Fortigate Special Agent

Hello Community,

We are currently developing a special agent for FortiGate firewalls (a complete replacement of SNMP checks), switches and access points.
Are there any interested parties who would like to test the agent as soon as it is ready?

Feature requests are also welcome.

BR,
Simon

10 Likes

Hi Simon,

yes, I would be interested :slight_smile:
I'm happy to test it, as I have a lot of customers with FortiGate firewalls.
Do you have a GitHub repo for the check?

Hi Andre,

I will publish the repo as soon as the first codebase is ready.
Today I received some feedback on the code from @andreas-doehler, which I would like to incorporate first.

I’ll keep you up to date.

1 Like

Hi Simon,

I’m also interested in testing the plugin.

BR
Torsten

1 Like

Hi Simon,

Yes! I would definitely like to be in the testing group.

Also what about some more detailed monitoring of the Fortigate Web Application Firewall (WAF)?

Thank you, Jakub

1 Like

Hi Jakub,

Currently, the Fortigate WAF is not in scope.

Simon

Hello Simon,

I would be interested to test the agent.

BR
Mattias

Hello! I would also be interested!

Hi!
I would be interested!

Hello, any news on this agent?

Hello,
Internal testing with all models we have is still ongoing. Will publish it as soon as possible.
Thanks for your patience.
BR
Simon

4 Likes

Hi Simon,
I am interested as well :slight_smile:

oh yes please
we have a ton of customer fortigates.
snmp tends to freeze / create high load randomly.

Hello,
A little update from my side. The tests (and the associated fixes :slight_smile: ) are coming to an end. I’m looking forward to the release of the Special Agent. This will probably take place in the next few days.
Thank you for your patience.
Simon

4 Likes

That’s very interesting! Thanks @meis

Hello everyone,

Very happy that we finally managed to release the FortiOS Special Agent tonight.

We are very grateful for your feedback, via pull request, issue, or here in the forum.
Of course, feature requests via issues are also welcome.

The repository is now open source and is available here:

You can download version 1.0.0 of the plugin here:

Or now directly in the repository: checkmk_fortigate/checkmk_fortios-1.0.0.mkp at main · WagnerAG/checkmk_fortigate · GitHub

Many thanks to dampfhamm3r, ellr, yogibaer75 and thl-cmk for supporting this project.

Have fun testing it!

Best regards
Simon

9 Likes

Hello Simon!

I would like to have this, since we do have Forti firewalls in all our locations. Thanks a lot!

2 Likes

Hello everyone,

Many thanks to sva-mh, who has provided a first version which is CheckMK 2.3 compatible. I have made this available separately in the cmk23 branch and also uploaded the MKP. Feedback is welcome.

4 Likes

brilliant work, thanks a ton.

We have been looking for a way to avoid snmp monitoring forti devices (especially over wan) for ages.

THANKS!

Hello Simon,

a bit of feedback based on the 1.0.1 MKP for 2.3.0, with a few dozen FortiGate units checked:

  • fortios_dhcp_lease often crashes on discovery already, or during the check function, and even if discovered and enabled, the number of active leases returned in fortios_dhcp_scope is always 0
  • fortios_license fails on discovery for some devices

I can send you the raw agent outputs to opensource@ if you want to take a look.

EDIT:
Very important: if you get a 429 Too many requests response on your first attempt, you probably configured an incorrect API key (or someone removed the wrong REST API administrator from the FGT).
The agent should abort immediately in this case instead of trying its dozens of requests, as this increases the amount of time that the IP address is going to stay blacklisted. Switching to the correct API key does not help, and the lockout timer cannot be lowered or manually cleared (anymore, with current firmware versions). You’d need to reboot the entire FortiGate (or change the source IP address of Checkmk) in order to regain API access before the block timer has run its course.

See Fortinet Technical Tip: Administrative lockout durations for FortiGate API users

EDIT:

Example patch that I’ve just applied on my end:

--- a/local/share/check_mk/agents/special/agent_fortios    2025-07-06 16:09:39.108111513 +0200
+++ b/local/share/check_mk/agents/special/agent_fortios    2025-07-06 16:10:19.933485832 +0200
@@ -302,6 +302,10 @@
             _LOGGER.error(f"Login failed: {e}")
             raise AuthError(f"Login failed {e}") from e
 
+        if section_response.status_code == 429: # Too many requests, also used in case of auth error and subsequent blocking
+            _LOGGER.error(f"Collecting section: {spec.name} failed. Reason: HTTP status 429; error: ({section_response.status_code}) {section_response.reason}")
+            raise AuthError(f"IP address blacklisted or too many requests")
+
         if section_response.status_code != 200:
             _LOGGER.error(f"Collecting section: {spec.name} failed. Reason: HTTP status not 200; error: ({section_response.status_code}) {section_response.reason}")
             raise APIEndpointNotFound(f"Spec name: {spec.name} failed. Reason: HTTP status not 200; error: ({section_response.status_code}) {section_response.reason}")
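
Review bot: The new 429 branch raises AuthError, but the inline comment on the same line says 429 covers both plain rate limiting and the blocking that follows an auth error, so the caller cannot tell the two apart; a dedicated exception type (or at least spec.name in the exception message, as the APIEndpointNotFound branch below does) would keep the abort behaviour while making the cause visible. The string in raise AuthError(f"IP address blacklisted or too many requests") has no placeholders, so the f prefix can go, and the log line prints the status twice ("HTTP status 429" followed by section_response.status_code).
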
@@ -338,6 +342,12 @@
     for spec in _filter_applicable_sections(_SECTIONS):
         try:
             data = fortios.collect_section_data(spec)
+
+        except AuthError:
+            # no use trying any other sections, abort entire run
+            _LOGGER.error(f"Login failed while trying to collect {spec.name}: {spec.path}")
+            sys.stdout.write("\n<<<>>>\n")
+            break
         
         except Exception:
             _LOGGER.error(f"Collecting {spec.name} failed: {spec.path}")
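
Review bot: The except AuthError handler only writes "\n<<<>>>\n" and breaks out of the loop; nothing in this hunk sets an exit status, so whether the run ends non-zero depends on code after the loop that is not shown here. If a failing exit code is the goal, make it explicit at this point (for example by exiting with a non-zero status after the log call) instead of relying on the section marker. The message "Login failed while trying to collect ..." is also misleading now that the first hunk raises AuthError for HTTP 429 as well; wording that covers both the blocked-IP and rate-limit cases would match. Minor: the added blank line between data = fortios.collect_section_data(spec) and except AuthError: separates the try body from its handler and can be dropped.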

This now leads to a non-zero exit code (apparently the agent returned 0 previously, which makes even less sense as it hides the agent malfunction from the user entirely)

and FortiGate is no longer hammered with 21 invalid queries in rapid succession (and repeated every minute) but just one: