Monitoring FortiGate VPN tunnels

  • madis
    Junior Member
    • Nov 2021
    • 9

    #1

    Monitoring FortiGate VPN tunnels

    So I need to monitor statuses of several VPN tunnels. FortiGate has a great OID for that, fgVpnTunEntStatus (1.3.6.1.4.1.12356.101.12.2.2.1.20).
    snmpwalk gives me the expected output:
    Code:
    [root@zabbix ~]# snmpwalk -v2c -c public 10.10.10.254 1.3.6.1.4.1.12356.101.12.2.2.1.20
    SNMPv2-SMI::enterprises.12356.101.12.2.2.1.20.20.1 = INTEGER: 2
    SNMPv2-SMI::enterprises.12356.101.12.2.2.1.20.21.1 = INTEGER: 2
    or
    Code:
    [root@zabbix ~]# snmpwalk -v2c -c public 10.10.10.254 FORTINET-FORTIGATE-MIB::fgVpnTunEntStatus
    FORTINET-FORTIGATE-MIB::fgVpnTunEntStatus.20.1 = INTEGER: up(2)
    FORTINET-FORTIGATE-MIB::fgVpnTunEntStatus.21.1 = INTEGER: up(2)
    In Zabbix I make an item prototype:
    Code:
    Name: VPN tunnel status[{#SNMPVALUE}]
    Type: SNMP agent
    Key: fgVpnTunEntStatus[{#SNMPVALUE}]
    SNMP OID: FORTINET-FORTIGATE-MIB::fgVpnTunEntStatus.{#SNMPINDEX}
    Type of information: Numeric (unsigned)
    Now when I run a Test, I get the response:
    Code:
    snmp_parse_oid(): cannot parse OID "FORTINET-FORTIGATE-MIB::fgVpnTunEntStatus.{#SNMPINDEX}"
    It's the same when SNMP OID is replaced with a numeric representation:
    Code:
    snmp_parse_oid(): cannot parse OID "10.10.10.254 1.3.6.1.4.1.12356.101.12.2 .2.1.20.{#SNMPINDEX}".
    If I add a plain text widget on a dashboard, the VPN tunnel status [tunnel name] are listed, but the status is "not supported".

    If I substitute the {#SNMPINDEX} in SNMP OID with a real index, for example .20.1, the test runs successfully and I get a result "2".
    If I substitute the Type of information with Text, the test still fails; in the plain text widget the items are marked as "not supported", but they all return a value "1".

    The VPN Tunnel status item prototype is made under Network interfaces discovery rule:
    Code:
    Key: ifName
    SNMP OID: discovery[{#SNMPVALUE},.1.3.6.1.2.1.31.1.1.1.1]
    I also tried to make a new discovery rule for VPN interfaces, from there I get the following results:
    Code:
    discovery[{#SNMPVALUE},.1.3.6.1.4.1.12356.101.12.2.2.1.20]
    
    [{"{#SNMPINDEX}":"20.1","{#SNMPVALUE}":"2"},{"{#SNMPINDEX}":"21.1","{#SNMPVALUE}":"2"},...
    From there I can see that the numbers added to the OID really are called with a variable #SNMPINDEX.

    As this is my first time with Zabbix, I'm a bit perplexed...
  • MrB
    Junior Member
    • Nov 2021
    • 3

    #2
    I've been trying to do pretty much the same thing over the last couple of days, where I wanted to see the status of all my phase 2 tunnels. I got it working thanks in part to your post! Here's what I did:

    Create a new discovery rule, which will discover the phase 2 names:

    Code:
    Name: VPN Phase 2
    Type: SNMP agent
    Key: fgVpnTunEntPhase2Name
    SNMP OID: discovery[{#SNMPVALUE},.1.3.6.1.4.1.12356.101.12.2.2.1.3]
    Then, I created an item prototype to get the status of each of the tunnels discovered:

    Code:
    Name: {#SNMPVALUE}: Tunnel Status
    Type: SNMP agent
    Key: 1.3.6.1.4.1.12356.101.12.2.2.1.20.{#SNMPINDEX}
    The result is that I've got all my phase 2 tunnels discovered with their respective statuses. I think I'm also going to add a couple more item prototypes to get traffic stats with fgVpnTunEntInOctets and fgVpnTunEntOutOctets.

    In reference to #SNMPINDEX, this is "A built-in macro containing index of the discovered OID is applied to discovered entities. The discovered entities are grouped by {#SNMPINDEX} macro value."

    Hope this helps...


    • madis
      Junior Member
      • Nov 2021
      • 9

      #3
      Thanks MrB for making this week a successful one for me!
      Just to clarify for other readers, in the Item prototype, there are Key and SNMP OID fields - you only describe a Key field in your post. My final prototype looks like that:
      Code:
      Name: Tunnel Status: {#SNMPVALUE}
      Type: SNMP agent
      Key: fgVpnTunEntStatus[{#SNMPVALUE}]
      SNMP OID: 1.3.6.1.4.1.12356.101.12.2.2.1.20.{#SNMPINDEX}
      Thanks again!


      • MrB
        Junior Member
        • Nov 2021
        • 3

        #4
        Aah yes, I messed up that second code block. What you have posted is the same as what I have.

        Glad you got it working!


        • bilal.habib
          Junior Member
          • Apr 2020
          • 22

          #5
          You are both awesome!


          • bilal.habib
            Junior Member
            • Apr 2020
            • 22

            #6
            For trigger you can use this


            HTML Code:
            Name: VPN Tunnel Down [{#SNMPVALUE}]
            Expression: last(/Template Net Fortinet FortiGate SNMP/fgVpnTunEntStatus[{#SNMPVALUE}],#1)=1
            Ofc you can change expression to what you wish
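
The discovery rule, item prototype and trigger from posts #2, #3 and #6, traced end to end as an added example that is not part of any post in this thread. The snmpwalk lines are constructed sample input (tunnel names and the `22.1` row are made up), and the function names are hypothetical.

```python
import re

# Constructed sample input: numeric snmpwalk output for fgVpnTunEntPhase2Name (.3)
# and fgVpnTunEntStatus (.20). Tunnel names and the 22.1 row are made up.
SAMPLE_WALK = """\
SNMPv2-SMI::enterprises.12356.101.12.2.2.1.3.20.1 = STRING: "branch-a-p2"
SNMPv2-SMI::enterprises.12356.101.12.2.2.1.3.21.1 = STRING: "branch-b-p2"
SNMPv2-SMI::enterprises.12356.101.12.2.2.1.3.22.1 = STRING: "dc-backup-p2"
SNMPv2-SMI::enterprises.12356.101.12.2.2.1.20.20.1 = INTEGER: 2
SNMPv2-SMI::enterprises.12356.101.12.2.2.1.20.21.1 = INTEGER: 2
SNMPv2-SMI::enterprises.12356.101.12.2.2.1.20.22.1 = INTEGER: 1
"""
TABLE = "1.3.6.1.4.1.12356.101.12.2.2.1"   # columns of the tunnel table
LINE = re.compile(r'enterprises\.([\d.]+) = \w+: "?([^"\n]*)"?')

def parse_walk(text):
    """Map full numeric OID -> value for every line of snmpwalk output."""
    return {"1.3.6.1.4.1." + oid: value for oid, value in LINE.findall(text)}

def discover(values, column_oid):
    """Rows a discovery[{#SNMPVALUE},column_oid] rule yields; the index is
    whatever follows the column OID."""
    prefix = column_oid + "."
    return [{"{#SNMPINDEX}": oid[len(prefix):], "{#SNMPVALUE}": value}
            for oid, value in values.items() if oid.startswith(prefix)]

def expand(prototype, row):
    """Substitute the LLD macros of one discovered row into a prototype field."""
    for macro, value in row.items():
        prototype = prototype.replace(macro, value)
    return prototype

def tunnels_down(text):
    """Phase 2 names whose status item would match the `=1` trigger."""
    values = parse_walk(text)
    down = []
    for row in discover(values, TABLE + ".3"):
        status_oid = expand(TABLE + ".20.{#SNMPINDEX}", row)
        if values.get(status_oid) == "1":   # page shows 2 = up; trigger fires on 1
            down.append(row["{#SNMPVALUE}"])
    return down

if __name__ == "__main__":
    for row in discover(parse_walk(SAMPLE_WALK), TABLE + ".3"):
        print(expand("fgVpnTunEntStatus[{#SNMPVALUE}]", row), "->",
              expand(TABLE + ".20.{#SNMPINDEX}", row))
    print("down:", tunnels_down(SAMPLE_WALK))
```

The same walk can be collected over SNMPv3 with authPriv, which avoids sending the `public` community string in clear text the way SNMPv2c does.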


            • madis
              Junior Member
              • Nov 2021
              • 9

              #7
              To add to this topic, there is a different OID for a dialup VPN tunnel:
              Code:
              fgVpn2DialupTable 1.3.6.1.4.1.12356.101.12.4.1
              or even higher level OID to get all the info:
              Code:
              fgVpn 1.3.6.1.4.1.12356.101.12
              More info can be found at https://docs.fortinet.com/document/f...new-oids-6-4-2 and https://oidref.com/1.3.6.1.4.1.12356.101.12

              What I can't find is an OID that would show the status of a dialup tunnel, similarly to fgVpnTunEntStatus for a regular tunnel. Can anyone suggest a workaround?
              Last edited by madis; 30-06-2022, 20:44.


              • Cassemiro
                Junior Member
                • Apr 2024
                • 2

                #8
                Good afternoon,
                Has anyone managed to find out how to monitor phase 1 of the FortiGate VPN through Zabbix?


                • MarkS
                  Junior Member
                  • Oct 2023
                  • 1

                  #9
                  Hi all. Has anybody found out how to monitor dialup VPN tunnel statuses?
