Prometheus exporter for FortiGate® firewalls.
NOTE: This is not an official Fortinet product, it is developed fully independently by professionals and hobbyists alike.
Right now the exporter supports a quite limited set of metrics, but it is very easy to add! Open an issue if your favorite metric is missing.
For example PromQL usage, see EXAMPLES.
Supported metrics right now as follows.
Global:
- System/SensorInfo
fortigate_sensor_fan_rpm
fortigate_sensor_temperature_celsius
fortigate_sensor_voltage_volts
- System/Status
fortigate_version_info
- System/Time/Clock
fortigate_time_seconds
- System/Resource/Usage
fortigate_cpu_usage_ratio
fortigate_memory_usage_ratio
fortigate_current_sessions
- System/HAChecksums
fortigate_ha_member_has_role
- License/Status
fortigate_license_vdom_usage
fortigate_license_vdom_max
- WebUI/State
fortigate_last_reboot_seconds
fortigate_last_snapshot_seconds
Per-VDOM:
- System/VDOMResources
fortigate_vdom_cpu_usage_ratio
fortigate_vdom_memory_usage_ratio
fortigate_vdom_current_sessions
- Firewall/Policies
fortigate_policy_active_sessions
fortigate_policy_bytes_total
fortigate_policy_hit_count_total
fortigate_policy_packets_total
- System/Fortimanager/Status
fortigate_fortimanager_connection_status
fortigate_fortimanager_registration_status
- System/Interface
fortigate_interface_link_up
fortigate_interface_speed_bps
fortigate_interface_transmit_packets_total
fortigate_interface_receive_packets_total
fortigate_interface_transmit_bytes_total
fortigate_interface_receive_bytes_total
fortigate_interface_transmit_errors_total
fortigate_interface_receive_errors_total
- User/Fsso
fortigate_user_fsso_info
- VPN/Ssl/Connections
fortigate_vpn_connections
fortigate_vpn_users
- VPN/Ssl/Stats
fortigate_vpn_ssl_users
fortigate_vpn_ssl_tunnels
fortigate_vpn_ssl_connections
- VPN/IPSec
fortigate_ipsec_tunnel_receive_bytes_total
fortigate_ipsec_tunnel_transmit_bytes_total
fortigate_ipsec_tunnel_up
- Wifi/APStatus
fortigate_wifi_access_points
fortigate_wifi_fabric_clients
fortigate_wifi_fabric_max_allowed_clients
- Log/Fortianalyzer/Status
fortigate_log_fortianalyzer_registration_info
fortigate_log_fortianalyzer_logs_received
- Log/Fortianalyzer/Queue
fortigate_log_fortianalyzer_queue_connections
fortigate_log_fortianalyzer_queue_logs
- Log/DiskUsage
fortigate_log_disk_used_bytes
fortigate_log_disk_total_bytes
Per-HA-Member and VDOM:
- System/HAStatistics
fortigate_ha_member_info
fortigate_ha_member_cpu_usage_ratio
fortigate_ha_member_memory_usage_ratio
fortigate_ha_member_network_usage_ratio
fortigate_ha_member_sessions
fortigate_ha_member_packets_total
fortigate_ha_member_virus_events_total
fortigate_ha_member_bytes_total
fortigate_ha_member_ips_events_total
Per-Link and VDOM:
- System/LinkMonitor
fortigate_link_status
fortigate_link_latency_seconds
fortigate_link_latency_jitter_seconds
fortigate_link_packet_loss_ratio
fortigate_link_packet_sent_total
fortigate_link_packet_received_total
fortigate_link_active_sessions
fortigate_link_bandwidth_tx_byte_per_second
fortigate_link_bandwidth_rx_byte_per_second
fortigate_link_status_change_time_seconds
Per-SDWAN and VDOM:
- VirtualWAN/HealthCheck
fortigate_virtual_wan_status
fortigate_virtual_wan_latency_seconds
fortigate_virtual_wan_latency_jitter_seconds
fortigate_virtual_wan_packet_loss_ratio
fortigate_virtual_wan_packet_sent_total
fortigate_virtual_wan_packet_received_total
fortigate_virtual_wan_active_sessions
fortigate_virtual_wan_bandwidth_tx_byte_per_second
fortigate_virtual_wan_bandwidth_rx_byte_per_second
fortigate_virtual_wan_status_change_time_seconds
Per-BGP-Neighbor and VDOM:
- BGP/Neighbors/IPv4
fortigate_bgp_neighbor_ipv4_info
- BGP/Neighbors/IPv6
fortigate_bgp_neighbor_ipv6_info
- BGP/NeighborPaths/IPv4
fortigate_bgp_neighbor_ipv4_paths
fortigate_bgp_neighbor_ipv4_best_paths
- BGP/NeighborPaths/IPv6
fortigate_bgp_neighbor_ipv6_paths
fortigate_bgp_neighbor_ipv6_best_paths
Per-VirtualServer and VDOM:
- Firewall/LoadBalance
fortigate_lb_virtual_server_info
Per-RealServer for each VirtualServer and VDOM:
- Firewall/LoadBalance
fortigate_lb_real_server_info
fortigate_lb_real_server_mode
fortigate_lb_real_server_status
fortigate_lb_real_server_active_sessions
fortigate_lb_real_server_rtt_seconds
fortigate_lb_real_server_processed_bytes_total
Per-Certificate:
- System/AvailableCertificates
fortigate_certificate_info
fortigate_certificate_valid_from_seconds
fortigate_certificate_valid_to_seconds
fortigate_certificate_cmdb_references
Per-VDOM and Wifi-Client:
- Wifi/Clients
fortigate_wifi_client_info
fortigate_wifi_client_data_rate_bps
fortigate_wifi_client_bandwidth_rx_bps
fortigate_wifi_client_bandwidth_tx_bps
fortigate_wifi_client_signal_strength_dBm
fortigate_wifi_client_signal_noise_dBm
fortigate_wifi_client_tx_discard_ratio
fortigate_wifi_client_tx_retries_ratio
Per-VDOM and managed access point:
- Wifi/ManagedAP
fortigate_wifi_managed_ap_info
fortigate_wifi_managed_ap_join_time_seconds
fortigate_wifi_managed_ap_cpu_usage_ratio
fortigate_wifi_managed_ap_memory_free_bytes
fortigate_wifi_managed_ap_memory_bytes_total
Per-VDOM, managed access point and radio:
- Wifi/ManagedAP
fortigate_wifi_managed_ap_radio_info
fortigate_wifi_managed_ap_radio_client_count
fortigate_wifi_managed_ap_radio_operating_tx_power_ratio
fortigate_wifi_managed_ap_radio_operating_channel_utilization_ratio
fortigate_wifi_managed_ap_radio_bandwidth_rx_bps
fortigate_wifi_managed_ap_radio_rx_bytes_total
fortigate_wifi_managed_ap_radio_tx_bytes_total
fortigate_wifi_managed_ap_radio_interfering_aps
fortigate_wifi_managed_ap_radio_tx_power_ratio
fortigate_wifi_managed_ap_radio_tx_discard_ratio
fortigate_wifi_managed_ap_radio_tx_retries_ratio
Per-VDOM, managed access point and interface:
- Wifi/ManagedAP
fortigate_wifi_managed_ap_interface_rx_bytes_total
fortigate_wifi_managed_ap_interface_tx_bytes_total
fortigate_wifi_managed_ap_interface_rx_packets_total
fortigate_wifi_managed_ap_interface_tx_packets_total
fortigate_wifi_managed_ap_interface_rx_errors_total
fortigate_wifi_managed_ap_interface_tx_errors_total
fortigate_wifi_managed_ap_interface_rx_dropped_packets_total
fortigate_wifi_managed_ap_interface_tx_dropped_packets_total
Per-VDOM, managed switch and interface:
- Switch/ManagedSwitch
fortigate_managed_switch_collisions_total
fortigate_managed_switch_crc_alignments_total
fortigate_managed_switch_fragments_total
fortigate_managed_switch_info
fortigate_managed_switch_jabbers_total
fortigate_managed_switch_l3_packets_total
fortigate_managed_switch_max_poe_budget_watt
fortigate_managed_switch_port_info
fortigate_managed_switch_port_power_status
fortigate_managed_switch_port_power_watt
fortigate_managed_switch_port_status
fortigate_managed_switch_rx_bcast_packets_total
fortigate_managed_switch_rx_bytes_total
fortigate_managed_switch_rx_drops_total
fortigate_managed_switch_rx_errors_total
fortigate_managed_switch_rx_mcast_packets_total
fortigate_managed_switch_rx_oversize_total
fortigate_managed_switch_rx_packets_total
fortigate_managed_switch_rx_ucast_packets_total
fortigate_managed_switch_tx_bcast_packets_total
fortigate_managed_switch_tx_bytes_total
fortigate_managed_switch_tx_drops_total
fortigate_managed_switch_tx_errors_total
fortigate_managed_switch_tx_mcast_packets_total
fortigate_managed_switch_tx_oversize_total
fortigate_managed_switch_tx_packets_total
fortigate_managed_switch_tx_ucast_packets_total
fortigate_managed_switch_under_size_total
Example:
$ ./fortigate_exporter -auth-file ~/fortigate-key.yaml
# or
$ docker run -d -p 9710:9710 -v /path/to/fortigate-key.yaml:/config/fortigate-key.yaml quay.io/bluecmd/fortigate_exporter:master
Where fortigate-key.yaml
contains pairs of FortiGate targets and API keys in the following format:
"https://my-fortigate":
token: api-key-goes-here
# If you have a smaller fortigate unit you might want
# to exclude sensors as they do not have any
probes:
exclude:
- System/SensorInfo
"https://my-other-fortigate:8443":
token: api-key-goes-here
NOTE: Currently only token authentication is supported. FortiGate does not allow usage of tokens on non-HTTPS connections, which means that currently you need HTTPS to be configured properly.
You can select which probes you want to run on a per target basis.
- Probes can be included or excluded under the optional
probes
section by defininginclude
and/orexclude
lists. - Each probe name, that can be run by the fortigate exporter, is compared to the
include
/exclude
lists. - Inclusion/exclusion of a probe is based on a prefix match, therefore lists must contains entries starting with a probe name to be included/excluded.
- Prefix match is case sensitive.
include
list is evaluated beforeexclude
list, thereforeexclude
list can exclude a previously included probe.
Example:
"https://my-fortigate":
token: api-key-goes-here
probes:
include:
- System
- VPN
- Firewall/Policies
# Include only probes with name starting with: System or VPN + probe: Firewall/Policies
# Other probes are excluded because there were not explictly included
"https://my-other-fortigate:8443":
token: api-key-goes-here
probes:
exclude:
- Wifi
- Firewall/LoadBalance
# Exclude probes with name starting with: Wifi + probe: Firewall/LoadBalance
# All other probes are included by default because include list is empty
"https://my-other-orther-fortigate:8443":
token: api-key-goes-here
probes:
include:
- System
- Firewall
exclude:
- System/LinkMonitor
# Inlcude probes with name starting with: System and Firewall
# Then exclude probe: System/LinkMonitor
Special cases:
- If
probes
isn't set or is empty, all probes will be run against the target. - If
include
list is empty, by default, all probes will be selected to be run against the target. - If
include
contains an entry- ''
, then all probes are included (equivalent to not defininginclude
) - If
exclude
contains an entry- ''
, then all probes are excluded (equivalent to not defining the target)
To probe a FortiGate, do something like curl 'localhost:9710/probe?target=https://my-fortigate'
In use cases where the Fortigates that is to be scraped through the fortigate-exporter is configured in
Prometheus using some discovery method it becomes problematic that the fortigate-key.yaml
configuration also
has to be updated for each fortigate, and that the fortigate-exporter needs to be restarted on each change.
For that scenario the token can be passed as a query parameter, token
, to the fortigate.
Example:
curl 'localhost:9710/probe?target=https://192.168.2.31&token=ghi6eItWzWewgbrFMsazvBVwDjZzzb'
It is also possible to pass a profile
query parameter. The value will match an entry in the fortigate-key.yaml
file, but only to use the probes
section for include/exclude directives.
Example:
curl 'localhost:9710/probe?target=https://192.168.2.31&token=ghi6eItWzWewgbrFMsazvBVwDjZzzb&profile=fs124e'
The profile=fs124e
would match the following entry in fortigate-key.yaml
.
Example:
fs124e:
# token: not used
probes:
include:
- System
- Firewall
exclude:
- System/LinkMonitor
flag | default value | description |
---|---|---|
-auth-file | fortigate-key.yaml | path to the location of the key file |
-listen | :9710 | address to listen for incoming requests |
-scrape-timeout | 30 | timeout in seconds |
-https-timeout | 10 | timeout in seconds for establishment of HTTPS connections |
-insecure | not set | allows to turn off security validation of TLS certificates |
-extra-ca-certs | (none) | comma-separated files containing extra PEMs to trust for TLS connections in addition to the system trust store |
-max-bgp-paths | 10000 | Sets maximum amount of BGP paths to fetch, value is per IP stack version (IPv4 & IPv6) |
-max-vpn-users | 0 | Sets maximum amount of VPN users to fetch (0 eq. none by default) |
Read permission is enough for Fortigate exporter purpose. To improve security, limit permissions to required ones only (least privilege principle).
probe name | permission | API URL |
---|---|---|
Default Global | any | api/v2/monitor/system/status |
BGP/NeighborPaths/IPv4 | netgrp.route-cfg | api/v2/monitor/router/bgp/paths |
BGP/NeighborPaths/IPv6 | netgrp.route-cfg | api/v2/monitor/router/bgp/paths6 |
BGP/Neighbors/IPv4 | netgrp.route-cfg | api/v2/monitor/router/bgp/neighbors |
BGP/Neighbors/IPv6 | netgrp.route-cfg | api/v2/monitor/router/bgp/neighbors6 |
Firewall/LoadBalance | fwgrp.others | api/v2/monitor/firewall/load-balance |
Firewall/Policies | fwgrp.policy | api/v2/monitor/firewall/policy/select api/v2/monitor/firewall/policy6/select api/v2/cmdb/firewall/policy api/v2/cmdb/firewall/policy6 |
License/Status | any | api/v2/monitor/license/status/select |
Log/Fortianalyzer/Status | loggrp.config | api/v2/monitor/log/fortianalyzer |
Log/Fortianalyzer/Queue | loggrp.config | api/v2/monitor/log/fortianalyzer-queue |
Log/DiskUsage | loggrp.config | api/v2/monitor/log/current-disk-usage |
System/AvailableCertificates | any | api/v2/monitor/system/available-certificates |
System/Fortimanager/Status | sysgrp.cfg | api/v2/monitor/system/fortimanager/status |
System/HAStatistics | sysgrp.cfg | api/v2/monitor/system/ha-statistics api/v2/cmdb/system/ha |
System/Interface | netgrp.cfg | api/v2/monitor/system/interface/select |
System/LinkMonitor | sysgrp.cfg | api/v2/monitor/system/link-monitor |
System/Resource/Usage | sysgrp.cfg | api/v2/monitor/system/resource/usage |
System/SensorInfo | sysgrp.cfg | api/v2/monitor/system/sensor-info |
System/Status | any | api/v2/monitor/system/status |
System/Time/Clock | sysgrp.cfg | api/v2/monitor/system/time |
System/VDOMResources | sysgrp.cfg | api/v2/monitor/system/resource/usage |
User/Fsso | authgrp | api/v2/monitor/user/fsso |
VPN/IPSec | vpngrp | api/v2/monitor/vpn/ipsec |
VPN/Ssl/Connections | vpngrp | api/v2/monitor/vpn/ssl |
VPN/Ssl/Stats | vpngrp | api/v2/monitor/vpn/ssl/stats |
VirtualWAN/HealthCheck | netgrp.cfg | api/v2/monitor/virtual-wan/health-check |
Wifi/APStatus | wifi | api/v2/monitor/wifi/ap_status |
Wifi/Clients | wifi | api/v2/monitor/wifi/client |
Wifi/ManagedAP | wifi | api/v2/monitor/wifi/managed_ap |
Switch/ManagedSwitch | switch | api/v2/monitor/switch-controller/managed-switch |
If you omit to grant some of these permissions you will receive log messages warning about | ||
403 errors and relevant metrics will be unavailable, but other metrics will still work. | ||
If you do not need some probes to be run, do not grant permission for them and use include/exclude feature (see Usage section). |
The following example Admin Profile describes the permissions that needs to be granted to the monitor user in order for all metrics to be available.
config system accprofile
edit "monitor"
# global scope will fail on non multi-VDOM firewall
set scope global
set authgrp read
# As of FortiOS 6.2.1 it seems `fwgrp-permissions.other` is removed,
# use 'fwgrp read' to get load balance servers metrics
set fwgrp custom
set loggrp custom
set netgrp custom
set sysgrp custom
set vpngrp read
set wifi read
# will fail for most recent FortiOS
set system-diagnostics disable
config fwgrp-permission
set policy read
set others read
end
config netgrp-permission
set cfg read
set route-cfg read
end
config loggrp-permission
set config read
end
config sysgrp-permission
set cfg read
end
next
end
An example configuration for Prometheus looks something like this:
- job_name: 'fortigate_exporter'
metrics_path: /probe
static_configs:
- targets:
- https://my-fortigate
- https://my-other-fortigate:8443
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
# Drop the https:// and port (if specified) for the 'instance=' label
regex: '(?:.+)(?::\/\/)([^:]*).*'
- target_label: __address__
replacement: '[::1]:9710'
If using Dynamic configuration:
- job_name: 'fortigate_exporter'
metrics_path: /probe
file_sd_configs:
- files:
- /etc/prometheus/file_sd/fws/*.yml
params:
profile:
- fs124e
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [token]
target_label: __param_token
- source_labels: [__param_target]
regex: '(?:.+)(?::\/\/)([^:]*).*'
target_label: instance
- target_label: __address__
replacement: '[::1]:9710'
- action: labeldrop
regex: token
Make sure to use the last labeldrop on the
token
label so that the tokens is not be part of your time series.
Since
token
is a label it will be shown in the Prometheus webgui athttp://<your prometheus>:9090/targets
.Make sure you protect your Prometheus if you add the token part of your prometheus config
Some options to protect Prometheus:
- Only expose UI to localhost --web.listen-address="127.0.0.1:9090"
- Basic authentication access - https://prometheus.io/docs/guides/basic-auth/
- It is your responsibility!
You can either use the automatic builds on quay.io or build yourself like this:
docker build -t fortigate_exporter .
docker run -d -p 9710:9710 -v /path/to/fortigate-key.yaml:/config/fortigate-key.yaml fortigate_exporter
prometheus_fortigate_exporter:
build: ./
ports:
- 9710:9710
volumes:
- /path/to/fortigate-key.yaml:/config/fortigate-key.yaml
# Applying multiple parameters
command: ["-auth-file", "/config/fortigate-key.yaml", "-insecure"]
restart: unless-stopped
This is a collection of known issues that for some reason cannot be fixed, but might be possible to work around.
- Probing causing httpsd memory leak in FortiOS 6.2.x (Workaround)
Please file an issue describing what metrics you'd like to see. Include as much details as possible please, e.g. how the perfect Prometheus metric would look for your use-case.
An alternative to using this exporter is to use generic SNMP polling, e.g. using a Prometheus SNMP exporter (official, alternative). Note that there are limitations (e.g. 1) in what FortiGate supports querying via SNMP.
Fortinet®, and FortiGate® are registered trademarks of Fortinet, Inc.
This is not an official Fortinet product.