Fix bug in OID handling #92

Open
wants to merge 1 commit into
base: master
130 changes: 65 additions & 65 deletions fortigate/check_fortigate.pl
@@ -118,6 +118,11 @@
# - allow "any" value for critical/waring when in "wtp" mode (tested on Forti900D)
# Release 1.8.13 (2024-11-22) Luca Gubler
# - Refactor deprecated `when` and `given` statements and use `if/elsif/else` statements
# Release 1.8.14 (2024-11-22) Luca Gubler
# - Fixed an issue with the `cpu-sys` check where the OID `.1.3.6.1.4.1.12356.101.4.1.3.0.1` was not correctly used.
# - Updated the `get_health_value` subroutine to dynamically append `.1` to OIDs based on device type and check type.
# - Added a `modify_oid` parameter to `get_health_value` for greater flexibility with OID handling.
# - Updated all relevant calls to `get_health_value` to ensure proper behavior for specific checks.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -146,7 +151,7 @@
use Date::Parse;

my $script = "check_fortigate.pl";
my $script_version = "1.8.13";
my $script_version = "1.8.14";

# for more information.
my %status = ( # Enumeration for the output Nagios states
@@ -359,109 +364,109 @@
if ( $curr_serial =~ /^(FL|FAZ)/ ) { # FL|FAZ = FORTIANALYZER
my $type_lc = lc($type);
if ( $type_lc eq "cpu" ) {
($return_state, $return_string) = get_health_value($oid_faz_cpu_used, "CPU", "%");
($return_state, $return_string) = get_health_value($oid_faz_cpu_used, "CPU", "%", 0);
} elsif ( $type_lc eq "mem" ) {
($return_state, $return_string) = get_faz_health_value($oid_faz_mem_used, $oid_faz_mem_avail, "Memory", "%");
} elsif ( $type_lc eq "disk" ) {
($return_state, $return_string) = get_faz_health_value($oid_faz_disk_used, $oid_faz_disk_avail, "Disk", "%");
} else {
($return_state, $return_string) = ('UNKNOWN', "UNKNOWN: This device supports only selected type -T cpu|mem|disk $curr_device is a FORTIANALYZER (S/N: $curr_serial)");
($return_state, $return_string) = ('UNKNOWN',"UNKNOWN: This device supports only selected type -T cpu|mem|disk $curr_device is a FORTIANALYZER (S/N: $curr_serial)");
}
} elsif ( $curr_serial =~ /^FAC/ ) { # FAC = FortiAuthenticator
my $type_lc = lc($type);
if ( $type_lc eq "cpu" ) {
($return_state, $return_string) = get_health_value($oid_fac_cpu, "CPU", "%");
($return_state, $return_string) = get_health_value($oid_fac_cpu, "CPU", "%", 0);
} elsif ( $type_lc eq "mem" ) {
($return_state, $return_string) = get_health_value($oid_fac_mem, "Memory", "%");
($return_state, $return_string) = get_health_value($oid_fac_mem, "Memory", "%", 0);
} elsif ( $type_lc eq "ldisk" ) {
($return_state, $return_string) = get_health_value($oid_fac_ldisk, "Log Disk", "%");
($return_state, $return_string) = get_health_value($oid_fac_ldisk, "Log Disk", "%", 0);
} elsif ( $type_lc eq "ha" ) {
$oid_ha = $oid_fac_ha; # hack to get "ha" check going
($return_state, $return_string) = get_ha_mode();
} elsif ( $type_lc eq "firmware" ) {
$oid_firmware = $oid_fac_firmware; # hack to get "firmware" check going
($return_state, $return_string) = get_firmware_state();
} else {
($return_state, $return_string) = ('UNKNOWN', "UNKNOWN: This device supports only selected type -T cpu|firmware|ha|mem|ldisk, $curr_device is a FORTIAUTHENTICATOR (S/N: $curr_serial)");
($return_state, $return_string) = ('UNKNOWN',"UNKNOWN: This device supports only selected type -T cpu|firmware|ha|mem|ldisk, $curr_device is a FORTIAUTHENTICATOR (S/N: $curr_serial)");
}
} elsif ( $curr_serial =~ /^FMG/ ) { # FMG = FortiManager
my $type_lc = lc($type);
if ( $type_lc eq "cpu" ) {
($return_state, $return_string) = get_health_value($oid_fmg_cpu_used, "CPU", "%");
($return_state, $return_string) = get_health_value($oid_fmg_cpu_used, "CPU", "%", 0);
} elsif ( $type_lc eq "mem" ) {
($return_state, $return_string) = get_fmg_health_value($oid_fmg_mem_used, $oid_fmg_mem_avail, "Memory", "%");
} elsif ( $type_lc eq "disk" ) {
($return_state, $return_string) = get_fmg_health_value($oid_fmg_disk_used, $oid_fmg_disk_avail, "Disk", "%");
} elsif ( $type_lc eq "fmgdevice" ) {
($return_state, $return_string) = get_fmg_device_state();
} else {
($return_state, $return_string) = ('UNKNOWN', "UNKNOWN: This device supports only selected type -T cpu|mem|disk|fmgdevice $curr_device is a FORTIMANAGER (S/N: $curr_serial)");
($return_state, $return_string) = ('UNKNOWN',"UNKNOWN: This device supports only selected type -T cpu|mem|disk|fmgdevice $curr_device is a FORTIMANAGER (S/N: $curr_serial)");
}
} elsif ( $curr_serial =~ /^FE/ ) { # FE = FORTIMAIL
my $type_lc = lc($type);
if ( $type_lc eq "cpu" ) {
($return_state, $return_string) = get_health_value($oid_fe_cpu, "CPU", "%");
($return_state, $return_string) = get_health_value($oid_fe_cpu, "CPU", "%", 0);
} elsif ( $type_lc eq "mem" ) {
($return_state, $return_string) = get_health_value($oid_fe_mem, "Memory", "%");
($return_state, $return_string) = get_health_value($oid_fe_mem, "Memory", "%", 0);
} elsif ( $type_lc eq "disk" ) {
($return_state, $return_string) = get_health_value($oid_fe_mdisk, "Disk", "%");
($return_state, $return_string) = get_health_value($oid_fe_mdisk, "Disk", "%", 0);
} elsif ( $type_lc eq "ldisk" ) {
($return_state, $return_string) = get_health_value($oid_fe_ldisk, "Log Disk", "%");
($return_state, $return_string) = get_health_value($oid_fe_ldisk, "Log Disk", "%", 0);
} elsif ( $type_lc eq "load" ) {
($return_state, $return_string) = get_health_value($oid_fe_load, "Load", "%");
($return_state, $return_string) = get_health_value($oid_fe_load, "Load", "%", 0);
} elsif ( $type_lc eq "ses" ) {
($return_state, $return_string) = get_health_value($oid_fe_ses, "Session", "");
($return_state, $return_string) = get_health_value($oid_fe_ses, "Session", "", 0);
} else {
($return_state, $return_string) = ('UNKNOWN', "UNKNOWN: This device supports only selected type -T cpu|mem|disk|ldisk|load|ses, $curr_device is a FORTIMAIL (S/N: $curr_serial)");
($return_state, $return_string) = ('UNKNOWN',"UNKNOWN: This device supports only selected type -T cpu|mem|disk|ldisk|load|ses, $curr_device is a FORTIMAIL (S/N: $curr_serial)");
}
} elsif ( $curr_serial =~ /^FAD/ ) { # FAD = FortiADC
my $type_lc = lc($type);
if ( $type_lc eq "cpu" ) {
($return_state, $return_string) = get_health_value($oid_fad_cpu, "CPU", "%");
($return_state, $return_string) = get_health_value($oid_fad_cpu, "CPU", "%", 0);
} elsif ( $type_lc eq "mem" ) {
($return_state, $return_string) = get_health_value($oid_fad_mem, "Memory", "%");
($return_state, $return_string) = get_health_value($oid_fad_mem, "Memory", "%", 0);
} elsif ( $type_lc eq "ldisk" ) {
($return_state, $return_string) = get_health_value($oid_fad_ldisk, "Log Disk", "%");
($return_state, $return_string) = get_health_value($oid_fad_ldisk, "Log Disk", "%", 0);
} elsif ( $type_lc eq "load" ) {
($return_state, $return_string) = get_health_value($oid_fad_load, "Load", "%");
($return_state, $return_string) = get_health_value($oid_fad_load, "Load", "%", 0);
} else {
($return_state, $return_string) = ('UNKNOWN', "UNKNOWN: This device supports only selected type -T cpu|mem|ldisk|load, $curr_device is a FortiADC (S/N: $curr_serial)");
($return_state, $return_string) = ('UNKNOWN',"UNKNOWN: This device supports only selected type -T cpu|mem|ldisk|load, $curr_device is a FortiADC (S/N: $curr_serial)");
}
} elsif ( $curr_serial =~ /^FG100A/ ) { # 100A = Legacy Device
my $type_lc = lc($type);
if ( $type_lc eq "cpu" ) {
($return_state, $return_string) = get_health_value($oid_legacy_cpu, "CPU", "%");
($return_state, $return_string) = get_health_value($oid_legacy_cpu, "CPU", "%", 0);
} elsif ( $type_lc eq "mem" ) {
($return_state, $return_string) = get_health_value($oid_legacy_mem, "Memory", "%");
($return_state, $return_string) = get_health_value($oid_legacy_mem, "Memory", "%", 0);
} elsif ( $type_lc eq "ses" ) {
($return_state, $return_string) = get_health_value($oid_legacy_ses, "Session", "");
($return_state, $return_string) = get_health_value($oid_legacy_ses, "Session", "", 0);
} elsif ( $type_lc eq "net" ) {
($return_state, $return_string) = get_health_value($oid_legacy_net, "Network", "");
($return_state, $return_string) = get_health_value($oid_legacy_net, "Network", "", 0);
} elsif ( $type_lc eq "pktloss" ) {
($return_state, $return_string) = get_pktloss_value();
} elsif ( $type_lc eq "pktloss2" ) {
($return_state, $return_string) = get_pktloss_value2();
} else {
($return_state, $return_string) = ('UNKNOWN', "UNKNOWN: This device supports only selected type -T cpu|mem|ses|net, $curr_device is a Legacy Fortigate (S/N: $curr_serial)");
($return_state, $return_string) = ('UNKNOWN',"UNKNOWN: This device supports only selected type -T cpu|mem|ses|net, $curr_device is a Legacy Fortigate (S/N: $curr_serial)");
}
} else { # OTHERS (FG = FORTIGATE...)
my $type_lc = lc($type);
if ( $type_lc eq "cpu" ) {
($return_state, $return_string) = get_health_value($oid_cpu, "CPU", "%");
($return_state, $return_string) = get_health_value($oid_cpu, "CPU", "%", 1);
} elsif ( $type_lc eq "cpu-sys" ) {
($return_state, $return_string) = get_health_value($oid_cpu_sys, "CPU", "%");
($return_state, $return_string) = get_health_value($oid_cpu_sys, "CPU", "%", 0);
} elsif ( $type_lc eq "mem" ) {
($return_state, $return_string) = get_health_value($oid_mem, "Memory", "%");
($return_state, $return_string) = get_health_value($oid_mem, "Memory", "%", 1);
} elsif ( $type_lc eq "mem-sys" ) {
($return_state, $return_string) = get_health_value($oid_mem_sysmem, "Memory", "%");
($return_state, $return_string) = get_health_value($oid_mem_sysmem, "Memory", "%", 0);
} elsif ( $type_lc eq "net" ) {
($return_state, $return_string) = get_health_value($oid_net, "Network", "kb");
($return_state, $return_string) = get_health_value($oid_net, "Network", "kb", 1);
} elsif ( $type_lc eq "ses" ) {
($return_state, $return_string) = get_health_value($oid_ses_ha, "Session", "");
($return_state, $return_string) = get_health_value($oid_ses_ha, "Session", "", 1);
} elsif ( $type_lc eq "ses-ipv4" ) {
($return_state, $return_string) = get_health_value($oid_ses_device_ipv4, "Session IPv4", "");
($return_state, $return_string) = get_health_value($oid_ses_device_ipv4, "Session IPv4", "", 0);
} elsif ( $type_lc eq "ses-ipv6" ) {
($return_state, $return_string) = get_health_value($oid_ses_device_ipv6, "Session IPv6", "");
($return_state, $return_string) = get_health_value($oid_ses_device_ipv6, "Session IPv6", "", 0);
} elsif ( $type_lc eq "disk" ) {
($return_state, $return_string) = get_disk_usage();
} elsif ( $type_lc eq "ha" ) {
@@ -686,25 +691,25 @@ sub get_firmware_state {
}

sub get_health_value {
my $label = $_[1];
my $UOM = $_[2];
my ($oid_input, $label, $UOM, $modify_oid) = @_;
my $oid;

if ( $slave == 1 ) {
$oid = $_[0] . ".2";
$oid = $oid_input . ".2";
$label = "slave_" . $label;
} elsif ( $curr_serial =~ /^FG100A/ ) {
$oid = $_[0];
$oid = $oid_input;
} elsif ( $curr_serial =~ /^FG201/ ) {
$oid = $_[0];
} elsif ( $curr_serial =~ /^FG/ ) {
$oid = $_[0] . ".1";
$oid = $oid_input;
} elsif ( $curr_serial =~ /^FG/ && $modify_oid ) {
$oid = $oid_input . ".1";
} else {
$oid = $_[0];
$oid = $oid_input;
}

$value = get_snmp_value($session, $oid);

# strip any leading or trailing non zeros
# strip any leading or trailing non digits
$value =~ s/\D*(\d+)\D*/$1/g;

if ( $value >= $crit ) {
@@ -886,8 +891,6 @@ sub get_vpn_state {
my $ActiveSSL = 0;
my $ActiveSSLTunnel = 0;
my $return_string_errors = "";
my $return_string = "";
my $match_whitelist = undef;

use constant {
TUNNEL_DOWN => 1,
@@ -916,18 +919,10 @@ sub get_vpn_state {
%tunnels_names = map { (my $temp = $_ ) =~ s/^${oid_ipsectuntableroot}${oidf_tunname}\.//; $temp => $tunnels_names{$_} } keys %tunnels_names;
%tunnels_status = map { (my $temp = $_ ) =~ s/^${oid_ipsectuntableroot}${oidf_tunstatus}\.//; $temp => $tunnels_status{$_} } keys %tunnels_status;

if (defined($whitelist) and length($whitelist)) {
my @matches = grep { $tunnels_names{$_} =~ $whitelist } keys %tunnels_names;
if (@matches) {
delete $tunnels_names{$_} for grep { $tunnels_names{$_} !~ $whitelist } keys %tunnels_names;
$match_whitelist = 1;
} else {
# Whitelist not match - need invertigate
$return_string = "Whitelist not match any VPN name. ";
$match_whitelist = 0;
}
if (defined($whitelist) and length($whitelist))
{
delete $tunnels_names{$_} for grep { $tunnels_names{$_} !~ $whitelist } keys %tunnels_names;
}

if (defined($blacklist) and length($blacklist))
{
delete $tunnels_names{$_} for grep { $tunnels_names{$_} =~ $blacklist } keys %tunnels_names;
@@ -950,12 +945,12 @@ sub get_vpn_state {
}
#Set Unitstate
if (($mode >= 2 ) && ($vpnmode ne "ssl")) {
if ($ipstunsdown >= 1) { $return_state = "CRITICAL"; }
if (defined($match_whitelist) and $match_whitelist == 0) { $return_state = "UNKNOWN"; }
if ($ipstunsdown == 1) { $return_state = "WARNING"; }
if ($ipstunsdown >= 2) { $return_state = "CRITICAL"; }
}

# Write an output string...
$return_string = $return_state . ": " . $return_string . $curr_device . " (Master: " . $curr_serial .")";
$return_string = $return_state . ": " . $curr_device . " (Master: " . $curr_serial .")";

if ($vpnmode ne "ipsec") {
#Add the SSL tunnel count
@@ -969,6 +964,16 @@ sub get_vpn_state {
$perf="|'ActiveSSL-VPN'=".$ActiveSSL." 'ActiveIPSEC'=".$ipstunsopen;
$return_string .= $perf;

# Check to see if the output string contains either "unkw", "warning" or "down", and set an output state accordingly...
if($return_string =~/uknw/i){
$return_state = "UNKNOWN";
}
if($return_string =~/warning/i){
$return_state = "WARNING";
}
if($return_string =~/down/i){
$return_state = "CRITICAL";
}
return ($return_state, $return_string);
} # end vpn state

@@ -1210,14 +1215,9 @@ sub get_linkmonitor_hc {
$return_state = 'CRITICAL';
}
} else {
if($mode -eq "3"){
$return_string = "OK: device has no Link Monitor health checks available";
$return_state = "OK";
}else{
$return_string = "UNKNOWN: device has no Link Monitor health checks available";
$return_string = "UNKNOWN: device has no Link Monitor healt checks available";
$return_state = "UNKNOWN";
}
}
return ($return_state, $return_string);
} # end get_linkmonitor_hc
# Get License contract Information and checks if its expiring soon
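Review bot: In get_vpn_state the whitelist hunk (`@@ -916,18 +919,10 @@`) drops the `@matches` guard and the following hunk drops `if (defined($match_whitelist) and $match_whitelist == 0) { $return_state = "UNKNOWN"; }`, so a `$whitelist` pattern that matches no tunnel name now empties `%tunnels_names` without any signal; unless the tunnel loop outside these hunks catches it, a mistyped whitelist leaves every IPsec tunnel unwatched while the check keeps reporting as if nothing were wrong. I would keep the removed guard and the UNKNOWN line as they were, and likewise `if ($ipstunsdown >= 1) { $return_state = "CRITICAL"; }`, since none of this belongs to the OID fix named in the title. The block added before `return` is not a substitute: `/uknw/i` matches neither "UNKNOWN" nor the "unkw" its own comment names, and `/down/i` and `/warning/i` run over a string that includes `$curr_device`, so a device name containing "down" would force CRITICAL regardless of tunnel state. Together with get_linkmonitor_hc going back to the misspelt `healt checks` message, this looks like an older copy of the file being carried into the change; rebasing on the current base branch and limiting the diff to get_health_value and its callers would avoid the regressions.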