Prometheus exporter for Fortigate firewalls.
Right now the exporter supports a quite limited set of metrics, but it is very easy to add! Open an issue if your favorite metric is missing.
For example PromQL usage, see EXAMPLES.
Supported metrics right now as follows.
Global:
fortigate_version_infofortigate_cpu_usage_ratiofortigate_memory_usage_ratiofortigate_current_sessionsfortigate_license_vdom_usagefortigate_license_vdom_max
Per-VDOM:
fortigate_vdom_cpu_usage_ratiofortigate_vdom_memory_usage_ratiofortigate_vdom_current_sessionsfortigate_policy_active_sessionsfortigate_policy_bytes_totalfortigate_policy_hit_count_totalfortigate_policy_packets_totalfortigate_interface_link_upfortigate_interface_speed_bpsfortigate_interface_transmit_packets_totalfortigate_interface_receive_packets_totalfortigate_interface_transmit_bytes_totalfortigate_interface_receive_bytes_totalfortigate_interface_transmit_errors_totalfortigate_interface_receive_errors_totalfortigate_vpn_connectionsfortigate_ipsec_tunnel_receive_bytes_totalfortigate_ipsec_tunnel_transmit_bytes_totalfortigate_ipsec_tunnel_up
Per-HA-Member and VDOM:
fortigate_ha_member_infofortigate_ha_member_cpu_usage_ratiofortigate_ha_member_memory_usage_ratiofortigate_ha_member_network_usage_ratiofortigate_ha_member_sessionsfortigate_ha_member_packets_totalfortigate_ha_member_virus_events_totalfortigate_ha_member_bytes_totalfortigate_ha_member_ips_events_total
Per-Link and VDOM:
fortigate_link_statusfortigate_link_latency_secondsfortigate_link_latency_jitter_secondsfortigate_link_packet_loss_ratiofortigate_link_packet_sent_totalfortigate_link_packet_received_totalfortigate_link_active_sessionsfortigate_link_bandwidth_tx_byte_per_secondfortigate_link_bandwidth_rx_byte_per_secondfortigate_link_status_change_time_seconds
Per-SDWAN and VDOM:
fortigate_virtual_wan_statusfortigate_virtual_wan_latency_secondsfortigate_virtual_wan_latency_jitter_secondsfortigate_virtual_wan_packet_loss_ratiofortigate_virtual_wan_packet_sent_totalfortigate_virtual_wan_packet_received_totalfortigate_virtual_wan_active_sessionsfortigate_virtual_wan_bandwidth_tx_byte_per_secondfortigate_virtual_wan_bandwidth_rx_byte_per_secondfortigate_virtual_wan_status_change_time_seconds
Per-VirtualServer and VDOM:
fortigate_lb_virtual_server_info
Per-RealServer for each VirtualServer and VDOM:
fortigate_lb_real_server_infofortigate_lb_real_server_modefortigate_lb_real_server_statusfortigate_lb_real_server_active_sessionsfortigate_lb_real_server_rtt_secondsfortigate_lb_real_server_processed_bytes_total
Per-Certificate
fortigate_certificate_infofortigate_certificate_valid_from_secondsfortigate_certificate_valid_to_secondsfortigate_certificate_cmdb_references
Example:
$ ./fortigate_exporter -auth-file ~/fortigate-key.yaml
# or
$ docker run -d -p 9710:9710 -v /path/to/fortigate-key.yaml:/config/fortigate-key.yaml quay.io/bluecmd/fortigate_exporter:master
Where fortigate-key.yaml contains pairs of Fortigate targets and API keys in the following format:
"https://my-fortigate":
token: api-key-goes-here
"https://my-other-fortigate:8443":
token: api-key-goes-here
NOTE: Currently only token authentication is supported. Fortigate does not allow usage of tokens on non-HTTPS connections, which means that currently you need HTTPS to be configured properly.
To probe a Fortigate, do something like curl 'localhost:9710/probe?target=https://my-fortigate'
| flag | default value | description |
|---|---|---|
| -auth-file | /config/fortigate-key.yaml | path to the location of the key file |
| -listen | :9710 | address to listen for incoming requests |
| -scrape-timeout | 30 | timeout in seconds |
| -https-timeout | 10 | timeout in seconds for establishment of HTTPS connections |
| -insecure | false | allows to turn off security validation of TLS certificates |
| -extra-ca-certs | (none) | comma-separated files containing extra PEMs to trust for TLS connections in addition to the system trust store |
The following example Admin Profile describes the permissions that needs to be granted to the monitor user in order for all metrics to be available. If you omit to grant some of these permissions you will receive log messages warning about 403 errors and relevant metrics will be unavailable, but other metrics will still work.
config system accprofile
edit "monitor"
set scope global
set secfabgrp read
set netgrp custom
# As of FortiOS 6.2.1 it seems `fwgrp-permissions.other` is removed,
# use 'fwgrp read' to get load balance servers metrics
set fwgrp custom
set vpngrp read
set system-diagnostics disable
config netgrp-permission
set cfg read
end
config sysgrp-permission
# Sysgrp.cfg is needed for the following optional functions:
# - HA group name
# If you do not wish to grant this permission, the relevant
# labels/metrics will be absent.
set cfg read
end
config fwgrp-permission
set policy read
# fwgrp.other is need for load balance servers
# set other read
end
next
end
An example configuration for Prometheus looks something like this:
- job_name: 'fortigate_exporter'
metrics_path: /probe
static_configs:
- targets:
- https://my-fortigate
- https://my-other-fortigate:8443
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
# Drop the https:// and port (if specified) for the 'instance=' label
regex: '(?:.+)(?::\/\/)([^:]*).*'
- target_label: __address__
replacement: '[::1]:9710'You can either use the automatic builds on quay.io or build yourself like this:
docker build -t fortigate_exporter .
docker run -d -p 9710:9710 -v /path/to/fortigate-key.yaml:/config/fortigate-key.yaml fortigate_exporterprometheus_fortigate_exporter:
build: ./
ports:
- 9710:9710
volumes:
- /path/to/fortigate-key.yaml:/config/fortigate-key.yaml
# Applying multiple parameters
command: ["-auth-file", "/config/fortigate-key.yaml", "-insecure", "true"]
restart: unless-stoppedThis is a collection of known issues that for some reason cannot be fixed, but might be possible to work around.
- Probing causing httpsd memory leak in FortiOS 6.2.x (Workaround)
Please file an issue describing what metrics you'd like to see. Include as much details as possible please, e.g. how the perfect Prometheus metric would look for your use-case.
An alternative to using this exporter is to use generic SNMP polling, e.g. using a Prometheus SNMP exporter (official, alternative). Note that there are limitations (e.g. 1) in what Fortigate supports querying via SNMP.