
Monitoring Fortigate with Telegraf, InfluxDB and Grafana
In this post we are going to collect certain metrics from a Fortigate. If we have this fabulous UTM firewall (now called a Next-Generation Firewall), we can obtain this data through SNMP and visualize it in real time thanks to Telegraf, InfluxDB and Grafana. It's a great thing!
We know that a Fortigate exposes a lot of information over SNMP: not only the most common values such as CPU usage, Memory, Uptime, Sessions, Disk usage, or the traffic on each network interface, but also the status of the Antivirus, for example, whether it has detected any viruses, or whether it has blocked them… Well, through the Telegraf agent we can run these SNMP queries against the Fortigate and store the results in our beloved InfluxDB. What for? To then visualize that data in a more attractive way with Grafana.
We've already seen how to deploy the TICK Stack (Telegraf, InfluxDB, Chronograf and Kapacitor), although we will really only need TIG (Telegraf, InfluxDB and Grafana). The only thing left is to add the necessary configuration to a Telegraf agent so that it connects to the Fortigate by SNMP (and, obviously, to configure SNMP on the Fortigate).
In the Telegraf configuration file we add:
[[inputs.snmp]]
  # Fortigate address and SNMP port
  agents = [ "DIRECCION_IP_FORTIGATE:161" ]
  timeout = "5s"
  retries = 3
  # SNMP v2c: the community string is sent unencrypted
  version = 2
  community = "COMUNIDAD_SNMP"
  max_repetitions = 10
  # Measurement name and polling interval
  name = "FORTI"
  interval = "1s"

  [[inputs.snmp.field]]
    name = "Uptime"
    oid = "iso.3.6.1.2.1.1.3.0"
  [[inputs.snmp.field]]
    name = "Memory"
    oid = "iso.3.6.1.4.1.12356.101.4.5.3.1.7.1"
  [[inputs.snmp.field]]
    name = "CPU"
    oid = ".1.3.6.1.4.1.12356.101.4.1.3.0"
  [[inputs.snmp.field]]
    name = "Sessions"
    oid = "1.3.6.1.4.1.12356.101.4.1.8.0"
  [[inputs.snmp.field]]
    name = "AV"
    oid = ".1.3.6.1.4.1.12356.101.8.2.1.1.1"
  [[inputs.snmp.field]]
    name = "Net"
    oid = "1.3.6.1.4.1.12356.101.13.2.1.1.5.1"
  [[inputs.snmp.field]]
    name = "Disk usage"
    oid = "1.3.6.1.4.1.12356.101.4.1.6.0"
  [[inputs.snmp.field]]
    name = "Virus Detected"
    oid = "1.3.6.1.4.1.12356.101.8.2.1.1.1"
  [[inputs.snmp.field]]
    name = "Blocked Virus"
    oid = "1.3.6.1.4.1.12356.101.8.2.1.1.2"
  # Interface traffic counters (IF-MIB), by interface index
  [[inputs.snmp.field]]
    name = "LAN - Entrance"
    oid = "1.3.6.1.2.1.31.1.1.1.6.8"
  [[inputs.snmp.field]]
    name = "LAN - Exit"
    oid = "1.3.6.1.2.1.31.1.1.1.10.8"
  [[inputs.snmp.field]]
    name = "WAN - Entrance"
    oid = "1.3.6.1.2.1.31.1.1.1.6.1"
  [[inputs.snmp.field]]
    name = "WAN - Exit"
    oid = "1.3.6.1.2.1.31.1.1.1.10.1"
  ...
As we can see, in the Telegraf configuration file we are adding an SNMP input against the Fortigate. We indicate the polling interval; in this case I have it at 1s, that is, every second it queries and stores the data. And finally, we add the specific OIDs that we are interested in collecting. I'm leaving you examples for the ones mentioned in the intro of this post: let's monitor CPU, Memory, Disk usage, Uptime, Sessions, AV Status, Viruses detected, Blocked viruses, and the status and traffic of each interface (WAN, LAN, DMZ, GUESTS, MANAGEMENT…).
Save the file and restart Telegraf; with this we should have it ready. We can also check that the configuration is valid:
systemctl restart telegraf.service
telegraf --test
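The same input can be polled over SNMPv3 with authentication and encryption instead of the v2c community string, which crosses the network unencrypted. This is an added example, not part of the original post: the user name and the environment variable names are assumptions, a matching SNMPv3 user has to exist on the Fortigate, and only three of the post's OIDs are repeated here.

```toml
# Added example (not from the original post): SNMPv3 variant of the input above.
# "telegraf_ro", FORTI_SNMP_AUTH and FORTI_SNMP_PRIV are assumed names.
[[inputs.snmp]]
  agents = [ "DIRECCION_IP_FORTIGATE:161" ]
  timeout = "5s"
  retries = 3
  name = "FORTI"
  interval = "1s"

  # SNMPv3 user-based security replaces `version = 2` / `community`
  version = 3
  sec_name = "telegraf_ro"            # read-only SNMPv3 user defined on the Fortigate
  sec_level = "authPriv"              # require both authentication and encryption
  auth_protocol = "SHA"
  auth_password = "${FORTI_SNMP_AUTH}"  # read from Telegraf's environment,
  priv_protocol = "AES"                 # so secrets stay out of the config file
  priv_password = "${FORTI_SNMP_PRIV}"

  # Fields are declared exactly as before; OIDs taken from the post
  [[inputs.snmp.field]]
    name = "CPU"
    oid = ".1.3.6.1.4.1.12356.101.4.1.3.0"
  [[inputs.snmp.field]]
    name = "Sessions"
    oid = "1.3.6.1.4.1.12356.101.4.1.8.0"
  [[inputs.snmp.field]]
    name = "Blocked Virus"
    oid = "1.3.6.1.4.1.12356.101.8.2.1.1.2"
```

The protocols and passwords must match what is set for that user on the Fortigate, and the two variables have to be present in the environment of the Telegraf service.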
And now we have two options: we go directly to Grafana and start drawing the panel that interests us, or, if you're like me and don't have a good command of Flux, remember that with Chronograf you can quickly build the queries with the mouse.
Remember that for Grafana to connect to your InfluxDB we must previously have created a Datasource or connector. We saw that in the first post, in case you need it.
And with a little patience you can build dashboards in this style or better, where, with a 1-second refresh, you have incredible status data. Or, well, use it to make reports or view usage over the last 24 hours, or whatever you like!
Well, as always, I encourage you to keep your infrastructure under control. Every device that provides a service must be monitored, and the least we can do is monitor the company's firewall, whether perimeter, internal… Thank you very much to all of you if you have come this far, and I wish you all the best! Hugs!