Prometheus exporter for FortiGate® firewalls.
NOTE: This is not an official Fortinet product, it is developed fully independently by professionals and hobbyists alike.
Right now the exporter supports a quite limited set of metrics, but it is very easy to add! Open an issue if your favorite metric is missing.
For example PromQL usage, see EXAMPLES.
The currently supported metrics are as follows.
Global:
- System/SensorInfo
  - `fortigate_sensor_fan_rpm`
  - `fortigate_sensor_temperature_celsius`
  - `fortigate_sensor_voltage_volts`
- System/Status
  - `fortigate_version_info`
- System/Time/Clock
  - `fortigate_time_seconds`
- System/Resource/Usage
  - `fortigate_cpu_usage_ratio`
  - `fortigate_memory_usage_ratio`
  - `fortigate_current_sessions`
- System/HAChecksums
  - `fortigate_ha_member_has_role`
- License/Status
  - `fortigate_license_vdom_usage`
  - `fortigate_license_vdom_max`
- WebUI/State
  - `fortigate_last_reboot_seconds`
  - `fortigate_last_snapshot_seconds`

Per-VDOM:
- System/VDOMResources
  - `fortigate_vdom_cpu_usage_ratio`
  - `fortigate_vdom_memory_usage_ratio`
  - `fortigate_vdom_current_sessions`
- Firewall/Policies
  - `fortigate_policy_active_sessions`
  - `fortigate_policy_bytes_total`
  - `fortigate_policy_hit_count_total`
  - `fortigate_policy_packets_total`
- System/Fortimanager/Status
  - `fortigate_fortimanager_connection_status`
  - `fortigate_fortimanager_registration_status`
- System/Interface
  - `fortigate_interface_link_up`
  - `fortigate_interface_speed_bps`
  - `fortigate_interface_transmit_packets_total`
  - `fortigate_interface_receive_packets_total`
  - `fortigate_interface_transmit_bytes_total`
  - `fortigate_interface_receive_bytes_total`
  - `fortigate_interface_transmit_errors_total`
  - `fortigate_interface_receive_errors_total`
- User/Fsso
  - `fortigate_user_fsso_info`
- VPN/Ssl/Connections
  - `fortigate_vpn_connections`
  - `fortigate_vpn_users`
- VPN/Ssl/Stats
  - `fortigate_vpn_ssl_users`
  - `fortigate_vpn_ssl_tunnels`
  - `fortigate_vpn_ssl_connections`
- VPN/IPSec
  - `fortigate_ipsec_tunnel_receive_bytes_total`
  - `fortigate_ipsec_tunnel_transmit_bytes_total`
  - `fortigate_ipsec_tunnel_up`
- Wifi/APStatus
  - `fortigate_wifi_access_points`
  - `fortigate_wifi_fabric_clients`
  - `fortigate_wifi_fabric_max_allowed_clients`
- Log/Fortianalyzer/Status
  - `fortigate_log_fortianalyzer_registration_info`
  - `fortigate_log_fortianalyzer_logs_received`
- Log/Fortianalyzer/Queue
  - `fortigate_log_fortianalyzer_queue_connections`
  - `fortigate_log_fortianalyzer_queue_logs`
- Log/DiskUsage
  - `fortigate_log_disk_used_bytes`
  - `fortigate_log_disk_total_bytes`

Per-HA-Member and VDOM:
- System/HAStatistics
  - `fortigate_ha_member_info`
  - `fortigate_ha_member_cpu_usage_ratio`
  - `fortigate_ha_member_memory_usage_ratio`
  - `fortigate_ha_member_network_usage_ratio`
  - `fortigate_ha_member_sessions`
  - `fortigate_ha_member_packets_total`
  - `fortigate_ha_member_virus_events_total`
  - `fortigate_ha_member_bytes_total`
  - `fortigate_ha_member_ips_events_total`

Per-Link and VDOM:
- System/LinkMonitor
  - `fortigate_link_status`
  - `fortigate_link_latency_seconds`
  - `fortigate_link_latency_jitter_seconds`
  - `fortigate_link_packet_loss_ratio`
  - `fortigate_link_packet_sent_total`
  - `fortigate_link_packet_received_total`
  - `fortigate_link_active_sessions`
  - `fortigate_link_bandwidth_tx_byte_per_second`
  - `fortigate_link_bandwidth_rx_byte_per_second`
  - `fortigate_link_status_change_time_seconds`

Per-SDWAN and VDOM:
- VirtualWAN/HealthCheck
  - `fortigate_virtual_wan_status`
  - `fortigate_virtual_wan_latency_seconds`
  - `fortigate_virtual_wan_latency_jitter_seconds`
  - `fortigate_virtual_wan_packet_loss_ratio`
  - `fortigate_virtual_wan_packet_sent_total`
  - `fortigate_virtual_wan_packet_received_total`
  - `fortigate_virtual_wan_active_sessions`
  - `fortigate_virtual_wan_bandwidth_tx_byte_per_second`
  - `fortigate_virtual_wan_bandwidth_rx_byte_per_second`
  - `fortigate_virtual_wan_status_change_time_seconds`

Per-BGP-Neighbor and VDOM:
- BGP/Neighbors/IPv4
  - `fortigate_bgp_neighbor_ipv4_info`
- BGP/Neighbors/IPv6
  - `fortigate_bgp_neighbor_ipv6_info`
- BGP/NeighborPaths/IPv4
  - `fortigate_bgp_neighbor_ipv4_paths`
  - `fortigate_bgp_neighbor_ipv4_best_paths`
- BGP/NeighborPaths/IPv6
  - `fortigate_bgp_neighbor_ipv6_paths`
  - `fortigate_bgp_neighbor_ipv6_best_paths`

Per-VirtualServer and VDOM:
- Firewall/LoadBalance
  - `fortigate_lb_virtual_server_info`

Per-RealServer for each VirtualServer and VDOM:
- Firewall/LoadBalance
  - `fortigate_lb_real_server_info`
  - `fortigate_lb_real_server_mode`
  - `fortigate_lb_real_server_status`
  - `fortigate_lb_real_server_active_sessions`
  - `fortigate_lb_real_server_rtt_seconds`
  - `fortigate_lb_real_server_processed_bytes_total`

Per-Certificate:
- System/AvailableCertificates
  - `fortigate_certificate_info`
  - `fortigate_certificate_valid_from_seconds`
  - `fortigate_certificate_valid_to_seconds`
  - `fortigate_certificate_cmdb_references`

Per-VDOM and Wifi-Client:
- Wifi/Clients
  - `fortigate_wifi_client_info`
  - `fortigate_wifi_client_data_rate_bps`
  - `fortigate_wifi_client_bandwidth_rx_bps`
  - `fortigate_wifi_client_bandwidth_tx_bps`
  - `fortigate_wifi_client_signal_strength_dBm`
  - `fortigate_wifi_client_signal_noise_dBm`
  - `fortigate_wifi_client_tx_discard_ratio`
  - `fortigate_wifi_client_tx_retries_ratio`

Per-VDOM and managed access point:
- Wifi/ManagedAP
  - `fortigate_wifi_managed_ap_info`
  - `fortigate_wifi_managed_ap_join_time_seconds`
  - `fortigate_wifi_managed_ap_cpu_usage_ratio`
  - `fortigate_wifi_managed_ap_memory_free_bytes`
  - `fortigate_wifi_managed_ap_memory_bytes_total`

Per-VDOM, managed access point and radio:
- Wifi/ManagedAP
  - `fortigate_wifi_managed_ap_radio_info`
  - `fortigate_wifi_managed_ap_radio_client_count`
  - `fortigate_wifi_managed_ap_radio_operating_tx_power_ratio`
  - `fortigate_wifi_managed_ap_radio_operating_channel_utilization_ratio`
  - `fortigate_wifi_managed_ap_radio_bandwidth_rx_bps`
  - `fortigate_wifi_managed_ap_radio_rx_bytes_total`
  - `fortigate_wifi_managed_ap_radio_tx_bytes_total`
  - `fortigate_wifi_managed_ap_radio_interfering_aps`
  - `fortigate_wifi_managed_ap_radio_tx_power_ratio`
  - `fortigate_wifi_managed_ap_radio_tx_discard_ratio`
  - `fortigate_wifi_managed_ap_radio_tx_retries_ratio`

Per-VDOM, managed access point and interface:
- Wifi/ManagedAP
  - `fortigate_wifi_managed_ap_interface_rx_bytes_total`
  - `fortigate_wifi_managed_ap_interface_tx_bytes_total`
  - `fortigate_wifi_managed_ap_interface_rx_packets_total`
  - `fortigate_wifi_managed_ap_interface_tx_packets_total`
  - `fortigate_wifi_managed_ap_interface_rx_errors_total`
  - `fortigate_wifi_managed_ap_interface_tx_errors_total`
  - `fortigate_wifi_managed_ap_interface_rx_dropped_packets_total`
  - `fortigate_wifi_managed_ap_interface_tx_dropped_packets_total`

Per-VDOM, managed switch and interface:
- Switch/ManagedSwitch
  - `fortigate_managed_switch_collisions_total`
  - `fortigate_managed_switch_crc_alignments_total`
  - `fortigate_managed_switch_fragments_total`
  - `fortigate_managed_switch_info`
  - `fortigate_managed_switch_jabbers_total`
  - `fortigate_managed_switch_l3_packets_total`
  - `fortigate_managed_switch_max_poe_budget_watt`
  - `fortigate_managed_switch_port_info`
  - `fortigate_managed_switch_port_power_status`
  - `fortigate_managed_switch_port_power_watt`
  - `fortigate_managed_switch_port_status`
  - `fortigate_managed_switch_rx_bcast_packets_total`
  - `fortigate_managed_switch_rx_bytes_total`
  - `fortigate_managed_switch_rx_drops_total`
  - `fortigate_managed_switch_rx_errors_total`
  - `fortigate_managed_switch_rx_mcast_packets_total`
  - `fortigate_managed_switch_rx_oversize_total`
  - `fortigate_managed_switch_rx_packets_total`
  - `fortigate_managed_switch_rx_ucast_packets_total`
  - `fortigate_managed_switch_tx_bcast_packets_total`
  - `fortigate_managed_switch_tx_bytes_total`
  - `fortigate_managed_switch_tx_drops_total`
  - `fortigate_managed_switch_tx_errors_total`
  - `fortigate_managed_switch_tx_mcast_packets_total`
  - `fortigate_managed_switch_tx_oversize_total`
  - `fortigate_managed_switch_tx_packets_total`
  - `fortigate_managed_switch_tx_ucast_packets_total`
  - `fortigate_managed_switch_under_size_total`
Example:

```shell
$ ./fortigate_exporter -auth-file ~/fortigate-key.yaml
# or
$ docker run -d -p 9710:9710 -v /path/to/fortigate-key.yaml:/config/fortigate-key.yaml quay.io/bluecmd/fortigate_exporter:master
```

Where `fortigate-key.yaml` contains pairs of FortiGate targets and API keys in the following format:

```yaml
"https://my-fortigate":
  token: api-key-goes-here
  # If you have a smaller FortiGate unit you might want
  # to exclude sensors as they do not have any
  probes:
    exclude:
      - System/SensorInfo
"https://my-other-fortigate:8443":
  token: api-key-goes-here
```
NOTE: Currently only token authentication is supported. FortiGate does not allow usage of tokens on non-HTTPS connections, which means that currently you need HTTPS to be configured properly.
You can select which probes you want to run on a per-target basis.

- Probes can be included or excluded under the optional `probes` section by defining `include` and/or `exclude` lists.
- Each probe name that the fortigate exporter can run is compared against the `include`/`exclude` lists.
- Inclusion/exclusion of a probe is based on a prefix match: a probe is included/excluded when its name starts with one of the list entries (so an entry can be a full probe name or a leading part of it).
- Prefix match is case sensitive.
- The `include` list is evaluated before the `exclude` list, therefore the `exclude` list can exclude a previously included probe.
Example:

```yaml
"https://my-fortigate":
  token: api-key-goes-here
  probes:
    include:
      - System
      - VPN
      - Firewall/Policies
  # Include only probes with name starting with: System or VPN + probe: Firewall/Policies
  # Other probes are excluded because they were not explicitly included
"https://my-other-fortigate:8443":
  token: api-key-goes-here
  probes:
    exclude:
      - Wifi
      - Firewall/LoadBalance
  # Exclude probes with name starting with: Wifi + probe: Firewall/LoadBalance
  # All other probes are included by default because the include list is empty
"https://my-other-other-fortigate:8443":
  token: api-key-goes-here
  probes:
    include:
      - System
      - Firewall
    exclude:
      - System/LinkMonitor
  # Include probes with name starting with: System and Firewall
  # Then exclude probe: System/LinkMonitor
```
Special cases:

- If `probes` isn't set or is empty, all probes will be run against the target.
- If the `include` list is empty, by default all probes will be selected to be run against the target.
- If `include` contains an entry `- ''`, then all probes are included (equivalent to not defining `include`).
- If `exclude` contains an entry `- ''`, then all probes are excluded (equivalent to not defining the target).
To probe a FortiGate, do something like:

```shell
curl 'localhost:9710/probe?target=https://my-fortigate'
```
In use cases where the FortiGates to be scraped through the fortigate-exporter are configured in
Prometheus using some discovery method, it becomes problematic that the fortigate-key.yaml configuration also
has to be updated for each FortiGate, and that the fortigate-exporter needs to be restarted on each change.
For that scenario the token can be passed to the exporter as a query parameter, `token`, on the probe request.
Example:

```shell
curl 'localhost:9710/probe?target=https://192.168.2.31&token=ghi6eItWzWewgbrFMsazvBVwDjZzzb'
```

It is also possible to pass a `profile` query parameter. The value will match an entry in the fortigate-key.yaml
file, but only the `probes` section of that entry is used, for its include/exclude directives.
Example:

```shell
curl 'localhost:9710/probe?target=https://192.168.2.31&token=ghi6eItWzWewgbrFMsazvBVwDjZzzb&profile=fs124e'
```

The `profile=fs124e` would match the following entry in fortigate-key.yaml.
Example:

```yaml
fs124e:
  # token: not used
  probes:
    include:
      - System
      - Firewall
    exclude:
      - System/LinkMonitor
```

Command-line flags:

| flag | default value | description |
|---|---|---|
| -auth-file | fortigate-key.yaml | path to the location of the key file |
| -listen | :9710 | address to listen for incoming requests |
| -scrape-timeout | 30 | timeout in seconds |
| -https-timeout | 10 | timeout in seconds for establishment of HTTPS connections |
| -insecure | not set | allows to turn off security validation of TLS certificates |
| -extra-ca-certs | (none) | comma-separated files containing extra PEMs to trust for TLS connections in addition to the system trust store |
| -max-bgp-paths | 10000 | Sets maximum amount of BGP paths to fetch, value is per IP stack version (IPv4 & IPv6) |
| -max-vpn-users | 0 | Sets maximum amount of VPN users to fetch (0 eq. none by default) |

Read permission is enough for the FortiGate exporter's purposes. To improve security, grant only the permissions that the probes you run actually require (least privilege principle).

| probe name | permission | API URL |
|---|---|---|
| Default Global | any | api/v2/monitor/system/status |
| BGP/NeighborPaths/IPv4 | netgrp.route-cfg | api/v2/monitor/router/bgp/paths |
| BGP/NeighborPaths/IPv6 | netgrp.route-cfg | api/v2/monitor/router/bgp/paths6 |
| BGP/Neighbors/IPv4 | netgrp.route-cfg | api/v2/monitor/router/bgp/neighbors |
| BGP/Neighbors/IPv6 | netgrp.route-cfg | api/v2/monitor/router/bgp/neighbors6 |
| Firewall/LoadBalance | fwgrp.others | api/v2/monitor/firewall/load-balance |
| Firewall/Policies | fwgrp.policy | api/v2/monitor/firewall/policy/select api/v2/monitor/firewall/policy6/select api/v2/cmdb/firewall/policy api/v2/cmdb/firewall/policy6 |
| License/Status | any | api/v2/monitor/license/status/select |
| Log/Fortianalyzer/Status | loggrp.config | api/v2/monitor/log/fortianalyzer |
| Log/Fortianalyzer/Queue | loggrp.config | api/v2/monitor/log/fortianalyzer-queue |
| Log/DiskUsage | loggrp.config | api/v2/monitor/log/current-disk-usage |
| System/AvailableCertificates | any | api/v2/monitor/system/available-certificates |
| System/Fortimanager/Status | sysgrp.cfg | api/v2/monitor/system/fortimanager/status |
| System/HAStatistics | sysgrp.cfg | api/v2/monitor/system/ha-statistics api/v2/cmdb/system/ha |
| System/Interface | netgrp.cfg | api/v2/monitor/system/interface/select |
| System/LinkMonitor | sysgrp.cfg | api/v2/monitor/system/link-monitor |
| System/Resource/Usage | sysgrp.cfg | api/v2/monitor/system/resource/usage |
| System/SensorInfo | sysgrp.cfg | api/v2/monitor/system/sensor-info |
| System/Status | any | api/v2/monitor/system/status |
| System/Time/Clock | sysgrp.cfg | api/v2/monitor/system/time |
| System/VDOMResources | sysgrp.cfg | api/v2/monitor/system/resource/usage |
| User/Fsso | authgrp | api/v2/monitor/user/fsso |
| VPN/IPSec | vpngrp | api/v2/monitor/vpn/ipsec |
| VPN/Ssl/Connections | vpngrp | api/v2/monitor/vpn/ssl |
| VPN/Ssl/Stats | vpngrp | api/v2/monitor/vpn/ssl/stats |
| VirtualWAN/HealthCheck | netgrp.cfg | api/v2/monitor/virtual-wan/health-check |
| Wifi/APStatus | wifi | api/v2/monitor/wifi/ap_status |
| Wifi/Clients | wifi | api/v2/monitor/wifi/client |
| Wifi/ManagedAP | wifi | api/v2/monitor/wifi/managed_ap |
| Switch/ManagedSwitch | switch | api/v2/monitor/switch-controller/managed-switch |

If you omit to grant some of these permissions you will receive log messages warning about 403 errors and the relevant metrics will be unavailable, but other metrics will still work.
If you do not need some probes to be run, do not grant permission for them and use the include/exclude feature (see the Usage section).
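To make the relationship between the include/exclude rules (Usage section) and the permission table above concrete, here is an added example script; it is not part of the fortigate_exporter project. It re-implements the documented probe selection rules (case-sensitive prefix match, `include` evaluated before `exclude`, `''` matching everything, missing or empty `probes` meaning all probes) and pairs them with the probe-to-permission mapping copied from the table, so that for a given target config and a given set of granted permissions you can see offline which probes would run, which of them would be denied (and produce the 403 warnings mentioned above), and the minimal permission set for the probes you actually selected. The sample config and the granted-permission set at the bottom are constructed for illustration.

```python
"""Offline check of fortigate_exporter probe selection against an admin profile.

Added example, not the exporter's own code. Implements the README's
include/exclude rules and the README's probe -> permission table.
"""
from typing import Dict, Iterable, List, Optional, Set

# Probe -> permission group, copied from the README table.
# "any" means the probe needs no specific access-profile permission.
PROBE_PERMISSION: Dict[str, str] = {
    "BGP/NeighborPaths/IPv4": "netgrp.route-cfg",
    "BGP/NeighborPaths/IPv6": "netgrp.route-cfg",
    "BGP/Neighbors/IPv4": "netgrp.route-cfg",
    "BGP/Neighbors/IPv6": "netgrp.route-cfg",
    "Firewall/LoadBalance": "fwgrp.others",
    "Firewall/Policies": "fwgrp.policy",
    "License/Status": "any",
    "Log/Fortianalyzer/Status": "loggrp.config",
    "Log/Fortianalyzer/Queue": "loggrp.config",
    "Log/DiskUsage": "loggrp.config",
    "System/AvailableCertificates": "any",
    "System/Fortimanager/Status": "sysgrp.cfg",
    "System/HAStatistics": "sysgrp.cfg",
    "System/Interface": "netgrp.cfg",
    "System/LinkMonitor": "sysgrp.cfg",
    "System/Resource/Usage": "sysgrp.cfg",
    "System/SensorInfo": "sysgrp.cfg",
    "System/Status": "any",
    "System/Time/Clock": "sysgrp.cfg",
    "System/VDOMResources": "sysgrp.cfg",
    "User/Fsso": "authgrp",
    "VPN/IPSec": "vpngrp",
    "VPN/Ssl/Connections": "vpngrp",
    "VPN/Ssl/Stats": "vpngrp",
    "VirtualWAN/HealthCheck": "netgrp.cfg",
    "Wifi/APStatus": "wifi",
    "Wifi/Clients": "wifi",
    "Wifi/ManagedAP": "wifi",
    "Switch/ManagedSwitch": "switch",
}
ALL_PROBES: List[str] = sorted(PROBE_PERMISSION)


def _matches(probe: str, prefixes: Iterable[str]) -> bool:
    """Case-sensitive prefix match; an empty prefix ('') matches every probe."""
    return any(probe.startswith(p) for p in prefixes)


def select_probes(probes_cfg: Optional[dict], all_probes: List[str] = ALL_PROBES) -> List[str]:
    """Apply the README's include/exclude rules for one target's 'probes' section."""
    if not probes_cfg:                              # 'probes' missing or empty: run everything
        return list(all_probes)
    include = probes_cfg.get("include") or []       # empty include list: everything selected
    exclude = probes_cfg.get("exclude") or []
    selected = [p for p in all_probes if not include or _matches(p, include)]
    return [p for p in selected if not _matches(p, exclude)]   # exclude is applied last


def unpermitted_probes(probes_cfg: Optional[dict], granted: Set[str]) -> List[str]:
    """Selected probes whose permission the admin profile does not grant.

    The exporter would still call these and log 403 warnings for them."""
    return [p for p in select_probes(probes_cfg)
            if PROBE_PERMISSION[p] != "any" and PROBE_PERMISSION[p] not in granted]


def required_permissions(probes_cfg: Optional[dict]) -> Set[str]:
    """Least-privilege permission set for the probes a config actually selects."""
    return {PROBE_PERMISSION[p] for p in select_probes(probes_cfg)} - {"any"}


# Constructed example: the third target from the README's include/exclude example,
# checked against a hypothetical admin profile that only grants sysgrp.cfg.
EXAMPLE_CFG = {"include": ["System", "Firewall"], "exclude": ["System/LinkMonitor"]}
EXAMPLE_GRANTED = {"sysgrp.cfg"}

if __name__ == "__main__":
    print("selected:", select_probes(EXAMPLE_CFG))
    print("will 403:", unpermitted_probes(EXAMPLE_CFG, EXAMPLE_GRANTED))
    print("needs:   ", sorted(required_permissions(EXAMPLE_CFG)))
```

Running it reports that the sample config selects the two Firewall probes and nine System probes, that `Firewall/LoadBalance`, `Firewall/Policies` and `System/Interface` would be denied with only `sysgrp.cfg` granted, and that `fwgrp.others`, `fwgrp.policy`, `netgrp.cfg` and `sysgrp.cfg` are the permissions the selected probes need. The exporter itself does not read this script; it is only a way to reason about a config and an admin profile before deploying them.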
The following example Admin Profile describes the permissions that need to be granted to the monitor user in order for all metrics to be available.

```
config system accprofile
    edit "monitor"
        # global scope will fail on non multi-VDOM firewall
        set scope global
        set authgrp read
        # As of FortiOS 6.2.1 it seems `fwgrp-permissions.other` is removed,
        # use 'fwgrp read' to get load balance servers metrics
        set fwgrp custom
        set loggrp custom
        set netgrp custom
        set sysgrp custom
        set vpngrp read
        set wifi read
        # will fail for most recent FortiOS
        set system-diagnostics disable
        config fwgrp-permission
            set policy read
            set others read
        end
        config netgrp-permission
            set cfg read
            set route-cfg read
        end
        config loggrp-permission
            set config read
        end
        config sysgrp-permission
            set cfg read
        end
    next
end
```
An example configuration for Prometheus looks something like this:

```yaml
  - job_name: 'fortigate_exporter'
    metrics_path: /probe
    static_configs:
      - targets:
        - https://my-fortigate
        - https://my-other-fortigate:8443
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
        # Drop the https:// and port (if specified) for the 'instance=' label
        regex: '(?:.+)(?::\/\/)([^:]*).*'
      - target_label: __address__
        replacement: '[::1]:9710'
```

If using dynamic configuration:
```yaml
  - job_name: 'fortigate_exporter'
    metrics_path: /probe
    file_sd_configs:
      - files:
        - /etc/prometheus/file_sd/fws/*.yml
    params:
      profile:
        - fs124e
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [token]
        target_label: __param_token
      - source_labels: [__param_target]
        regex: '(?:.+)(?::\/\/)([^:]*).*'
        target_label: instance
      - target_label: __address__
        replacement: '[::1]:9710'
      - action: labeldrop
        regex: token
```

Make sure to use the last `labeldrop` on the `token` label so that the token does not become part of your time series.
Since `token` is a label it will be shown in the Prometheus web GUI at `http://<your prometheus>:9090/targets`. Make sure you protect your Prometheus if you add the token as part of your Prometheus config.
Some options to protect Prometheus:

- Only expose the UI to localhost: `--web.listen-address="127.0.0.1:9090"`
- Basic authentication access: https://prometheus.io/docs/guides/basic-auth/
- It is your responsibility!
You can either use the automatic builds on quay.io or build yourself like this:

```shell
docker build -t fortigate_exporter .
docker run -d -p 9710:9710 -v /path/to/fortigate-key.yaml:/config/fortigate-key.yaml fortigate_exporter
```

The equivalent docker-compose service definition:

```yaml
prometheus_fortigate_exporter:
  build: ./
  ports:
    - 9710:9710
  volumes:
    - /path/to/fortigate-key.yaml:/config/fortigate-key.yaml
  # Applying multiple parameters
  command: ["-auth-file", "/config/fortigate-key.yaml", "-insecure"]
  restart: unless-stopped
```

This is a collection of known issues that for some reason cannot be fixed, but might be possible to work around.
- Probing causing httpsd memory leak in FortiOS 6.2.x (Workaround)
Please file an issue describing what metrics you'd like to see. Include as many details as possible, e.g. how the perfect Prometheus metric would look for your use case.
An alternative to using this exporter is to use generic SNMP polling, e.g. using a Prometheus SNMP exporter (official, alternative). Note that there are limitations (e.g. 1) in what FortiGate supports querying via SNMP.
Fortinet®, and FortiGate® are registered trademarks of Fortinet, Inc.
This is not an official Fortinet product.