And doing serious stuff as well……

NOTE: MIB numbering changes depending on version! This document refers to an older v3 MIB. If you are on v5 or later then the names and numbering have changed … sorry, blame Fortinet 😦

August 2014 – New Articles!

Recently (2013) I needed to enhance a monitoring system by including data transfer stats from our 12 firewalls running v3 software. Without buying any software, I decided to gather all the data using SNMP and then graph it in different ways. Once the Fortigate is set up to accept SNMP from your host (in my case just a CentOS Linux server), you can use a number of simple tools to retrieve the values you need. See the Fortinet web site for how to set up the Fortigate for SNMP; it is simple and should take a few minutes. When you do, restrict the SNMP host entry to the monitoring server's address and pick a community string other than "public": SNMP v2c sends the community in clear text, so anyone who can sniff or guess it can read every counter described below.

There are two tools worth using to explore the available Fortinet SNMP data: snmpwalk and snmpget. snmpwalk pulls everything under a branch of the SNMP tree, while snmpget retrieves a specific value and must be passed the full instance OID (the object plus its index, such as the trailing .0 on a scalar). An example of each is below.

Gathering Data using SNMPWALK

snmpwalk -v2c -m ALL -c public 192.168.1.1 enterprises.fortinet.8

Gathering Data using SNMPGET

snmpget -v2c -m ALL -c public 192.168.1.1 enterprises.fortinet.1.8.0

The MIB Files

The “-m ALL” parameter above is just a shortcut so that you do not have to name the exact MIB file. I downloaded the MIB files from the Fortinet web site and installed them into the /usr/share/snmp/mibs directory on the server. The other reason to load a MIB file (or ALL in this case) is to get the descriptive names such as “enterprises.fortinet” rather than the numeric OID. Note that ALL parses every MIB in the directory on each run, which is slow and prints parse warnings for any broken file; “-m +FORTIOS-300-MIB” loads just the Fortinet v3 MIB on top of the defaults, and a “mibs +FORTIOS-300-MIB” line in snmp.conf makes that permanent so the option can be dropped from the commands.

.1.3.6.1.4.1.12356.1.8.0 = enterprises.fortinet.1.8.0

With MIB output is: FORTIOS-300-MIB::fnSysCpuUsage.0 = Gauge32: 2

Without MIB output is: SNMPv2-SMI::enterprises.12356.1.8.0 = Gauge32: 2

Useful Metrics

Below are some simple metrics that can be very useful for general monitoring of the performance of a Firewall Unit.

CPU Usage: enterprises.fortinet.1.8.0
Memory Usage: enterprises.fortinet.1.9.0
Sessions: enterprises.fortinet.1.10.0

Serious Example

The reason that led to me writing this article is I had to track packet and byte counts from all our Fortigates and distinguish between the WAN interfaces and the VPN tunnels so we could see how much was internet usage and office to office traffic.

After much investigation it occurred to me that the Fortigate keeps two separate counters for each policy: a packet counter and a byte counter. So if you wish to see how much traffic is going out a specific interface such as WAN-1, and there are 5 policies relevant to that interface, you need to total the byte counts of all active policies defined for WAN-1. That means 5 snmpget calls to get the 5 subtotals (10 if you want both packets and bytes), or one snmpget with all 10 OIDs on the command line. Two things to keep in mind when you use them: the values are cumulative Counter32 totals, so what you graph is the difference between successive samples, not the raw number; and a Counter32 wraps back to zero at 2^32 (4 GiB), which a busy link reaches in minutes, so sample often enough that at most one wrap can occur between readings and treat a value lower than the previous one as a wrap rather than a drop in traffic.

There are two arrays of data that hold the counts:

  • fnFwPolicyPktCount
  • fnFwPolicyByteCount

You can see ALL the counters using the following command:

snmpwalk -v2c -m ALL -c public 10.0.0.254  enterprises.12356.8

A sample of the output is:

FORTIOS-300-MIB::fnFwPolicyPktCount.1.9 = Counter32: 208
FORTIOS-300-MIB::fnFwPolicyPktCount.1.10 = Counter32: 0
FORTIOS-300-MIB::fnFwPolicyPktCount.1.11 = Counter32: 14
FORTIOS-300-MIB::fnFwPolicyPktCount.1.12 = Counter32: 0
FORTIOS-300-MIB::fnFwPolicyPktCount.1.16 = Counter32: 0
FORTIOS-300-MIB::fnFwPolicyByteCount.1.9 = Counter32: 29051
FORTIOS-300-MIB::fnFwPolicyByteCount.1.10 = Counter32: 0
FORTIOS-300-MIB::fnFwPolicyByteCount.1.11 = Counter32: 1227
FORTIOS-300-MIB::fnFwPolicyByteCount.1.12 = Counter32: 0
FORTIOS-300-MIB::fnFwPolicyByteCount.1.16 = Counter32: 0

Note: I actually have 239 rules on this firewall, so I have cut and pasted the first 5.

Let's say I want to fetch and process a particular packet counter and then the byte counter, such as 1.11. Below is the full numeric OID to get a single value (policy ID 11 in this case) for both the packet and byte counters. snmpwalk happens to work here because the net-snmp version falls back to a GET when the OID you give it has no children; snmpget is the proper tool for a single instance and is what the later examples use. The trailing 1.11 is the row index seen in the snmpwalk output above: its last component is the policy ID, and its first component was 1 for every row on this unit.

snmpwalk -v2c -m ALL -c public 10.0.0.254  enterprises.12356.8.1.1.3.1.11
FORTIOS-300-MIB::fnFwPolicyPktCount.1.11 = Counter32: 14

snmpwalk -v2c -m ALL -c public 10.0.0.254  enterprises.12356.8.1.1.4.1.11
FORTIOS-300-MIB::fnFwPolicyByteCount.1.11 = Counter32: 1227

To show the output using different parts of the ASN so you get the idea, each command below does the same thing:

snmpget -v2c -m ALL -c public 10.0.0.254  enterprises.12356.8.1.1.4.1.11
FORTIOS-300-MIB::fnFwPolicyByteCount.1.11 = Counter32: 1227
snmpget -v2c -m ALL -c public 10.0.0.254  enterprises.fortinet.8.1.1.4.1.11
FORTIOS-300-MIB::fnFwPolicyByteCount.1.11 = Counter32: 1227
snmpget -v2c -m ALL -c public 10.0.0.254  enterprises.fortinet.fnFirewall.1.1.4.1.11
FORTIOS-300-MIB::fnFwPolicyByteCount.1.11 = Counter32: 1227

The key things in the OIDs used above are the 8.1.1.3.1.x (packet counter) and 8.1.1.4.1.x (byte counter) columns, where x is the policy ID: after fnFirewall (8) the remaining numbers select the policy table, the column, and then the row index.

Automating and Filtering

Since my Nagios server is a Linux box, I use cron to automate the collection of data via NRPE when I am doing something unique such as graphing data. I also use it to gather SNMP data from things like PDUs in my data centres, as I don't have an NRPE plugin for them yet. So in this case the job is a script that gathers counts from particular Fortigates and writes them to a local file.

TODO – Script with value extraction

Using the cut utility I can do the following to obtain the value:

snmpget -v2c -m ALL -c gxspub 10.0.0.254  enterprises.fortinet.fnFirewall.1.1.4.1.11 | cut -f2 -d=

Which gives us:  Counter32: 1227. Using | cut -f4 -d\: instead, which keeps the text after the third “:” (the two in “::” plus the one after Counter32), we get  1227, the counter value for the policy, with a leading space that shell arithmetic will ignore. snmpget can also strip the decoration itself: adding -Oqv prints only the value, 1227, so no cut is needed at all.

Using the bash shell we can add the variables up and get the totals. You could use any language to parse the data but what we will do is write the values into a file every minute so processing will be done by a graphing program (think separation of concerns).
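As an added example (not a script from this article), here is a POSIX shell collector that does the job described above: it pulls the packet and byte counters for all the policies bound to one interface in a single snmpget, sums them, keeps the previous raw totals in a state directory, and appends the per-interval deltas (Counter32 wrap handled) to a sample file for a grapher to read. The host, community string, state directory and the policy IDs 9, 11 and 12 for WAN-1 are assumptions for illustration; the column OIDs are the v3 FORTIOS-300-MIB ones used earlier on this page.

```shell
#!/bin/sh
# Added example, not the article's script: collect the per-policy byte and
# packet counters for one Fortigate interface, sum them, and append a
# per-minute delta sample to a file for a grapher to pick up.
# Assumptions: FORTIOS-300-MIB is installed (-m ALL), the host/community below,
# and that the policy IDs given on the command line are the ones bound to the
# interface (e.g. 9 11 12 for WAN-1 are illustrative, not from the article).

FW_HOST="${FW_HOST:-10.0.0.254}"
COMMUNITY="${COMMUNITY:-public}"
STATE_DIR="${STATE_DIR:-/var/tmp/fgt-counters}"
# Column OIDs from the article: 8.1.1.3.1.<id> packets, 8.1.1.4.1.<id> bytes
PKT_COL="enterprises.fortinet.fnFirewall.1.1.3.1"
BYTE_COL="enterprises.fortinet.fnFirewall.1.1.4.1"
COUNTER32_MOD=4294967296   # a Counter32 wraps back to zero at 2^32

# Print the integer from one snmpget output line such as
#   FORTIOS-300-MIB::fnFwPolicyByteCount.1.11 = Counter32: 1227
# Returns 1 for "No Such Instance" and any other non-numeric line.
parse_counter() {
    v=${1##*: }
    case "$v" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$v"
}

# Sum every Counter32 value on stdin; non-numeric lines are skipped.
sum_counters() {
    total=0
    while IFS= read -r line; do
        v=$(parse_counter "$line") || continue
        total=$((total + v))
    done
    printf '%s\n' "$total"
}

# Emit one instance OID per line for a column and a list of policy IDs.
policy_oids() {
    col=$1; shift
    for id in "$@"; do printf '%s.%s\n' "$col" "$id"; done
}

# Difference between two samples of a Counter32, allowing for one wrap.
counter_delta() {
    prev=$1; cur=$2
    if [ "$cur" -ge "$prev" ]; then
        printf '%s\n' $((cur - prev))
    else
        printf '%s\n' $((cur + COUNTER32_MOD - prev))
    fi
}

# One snmpget for all policies of a column (snmpget accepts several OIDs),
# summed into a single interface total.
fetch_total() {
    col=$1; shift
    snmpget -v2c -m ALL -c "$COMMUNITY" "$FW_HOST" $(policy_oids "$col" "$@") \
        | sum_counters
}

# Remember the last raw total in $STATE_DIR/<name>.last and print the delta
# since then; prints nothing on the first sample (no previous value yet).
record_delta() {
    name=$1; cur=$2
    mkdir -p "$STATE_DIR"
    f="$STATE_DIR/$name.last"
    delta=""
    if [ -r "$f" ]; then
        delta=$(counter_delta "$(cat "$f")" "$cur")
    fi
    printf '%s\n' "$cur" > "$f"
    printf '%s\n' "$delta"
}

# Collect one sample for an interface label and its policy IDs, e.g.
#   sh fgt_counters.sh run wan1 9 11 12      (from cron, once a minute)
# Sample line: epoch label bytes_total pkts_total bytes_delta pkts_delta
run_collection() {
    label=$1; shift
    bytes=$(fetch_total "$BYTE_COL" "$@")
    pkts=$(fetch_total "$PKT_COL" "$@")
    dbytes=$(record_delta "${label}_bytes" "$bytes")
    dpkts=$(record_delta "${label}_pkts" "$pkts")
    printf '%s %s %s %s %s %s\n' "$(date +%s)" "$label" "$bytes" "$pkts" \
        "${dbytes:-NA}" "${dpkts:-NA}" >> "$STATE_DIR/samples.log"
}

if [ "${1:-}" = "run" ]; then
    shift
    run_collection "$@"
fi
```

Run it from cron once a minute with one entry per interface or VPN tunnel (for example "sh /usr/local/bin/fgt_counters.sh run wan1 9 11 12", the path and IDs being assumptions) and point the grapher at samples.log; the first run only records a baseline and writes NA for the deltas. Because the script asks for every policy of an interface in one request, adding or removing a policy means editing that cron line, which is a good place to keep the mapping of policy IDs to interfaces documented.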

TODO – MORE TO COME!

-oOo-
