Prometheus exporter for Fortigate firewalls.
Right now the exporter supports a quite limited set of metrics, but it is very easy to add! Open an issue if your favorite metric is missing.
For example PromQL usage, see EXAMPLES.
Supported metrics right now as follows.
Global:
fortigate_version_info
fortigate_cpu_usage_ratio
fortigate_memory_usage_ratio
fortigate_current_sessions
fortigate_license_vdom_usage
fortigate_license_vdom_max
Per-VDOM:
fortigate_vdom_cpu_usage_ratio
fortigate_vdom_memory_usage_ratio
fortigate_vdom_current_sessions
fortigate_policy_active_sessions
fortigate_policy_bytes_total
fortigate_policy_hit_count_total
fortigate_policy_packets_total
fortigate_interface_link_up
fortigate_interface_speed_bps
fortigate_interface_transmit_packets_total
fortigate_interface_receive_packets_total
fortigate_interface_transmit_bytes_total
fortigate_interface_receive_bytes_total
fortigate_interface_transmit_errors_total
fortigate_interface_receive_errors_total
fortigate_vpn_connections
fortigate_ipsec_tunnel_receive_bytes_total
fortigate_ipsec_tunnel_transmit_bytes_total
fortigate_ipsec_tunnel_up
Per-HA-Member and VDOM:
fortigate_ha_member_info
fortigate_ha_member_cpu_usage_ratio
fortigate_ha_member_memory_usage_ratio
fortigate_ha_member_network_usage_ratio
fortigate_ha_member_sessions
fortigate_ha_member_packets_total
fortigate_ha_member_virus_events_total
fortigate_ha_member_bytes_total
fortigate_ha_member_ips_events_total
Per-Link and VDOM:
fortigate_link_status
fortigate_link_latency_seconds
fortigate_link_latency_jitter_seconds
fortigate_link_packet_loss_ratio
fortigate_link_packet_sent_total
fortigate_link_packet_received_total
fortigate_link_active_sessions
fortigate_link_bandwidth_tx_byte_per_second
fortigate_link_bandwidth_rx_byte_per_second
fortigate_link_status_change_time_seconds
Per-SDWAN and VDOM:
fortigate_virtual_wan_status
fortigate_virtual_wan_latency_seconds
fortigate_virtual_wan_latency_jitter_seconds
fortigate_virtual_wan_packet_loss_ratio
fortigate_virtual_wan_packet_sent_total
fortigate_virtual_wan_packet_received_total
fortigate_virtual_wan_active_sessions
fortigate_virtual_wan_bandwidth_tx_byte_per_second
fortigate_virtual_wan_bandwidth_rx_byte_per_second
fortigate_virtual_wan_status_change_time_seconds
Per-VirtualServer and VDOM:
fortigate_lb_virtual_server_info
Per-RealServer for each VirtualServer and VDOM:
fortigate_lb_real_server_info
fortigate_lb_real_server_mode
fortigate_lb_real_server_status
fortigate_lb_real_server_active_sessions
fortigate_lb_real_server_rtt_seconds
fortigate_lb_real_server_processed_bytes_total
Per-Certificate
fortigate_certificate_info
fortigate_certificate_valid_from_seconds
fortigate_certificate_valid_to_seconds
fortigate_certificate_cmdb_references
Example:
$ ./fortigate_exporter -auth-file ~/fortigate-key.yaml
# or
$ docker run -d -p 9710:9710 -v /path/to/fortigate-key.yaml:/config/fortigate-key.yaml quay.io/bluecmd/fortigate_exporter:master
Where fortigate-key.yaml
contains pairs of Fortigate targets and API keys in the following format:
"https://my-fortigate":
token: api-key-goes-here
"https://my-other-fortigate:8443":
token: api-key-goes-here
NOTE: Currently only token authentication is supported. Fortigate does not allow usage of tokens on non-HTTPS connections, which means that currently you need HTTPS to be configured properly.
To probe a Fortigate, do something like curl 'localhost:9710/probe?target=https://my-fortigate'
flag | default value | description |
---|---|---|
-auth-file | /config/fortigate-key.yaml | path to the location of the key file |
-listen | :9710 | address to listen for incoming requests |
-scrape-timeout | 30 | timeout in seconds |
-https-timeout | 10 | timeout in seconds for establishment of HTTPS connections |
-insecure | false | allows to turn off security validation of TLS certificates |
-extra-ca-certs | (none) | comma-separated files containing extra PEMs to trust for TLS connections in addition to the system trust store |
The following example Admin Profile describes the permissions that needs to be granted to the monitor user in order for all metrics to be available. If you omit to grant some of these permissions you will receive log messages warning about 403 errors and relevant metrics will be unavailable, but other metrics will still work.
config system accprofile
edit "monitor"
set scope global
set secfabgrp read
set netgrp custom
# As of FortiOS 6.2.1 it seems `fwgrp-permissions.other` is removed,
# use 'fwgrp read' to get load balance servers metrics
set fwgrp custom
set vpngrp read
set system-diagnostics disable
config netgrp-permission
set cfg read
end
config sysgrp-permission
# Sysgrp.cfg is needed for the following optional functions:
# - HA group name
# If you do not wish to grant this permission, the relevant
# labels/metrics will be absent.
set cfg read
end
config fwgrp-permission
set policy read
# fwgrp.other is need for load balance servers
# set other read
end
next
end
An example configuration for Prometheus looks something like this:
- job_name: 'fortigate_exporter'
metrics_path: /probe
static_configs:
- targets:
- https://my-fortigate
- https://my-other-fortigate:8443
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
# Drop the https:// and port (if specified) for the 'instance=' label
regex: '(?:.+)(?::\/\/)([^:]*).*'
- target_label: __address__
replacement: '[::1]:9710'
You can either use the automatic builds on quay.io or build yourself like this:
docker build -t fortigate_exporter .
docker run -d -p 9710:9710 -v /path/to/fortigate-key.yaml:/config/fortigate-key.yaml fortigate_exporter
prometheus_fortigate_exporter:
build: ./
ports:
- 9710:9710
volumes:
- /path/to/fortigate-key.yaml:/config/fortigate-key.yaml
# Applying multiple parameters
command: ["-auth-file", "/config/fortigate-key.yaml", "-insecure", "true"]
restart: unless-stopped
This is a collection of known issues that for some reason cannot be fixed, but might be possible to work around.
- Probing causing httpsd memory leak in FortiOS 6.2.x (Workaround)
Please file an issue describing what metrics you'd like to see. Include as much details as possible please, e.g. how the perfect Prometheus metric would look for your use-case.
An alternative to using this exporter is to use generic SNMP polling, e.g. using a Prometheus SNMP exporter (official, alternative). Note that there are limitations (e.g. 1) in what Fortigate supports querying via SNMP.