Monitoring FortiGate Firewalls with Paessler PRTG

 Originally published on March 31, 2022 by Jasmin Kahriman
Last updated on May 04, 2022 • 10 minute read

The first time I had the opportunity to play with Fortinet devices, I asked myself: “How did I miss this?” Fortinet provides quality hardware, user-friendly UIs, and easy-to-read documentation. They manufacture different products including FortiWifi, FortiAP, FortiAnalyzer, FortiDDoS, FortiGate, and others. This article is about FortiGate, powerful next-generation firewalls.

With more than 14.3% of the market share, Fortinet has a strong presence in the security appliances market. They share the stage with big vendors such as Palo Alto, Cisco, Check Point, and others.

FortiGate is used by our customers, so naturally we decided to create native sensors for monitoring FortiGate devices. Paessler PRTG provides you with two sensors, FortiGate System Statistics and FortiGate VPN Overview.

Note: Both sensors are in beta status. That means the operating methods and the available settings can change at any time. Do not expect that all functions work properly, or that this sensor works as expected at all. Be aware that this sensor can be removed from PRTG at any time.

If you are running PRTG Network Monitor version 20.4.64 or later, you need to enable experimental features under Setup > System Administration > Monitoring > Experimental Features > Beta sensors > Enable, as shown in the screenshot below.

Enable Beta sensors

FortiGate System Statistics and FortiGate VPN Overview require an API token for monitoring the FortiGate. First, you need to create a new REST API user by navigating to System > Administrators > Create New > REST API Admin.

Create a REST API Admin user

Fill out the information (Username, Administrator profile), disable PKI Group (if you do not have any), and add the subnet under trusted hosts so that logins with this account are restricted to those hosts.

Define user parameters

Once you click OK, FortiGate creates the user and generates an API token. Copy the key and proceed with the second step.

A new API key is generated
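
The same REST API admin expressed in FortiOS CLI, as an added example that is not part of the original article. The profile name `prtg_readonly`, the user name `prtg-monitor`, the VDOM `root`, and the probe address `192.0.2.10` are placeholders, and it is an assumption that read-only access to the System and VPN permission groups is enough for the two sensors.

```fortios
# Added example: names and addresses below are placeholders.
# Read-only profile so the monitoring token cannot change configuration.
config system accprofile
    edit "prtg_readonly"
        set comments "Read-only profile for PRTG sensors (example)"
        set sysgrp read
        set vpngrp read
    next
end

# REST API admin bound to that profile and to a single trusted host
# (the PRTG probe) instead of a whole subnet.
config system api-user
    edit "prtg-monitor"
        set comments "PRTG FortiGate sensors (example account)"
        set accprofile "prtg_readonly"
        set vdom "root"
        config trusthost
            edit 1
                set ipv4-trusthost 192.0.2.10 255.255.255.255
            next
        end
    next
end
```

When the user is created this way, the token is generated afterwards with `execute api-user generate-key prtg-monitor`. It is displayed only once, so store it directly in the monitoring system's credential settings.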

Secondly, you need to add the API token in PRTG, in the FortiGate settings of an object that is higher in the object hierarchy, for example, in the settings of the parent device. The example is shown in the screenshot below.

Add API token to FortiGate

For testing purposes, I use the FortiGate 200E firewall. It is powered by an Intel® Celeron® CPU G1820 @ 2.70GHz with 2 cores, 4 GB RAM, and 15331 MB of compact flash. However, these sensors work on any FortiGate device. If you are interested in other details for this device, check them out here.

FortiGate 200E

Let's now evaluate these two sensors. Oh, before I forget, both sensors support IPv4 and IPv6 and have a very low performance impact on the PRTG core server.

For writing this article, I ran my workloads on a powerful mini PC: an Intel NUC powered by a latest-generation i7 CPU, with 64 GB DDR4 RAM and a 256 M.2 SSD. Intel® NUC Mini PCs with Windows 10 are fully complete and ready to work out of the box. You can learn more here: Intel® NUC Products.

 

FortiGate System Statistics (BETA)

The FortiGate System Statistics sensor monitors the system health of a Fortinet FortiGate firewall via REST API. This sensor type measures whether the conserve mode is active or inactive. The conserve mode is a self-protection measure for when the system detects a memory shortage. Besides that, it also measures CPU and memory usage, number of sessions, session rate, and system uptime status. These are exactly the metrics you need, aren't they?

This sensor uses lookups to determine the status values of one or more channels. This means that possible states are defined in a lookup file. You can change the behavior of a channel by editing the lookup file that the channel uses.

FortiGate System Statistics

FortiGate VPN Overview (BETA)

The second sensor helps you to monitor VPN (virtual private network) connections of the FortiGate system via REST API. It shows exactly what is relevant to VPN, from the number of connected SSL clients to the number of UP and DOWN IPsec tunnels.

This sensor helps you track your VPN connections. If one of them goes down, you will know it.

FortiGate VPN Overview

These were two native FortiGate sensors, and I am curious about your feedback. Have you tested these sensors? Do you have any feedback for us?

I hope you enjoyed reading this article. I welcome you to read my blog TechwithJasmin.com and I’m looking forward to connecting with you via LinkedIn.