Fortinet

Fortinet

Fortinet develops and sells cybersecurity solutions, including but not limited to physical products such as firewalls, plus software and services such as anti-virus protection, intrusion prevention systems and endpoint security components.

Available solutions




This template is for Zabbix version: 7.4
Also available for: 7.2 7.0 6.4 6.0

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/net/fortinet/fortigate_http?at=release/7.4

FortiGate by HTTP

Overview

This template is designed for the effortless deployment of FortiGate monitoring by Zabbix via HTTP and doesn't require any external scripts.

Requirements

Zabbix version: 7.4 and higher.

Tested versions

This template has been tested on:

  • FortiGate v7.6.4

Configuration

Zabbix should be configured according to the instructions in the Templates out of the box section.

Setup

  1. On the FortiGate GUI, select System > Admin Profiles > Create New.
  2. Enter a profile name (ex. zabbix_ro) and enable all the Read permissions. Please note the profile name, it will be used a bit later.
  3. Go to System > Administrators > Create New > REST API Admin.
  4. Enter the API-user's name and select the profile name you created in step 2.
  5. The trusted host can be specified to ensure that only Zabbix server can reach the FortiGate.
  6. Click OK and an API token will be generated. Make a note of the API token as it's only shown once and cannot be retrieved.
  7. Put the API token into {$FGATE.API.TOKEN} macro.
  8. Set your FortiGate GUI IP/FQDN as {$FGATE.API.FQDN} macro value.
  9. If FortiGate GUI uses HTTPS, put https value into {$FGATE.SCHEME} macro and 443 into {$FGATE.API.PORT} macro.
  10. If FortiGate GUI port differs from the standard one, specify it in {$FGATE.API.PORT} macro.

NOTE: Starting from template version '7.4-1', the API token is used in the request header. For older template versions (where the API token is passed in the URL query parameter), when using FortiGate v7.4.5+, you must enable the following global setting: Using APIs

For added security, it is strongly recommended to use the latest template version, which passes the API token in the request header instead of the URL parameter.

Please, refer to the vendor documentation about the FortiGate REST API Authentication.

Macros used

Name Description Default
{$FGATE.SCHEME}

Request scheme which may be http or https.

 http
{$FGATE.API.FQDN}

FortiGate API FQDN/IP (ex. ngfw.example.com).
{$FGATE.API.TOKEN}

FortiGate API token.
{$FGATE.API.PORT}

The port of FortiGate API endpoint.

 80
{$FGATE.DATA.TIMEOUT}

Response timeout for an API.

 15s
{$FGATE.HTTP.PROXY}

HTTP proxy for API requests. You can specify it using the format [protocol://][username[:password]@]proxy.example.com[:port]. See the documentation at https://www.zabbix.com/documentation/7.4/manual/config/items/itemtypes/http
{$FIRMWARE.UPDATES.CONTROL}

This macro is used in "New available firmware found" trigger.

 1
{$CPU.UTIL.WARN}

Threshold of CPU utilization for warning trigger in %.

 85
{$CPU.UTIL.CRIT}

Threshold of CPU utilization for critical trigger in %.

 95
{$MEMORY.UTIL.WARN}

Threshold of memory utilization for warning trigger in %.

 80
{$MEMORY.UTIL.CRIT}

Threshold of memory utilization for critical trigger in %.

 90
{$DISK.FREE.WARN}

Threshold of disk free space for warning trigger in %.

 20
{$DISK.FREE.CRIT}

Threshold of disk free space for critical trigger in %.

 10
{$NET.IF.CONTROL}

Macro for operational state of the interface for "Link down" trigger. Can be used with interface name as context.

 1
{$NET.IF.ERRORS.WARN}

Threshold of error packets rate for warning trigger. Can be used with interface name as context.

 2
{$NET.IF.UTIL.MAX}

Threshold of interface bandwidth utilization for warning trigger in %. Can be used with interface name as context.

 95
{$NET.IF.IFDESCR.MATCHES}

This macro is used in Network interfaces discovery. Can be overridden on the host or linked template level.

 .*
{$NET.IF.IFDESCR.NOT_MATCHES}

This macro is used in Network interfaces discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$NET.IF.IFNAME.MATCHES}

This macro is used in Network interfaces discovery. Can be overridden on the host or linked template level.

 .*
{$NET.IF.IFNAME.NOT_MATCHES}

This macro is used in Network interfaces discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$NET.IF.IFTYPE.MATCHES}

This macro is used in Network interfaces discovery. Can be overridden on the host or linked template level.

 .*
{$NET.IF.IFTYPE.NOT_MATCHES}

This macro is used in Network interfaces discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$NET.IF.IFALIAS.MATCHES}

This macro is used in Network interfaces discovery. Can be overridden on the host or linked template level.

 .*
{$NET.IF.IFALIAS.NOT_MATCHES}

This macro is used in Network interfaces discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$NET.IF.IFSTATUS.MATCHES}

This macro is used in Network interfaces discovery. Can be overridden on the host or linked template level.

 .*
{$NET.IF.IFSTATUS.NOT_MATCHES}

This macro is used in Network interfaces discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$FWP.FWACTION.MATCHES}

This macro is used in Firewall policies discovery. Can be overridden on the host or linked template level.

 .*
{$FWP.FWACTION.NOT_MATCHES}

This macro is used in Firewall policies discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$FWP.FWTYPE.MATCHES}

This macro is used in Firewall policies discovery. Can be overridden on the host or linked template level.

 .*
{$FWP.FWTYPE.NOT_MATCHES}

This macro is used in Firewall policies discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$FWP.FWNAME.MATCHES}

This macro is used in Firewall policies discovery. Can be overridden on the host or linked template level.

 .*
{$FWP.FWNAME.NOT_MATCHES}

This macro is used in Firewall policies discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$SERVICE.EXPIRY.WARN}

Number of days until the license expires.

 7
{$SERVICE.LICENSE.CONTROL}

This macro is used in Service discovery. Can be used with interface name as context.

 1
{$SERVICE.KEY.MATCHES}

This macro is used in Service discovery. Can be overridden on the host or linked template level.

 .*
{$SERVICE.KEY.NOT_MATCHES}

This macro is used in Service discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$SERVICE.STATUS.MATCHES}

This macro is used in Service discovery. Can be overridden on the host or linked template level.

 .*
{$SERVICE.STATUS.NOT_MATCHES}

This macro is used in Service discovery. Can be overridden on the host or linked template level.

 (no_support|no_license)
{$SERVICE.TYPE.MATCHES}

This macro is used in Service discovery. Can be overridden on the host or linked template level.

 .*
{$SERVICE.TYPE.NOT_MATCHES}

This macro is used in Service discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$SDWAN.MEMBER.IF.CONTROL}

Macro for the interface state for "Link down" trigger. Can be used with interface name as context.

 1
{$SDWAN.MEMBER.ID.MATCHES}

This macro is used in SD-WAN members discovery. Can be overridden on the host or linked template level.

 .*
{$SDWAN.MEMBER.ID.NOT_MATCHES}

This macro is used in SD-WAN members discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$SDWAN.MEMBER.NAME.MATCHES}

This macro is used in SD-WAN members discovery. Can be overridden on the host or linked template level.

 .*
{$SDWAN.MEMBER.NAME.NOT_MATCHES}

This macro is used in SD-WAN members discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$SDWAN.MEMBER.STATUS.MATCHES}

This macro is used in SD-WAN members discovery. Can be overridden on the host or linked template level.

 .*
{$SDWAN.MEMBER.STATUS.NOT_MATCHES}

This macro is used in SD-WAN members discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$SDWAN.MEMBER.ZONE.MATCHES}

This macro is used in SD-WAN members discovery. Can be overridden on the host or linked template level.

 .*
{$SDWAN.MEMBER.ZONE.NOT_MATCHES}

This macro is used in SD-WAN members discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$SDWAN.HEALTH.IF.CONTROL}

Macro for the interface state for "Link down" trigger. Can be used with interface name as context.

 1
{$SDWAN.HEALTH.ID.MATCHES}

This macro is used in SD-WAN health-checks discovery. Can be overridden on the host or linked template level.

 .*
{$SDWAN.HEALTH.ID.NOT_MATCHES}

This macro is used in SD-WAN health-checks discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$SDWAN.HEALTH.NAME.MATCHES}

This macro is used in SD-WAN health-checks discovery. Can be overridden on the host or linked template level.

 .*
{$SDWAN.HEALTH.NAME.NOT_MATCHES}

This macro is used in SD-WAN health-checks discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$SDWAN.HEALTH.IFNAME.MATCHES}

This macro is used in SD-WAN health-checks discovery. Can be overridden on the host or linked template level.

 .*
{$SDWAN.HEALTH.IFNAME.NOT_MATCHES}

This macro is used in SD-WAN health-checks discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$SDWAN.HEALTH.STATUS.MATCHES}

This macro is used in SD-WAN health-checks discovery. Can be overridden on the host or linked template level.

 .*
{$SDWAN.HEALTH.STATUS.NOT_MATCHES}

This macro is used in SD-WAN health-checks discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$SDWAN.HEALTH.IF.LOSS.WARN}

Threshold of packets loss for warning trigger in %. Can be used with interface name as context.

 20

Items

Name Description Type Key and additional info
Check port availability Simple check net.tcp.service["{$FGATE.SCHEME}","{$FGATE.API.FQDN}","{$FGATE.API.PORT}"]

Preprocessing

  • Discard unchanged with heartbeat: 10m
Get system info

Item for gathering device system info from FortiGate API.

 HTTP agent fgate.system.get_data

Preprocessing

  • Check for not supported value: any error

    ⛔️Custom on fail: Set value to: {"error":"Not supported value received"}
Device system info item errors

Item for gathering errors of the device system info.

 Dependent item fgate.system.data_errors

Preprocessing

  • JSON Path: $.error

    ⛔️Custom on fail: Set value to: ``

  • Discard unchanged with heartbeat: 1h
API availability status

Checking API availability by response.

 Dependent item fgate.api.status

Preprocessing

  • JSON Path: $.build

    ⛔️Custom on fail: Set value to: 0

  • In range: -> 0

    ⛔️Custom on fail: Set value to: 1
Get firmware info

Item for gathering device firmware info from FortiGate API.

 HTTP agent fgate.firmware.get_data

Preprocessing

  • Check for not supported value: any error

    ⛔️Custom on fail: Set value to: {"error":"Not supported value received"}
Device firmware info item errors

Item for gathering errors of the device firmware info.

 Dependent item fgate.firmware.data_errors

Preprocessing

  • JSON Path: $.error

    ⛔️Custom on fail: Set value to: ``

  • Discard unchanged with heartbeat: 1h
Get service licenses

Item for gathering information about service licenses from FortiGate API.

 Script fgate.service.get_data
Service licenses item errors

Item for gathering errors of the service licenses data.

 Dependent item fgate.service.data_errors

Preprocessing

  • JSON Path: $.error

    ⛔️Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h
Get resources data

Item for gathering device resource data from FortiGate API.

 Script fgate.resources.get_data
Device resources item errors

Item for gathering errors of the device resources.

 Dependent item fgate.resources.data_errors

Preprocessing

  • JSON Path: $.error

    ⛔️Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h
Get interfaces data

Item for gathering network interfaces info from FortiGate API.

 Script fgate.netif.get_data
Device interfaces item errors

Item for gathering errors of network interfaces.

 Dependent item fgate.netif.data_errors

Preprocessing

  • JSON Path: $.error

    ⛔️Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h
Get SD-WAN data

Item for gathering SD-WAN information from FortiGate API.

 Script fgate.sdwan.get_data
Get SD-WAN item errors

Item for gathering errors of SD-WAN.

 Dependent item fgate.sdwan.data_errors

Preprocessing

  • JSON Path: $.error

    ⛔️Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h
Get firewall data

Item for gathering firewall policies info from FortiGate API.

 Script fgate.fwp.get_data
Firewall data item errors

Item for gathering errors of firewall policies.

 Dependent item fgate.fwp.data_errors

Preprocessing

  • JSON Path: $.error

    ⛔️Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h
Available firmware versions

Number of available firmware versions to download.

 Dependent item fgate.device.firmwares_avail

Preprocessing

  • JSON Path: $.results.available.length()

    ⛔️Custom on fail: Discard value

  • Discard unchanged with heartbeat: 12h
Device firmware version

Current version of the device firmware.

 Dependent item fgate.device.firmware

Preprocessing

  • JSON Path: $.results.current

  • JavaScript: The text is too long. Please see the template.

  • Discard unchanged with heartbeat: 1d
Device model name

The model name of the device.

 Dependent item fgate.device.model

Preprocessing

  • JSON Path: $.results

  • JavaScript: The text is too long. Please see the template.

  • Discard unchanged with heartbeat: 1d
Device serial number

The device serial number.

 Dependent item fgate.device.serialnumber

Preprocessing

  • JSON Path: $.serial

  • Discard unchanged with heartbeat: 1d
Current VDOM

Name of the current Virtual Domain.

 Dependent item fgate.device.vdom

Preprocessing

  • JSON Path: $.vdom

  • Discard unchanged with heartbeat: 12h
System name

The system host name.

 Dependent item fgate.name

Preprocessing

  • JSON Path: $.results.hostname

  • Discard unchanged with heartbeat: 12h
System uptime

The system uptime is calculated on the basis of boot time.

 Dependent item fgate.uptime

Preprocessing

  • JSON Path: $.results.utc_last_reboot

  • JavaScript: The text is too long. Please see the template.
Number of CPUs

Number of processors according to the current license.

 Dependent item fgate.cpu.num

Preprocessing

  • JSON Path: $.data.vm.cpu_used

  • Discard unchanged with heartbeat: 1d
CPU utilization

CPU utilization, expressed in %.

 Dependent item fgate.cpu.util

Preprocessing

  • JSON Path: $.data.cpu
Total memory

Total memory, expressed in bytes.

 Dependent item fgate.memory.total

Preprocessing

  • JSON Path: $.data.vm.mem_used

  • Discard unchanged with heartbeat: 1d
Memory utilization

Memory utilization, expressed in %.

 Dependent item fgate.memory.util

Preprocessing

  • JSON Path: $.data.mem
Total disk space

The total space of the current disk, in bytes.

 Dependent item fgate.fs.total

Preprocessing

  • JSON Path: $.data.disk_total

  • Discard unchanged with heartbeat: 1d
Used disk space

The used space of the current disk, in bytes.

 Dependent item fgate.fs.used

Preprocessing

  • JSON Path: $.data.disk_used
Free disk space

The free space of the current disk, in bytes.

 Dependent item fgate.fs.free

Preprocessing

  • JSON Path: $.data.disk_free
Disk utilization

Disk utilization, expressed in %.

 Dependent item fgate.fs.util

Preprocessing

  • JSON Path: $.data.disk

Triggers

Name Description Expression Severity Dependencies and additional info
FortiGate: Port {$FGATE.API.PORT} is unavailable last(/FortiGate by HTTP/net.tcp.service["{$FGATE.SCHEME}","{$FGATE.API.FQDN}","{$FGATE.API.PORT}"])=0 Average Manual close: Yes
FortiGate: There are errors in the 'Get system info' metric length(last(/FortiGate by HTTP/fgate.system.data_errors))>0 and length(last(/FortiGate by HTTP/fgate.system.data_errors,#1:now-1m))>0 and nodata(/FortiGate by HTTP/fgate.system.data_errors,2m)=0 Warning Depends on:
  • FortiGate: Unexpected response from API
FortiGate: Unexpected response from API

Received an unexpected response from API. It may be unavailable.

 last(/FortiGate by HTTP/fgate.api.status)=0 Average Depends on:
  • FortiGate: Port {$FGATE.API.PORT} is unavailable
FortiGate: There are errors in the 'Get firmware info' metric length(last(/FortiGate by HTTP/fgate.firmware.data_errors))>0 and length(last(/FortiGate by HTTP/fgate.firmware.data_errors,#1:now-1m))>0 and nodata(/FortiGate by HTTP/fgate.firmware.data_errors,2m)=0 Warning Depends on:
  • FortiGate: Unexpected response from API
FortiGate: There are errors in the 'Get service licenses' metric length(last(/FortiGate by HTTP/fgate.service.data_errors))>0 and length(last(/FortiGate by HTTP/fgate.service.data_errors,#1:now-1m))>0 and nodata(/FortiGate by HTTP/fgate.service.data_errors,2m)=0 Warning Depends on:
  • FortiGate: Unexpected response from API
FortiGate: There are errors in the 'Get resources data' metric length(last(/FortiGate by HTTP/fgate.resources.data_errors))>0 and length(last(/FortiGate by HTTP/fgate.resources.data_errors,#1:now-1m))>0 and nodata(/FortiGate by HTTP/fgate.resources.data_errors,2m)=0 Warning Depends on:
  • FortiGate: Unexpected response from API
FortiGate: There are errors in the 'Get interfaces data' metric length(last(/FortiGate by HTTP/fgate.netif.data_errors))>0 and length(last(/FortiGate by HTTP/fgate.netif.data_errors,#1:now-1m))>0 and nodata(/FortiGate by HTTP/fgate.netif.data_errors,2m)=0 Warning Depends on:
  • FortiGate: Unexpected response from API
FortiGate: There are errors in the 'Get SD-WAN data' metric length(last(/FortiGate by HTTP/fgate.sdwan.data_errors))>0 and length(last(/FortiGate by HTTP/fgate.sdwan.data_errors,#1:now-1m))>0 and nodata(/FortiGate by HTTP/fgate.sdwan.data_errors,2m)=0 Warning Depends on:
  • FortiGate: Unexpected response from API
FortiGate: There are errors in the 'Get firewall policies data' metric length(last(/FortiGate by HTTP/fgate.fwp.data_errors))>0 and length(last(/FortiGate by HTTP/fgate.fwp.data_errors,#1:now-1m))>0 and nodata(/FortiGate by HTTP/fgate.fwp.data_errors,2m)=0 Warning Depends on:
  • FortiGate: Unexpected response from API
FortiGate: New available firmware found

New available firmware versions found to download.

This trigger expression works as follows:
1. It can be triggered if there are one or more available firmware versions.
2. {$FIRMWARE.UPDATES.CONTROL}=1 - a user can redefine context macro to value - 0. That marks this notification as not important. No new trigger will be fired if new firmware is found.

 {$FIRMWARE.UPDATES.CONTROL}=1 and last(/FortiGate by HTTP/fgate.device.firmwares_avail)>0 Info Manual close: Yes
FortiGate: Device has been replaced

Device serial number has changed. Acknowledge to close the problem manually.

 last(/FortiGate by HTTP/fgate.device.serialnumber,#1)<>last(/FortiGate by HTTP/fgate.device.serialnumber,#2) and length(last(/FortiGate by HTTP/fgate.device.serialnumber))>0 Info Manual close: Yes
FortiGate: System name has changed

The name of the system has changed. Acknowledge to close the problem manually.

 last(/FortiGate by HTTP/fgate.name,#1)<>last(/FortiGate by HTTP/fgate.name,#2) and length(last(/FortiGate by HTTP/fgate.name))>0 Info Manual close: Yes
FortiGate: Device has been restarted

Uptime is less than 10 minutes.

 last(/FortiGate by HTTP/fgate.uptime)<10m Info Manual close: Yes
FortiGate: CPU utilization is too high

The CPU utilization is too high. The system might be slow to respond.

 min(/FortiGate by HTTP/fgate.cpu.util,5m)>{$CPU.UTIL.CRIT} High
FortiGate: CPU utilization is high

The CPU utilization is high.

 min(/FortiGate by HTTP/fgate.cpu.util,5m)>{$CPU.UTIL.WARN} Warning Depends on:
  • FortiGate: CPU utilization is too high
FortiGate: Memory utilization is too high

Free memory size is too low.

 min(/FortiGate by HTTP/fgate.memory.util,5m)>{$MEMORY.UTIL.CRIT} High
FortiGate: Memory utilization is high

The system is running out of free memory.

 min(/FortiGate by HTTP/fgate.memory.util,5m)>{$MEMORY.UTIL.WARN} Average Depends on:
  • FortiGate: Memory utilization is too high
FortiGate: Free disk space is too low

Left disk space is too low.

 (100-last(/FortiGate by HTTP/fgate.fs.util))<{$DISK.FREE.CRIT} High
FortiGate: Free disk space is low

Left disk space is not enough.

 (100-last(/FortiGate by HTTP/fgate.fs.util))<{$DISK.FREE.WARN} Warning Depends on:
  • FortiGate: Free disk space is too low

LLD rule Firewall policies discovery

Name Description Type Key and additional info
Firewall policies discovery

Discovery for FortiGate firewall policies.

 Dependent item fgate.fwp.discovery

Preprocessing

  • JSON Path: $.data

  • Discard unchanged with heartbeat: 1h

Item prototypes for Firewall policies discovery

Name Description Type Key and additional info
FW Policy [{#FWNAME}]: Get data

Item for gathering data for the {#FWNAME} firewall policy.

 Dependent item fgate.fwp.get_data[{#FWUUID}]

Preprocessing

  • JSON Path: $.data[?(@.uuid == "{#FWUUID}")].first()

    ⛔️Custom on fail: Discard value
FW Policy [{#FWNAME}]: Active sessions

Number of active sessions covered by this rule.

 Dependent item fgate.fwp.sessions[{#FWUUID}]

Preprocessing

  • JSON Path: $.active_sessions
FW Policy [{#FWNAME}]: Software processed bytes

Number of bytes processed only by the software firewall.

 Dependent item fgate.fwp.sw_bytes[{#FWUUID}]

Preprocessing

  • JSON Path: $.software_bytes

  • Change per second
FW Policy [{#FWNAME}]: Hardware processed bytes

Number of bytes processed only by the hardware (ASIC) firewall.

 Dependent item fgate.fwp.hw_bytes[{#FWUUID}]

Preprocessing

  • JSON Path: $.asic_bytes

  • Change per second
FW Policy [{#FWNAME}]: Total bytes processed

Number of bytes processed by both the software and hardware (ASIC) firewall.

 Dependent item fgate.fwp.bytes[{#FWUUID}]

Preprocessing

  • JSON Path: $.bytes

  • Change per second
FW Policy [{#FWNAME}]: Hits into the policy

Number of packets hit into the firewall policy per second.

 Dependent item fgate.fwp.hits[{#FWUUID}]

Preprocessing

  • JSON Path: $.hit_count

    ⛔️Custom on fail: Set value to: 0

  • Change per second
FW Policy [{#FWNAME}]: Last using time

The time at which the firewall policy was used the last time.

 Dependent item fgate.fwp.last_used[{#FWUUID}]

Preprocessing

  • JSON Path: $.last_used

    ⛔️Custom on fail: Discard value
FW Policy [{#FWNAME}]: Action

The firewall policy action (accept / deny / ipsec).

 Dependent item fgate.fwp.action[{#FWUUID}]

Preprocessing

  • JSON Path: $.action

  • JavaScript: The text is too long. Please see the template.

  • Discard unchanged with heartbeat: 12h
FW Policy [{#FWNAME}]: Status

The firewall policy status.

 Dependent item fgate.fwp.status[{#FWUUID}]

Preprocessing

  • JSON Path: $.status

  • JavaScript: The text is too long. Please see the template.

  • Discard unchanged with heartbeat: 1h

LLD rule Service discovery

Name Description Type Key and additional info
Service discovery

Discovery for FortiGate services.

 Dependent item fgate.service.discovery

Preprocessing

  • JSON Path: $.lld

  • Discard unchanged with heartbeat: 6h

Item prototypes for Service discovery

Name Description Type Key and additional info
Service [{#NAME}]: Get data

Item for gathering data about license for the {#NAME} service.

 Dependent item fgate.service.get_data["{#KEY}"]

Preprocessing

  • JSON Path: $.data["{#KEY}"]

    ⛔️Custom on fail: Discard value
Service [{#NAME}]: License status

Current license status of the {#NAME} service.

 Dependent item fgate.service.license["{#KEY}"]

Preprocessing

  • JSON Path: $.status

    ⛔️Custom on fail: Discard value

  • JavaScript: The text is too long. Please see the template.

  • Discard unchanged with heartbeat: 1h
Service [{#NAME}]: Service type

Current type of the {#NAME} service.

 Dependent item fgate.service.type["{#KEY}"]

Preprocessing

  • JSON Path: $.type

    ⛔️Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h
Service [{#NAME}]: Service version

Current version of the {#NAME} service.

 Dependent item fgate.service.version["{#KEY}"]

Preprocessing

  • JSON Path: $.version

    ⛔️Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h
Service [{#NAME}]: Expiration date

Expiration date for the license of the current service.

 Dependent item fgate.service.expire["{#KEY}"]

Preprocessing

  • JSON Path: $.expires

    ⛔️Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h
Service [{#NAME}]: Last update time

Last update time of the current service.

 Dependent item fgate.service.update_time["{#KEY}"]

Preprocessing

  • JSON Path: $.last_update

    ⛔️Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h
Service [{#NAME}]: Last attempt to update

Last update attempt time of the current service.

 Dependent item fgate.service.update_attempt["{#KEY}"]

Preprocessing

  • JSON Path: $.last_update_attempt

    ⛔️Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h
Service [{#NAME}]: Update method

Current update method of the {#NAME} service.

 Dependent item fgate.service.update_method["{#KEY}"]

Preprocessing

  • JSON Path: $.last_update_method_status

    ⛔️Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h
Service [{#NAME}]: Update result

Last update result of the {#NAME} service.

 Dependent item fgate.service.update_result["{#KEY}"]

Preprocessing

  • JSON Path: $.last_update_result_status

    ⛔️Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h

Trigger prototypes for Service discovery

Name Description Expression Severity Dependencies and additional info
FortiGate: Service [{#NAME}]: License status is unsuccessful

This trigger expression works as follows:
1. It can be triggered if the license status is unsuccessful.
2. {$SERVICE.LICENSE.CONTROL:"{#IFNAME}"}=1 - a user can redefine context macro to value - 0. That marks the license of this service as not important. No new trigger will be fired if this license is unsuccessful.

 {$SERVICE.LICENSE.CONTROL:"{#KEY}"}=1 and last(/FortiGate by HTTP/fgate.service.license["{#KEY}"])>5 Average Manual close: Yes
FortiGate: Service [{#NAME}]: License expires soon

This trigger expression works as follows:
1. It can be triggered if the license expires soon.
2. {$SERVICE.LICENSE.CONTROL:"{#IFNAME}"}=1 - a user can redefine context macro to value - 0. That marks the license of this service as not important. No new trigger will be fired if this license expires.

 {$SERVICE.LICENSE.CONTROL:"{#KEY}"}=1 and (last(/FortiGate by HTTP/fgate.service.expire["{#KEY}"]) - now()) / 86400 < {$SERVICE.EXPIRY.WARN:"{#KEY}"} and last(/FortiGate by HTTP/fgate.service.expire["{#KEY}"]) > now() Warning Manual close: Yes

LLD rule SD-WAN members discovery

Name Description Type Key and additional info
SD-WAN members discovery

Discovery for FortiGate SD-WAN members.

 Dependent item fgate.sdwan_member.discovery

Preprocessing

  • JSON Path: $.data.member_lld

  • Discard unchanged with heartbeat: 1h

Item prototypes for SD-WAN members discovery

Name Description Type Key and additional info
SD-WAN [{#ZONE}]:[{#NAME}]: Get data

Item for gathering data about the {#NAME} interface in the {#ZONE} zone.

 Dependent item fgate.sdwan_member.get_data[{#ID}]

Preprocessing

  • JSON Path: $.data.member_lld[?(@.interface == "{#NAME}")].first()

    ⛔️Custom on fail: Discard value
SD-WAN [{#ZONE}]:[{#NAME}]: Member status

Current status of the {#NAME} interface in the {#ZONE} zone.

 Dependent item fgate.sdwan_member.status[{#ID}]

Preprocessing

  • JSON Path: $.status

  • JavaScript: The text is too long. Please see the template.

  • Discard unchanged with heartbeat: 1h
SD-WAN [{#ZONE}]:[{#NAME}]: Link status

Current link status of the {#NAME} interface in the {#ZONE} zone.

 Dependent item fgate.sdwan_member.link_status[{#ID}]

Preprocessing

  • JSON Path: $.link

  • JavaScript: The text is too long. Please see the template.
SD-WAN [{#ZONE}]:[{#NAME}]: Sessions

Number of active sessions opened through the {#NAME} interface in the {#ZONE} zone.

 Dependent item fgate.sdwan_member.sessions[{#ID}]

Preprocessing

  • JSON Path: $.session
SD-WAN [{#ZONE}]:[{#NAME}]: Bytes sent per second

Bytes sent through the {#NAME} interface in the {#ZONE} zone per second.

 Dependent item fgate.sdwan_member.tx_bytes[{#ID}]

Preprocessing

  • JSON Path: $.tx_bytes

    ⛔️Custom on fail: Set value to: 0

  • Change per second
SD-WAN [{#ZONE}]:[{#NAME}]: Bytes received per second

Bytes received from the {#NAME} interface in the {#ZONE} zone per second.

 Dependent item fgate.sdwan_member.rx_bytes[{#ID}]

Preprocessing

  • JSON Path: $.rx_bytes

    ⛔️Custom on fail: Set value to: 0

  • Change per second
SD-WAN [{#ZONE}]:[{#NAME}]: Output bandwidth

Transmitting bandwidth of the {#NAME} interface in the {#ZONE} zone.

 Dependent item fgate.sdwan_member.tx_bandwidth[{#ID}]

Preprocessing

  • JSON Path: $.tx_bandwidth

    ⛔️Custom on fail: Set value to: 0

  • Change per second
SD-WAN [{#ZONE}]:[{#NAME}]: Input bandwidth

Receiving bandwidth of the {#NAME} interface in the {#ZONE} zone.

 Dependent item fgate.sdwan_member.rx_bandwidth[{#ID}]

Preprocessing

  • JSON Path: $.rx_bandwidth

    ⛔️Custom on fail: Set value to: 0

  • Change per second
SD-WAN [{#ZONE}]:[{#NAME}]: State changing time

Last state changing time of the {#NAME} interface in the {#ZONE} zone.

 Dependent item fgate.service.state_changed[{#ID}]

Preprocessing

  • JSON Path: $.state_changed

    ⛔️Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h

Trigger prototypes for SD-WAN members discovery

Name Description Expression Severity Dependencies and additional info
FortiGate: SD-WAN [{#ZONE}]:[{#NAME}]: Link down

This trigger expression works as follows:
1. It can be triggered if the interface status is down.
2. {$SDWAN.MEMBER.IF.CONTROL:"{#NAME}"}=1 - a user can redefine context macro to value - 0. That marks this interface as not important. No new trigger will be fired if this interface is down.
3. {TEMPLATE_NAME:METRIC.diff()}=1 - the trigger fires only if the interface status was up to (1) sometime before.

WARNING: If closed manually, it will not fire again on the next poll because of .diff.

 {$SDWAN.MEMBER.IF.CONTROL:"{#NAME}"}=1 and last(/FortiGate by HTTP/fgate.sdwan_member.link_status[{#ID}])=1 and (last(/FortiGate by HTTP/fgate.sdwan_member.link_status[{#ID}],#1)<>last(/FortiGate by HTTP/fgate.sdwan_member.link_status[{#ID}],#2)) Average Manual close: Yes

LLD rule SD-WAN health-checks discovery

Name Description Type Key and additional info
SD-WAN health-checks discovery

Discovery for FortiGate SD-WAN health-checks.

 Dependent item fgate.sdwan_health.discovery

Preprocessing

  • JSON Path: $.data.health_lld

  • Discard unchanged with heartbeat: 1h

Item prototypes for SD-WAN health-checks discovery

Name Description Type Key and additional info
SD-WAN [{#NAME}]:[{#IFNAME}]: Get data

Item for gathering data about the {#IFNAME} interface in the {#NAME} health-check.

 Dependent item fgate.sdwan_health.get_data["{#HID}.{#MID}"]

Preprocessing

  • JSON Path: The text is too long. Please see the template.

    ⛔️Custom on fail: Discard value
SD-WAN [{#NAME}]:[{#IFNAME}]: Interface status

Current status of the {#IFNAME} interface in the {#NAME} health-check.

 Dependent item fgate.sdwan_health.status["{#HID}.{#MID}"]

Preprocessing

  • JSON Path: $.status

  • JavaScript: The text is too long. Please see the template.
SD-WAN [{#NAME}]:[{#IFNAME}]: Jitter

Current jitter value for the {#IFNAME} interface in the {#NAME} health-check.

 Dependent item fgate.sdwan_health.jitter["{#HID}.{#MID}"]

Preprocessing

  • JSON Path: $.jitter

    ⛔️Custom on fail: Discard value
SD-WAN [{#NAME}]:[{#IFNAME}]: Latency

Current latency value for the {#IFNAME} interface in the {#NAME} health-check.

 Dependent item fgate.sdwan_health.latency["{#HID}.{#MID}"]

Preprocessing

  • JSON Path: $.latency

    ⛔️Custom on fail: Discard value
SD-WAN [{#NAME}]:[{#IFNAME}]: Packets loss

Percent of lost packets for the {#IFNAME} interface in the {#NAME} health-check.

 Dependent item fgate.sdwan_health.loss["{#HID}.{#MID}"]

Preprocessing

  • JSON Path: $.packet_loss

    ⛔️Custom on fail: Discard value
SD-WAN [{#NAME}]:[{#IFNAME}]: Packets sent per second

Number of packets sent through the {#IFNAME} interface in the {#NAME} health-check per second.

 Dependent item fgate.sdwan_health.sent["{#HID}.{#MID}"]

Preprocessing

  • JSON Path: $.packet_sent

    ⛔️Custom on fail: Discard value

  • Change per second
SD-WAN [{#NAME}]:[{#IFNAME}]: Packets received per second

Number of packets received from the {#IFNAME} interface in the {#NAME} health-check per second.

 Dependent item fgate.sdwan_health.received["{#HID}.{#MID}"]

Preprocessing

  • JSON Path: $.packet_received

    ⛔️Custom on fail: Discard value

  • Change per second

Trigger prototypes for SD-WAN health-checks discovery

Name Description Expression Severity Dependencies and additional info
FortiGate: SD-WAN [{#NAME}]:[{#IFNAME}]: Link down

This trigger expression works as follows:
1. It can be triggered if the interface status is down.
2. {$SDWAN.HEALTH.IF.CONTROL:"{#NAME}"}=1 - a user can redefine context macro to value - 0. That marks this interface as not important. No new trigger will be fired if this interface is down/error.
3. {TEMPLATE_NAME:METRIC.diff()}=1 - the trigger fires only if the interface status was up to (1) sometime before.

WARNING: If closed manually, it will not fire again on the next poll because of .diff.

 {$SDWAN.HEALTH.IF.CONTROL:"{#NAME}"}=1 and last(/FortiGate by HTTP/fgate.sdwan_health.status["{#HID}.{#MID}"])=1 and (last(/FortiGate by HTTP/fgate.sdwan_health.status["{#HID}.{#MID}"],#1)<>last(/FortiGate by HTTP/fgate.sdwan_health.status["{#HID}.{#MID}"],#2)) Average Manual close: Yes
FortiGate: SD-WAN [{#NAME}]:[{#IFNAME}]: Link state is error

This trigger expression works as follows:
1. It can be triggered if the interface status is error.
2. {$SDWAN.HEALTH.IF.CONTROL:"{#IFNAME}"}=1 - a user can redefine context macro to value - 0. That marks this interface as not important. No new trigger will be fired if this interface is down/error.
3. {TEMPLATE_NAME:METRIC.diff()}=1 - the trigger fires only if the interface status was up to (1) sometime before.

WARNING: If closed manually, it will not fire again on the next poll because of .diff.

 {$SDWAN.HEALTH.IF.CONTROL:"{#IFNAME}"}=1 and last(/FortiGate by HTTP/fgate.sdwan_health.status["{#HID}.{#MID}"])=2 and (last(/FortiGate by HTTP/fgate.sdwan_health.status["{#HID}.{#MID}"],#1)<>last(/FortiGate by HTTP/fgate.sdwan_health.status["{#HID}.{#MID}"],#2)) Average Manual close: Yes
FortiGate: SD-WAN [{#NAME}]:[{#IFNAME}]: High packets loss

High level of packets loss detected.

 min(/FortiGate by HTTP/fgate.sdwan_health.loss["{#HID}.{#MID}"],5m)>{$SDWAN.HEALTH.IF.LOSS.WARN:"{#IFNAME}"} Warning

LLD rule Network interfaces discovery

Name Description Type Key and additional info
Network interfaces discovery

Discovery for FortiGate network interfaces.

 Dependent item fgate.netif.discovery

Preprocessing

  • JSON Path: $.data

  • Discard unchanged with heartbeat: 6h

Item prototypes for Network interfaces discovery

Name Description Type Key and additional info
Interface [{#IFNAME}({#IFALIAS})]: Get data

Item for gathering data for the {#IFKEY} interface.

 Dependent item fgate.netif.get_data[{#IFKEY}]

Preprocessing

  • JSON Path: $.data[?(@.id == "{#IFKEY}")].first()

    ⛔️Custom on fail: Discard value
Interface [{#IFNAME}({#IFALIAS})]: Link status

Current link status of the interface.

 Dependent item fgate.netif.status[{#IFKEY}]

Preprocessing

  • JSON Path: $.link

  • Boolean to decimal
Interface [{#IFNAME}({#IFALIAS})]: Bits received

The total number of octets received on the interface per second.

 Dependent item fgate.netif.in[{#IFKEY}]

Preprocessing

  • JSON Path: $.rx_bytes

    ⛔️Custom on fail: Set value to: 0

  • Change per second

  • Custom multiplier: 8
Interface [{#IFNAME}({#IFALIAS})]: Inbound packets

The total number of packets received on the interface per second.

 Dependent item fgate.netif.in_packets[{#IFKEY}]

Preprocessing

  • JSON Path: $.rx_packets

    ⛔️Custom on fail: Set value to: 0

  • Change per second
Interface [{#IFNAME}({#IFALIAS})]: Bits sent

The total number of octets transmitted out of the interface.

 Dependent item fgate.netif.out[{#IFKEY}]

Preprocessing

  • JSON Path: $.tx_bytes

    ⛔️Custom on fail: Set value to: 0

  • Change per second

  • Custom multiplier: 8
Interface [{#IFNAME}({#IFALIAS})]: Outbound packets

The total number of packets transmitted out of the interface per second.

 Dependent item fgate.netif.out_packets[{#IFKEY}]

Preprocessing

  • JSON Path: $.tx_packets

    ⛔️Custom on fail: Set value to: 0

  • Change per second
Interface [{#IFNAME}({#IFALIAS})]: Inbound packets with errors

The total number of errors received.

 Dependent item fgate.netif.in_errors[{#IFKEY}]

Preprocessing

  • JSON Path: $.rx_errors

    ⛔️Custom on fail: Set value to: 0

  • Change per second
Interface [{#IFNAME}({#IFALIAS})]: Outbound packets with errors

The total number of errors transmitted.

 Dependent item fgate.netif.out_errors[{#IFKEY}]

Preprocessing

  • JSON Path: $.tx_errors

    ⛔️Custom on fail: Set value to: 0

  • Change per second
Interface [{#IFNAME}({#IFALIAS})]: Interface type

Type of the interface.

 Dependent item fgate.netif.type[{#IFKEY}]

Preprocessing

  • JSON Path: $.type

  • JavaScript: The text is too long. Please see the template.

  • Discard unchanged with heartbeat: 1h
Interface [{#IFNAME}({#IFALIAS})]: Speed

Speed of the interface.

 Dependent item fgate.netif.speed[{#IFKEY}]

Preprocessing

  • JSON Path: $.speed

    ⛔️Custom on fail: Set value to: 0

  • Custom multiplier: 1000000

  • Discard unchanged with heartbeat: 1h

Trigger prototypes for Network interfaces discovery

Name Description Expression Severity Dependencies and additional info
FortiGate: Interface [{#IFNAME}({#IFALIAS})]: Link down

This trigger expression works as follows:
1. It can be triggered if the interface link status is down.
2. {$NET.IF.CONTROL:"{#IFNAME}"}=1 - a user can redefine context macro to value - 0. That marks this interface as not important. No new trigger will be fired if this interface link is down.
3. {TEMPLATE_NAME:METRIC.diff()}=1 - the trigger fires only if the interface link status was up to (1) sometime before.

WARNING: If closed manually, it will not fire again on the next poll because of .diff.

 {$NET.IF.CONTROL:"{#IFNAME}"}=1 and last(/FortiGate by HTTP/fgate.netif.status[{#IFKEY}])=1 and (last(/FortiGate by HTTP/fgate.netif.status[{#IFKEY}],#1)<>last(/FortiGate by HTTP/fgate.netif.status[{#IFKEY}],#2)) Average Manual close: Yes
FortiGate: Interface [{#IFNAME}({#IFALIAS})]: High bandwidth usage

The utilization of the network interface is close to its estimated maximum bandwidth.

 (avg(/FortiGate by HTTP/fgate.netif.in[{#IFKEY}],15m)>({$NET.IF.UTIL.MAX:"{#IFNAME}"}/100)*last(/FortiGate by HTTP/fgate.netif.speed[{#IFKEY}]) or avg(/FortiGate by HTTP/fgate.netif.out[{#IFKEY}],15m)>({$NET.IF.UTIL.MAX:"{#IFNAME}"}/100)*last(/FortiGate by HTTP/fgate.netif.speed[{#IFKEY}])) and last(/FortiGate by HTTP/fgate.netif.speed[{#IFKEY}])>0 Warning Manual close: Yes
Depends on:
  • FortiGate: Interface [{#IFNAME}({#IFALIAS})]: Link down
FortiGate: Interface [{#IFNAME}({#IFALIAS})]: High error rate

It recovers when it is below 80% of the {$NET.IF.ERRORS.WARN:"{#IFKEY}"} threshold.

 min(/FortiGate by HTTP/fgate.netif.in_errors[{#IFKEY}],5m)>{$NET.IF.ERRORS.WARN:"{#IFKEY}"} or min(/FortiGate by HTTP/fgate.netif.in_errors[{#IFKEY}],5m)>{$NET.IF.ERRORS.WARN:"{#IFKEY}"} Warning Manual close: Yes
Depends on:
  • FortiGate: Interface [{#IFNAME}({#IFALIAS})]: Link down
FortiGate: Interface [{#IFNAME}({#IFALIAS})]: Ethernet has changed to lower speed than it was before

This Ethernet connection has transitioned down from its known maximum speed. This might be a sign of autonegotiation issues. Acknowledge to close the problem manually.

 change(/FortiGate by HTTP/fgate.netif.speed[{#IFKEY}])<0 and last(/FortiGate by HTTP/fgate.netif.speed[{#IFKEY}])>0 and last(/FortiGate by HTTP/fgate.netif.status[{#IFKEY}])<>0 Info Manual close: Yes
Depends on:
  • FortiGate: Interface [{#IFNAME}({#IFALIAS})]: Link down

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide feedback, discuss the template, or ask for help at ZABBIX forums

Articles and documentation

+ Propose new article

Não encontrou a integração que vocá precisa?

Request custom integration

Zabbix integration team will develop custom integration based on your requirements and Zabbix best practices.

Request

Propose your integration

Have you already developed high quality integration and want to submit to Zabbix integration repository?

Propose