README.md

Checkmk special agent Fortinet

CheckMK special agent extension for Fortigate Firewalls and Switches

Report a Bug · Request a Feature

Special thanks

• To dampfhamm3r he had the idea for the project and needed a lot of perseverance to work on it.
• To ELLR he supported us and carried out code reviews
• To yogibaer75 he answered many of our questions at the CheckMK conference.

Plugin download

See GitHub build action, where you can download the latest .mkp file.

• Click on the latest run
• Download the artifact at the bottom of the site

Description

This is the repository for the Fortinet Firewall Special Agent. Due to conflicts with the built-in CheckMK checks, the rules are renamed to FortiOS.

CheckMK Permission Config for API

To create an API token for Checkmk, follow these steps:

1. Create an administrator profile:
   Go to System → Admin Profiles → Create New

   • Name: checkmk-readonly
   • Permissions: Set all to Read
   • Permit usage of CLI diagnostic commands: False

2. Create REST API Administrator:
   Go to System → Administrators → Create New → REST API Administrator

   • Username: checkmk
   • Administrator Profile: checkmk-readonly (or how you named it)
   • Virtual Domains: select all VDOMs
   • PKI Group: False
   • CORS Allow Origin: False
   • Trusted Hosts: True → enter the IP OF YOUR CHECKMK INSTANCE

Configure the special agent

1. Install the plugin via Extensions
2. Search for FortiOS special angent and configure a rule
3. Confirgure the rule for your needs:
   • API Token: TOKEN YOUR CREATED ABOVE
   • Port: 8443 is default
   • SSL certificate checking: it's recommended to trust the certificate via CheckMK and not to deactivate the checks!
   • Timeout: you may leave at default value, please increase in case of slow WAN

DCD Configuration for Network Switches

To have the piggyback data delivered, the DCD must be set up.

Go to Setup → DCD (dynamic configuration daemon)

• Title: local
• SIte: cmk
• Connector type: Piggyback data
• Sync interval: 1min
• Create hosts in: Main
• Discovery services during creation: Selected

Configure Inventory Rule

To use the inventory, you have to create a rule.
Go to Setup → HW/SW inventory rules → Do hardware/software inventory
Specify the settings to fit your needs.

Switchport Monitoring

To monitor switch ports, the following should be noted:

• If the FortiOS Switch Interface Discovery rule is not configured, all interfaces will be discovered.
• If the rule is configured, a pattern must be specified for the description.
• Currently, the description is visible in the service summary output. This should be changed later.
• Currently, all interface data is output in 'Service Details'. This makes debugging easier.

Development

For the best development experience use VSCode with the Remote Containers extension. This maps your workspace into a checkmk docker container giving you access to the python environment and libraries the installed extension has.

Contribution

See CONTRIBUTING.md

Special Agent Call

To call the special agent manually, please use this command.

 /opt/omd/sites/cmk/bin/python3 agent_fortios.py --api-token <TOKEN> --port 8443 --no-cert-check <HOST_IP>

Directories

The following directories in this repo are getting mapped into the Checkmk site.

• agents, checkman, checks, doc, inventory, notifications, pnp-templates, web are mapped into local/share/check_mk/
• agent_based is mapped to local/lib/check_mk/base/plugins/agent_based
• nagios_plugins is mapped to local/lib/nagios/plugins
• bakery is mapped to local/lib/check_mk/base/cee/plugins/bakery
• temp is mapped to local/tmp for storing static agent output

Continuous integration

Local

To build the package hit Crtl+Shift+B to execute the build task in VSCode.

pytest can be executed from the terminal or the test ui.

Github Workflow

The provided Github Workflows run pytest and ruff in the same checkmk docker container as vscode.