

Server behind firewall nat, cannot monitor a service on a single internal interface




    I am interested to see if anyone has any suggestions as to how I can achieve monitoring on a particular interface of a server behind a NAT firewall.

    We have one server stuck on a different network that, for many stupid reasons, we are not allowed to move to within the network that the Zabbix server is set up on. I am not allowed to add any more virtual machines to the remote network so cannot set up a proxy, nor am I allowed to install the proxy software on the box itself (again, daft political and regulatory reasons).

    I have (after much arguing) installed the agent on the remote machine and have created two filtered port forwards (TCP:10050) on the firewalls that are between the networks to allow the agent and server to communicate. This bit is working; I am receiving data for pretty much all my items.

    The problem I have is with one particular service that only listens on one internal IP of the remote server, not on all interfaces.

    The netstat entry is: tcp 0 0* LISTEN

    If I add a standard item (net.tcp.service[tcp,,30011]) to the host it constantly returns a fail (0). This type of item works for all the other services that are listening on all IPs.

    If I add in the internal IP to the item (net.tcp.service[tcp,,30011]) I get a "not supported on the agent" error, but I assume that is because that host does not have that IP listed in its entry on the Zabbix server.

    If I add the 192.x address to the host (not as default) I do not get the "not supported" error, but then all the other items stop returning data.

    I am new to this Zabbix system so apologise if I have just done something daft, but can anyone see how I can get this service to monitor?


    Hi DigitalSushi, you might be able to work around the issue if you are able (allowed) to use iptables on your host.
    You can NAT a valid destination-IP/Port to the If needed NATing the source-IP to match your routing in the last hop
    Regards M-H
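
The symptom in the question can be reproduced outside Zabbix; this is an added example, not code from the thread or from Zabbix. It assumes Linux (where any 127.0.0.0/8 address can be bound), uses 127.0.0.2 as a constructed stand-in for the service's single internal IP, and relies on the documented default of 127.0.0.1 when the item's ip parameter is left empty; `tcp_check` and `demo` are hypothetical names.

```python
import socket


def tcp_check(ip, port, timeout=1.0):
    """Plain TCP connect test; returns 1 on success, 0 on failure
    (the same 1/0 convention as the item values quoted in the thread)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return 1
    except OSError:
        return 0


def demo():
    """Start a listener bound to ONE address only, then probe it the two
    ways the question describes: default address vs. explicit address."""
    bound_ip = "127.0.0.2"  # constructed stand-in for the internal IP
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bound_ip, 0))  # port 0: let the kernel pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]
    try:
        return {
            # Empty ip parameter: the check goes to 127.0.0.1, where
            # nothing is listening, so the connect is refused.
            "default_127.0.0.1": tcp_check("127.0.0.1", port),
            # Explicit ip parameter: the check reaches the listener.
            "explicit_bound_ip": tcp_check(bound_ip, port),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the same two probes on the monitored host itself, with the real address and port, separates a binding problem from a firewall or host-interface configuration problem.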


