Report a Bug · Request a Feature
- To dampfhamm3r he had the idea for the project and needed a lot of perseverance to work on it.
- To ELLR he supported us and carried out code reviews
- To yogibaer75 he answered many of our questions at the CheckMK conference.
- To thl-cmk who took the time to do a review.
- To sva-mh he contributed the first bugfixes for CheckMK 2.3.
- To bitwiz for helping to improve the special agent.
See GitHub Releases, where you can download the latest .mkp file.
This is the repository for the Fortinet Firewall Special Agent. Due to conflicts with the built-in CheckMK checks, the rules are renamed to FortiOS.
To create an API token for Checkmk, follow these steps:
-
Create an administrator profile:
Go toSystem→Admin Profiles→Create New- Name:
checkmk-readonly - Permissions: Set all to
Read - Permit usage of CLI diagnostic commands:
False
- Name:
-
Create REST API Administrator:
Go toSystem→Administrators→Create New→REST API Administrator- Username:
checkmk - Administrator Profile:
checkmk-readonly(or how you named it) - Virtual Domains: select all VDOMs
- PKI Group:
False - CORS Allow Origin:
False - Trusted Hosts:
True→ enter theIP OF YOUR CHECKMK INSTANCE
- Username:
- Install the plugin via Extensions
- Create a password under
Setup→General→Passwords - Search for FortiOS special angent and configure a rule
- Adjust the rule according to your requirements:
- API Token: choose
From password store; select the password you just created - Port:
8443is default - Certificate Verification: Specify if the certificate should be validated
- Number of retries: retry attempts made by the special agent
- Timeout for connection: you may leave at default value, please increase in case of slow WAN
- API Token: choose
To have the piggyback data delivered, the DCD must be set up.
Go to Setup → DCD (dynamic configuration daemon)
- Title:
<DCD configuration name> - Site:
<CheckMK site> - Connector type:
Piggyback data - Sync interval:
1min - Create hosts in:
<Folder for piggyback hosts> - Discovery services during creation:
Selected
To use the inventory, you have to create a rule.
Go to Setup → HW/SW inventory rules → Do hardware/software inventory
Specify the settings to fit your needs.
To monitor switch ports, the following should be noted:
- If no
FortiOS switch interface discoveryrule is configured, all interfaces will be discovered regardless of their state - When a rule is configured, a pattern can be specified; all switch ports whose description contains this pattern will be monitored.
- Or, conversely, you can exclude interfaces from discovery if their description contains a specific string
- You may choose to discover only interfaces with a switch port description
For the best development experience use VSCode with the Remote Containers extension. This maps your workspace into a checkmk docker container giving you access to the python environment and libraries the installed extension has.
See CONTRIBUTING.md
First, create a password named <forti_api_token> in the CheckMK password store. Note the password ID.
To call the special agent manually, please use this command:
/opt/omd/sites/$USER/bin/python3 local/lib/python3/cmk_addons/plugins/fortios/special_agents/agent_fortios.py --api-token <forti_api_token_id>:var/check_mk/stored_passwords --port 8443 --no-cert-check <HOST_IP>
The following directories in this repo are getting mapped into the Checkmk site.
cmk_addons/plugins/<package-name>is being mapped into<$OMD_ROOT>/local/lib/python3/cmk_addons/plugins/<package-name>libis being mapped into<$OMD_ROOT>/local/lib/python3/cmkplugins_legacyis being mapped into<$OMD_ROOT>/local/share/check_mk
To build the package hit Crtl+Shift+B to execute the build task in VSCode.
pytest can be executed from the terminal or the test ui.
The provided Github Workflows run pytest and ruff in the same checkmk docker container as vscode.