Áú»¢¶Ä²©

Fortinet

Fortinet

Fortinet develops and sells cybersecurity solutions, including but not limited to physical products such as firewalls, plus software and services such as anti-virus protection, intrusion prevention systems and endpoint security components.

Dostupn¨¢ ?±ð?±ð²Ô¨ª




This template is for Áú»¢¶Ä²© version: 7.2
Also available for: 7.0 6.4 6.0

Source:

FortiGate by HTTP

Overview

This template is designed for the effortless deployment of FortiGate monitoring by Áú»¢¶Ä²© via HTTP and doesn't require any external scripts.

Requirements

Áú»¢¶Ä²© version: 7.2 and higher.

Tested versions

This template has been tested on:

  • FortiGate v7.4.0

Configuration

Áú»¢¶Ä²© should be configured according to the instructions in the Templates out of the box section.

Setup

  1. On the FortiGate GUI, select System > Admin Profiles > Create New.
  2. Enter a profile name (ex. zabbix_ro) and enable all the Read permissions. Please note the profile name, it will be used a bit later.
  3. Go to System > Administrators > Create New > REST API Admin.
  4. Enter the API-user's name and select the profile name you created in step 2.
  5. The trusted host can be specified to ensure that only Áú»¢¶Ä²© server can reach the FortiGate.
  6. Click OK and an API token will be generated. Make a note of the API token as it's only shown once and cannot be retrieved.
  7. Put the API token into {$FGATE.API.TOKEN} macro.
  8. Set your FortiGate GUI IP/FQDN as {$FGATE.API.FQDN} macro value.
  9. If FortiGate GUI uses HTTPS, put https value into {$FGATE.SCHEME} macro and 443 into {$FGATE.API.PORT} macro.
  10. If FortiGate GUI port differs from the standard one, specify it in {$FGATE.API.PORT} macro.

Please, refer to the about the FortiGate REST API Authentication.

Macros used

Name Description Default
{$FGATE.SCHEME}

Request scheme which may be http or https.

 http
{$FGATE.API.FQDN}

FortiGate API FQDN/IP (ex. ngfw.example.com).
{$FGATE.API.TOKEN}

FortiGate API token.
{$FGATE.API.PORT}

The port of FortiGate API endpoint.

 80
{$FGATE.DATA.TIMEOUT}

Response timeout for an API.

 15s
{$FGATE.HTTP.PROXY}

HTTP proxy for API requests. You can specify it using the format [protocol://][username[:password]@]proxy.example.com[:port]. See the documentation at /documentation/7.2/manual/config/items/itemtypes/http
{$FIRMWARE.UPDATES.CONTROL}

This macro is used in "New available firmware found" trigger.

 1
{$CPU.UTIL.WARN}

Threshold of CPU utilization for warning trigger in %.

 85
{$CPU.UTIL.CRIT}

Threshold of CPU utilization for critical trigger in %.

 95
{$MEMORY.UTIL.WARN}

Threshold of memory utilization for warning trigger in %.

 80
{$MEMORY.UTIL.CRIT}

Threshold of memory utilization for critical trigger in %.

 90
{$DISK.FREE.WARN}

Threshold of disk free space for warning trigger in %.

 20
{$DISK.FREE.CRIT}

Threshold of disk free space for critical trigger in %.

 10
{$NET.IF.CONTROL}

Macro for operational state of the interface for "Link down" trigger. Can be used with interface name as context.

 1
{$NET.IF.ERRORS.WARN}

Threshold of error packets rate for warning trigger. Can be used with interface name as context.

 2
{$NET.IF.UTIL.MAX}

Threshold of interface bandwidth utilization for warning trigger in %. Can be used with interface name as context.

 95
{$NET.IF.IFDESCR.MATCHES}

This macro is used in Network interfaces discovery. Can be overridden on the host or linked template level.

 .*
{$NET.IF.IFDESCR.NOT_MATCHES}

This macro is used in Network interfaces discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$NET.IF.IFNAME.MATCHES}

This macro is used in Network interfaces discovery. Can be overridden on the host or linked template level.

 .*
{$NET.IF.IFNAME.NOT_MATCHES}

This macro is used in Network interfaces discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$NET.IF.IFTYPE.MATCHES}

This macro is used in Network interfaces discovery. Can be overridden on the host or linked template level.

 .*
{$NET.IF.IFTYPE.NOT_MATCHES}

This macro is used in Network interfaces discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$NET.IF.IFALIAS.MATCHES}

This macro is used in Network interfaces discovery. Can be overridden on the host or linked template level.

 .*
{$NET.IF.IFALIAS.NOT_MATCHES}

This macro is used in Network interfaces discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$NET.IF.IFSTATUS.MATCHES}

This macro is used in Network interfaces discovery. Can be overridden on the host or linked template level.

 .*
{$NET.IF.IFSTATUS.NOT_MATCHES}

This macro is used in Network interfaces discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$FWP.FWACTION.MATCHES}

This macro is used in Firewall policies discovery. Can be overridden on the host or linked template level.

 .*
{$FWP.FWACTION.NOT_MATCHES}

This macro is used in Firewall policies discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$FWP.FWTYPE.MATCHES}

This macro is used in Firewall policies discovery. Can be overridden on the host or linked template level.

 .*
{$FWP.FWTYPE.NOT_MATCHES}

This macro is used in Firewall policies discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$FWP.FWNAME.MATCHES}

This macro is used in Firewall policies discovery. Can be overridden on the host or linked template level.

 .*
{$FWP.FWNAME.NOT_MATCHES}

This macro is used in Firewall policies discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$SERVICE.EXPIRY.WARN}

Number of days until the license expires.

 7
{$SERVICE.LICENSE.CONTROL}

This macro is used in Service discovery. Can be used with interface name as context.

 1
{$SERVICE.KEY.MATCHES}

This macro is used in Service discovery. Can be overridden on the host or linked template level.

 .*
{$SERVICE.KEY.NOT_MATCHES}

This macro is used in Service discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$SERVICE.STATUS.MATCHES}

This macro is used in Service discovery. Can be overridden on the host or linked template level.

 .*
{$SERVICE.STATUS.NOT_MATCHES}

This macro is used in Service discovery. Can be overridden on the host or linked template level.

 (no_support|no_license)
{$SERVICE.TYPE.MATCHES}

This macro is used in Service discovery. Can be overridden on the host or linked template level.

 .*
{$SERVICE.TYPE.NOT_MATCHES}

This macro is used in Service discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$SDWAN.MEMBER.IF.CONTROL}

Macro for the interface state for "Link down" trigger. Can be used with interface name as context.

 1
{$SDWAN.MEMBER.ID.MATCHES}

This macro is used in SD-WAN members discovery. Can be overridden on the host or linked template level.

 .*
{$SDWAN.MEMBER.ID.NOT_MATCHES}

This macro is used in SD-WAN members discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$SDWAN.MEMBER.NAME.MATCHES}

This macro is used in SD-WAN members discovery. Can be overridden on the host or linked template level.

 .*
{$SDWAN.MEMBER.NAME.NOT_MATCHES}

This macro is used in SD-WAN members discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$SDWAN.MEMBER.STATUS.MATCHES}

This macro is used in SD-WAN members discovery. Can be overridden on the host or linked template level.

 .*
{$SDWAN.MEMBER.STATUS.NOT_MATCHES}

This macro is used in SD-WAN members discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$SDWAN.MEMBER.ZONE.MATCHES}

This macro is used in SD-WAN members discovery. Can be overridden on the host or linked template level.

 .*
{$SDWAN.MEMBER.ZONE.NOT_MATCHES}

This macro is used in SD-WAN members discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$SDWAN.HEALTH.IF.CONTROL}

Macro for the interface state for "Link down" trigger. Can be used with interface name as context.

 1
{$SDWAN.HEALTH.ID.MATCHES}

This macro is used in SD-WAN health-checks discovery. Can be overridden on the host or linked template level.

 .*
{$SDWAN.HEALTH.ID.NOT_MATCHES}

This macro is used in SD-WAN health-checks discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$SDWAN.HEALTH.NAME.MATCHES}

This macro is used in SD-WAN health-checks discovery. Can be overridden on the host or linked template level.

 .*
{$SDWAN.HEALTH.NAME.NOT_MATCHES}

This macro is used in SD-WAN health-checks discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$SDWAN.HEALTH.IFNAME.MATCHES}

This macro is used in SD-WAN health-checks discovery. Can be overridden on the host or linked template level.

 .*
{$SDWAN.HEALTH.IFNAME.NOT_MATCHES}

This macro is used in SD-WAN health-checks discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$SDWAN.HEALTH.STATUS.MATCHES}

This macro is used in SD-WAN health-checks discovery. Can be overridden on the host or linked template level.

 .*
{$SDWAN.HEALTH.STATUS.NOT_MATCHES}

This macro is used in SD-WAN health-checks discovery. Can be overridden on the host or linked template level.

 CHANGE_IF_NEEDED
{$SDWAN.HEALTH.IF.LOSS.WARN}

Threshold of packets loss for warning trigger in %. Can be used with interface name as context.

 20

Items

Name Description Type Key and additional info
Check port availability Simple check net.tcp.service["{$FGATE.SCHEME}","{$FGATE.API.FQDN}","{$FGATE.API.PORT}"]

Preprocessing

  • Discard unchanged with heartbeat: 10m
Get system info

Item for gathering device system info from FortiGate API.

 HTTP agent fgate.system.get_data

Preprocessing

  • Check for not supported value: any error

    ??Custom on fail: Set value to: {"error":"Not supported value received"}
Device system info item errors

Item for gathering errors of the device system info.

 Dependent item fgate.system.data_errors

Preprocessing

  • JSON Path: $.error

    ??Custom on fail: Set value to: ``

  • Discard unchanged with heartbeat: 1h
API availability status

Checking API availability by response.

 Dependent item fgate.api.status

Preprocessing

  • JSON Path: $.build

    ??Custom on fail: Set value to: 0

  • In range: -> 0

    ??Custom on fail: Set value to: 1
Get firmware info

Item for gathering device firmware info from FortiGate API.

 HTTP agent fgate.firmware.get_data

Preprocessing

  • Check for not supported value: any error

    ??Custom on fail: Set value to: {"error":"Not supported value received"}
Device firmware info item errors

Item for gathering errors of the device firmware info.

 Dependent item fgate.firmware.data_errors

Preprocessing

  • JSON Path: $.error

    ??Custom on fail: Set value to: ``

  • Discard unchanged with heartbeat: 1h
Get service licenses

Item for gathering information about service licenses from FortiGate API.

 Script fgate.service.get_data
Service licenses item errors

Item for gathering errors of the service licenses data.

 Dependent item fgate.service.data_errors

Preprocessing

  • JSON Path: $.error

    ??Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h
Get resources data

Item for gathering device resource data from FortiGate API.

 Script fgate.resources.get_data
Device resources item errors

Item for gathering errors of the device resources.

 Dependent item fgate.resources.data_errors

Preprocessing

  • JSON Path: $.error

    ??Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h
Get interfaces data

Item for gathering network interfaces info from FortiGate API.

 Script fgate.netif.get_data
Device interfaces item errors

Item for gathering errors of network interfaces.

 Dependent item fgate.netif.data_errors

Preprocessing

  • JSON Path: $.error

    ??Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h
Get SD-WAN data

Item for gathering SD-WAN information from FortiGate API.

 Script fgate.sdwan.get_data
Get SD-WAN item errors

Item for gathering errors of SD-WAN.

 Dependent item fgate.sdwan.data_errors

Preprocessing

  • JSON Path: $.error

    ??Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h
Get firewall data

Item for gathering firewall policies info from FortiGate API.

 Script fgate.fwp.get_data
Firewall data item errors

Item for gathering errors of firewall policies.

 Dependent item fgate.fwp.data_errors

Preprocessing

  • JSON Path: $.error

    ??Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h
Available firmware versions

Number of available firmware versions to download.

 Dependent item fgate.device.firmwares_avail

Preprocessing

  • JSON Path: $.results.available.length()

    ??Custom on fail: Discard value

  • Discard unchanged with heartbeat: 12h
Device firmware version

Current version of the device firmware.

 Dependent item fgate.device.firmware

Preprocessing

  • JSON Path: $.results.current

  • JavaScript: The text is too long. Please see the template.

  • Discard unchanged with heartbeat: 1d
Device model name

The model name of the device.

 Dependent item fgate.device.model

Preprocessing

  • JSON Path: $.results

  • JavaScript: The text is too long. Please see the template.

  • Discard unchanged with heartbeat: 1d
Device serial number

The device serial number.

 Dependent item fgate.device.serialnumber

Preprocessing

  • JSON Path: $.serial

  • Discard unchanged with heartbeat: 1d
Current VDOM

Name of the current Virtual Domain.

 Dependent item fgate.device.vdom

Preprocessing

  • JSON Path: $.vdom

  • Discard unchanged with heartbeat: 12h
System name

The system host name.

 Dependent item fgate.name

Preprocessing

  • JSON Path: $.results.hostname

  • Discard unchanged with heartbeat: 12h
System uptime

The system uptime is calculated on the basis of boot time.

 Dependent item fgate.uptime

Preprocessing

  • JSON Path: $.results.utc_last_reboot

  • JavaScript: The text is too long. Please see the template.
Number of CPUs

Number of processors according to the current license.

 Dependent item fgate.cpu.num

Preprocessing

  • JSON Path: $.data.vm.cpu_used

  • Discard unchanged with heartbeat: 1d
CPU utilization

CPU utilization, expressed in %.

 Dependent item fgate.cpu.util

Preprocessing

  • JSON Path: $.data.cpu
Total memory

Total memory, expressed in bytes.

 Dependent item fgate.memory.total

Preprocessing

  • JSON Path: $.data.vm.mem_used

  • Discard unchanged with heartbeat: 1d
Memory utilization

Memory utilization, expressed in %.

 Dependent item fgate.memory.util

Preprocessing

  • JSON Path: $.data.mem
Total disk space

The total space of the current disk, in bytes.

 Dependent item fgate.fs.total

Preprocessing

  • JSON Path: $.data.disk_total

  • Discard unchanged with heartbeat: 1d
Used disk space

The used space of the current disk, in bytes.

 Dependent item fgate.fs.used

Preprocessing

  • JSON Path: $.data.disk_used
Free disk space

The free space of the current disk, in bytes.

 Dependent item fgate.fs.free

Preprocessing

  • JSON Path: $.data.disk_free
Disk utilization

Disk utilization, expressed in %.

 Dependent item fgate.fs.util

Preprocessing

  • JSON Path: $.data.disk

Triggers

Name Description Expression Severity Dependencies and additional info
FortiGate: Port {$FGATE.API.PORT} is unavailable last(/FortiGate by HTTP/net.tcp.service["{$FGATE.SCHEME}","{$FGATE.API.FQDN}","{$FGATE.API.PORT}"])=0 Average Manual close: Yes
FortiGate: There are errors in the 'Get system info' metric length(last(/FortiGate by HTTP/fgate.system.data_errors))>0 and length(last(/FortiGate by HTTP/fgate.system.data_errors,#1:now-1m))>0 and nodata(/FortiGate by HTTP/fgate.system.data_errors,2m)=0 Warning Depends on:
  • FortiGate: Unexpected response from API
FortiGate: Unexpected response from API

Received an unexpected response from API. It may be unavailable.

 last(/FortiGate by HTTP/fgate.api.status)=0 Average Depends on:
  • FortiGate: Port {$FGATE.API.PORT} is unavailable
FortiGate: There are errors in the 'Get firmware info' metric length(last(/FortiGate by HTTP/fgate.firmware.data_errors))>0 and length(last(/FortiGate by HTTP/fgate.firmware.data_errors,#1:now-1m))>0 and nodata(/FortiGate by HTTP/fgate.firmware.data_errors,2m)=0 Warning Depends on:
  • FortiGate: Unexpected response from API
FortiGate: There are errors in the 'Get service licenses' metric length(last(/FortiGate by HTTP/fgate.service.data_errors))>0 and length(last(/FortiGate by HTTP/fgate.service.data_errors,#1:now-1m))>0 and nodata(/FortiGate by HTTP/fgate.service.data_errors,2m)=0 Warning Depends on:
  • FortiGate: Unexpected response from API
FortiGate: There are errors in the 'Get resources data' metric length(last(/FortiGate by HTTP/fgate.resources.data_errors))>0 and length(last(/FortiGate by HTTP/fgate.resources.data_errors,#1:now-1m))>0 and nodata(/FortiGate by HTTP/fgate.resources.data_errors,2m)=0 Warning Depends on:
  • FortiGate: Unexpected response from API
FortiGate: There are errors in the 'Get interfaces data' metric length(last(/FortiGate by HTTP/fgate.netif.data_errors))>0 and length(last(/FortiGate by HTTP/fgate.netif.data_errors,#1:now-1m))>0 and nodata(/FortiGate by HTTP/fgate.netif.data_errors,2m)=0 Warning Depends on:
  • FortiGate: Unexpected response from API
FortiGate: There are errors in the 'Get SD-WAN data' metric length(last(/FortiGate by HTTP/fgate.sdwan.data_errors))>0 and length(last(/FortiGate by HTTP/fgate.sdwan.data_errors,#1:now-1m))>0 and nodata(/FortiGate by HTTP/fgate.sdwan.data_errors,2m)=0 Warning Depends on:
  • FortiGate: Unexpected response from API
FortiGate: There are errors in the 'Get firewall policies data' metric length(last(/FortiGate by HTTP/fgate.fwp.data_errors))>0 and length(last(/FortiGate by HTTP/fgate.fwp.data_errors,#1:now-1m))>0 and nodata(/FortiGate by HTTP/fgate.fwp.data_errors,2m)=0 Warning Depends on:
  • FortiGate: Unexpected response from API
FortiGate: New available firmware found

New available firmware versions found to download.

This trigger expression works as follows:
1. It can be triggered if there are one or more available firmware versions.
2. {$FIRMWARE.UPDATES.CONTROL}=1 - a user can redefine context macro to value - 0. That marks this notification as not important. No new trigger will be fired if new firmware is found.

 {$FIRMWARE.UPDATES.CONTROL}=1 and last(/FortiGate by HTTP/fgate.device.firmwares_avail)>0 Info Manual close: Yes
FortiGate: Device has been replaced

Device serial number has changed. Acknowledge to close the problem manually.

 last(/FortiGate by HTTP/fgate.device.serialnumber,#1)<>last(/FortiGate by HTTP/fgate.device.serialnumber,#2) and length(last(/FortiGate by HTTP/fgate.device.serialnumber))>0 Info Manual close: Yes
FortiGate: System name has changed

The name of the system has changed. Acknowledge to close the problem manually.

 last(/FortiGate by HTTP/fgate.name,#1)<>last(/FortiGate by HTTP/fgate.name,#2) and length(last(/FortiGate by HTTP/fgate.name))>0 Info Manual close: Yes
FortiGate: Device has been restarted

Uptime is less than 10 minutes.

 last(/FortiGate by HTTP/fgate.uptime)<10m Info Manual close: Yes
FortiGate: CPU utilization is too high

The CPU utilization is too high. The system might be slow to respond.

 min(/FortiGate by HTTP/fgate.cpu.util,5m)>{$CPU.UTIL.CRIT} High
FortiGate: CPU utilization is high

The CPU utilization is high.

 min(/FortiGate by HTTP/fgate.cpu.util,5m)>{$CPU.UTIL.WARN} Warning Depends on:
  • FortiGate: CPU utilization is too high
FortiGate: Memory utilization is too high

Free memory size is too low.

 min(/FortiGate by HTTP/fgate.memory.util,5m)>{$MEMORY.UTIL.CRIT} High
FortiGate: Memory utilization is high

The system is running out of free memory.

 min(/FortiGate by HTTP/fgate.memory.util,5m)>{$MEMORY.UTIL.WARN} Average Depends on:
  • FortiGate: Memory utilization is too high
FortiGate: Free disk space is too low

Left disk space is too low.

 (100-last(/FortiGate by HTTP/fgate.fs.util))<{$DISK.FREE.CRIT} High
FortiGate: Free disk space is low

Left disk space is not enough.

 (100-last(/FortiGate by HTTP/fgate.fs.util))<{$DISK.FREE.WARN} Warning Depends on:
  • FortiGate: Free disk space is too low

LLD rule Firewall policies discovery

Name Description Type Key and additional info
Firewall policies discovery

Discovery for FortiGate firewall policies.

 Dependent item fgate.fwp.discovery

Preprocessing

  • JSON Path: $.data

  • Discard unchanged with heartbeat: 1h

Item prototypes for Firewall policies discovery

Name Description Type Key and additional info
FW Policy [{#FWNAME}]: Get data

Item for gathering data for the {#FWNAME} firewall policy.

 Dependent item fgate.fwp.get_data[{#FWUUID}]

Preprocessing

  • JSON Path: $.data[?(@.uuid == "{#FWUUID}")].first()

    ??Custom on fail: Discard value
FW Policy [{#FWNAME}]: Active sessions

Number of active sessions covered by this rule.

 Dependent item fgate.fwp.sessions[{#FWUUID}]

Preprocessing

  • JSON Path: $.active_sessions
FW Policy [{#FWNAME}]: Software processed bytes

Number of bytes processed only by the software firewall.

 Dependent item fgate.fwp.sw_bytes[{#FWUUID}]

Preprocessing

  • JSON Path: $.software_bytes

  • Change per second
FW Policy [{#FWNAME}]: Hardware processed bytes

Number of bytes processed only by the hardware (ASIC) firewall.

 Dependent item fgate.fwp.hw_bytes[{#FWUUID}]

Preprocessing

  • JSON Path: $.asic_bytes

  • Change per second
FW Policy [{#FWNAME}]: Total bytes processed

Number of bytes processed by both the software and hardware (ASIC) firewall.

 Dependent item fgate.fwp.bytes[{#FWUUID}]

Preprocessing

  • JSON Path: $.bytes

  • Change per second
FW Policy [{#FWNAME}]: Hits into the policy

Number of packets hit into the firewall policy per second.

 Dependent item fgate.fwp.hits[{#FWUUID}]

Preprocessing

  • JSON Path: $.hit_count

    ??Custom on fail: Set value to: 0

  • Change per second
FW Policy [{#FWNAME}]: Last using time

The time at which the firewall policy was used the last time.

 Dependent item fgate.fwp.last_used[{#FWUUID}]

Preprocessing

  • JSON Path: $.last_used

    ??Custom on fail: Discard value
FW Policy [{#FWNAME}]: Action

The firewall policy action (accept / deny / ipsec).

 Dependent item fgate.fwp.action[{#FWUUID}]

Preprocessing

  • JSON Path: $.action

  • JavaScript: The text is too long. Please see the template.

  • Discard unchanged with heartbeat: 12h
FW Policy [{#FWNAME}]: Status

The firewall policy status.

 Dependent item fgate.fwp.status[{#FWUUID}]

Preprocessing

  • JSON Path: $.status

  • JavaScript: The text is too long. Please see the template.

  • Discard unchanged with heartbeat: 1h

LLD rule Service discovery

Name Description Type Key and additional info
Service discovery

Discovery for FortiGate services.

 Dependent item fgate.service.discovery

Preprocessing

  • JSON Path: $.lld

  • Discard unchanged with heartbeat: 6h

Item prototypes for Service discovery

Name Description Type Key and additional info
Service [{#NAME}]: Get data

Item for gathering data about license for the {#NAME} service.

 Dependent item fgate.service.get_data["{#KEY}"]

Preprocessing

  • JSON Path: $.data["{#KEY}"]

    ??Custom on fail: Discard value
Service [{#NAME}]: License status

Current license status of the {#NAME} service.

 Dependent item fgate.service.license["{#KEY}"]

Preprocessing

  • JSON Path: $.status

    ??Custom on fail: Discard value

  • JavaScript: The text is too long. Please see the template.

  • Discard unchanged with heartbeat: 1h
Service [{#NAME}]: Service type

Current type of the {#NAME} service.

 Dependent item fgate.service.type["{#KEY}"]

Preprocessing

  • JSON Path: $.type

    ??Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h
Service [{#NAME}]: Service version

Current version of the {#NAME} service.

 Dependent item fgate.service.version["{#KEY}"]

Preprocessing

  • JSON Path: $.version

    ??Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h
Service [{#NAME}]: Expiration date

Expiration date for the license of the current service.

 Dependent item fgate.service.expire["{#KEY}"]

Preprocessing

  • JSON Path: $.expires

    ??Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h
Service [{#NAME}]: Last update time

Last update time of the current service.

 Dependent item fgate.service.update_time["{#KEY}"]

Preprocessing

  • JSON Path: $.last_update

    ??Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h
Service [{#NAME}]: Last attempt to update

Last update attempt time of the current service.

 Dependent item fgate.service.update_attempt["{#KEY}"]

Preprocessing

  • JSON Path: $.last_update_attempt

    ??Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h
Service [{#NAME}]: Update method

Current update method of the {#NAME} service.

 Dependent item fgate.service.update_method["{#KEY}"]

Preprocessing

  • JSON Path: $.last_update_method_status

    ??Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h
Service [{#NAME}]: Update result

Last update result of the {#NAME} service.

 Dependent item fgate.service.update_result["{#KEY}"]

Preprocessing

  • JSON Path: $.last_update_result_status

    ??Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h

Trigger prototypes for Service discovery

Name Description Expression Severity Dependencies and additional info
FortiGate: Service [{#NAME}]: License status is unsuccessful

This trigger expression works as follows:
1. It can be triggered if the license status is unsuccessful.
2. {$SERVICE.LICENSE.CONTROL:"{#IFNAME}"}=1 - a user can redefine context macro to value - 0. That marks the license of this service as not important. No new trigger will be fired if this license is unsuccessful.

 {$SERVICE.LICENSE.CONTROL:"{#KEY}"}=1 and last(/FortiGate by HTTP/fgate.service.license["{#KEY}"])>5 Average Manual close: Yes
FortiGate: Service [{#NAME}]: License expires soon

This trigger expression works as follows:
1. It can be triggered if the license expires soon.
2. {$SERVICE.LICENSE.CONTROL:"{#IFNAME}"}=1 - a user can redefine context macro to value - 0. That marks the license of this service as not important. No new trigger will be fired if this license expires.

 {$SERVICE.LICENSE.CONTROL:"{#KEY}"}=1 and (last(/FortiGate by HTTP/fgate.service.expire["{#KEY}"]) - now()) / 86400 < {$SERVICE.EXPIRY.WARN:"{#KEY}"} and last(/FortiGate by HTTP/fgate.service.expire["{#KEY}"]) > now() Warning Manual close: Yes

LLD rule SD-WAN members discovery

Name Description Type Key and additional info
SD-WAN members discovery

Discovery for FortiGate SD-WAN members.

 Dependent item fgate.sdwan_member.discovery

Preprocessing

  • JSON Path: $.data.member_lld

  • Discard unchanged with heartbeat: 1h

Item prototypes for SD-WAN members discovery

Name Description Type Key and additional info
SD-WAN [{#ZONE}]:[{#NAME}]: Get data

Item for gathering data about the {#NAME} interface in the {#ZONE} zone.

 Dependent item fgate.sdwan_member.get_data[{#ID}]

Preprocessing

  • JSON Path: $.data.member_lld[?(@.interface == "{#NAME}")].first()

    ??Custom on fail: Discard value
SD-WAN [{#ZONE}]:[{#NAME}]: Member status

Current status of the {#NAME} interface in the {#ZONE} zone.

 Dependent item fgate.sdwan_member.status[{#ID}]

Preprocessing

  • JSON Path: $.status

  • JavaScript: The text is too long. Please see the template.

  • Discard unchanged with heartbeat: 1h
SD-WAN [{#ZONE}]:[{#NAME}]: Link status

Current link status of the {#NAME} interface in the {#ZONE} zone.

 Dependent item fgate.sdwan_member.link_status[{#ID}]

Preprocessing

  • JSON Path: $.link

  • JavaScript: The text is too long. Please see the template.
SD-WAN [{#ZONE}]:[{#NAME}]: Sessions

Number of active sessions opened through the {#NAME} interface in the {#ZONE} zone.

 Dependent item fgate.sdwan_member.sessions[{#ID}]

Preprocessing

  • JSON Path: $.session
SD-WAN [{#ZONE}]:[{#NAME}]: Bytes sent per second

Bytes sent through the {#NAME} interface in the {#ZONE} zone per second.

 Dependent item fgate.sdwan_member.tx_bytes[{#ID}]

Preprocessing

  • JSON Path: $.tx_bytes

    ??Custom on fail: Set value to: 0

  • Change per second
SD-WAN [{#ZONE}]:[{#NAME}]: Bytes received per second

Bytes received from the {#NAME} interface in the {#ZONE} zone per second.

 Dependent item fgate.sdwan_member.rx_bytes[{#ID}]

Preprocessing

  • JSON Path: $.rx_bytes

    ??Custom on fail: Set value to: 0

  • Change per second
SD-WAN [{#ZONE}]:[{#NAME}]: Output bandwidth

Transmitting bandwidth of the {#NAME} interface in the {#ZONE} zone.

 Dependent item fgate.sdwan_member.tx_bandwidth[{#ID}]

Preprocessing

  • JSON Path: $.tx_bandwidth

    ??Custom on fail: Set value to: 0

  • Change per second
SD-WAN [{#ZONE}]:[{#NAME}]: Input bandwidth

Receiving bandwidth of the {#NAME} interface in the {#ZONE} zone.

 Dependent item fgate.sdwan_member.rx_bandwidth[{#ID}]

Preprocessing

  • JSON Path: $.rx_bandwidth

    ??Custom on fail: Set value to: 0

  • Change per second
SD-WAN [{#ZONE}]:[{#NAME}]: State changing time

Last state changing time of the {#NAME} interface in the {#ZONE} zone.

 Dependent item fgate.service.state_changed[{#ID}]

Preprocessing

  • JSON Path: $.state_changed

    ??Custom on fail: Discard value

  • Discard unchanged with heartbeat: 1h

Trigger prototypes for SD-WAN members discovery

Name Description Expression Severity Dependencies and additional info
FortiGate: SD-WAN [{#ZONE}]:[{#NAME}]: Link down

This trigger expression works as follows:
1. It can be triggered if the interface status is down.
2. {$SDWAN.MEMBER.IF.CONTROL:"{#NAME}"}=1 - a user can redefine context macro to value - 0. That marks this interface as not important. No new trigger will be fired if this interface is down.
3. {TEMPLATE_NAME:METRIC.diff()}=1 - the trigger fires only if the interface status was up to (1) sometime before.

WARNING: If closed manually, it will not fire again on the next poll because of .diff.

 {$SDWAN.MEMBER.IF.CONTROL:"{#NAME}"}=1 and last(/FortiGate by HTTP/fgate.sdwan_member.link_status[{#ID}])=1 and (last(/FortiGate by HTTP/fgate.sdwan_member.link_status[{#ID}],#1)<>last(/FortiGate by HTTP/fgate.sdwan_member.link_status[{#ID}],#2)) Average Manual close: Yes

LLD rule SD-WAN health-checks discovery

Name Description Type Key and additional info
SD-WAN health-checks discovery

Discovery for FortiGate SD-WAN health-checks.

 Dependent item fgate.sdwan_health.discovery

Preprocessing

  • JSON Path: $.data.health_lld

  • Discard unchanged with heartbeat: 1h

Item prototypes for SD-WAN health-checks discovery

Name Description Type Key and additional info
SD-WAN [{#NAME}]:[{#IFNAME}]: Get data

Item for gathering data about the {#IFNAME} interface in the {#NAME} health-check.

 Dependent item fgate.sdwan_health.get_data["{#HID}.{#MID}"]

Preprocessing

  • JSON Path: The text is too long. Please see the template.

    ??Custom on fail: Discard value
SD-WAN [{#NAME}]:[{#IFNAME}]: Interface status

Current status of the {#IFNAME} interface in the {#NAME} health-check.

 Dependent item fgate.sdwan_health.status["{#HID}.{#MID}"]

Preprocessing

  • JSON Path: $.status

  • JavaScript: The text is too long. Please see the template.
SD-WAN [{#NAME}]:[{#IFNAME}]: Jitter

Current jitter value for the {#IFNAME} interface in the {#NAME} health-check.

 Dependent item fgate.sdwan_health.jitter["{#HID}.{#MID}"]

Preprocessing

  • JSON Path: $.jitter

    ??Custom on fail: Discard value
SD-WAN [{#NAME}]:[{#IFNAME}]: Latency

Current latency value for the {#IFNAME} interface in the {#NAME} health-check.

 Dependent item fgate.sdwan_health.latency["{#HID}.{#MID}"]

Preprocessing

  • JSON Path: $.latency

    ??Custom on fail: Discard value
SD-WAN [{#NAME}]:[{#IFNAME}]: Packets loss

Percent of lost packets for the {#IFNAME} interface in the {#NAME} health-check.

 Dependent item fgate.sdwan_health.loss["{#HID}.{#MID}"]

Preprocessing

  • JSON Path: $.packet_loss

    ??Custom on fail: Discard value
SD-WAN [{#NAME}]:[{#IFNAME}]: Packets sent per second

Number of packets sent through the {#IFNAME} interface in the {#NAME} health-check per second.

 Dependent item fgate.sdwan_health.sent["{#HID}.{#MID}"]

Preprocessing

  • JSON Path: $.packet_sent

    ??Custom on fail: Discard value

  • Change per second
SD-WAN [{#NAME}]:[{#IFNAME}]: Packets received per second

Number of packets received from the {#IFNAME} interface in the {#NAME} health-check per second.

 Dependent item fgate.sdwan_health.received["{#HID}.{#MID}"]

Preprocessing

  • JSON Path: $.packet_received

    ??Custom on fail: Discard value

  • Change per second

Trigger prototypes for SD-WAN health-checks discovery

Name Description Expression Severity Dependencies and additional info
FortiGate: SD-WAN [{#NAME}]:[{#IFNAME}]: Link down

This trigger expression works as follows:
1. It can be triggered if the interface status is down.
2. {$SDWAN.HEALTH.IF.CONTROL:"{#NAME}"}=1 - a user can redefine context macro to value - 0. That marks this interface as not important. No new trigger will be fired if this interface is down/error.
3. {TEMPLATE_NAME:METRIC.diff()}=1 - the trigger fires only if the interface status was up to (1) sometime before.

WARNING: If closed manually, it will not fire again on the next poll because of .diff.

 {$SDWAN.HEALTH.IF.CONTROL:"{#NAME}"}=1 and last(/FortiGate by HTTP/fgate.sdwan_health.status["{#HID}.{#MID}"])=1 and (last(/FortiGate by HTTP/fgate.sdwan_health.status["{#HID}.{#MID}"],#1)<>last(/FortiGate by HTTP/fgate.sdwan_health.status["{#HID}.{#MID}"],#2)) Average Manual close: Yes
FortiGate: SD-WAN [{#NAME}]:[{#IFNAME}]: Link state is error

This trigger expression works as follows:
1. It can be triggered if the interface status is error.
2. {$SDWAN.HEALTH.IF.CONTROL:"{#IFNAME}"}=1 - a user can redefine context macro to value - 0. That marks this interface as not important. No new trigger will be fired if this interface is down/error.
3. {TEMPLATE_NAME:METRIC.diff()}=1 - the trigger fires only if the interface status was up to (1) sometime before.

WARNING: If closed manually, it will not fire again on the next poll because of .diff.

 {$SDWAN.HEALTH.IF.CONTROL:"{#IFNAME}"}=1 and last(/FortiGate by HTTP/fgate.sdwan_health.status["{#HID}.{#MID}"])=2 and (last(/FortiGate by HTTP/fgate.sdwan_health.status["{#HID}.{#MID}"],#1)<>last(/FortiGate by HTTP/fgate.sdwan_health.status["{#HID}.{#MID}"],#2)) Average Manual close: Yes
FortiGate: SD-WAN [{#NAME}]:[{#IFNAME}]: High packets loss

High level of packets loss detected.

 min(/FortiGate by HTTP/fgate.sdwan_health.loss["{#HID}.{#MID}"],5m)>{$SDWAN.HEALTH.IF.LOSS.WARN:"{#IFNAME}"} Warning

LLD rule Network interfaces discovery

Name Description Type Key and additional info
Network interfaces discovery

Discovery for FortiGate network interfaces.

 Dependent item fgate.netif.discovery

Preprocessing

  • JSON Path: $.data

  • Discard unchanged with heartbeat: 6h

Item prototypes for Network interfaces discovery

Name Description Type Key and additional info
Interface [{#IFNAME}({#IFALIAS})]: Get data

Item for gathering data for the {#IFKEY} interface.

 Dependent item fgate.netif.get_data[{#IFKEY}]

Preprocessing

  • JSON Path: $.data[?(@.id == "{#IFKEY}")].first()

    ??Custom on fail: Discard value
Interface [{#IFNAME}({#IFALIAS})]: Link status

Current link status of the interface.

 Dependent item fgate.netif.status[{#IFKEY}]

Preprocessing

  • JSON Path: $.link

  • Boolean to decimal
Interface [{#IFNAME}({#IFALIAS})]: Bits received

The total number of octets received on the interface per second.

 Dependent item fgate.netif.in[{#IFKEY}]

Preprocessing

  • JSON Path: $.rx_bytes

    ??Custom on fail: Set value to: 0

  • Change per second

  • Custom multiplier: 8
Interface [{#IFNAME}({#IFALIAS})]: Inbound packets

The total number of packets received on the interface per second.

 Dependent item fgate.netif.in_packets[{#IFKEY}]

Preprocessing

  • JSON Path: $.rx_packets

    ??Custom on fail: Set value to: 0

  • Change per second
Interface [{#IFNAME}({#IFALIAS})]: Bits sent

The total number of octets transmitted out of the interface.

 Dependent item fgate.netif.out[{#IFKEY}]

Preprocessing

  • JSON Path: $.tx_bytes

    ??Custom on fail: Set value to: 0

  • Change per second

  • Custom multiplier: 8
Interface [{#IFNAME}({#IFALIAS})]: Outbound packets

The total number of packets transmitted out of the interface per second.

 Dependent item fgate.netif.out_packets[{#IFKEY}]

Preprocessing

  • JSON Path: $.tx_packets

    ??Custom on fail: Set value to: 0

  • Change per second
Interface [{#IFNAME}({#IFALIAS})]: Inbound packets with errors

The total number of errors received.

 Dependent item fgate.netif.in_errors[{#IFKEY}]

Preprocessing

  • JSON Path: $.rx_errors

    ??Custom on fail: Set value to: 0

  • Change per second
Interface [{#IFNAME}({#IFALIAS})]: Outbound packets with errors

The total number of errors transmitted.

 Dependent item fgate.netif.out_errors[{#IFKEY}]

Preprocessing

  • JSON Path: $.tx_errors

    ??Custom on fail: Set value to: 0

  • Change per second
Interface [{#IFNAME}({#IFALIAS})]: Interface type

Type of the interface.

 Dependent item fgate.netif.type[{#IFKEY}]

Preprocessing

  • JSON Path: $.type

  • JavaScript: The text is too long. Please see the template.

  • Discard unchanged with heartbeat: 1h
Interface [{#IFNAME}({#IFALIAS})]: Speed

Speed of the interface.

 Dependent item fgate.netif.speed[{#IFKEY}]

Preprocessing

  • JSON Path: $.speed

    ??Custom on fail: Set value to: 0

  • Custom multiplier: 1000000

  • Discard unchanged with heartbeat: 1h

Trigger prototypes for Network interfaces discovery

Name Description Expression Severity Dependencies and additional info
FortiGate: Interface [{#IFNAME}({#IFALIAS})]: Link down

This trigger expression works as follows:
1. It can be triggered if the interface link status is down.
2. {$NET.IF.CONTROL:"{#IFNAME}"}=1 - a user can redefine context macro to value - 0. That marks this interface as not important. No new trigger will be fired if this interface link is down.
3. {TEMPLATE_NAME:METRIC.diff()}=1 - the trigger fires only if the interface link status was up to (1) sometime before.

WARNING: If closed manually, it will not fire again on the next poll because of .diff.

 {$NET.IF.CONTROL:"{#IFNAME}"}=1 and last(/FortiGate by HTTP/fgate.netif.status[{#IFKEY}])=1 and (last(/FortiGate by HTTP/fgate.netif.status[{#IFKEY}],#1)<>last(/FortiGate by HTTP/fgate.netif.status[{#IFKEY}],#2)) Average Manual close: Yes
FortiGate: Interface [{#IFNAME}({#IFALIAS})]: High bandwidth usage

The utilization of the network interface is close to its estimated maximum bandwidth.

 (avg(/FortiGate by HTTP/fgate.netif.in[{#IFKEY}],15m)>({$NET.IF.UTIL.MAX:"{#IFNAME}"}/100)*last(/FortiGate by HTTP/fgate.netif.speed[{#IFKEY}]) or avg(/FortiGate by HTTP/fgate.netif.out[{#IFKEY}],15m)>({$NET.IF.UTIL.MAX:"{#IFNAME}"}/100)*last(/FortiGate by HTTP/fgate.netif.speed[{#IFKEY}])) and last(/FortiGate by HTTP/fgate.netif.speed[{#IFKEY}])>0 Warning Manual close: Yes
Depends on:
  • FortiGate: Interface [{#IFNAME}({#IFALIAS})]: Link down
FortiGate: Interface [{#IFNAME}({#IFALIAS})]: High error rate

It recovers when it is below 80% of the {$NET.IF.ERRORS.WARN:"{#IFKEY}"} threshold.

 min(/FortiGate by HTTP/fgate.netif.in_errors[{#IFKEY}],5m)>{$NET.IF.ERRORS.WARN:"{#IFKEY}"} or min(/FortiGate by HTTP/fgate.netif.in_errors[{#IFKEY}],5m)>{$NET.IF.ERRORS.WARN:"{#IFKEY}"} Warning Manual close: Yes
Depends on:
  • FortiGate: Interface [{#IFNAME}({#IFALIAS})]: Link down
FortiGate: Interface [{#IFNAME}({#IFALIAS})]: Ethernet has changed to lower speed than it was before

This Ethernet connection has transitioned down from its known maximum speed. This might be a sign of autonegotiation issues. Acknowledge to close the problem manually.

 change(/FortiGate by HTTP/fgate.netif.speed[{#IFKEY}])<0 and last(/FortiGate by HTTP/fgate.netif.speed[{#IFKEY}])>0 and last(/FortiGate by HTTP/fgate.netif.status[{#IFKEY}])<>0 Info Manual close: Yes
Depends on:
  • FortiGate: Interface [{#IFNAME}({#IFALIAS})]: Link down

Feedback

Please report any issues with the template at

You can also provide feedback, discuss the template, or ask for help at ZABBIX forums

?l¨¢nky a dokumentace

+ Navrhn¨§te nov? ?l¨¢nek

Nena?li jste integraci, kterou pot?ebujete?

Po?¨¢dejte o vlastn¨ª integraci

Integra?n¨ª t?m Áú»¢¶Ä²© vyvine vlastn¨ª integraci na z¨¢klad¨§ va?ich po?adavk? a osv¨§d?en?ch postup? Áú»¢¶Ä²©u.

±Ê´Ç?¨¢»å²¹³Ù

Nahrajte svou integraci

Vyvinuli jste ji? vysoce kvalitn¨ª integraci a chcete ji nahr¨¢t do integra?n¨ªho ¨²lo?i?t¨§ Áú»¢¶Ä²©?

Navrhnout