |
| System/SensorInfo | sysgrp.cfg | api/v2/monitor/system/sensor-info |
| System/Status | any | api/v2/monitor/system/status |
| System/Time/Clock | sysgrp.cfg | api/v2/monitor/system/time |
| System/VDOMResources | sysgrp.cfg | api/v2/monitor/system/resource/usage |
| User/Fsso | authgrp | api/v2/monitor/user/fsso |
| VPN/IPSec | vpngrp | api/v2/monitor/vpn/ipsec |
| VPN/Ssl/Connections | vpngrp | api/v2/monitor/vpn/ssl |
| VPN/Ssl/Stats | vpngrp | api/v2/monitor/vpn/ssl/stats |
| VirtualWAN/HealthCheck | netgrp.cfg | api/v2/monitor/virtual-wan/health-check |
| Wifi/APStatus | wifi | api/v2/monitor/wifi/ap_status |
| Wifi/Clients | wifi | api/v2/monitor/wifi/client |
| Wifi/ManagedAP | wifi | api/v2/monitor/wifi/managed_ap |
| Switch/ManagedSwitch | switch | api/v2/monitor/switch-controller/managed-switch |

If you omit some of these permissions you will receive log messages warning about 403 errors and the relevant metrics will be unavailable, but other metrics will still work. If you do not need some probes to be run, do not grant permission for them and use the include/exclude feature (see the Usage section).

The following example admin profile describes the permissions that need to be granted to the monitor user for all metrics to be available.

config system accprofile
    edit "monitor"
        # global scope will fail on non multi-VDOM firewall
        set scope global
        set authgrp read
        # As of FortiOS 6.2.1 it seems `fwgrp-permissions.other` is removed,
        # use 'fwgrp read' to get load balance servers metrics
        set fwgrp custom
        set loggrp custom
        set netgrp custom
        set sysgrp custom
        set vpngrp read
        set wifi read
        # will fail for most recent FortiOS
        set system-diagnostics disable
        config fwgrp-permission
            set policy read
            set others read
        end
        config netgrp-permission
            set cfg read
            set route-cfg read
        end
        config loggrp-permission
            set config read
        end
        config sysgrp-permission
            set cfg read
        end
    next
end
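As an added example, not code from the exporter itself: the prefix-match probe selection described in the Usage section, together with the least-privilege consequence of the table above (only grant the permission groups that the selected probes actually need), written in Go, the exporter's language. The probe-to-permission map is an excerpt of the table above; the YAML parsing of fortigate-key.yaml is left out, and ProbeConfig, ProbeWanted, SelectedProbes and RequiredPermissions are names chosen for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ProbeConfig mirrors the optional "probes" section of one target in
// fortigate-key.yaml (the YAML parsing itself is left out of this example).
type ProbeConfig struct {
	Include []string
	Exclude []string
}

// Excerpt of the probe -> FortiOS permission table from the README. Only a few
// rows are embedded to keep the example short; "any" marks probes that need no
// specific permission group.
var probePermission = map[string]string{
	"System/Status":        "any",
	"System/SensorInfo":    "sysgrp.cfg",
	"System/LinkMonitor":   "sysgrp.cfg",
	"Firewall/Policies":    "fwgrp.policy",
	"Firewall/LoadBalance": "fwgrp.others",
	"VPN/IPSec":            "vpngrp",
	"Wifi/Clients":         "wifi",
	"Switch/ManagedSwitch": "switch",
}

// prefixMatch reports whether probe starts with any entry in list. The match
// is case sensitive, and an entry of "" matches every probe.
func prefixMatch(probe string, list []string) bool {
	for _, entry := range list {
		if strings.HasPrefix(probe, entry) {
			return true
		}
	}
	return false
}

// ProbeWanted applies the README's rules: an empty include list selects all
// probes, include is evaluated before exclude, and exclude wins on overlap.
func ProbeWanted(probe string, cfg ProbeConfig) bool {
	if len(cfg.Include) > 0 && !prefixMatch(probe, cfg.Include) {
		return false
	}
	return !prefixMatch(probe, cfg.Exclude)
}

// SelectedProbes returns, sorted, the probes from the table that cfg selects.
func SelectedProbes(cfg ProbeConfig) []string {
	var out []string
	for probe := range probePermission {
		if ProbeWanted(probe, cfg) {
			out = append(out, probe)
		}
	}
	sort.Strings(out)
	return out
}

// RequiredPermissions returns the distinct permission groups the selected
// probes need: the least-privilege set an admin profile has to grant.
func RequiredPermissions(cfg ProbeConfig) []string {
	seen := map[string]bool{}
	for _, probe := range SelectedProbes(cfg) {
		if perm := probePermission[probe]; perm != "any" {
			seen[perm] = true
		}
	}
	out := make([]string, 0, len(seen))
	for perm := range seen {
		out = append(out, perm)
	}
	sort.Strings(out)
	return out
}

func main() {
	// Same selection as the third target in the README's Usage example.
	cfg := ProbeConfig{
		Include: []string{"System", "Firewall"},
		Exclude: []string{"System/LinkMonitor"},
	}
	fmt.Println("probes:     ", SelectedProbes(cfg))
	fmt.Println("permissions:", RequiredPermissions(cfg))
	// Special cases from the README: exclude "" drops everything, include "" keeps everything.
	fmt.Println("exclude '':  ", SelectedProbes(ProbeConfig{Exclude: []string{""}}))
	fmt.Println("include '':  ", len(SelectedProbes(ProbeConfig{Include: []string{""}})), "probes")
}
```

For the include System/Firewall, exclude System/LinkMonitor selection the required groups come out as fwgrp.others, fwgrp.policy and sysgrp.cfg, which is exactly what the fwgrp-permission and sysgrp-permission blocks of the profile above grant; vpngrp, wifi and switch could be left at none for such a user.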

Prometheus Configuration

An example configuration for Prometheus looks something like this:

  - job_name: 'fortigate_exporter'
    metrics_path: /probe
    static_configs:
      - targets:
        - https://my-fortigate
        - https://my-other-fortigate:8443
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
        # Drop the https:// and port (if specified) for the 'instance=' label
        regex: '(?:.+)(?::\/\/)([^:]*).*'
      - target_label: __address__
        replacement: '[::1]:9710'

In the above configuration only the targets and the replacement value need to be changed for your environment: each target is the URL of a FortiGate firewall, and the replacement (at the bottom) is the FQDN and port of the system where the exporter is running, for example replacement: 'YourSystem.public.corp.com:9710'.

If using Dynamic configuration:

  - job_name: 'fortigate_exporter'
    metrics_path: /probe
    file_sd_configs:
      - files:
          - /etc/prometheus/file_sd/fws/*.yml
    params:
      profile:
      - fs124e
    relabel_configs:
    - source_labels: [__address__]
      target_label: __param_target
    - source_labels: [token]
      target_label: __param_token
    - source_labels: [__param_target]
      regex: '(?:.+)(?::\/\/)([^:]*).*'
      target_label: instance
    - target_label: __address__
      replacement: '[::1]:9710'
    - action: labeldrop
      regex: token

Make sure to keep the final labeldrop on the token label so that the token does not become part of your time series.

Since token is a label, it will be shown in the Prometheus web GUI at http://<your prometheus>:9090/targets.

Make sure you protect your Prometheus if you add the token to your Prometheus configuration.
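As an added example, not code from the exporter or from Prometheus: a small Go re-implementation of the two relabel_configs actions used in both Prometheus configurations above (replace and labeldrop), run over a constructed file_sd target whose token is a placeholder. It shows what the regex `(?:.+)(?::\/\/)([^:]*).*` produces for the instance label and that, without the final labeldrop rule, the token label would be stored on every time series. Labels, Relabel, Apply, SeriesLabels, DynamicRules and sampleTarget are names chosen for this example; the semantics follow Prometheus' documented relabeling behaviour (fully anchored regexes, source label values joined with ";", $1 as the default replacement, an empty result removing the target label).

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Labels is the label set Prometheus carries for one discovered target.
type Labels map[string]string

// Relabel covers the two relabel_configs actions the README uses: replace (Action "") and labeldrop.
type Relabel struct {
	Action       string
	SourceLabels []string
	Regex        string // Prometheus default: (.*)
	TargetLabel  string
	Replacement  string // Prometheus default: $1
}

// anchored compiles a rule regex the way Prometheus does: fully anchored.
func anchored(re string) *regexp.Regexp {
	if re == "" {
		re = "(.*)"
	}
	return regexp.MustCompile("^(?:" + re + ")$")
}

// Apply runs the rules in order on a copy of lbls (a constructed re-implementation, not Prometheus' code).
func Apply(lbls Labels, rules []Relabel) Labels {
	out := Labels{}
	for k, v := range lbls {
		out[k] = v
	}
	for _, r := range rules {
		re := anchored(r.Regex)
		if r.Action == "labeldrop" {
			for name := range out { // drop every label whose name matches
				if re.MatchString(name) {
					delete(out, name)
				}
			}
			continue
		}
		vals := make([]string, len(r.SourceLabels)) // replace: join source values with ";"
		for i, name := range r.SourceLabels {
			vals[i] = out[name]
		}
		src := strings.Join(vals, ";")
		m := re.FindStringSubmatchIndex(src)
		if m == nil {
			continue // no match: target label left untouched
		}
		repl := r.Replacement
		if repl == "" {
			repl = "$1"
		}
		if res := string(re.ExpandString(nil, repl, src, m)); res == "" {
			delete(out, r.TargetLabel) // empty result removes the label
		} else {
			out[r.TargetLabel] = res
		}
	}
	return out
}

// SeriesLabels returns, sorted, the label names stored on the time series (those not starting with "__").
func SeriesLabels(lbls Labels) []string {
	var names []string
	for name := range lbls {
		if !strings.HasPrefix(name, "__") {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

// DynamicRules is the README's "Dynamic configuration" relabel_configs; sampleTarget is a
// constructed file_sd target whose token is a placeholder, not a real API key.
var DynamicRules = []Relabel{
	{SourceLabels: []string{"__address__"}, TargetLabel: "__param_target"},
	{SourceLabels: []string{"token"}, TargetLabel: "__param_token"},
	{SourceLabels: []string{"__param_target"}, Regex: `(?:.+)(?::\/\/)([^:]*).*`, TargetLabel: "instance"},
	{TargetLabel: "__address__", Replacement: "[::1]:9710"},
	{Action: "labeldrop", Regex: "token"},
}
var sampleTarget = Labels{"__address__": "https://192.168.2.31", "token": "PLACEHOLDER_TOKEN"}

func main() {
	final := Apply(sampleTarget, DynamicRules)
	fmt.Println("scrape:", final["__address__"], final["__param_target"], "instance =", final["instance"])
	fmt.Println("series labels with labeldrop:   ", SeriesLabels(final))
	fmt.Println("series labels without labeldrop:", SeriesLabels(Apply(sampleTarget, DynamicRules[:4])))
}
```

The __param_token label still reaches the exporter as the token query parameter of the scrape request (that is the point of the dynamic configuration), so the labeldrop only keeps the token out of the stored series and the /targets page's series labels; the discovered target's own labels, including token, remain visible to anyone who can read the Prometheus UI or configuration.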

Some options to protect Prometheus:

Docker

You can either use the automatic builds on quay.io or build yourself like this:

docker build -t fortigate_exporter .
docker run -d -p 9710:9710 -v /path/to/fortigate-key.yaml:/config/fortigate-key.yaml fortigate_exporter

docker-compose

prometheus_fortigate_exporter:
  build: ./
  ports:
    - 9710:9710
  volumes:
    - /path/to/fortigate-key.yaml:/config/fortigate-key.yaml
  # Applying multiple parameters
  command: ["-auth-file", "/config/fortigate-key.yaml", "-insecure"]
  restart: unless-stopped

Known Issues

This is a collection of known issues that for some reason cannot be fixed, but might be possible to work around.

Missing Metrics?

Please file an issue describing what metrics you'd like to see. Include as much detail as possible, e.g. how the perfect Prometheus metric would look for your use case.

An alternative to using this exporter is to use generic SNMP polling, e.g. using a Prometheus SNMP exporter (official, alternative). Note that there are limitations (e.g. 1) in what FortiGate supports querying via SNMP.

Legal

Fortinet®, and FortiGate® are registered trademarks of Fortinet, Inc.

This is not an official Fortinet product.