Fortigate SSL VPN statistics monitoring & graphs


I would like to see support for graphing counts of clients connecting to a Fortigate SSL VPN; other statistics would also be useful (unique users; average time connected per session; average bytes in/out per session). Client count information similar to the graphs produced in the latest LibreNMS wireless code update would be ideal.

Sanitised snmpbulkwalk output below (from a Fortigate 1500D) showing three concurrently connected users with MIB objects as per http://www.mibdepot.com/cgi-bin/getmib3.cgi?win=mib_a&r=fortinet&f=fortinet-fortigate-mib&v=v2&t=tree

 /usr/bin/snmpbulkwalk -OsqnU  -M /opt/librenms/mibs device .1.3.6.1.4.1.12356.101.12.2.3.1
.1.3.6.1.4.1.12356.101.12.2.3.1.1.1 2                         ! fgVpnSslState
.1.3.6.1.4.1.12356.101.12.2.3.1.2.1 3                         ! fgVpnSslStatsLoginUsers
.1.3.6.1.4.1.12356.101.12.2.3.1.3.1 6                         ! fgVpnSslStatsMaxUsers
.1.3.6.1.4.1.12356.101.12.2.3.1.4.1 4                         ! fgVpnSslStatsActiveWebSessions
.1.3.6.1.4.1.12356.101.12.2.3.1.5.1 9                         ! fgVpnSslStatsMaxWebSessions
.1.3.6.1.4.1.12356.101.12.2.3.1.6.1 3                         ! fgVpnSslStatsActiveTunnels
.1.3.6.1.4.1.12356.101.12.2.3.1.7.1 3                         ! fgVpnSslStatsMaxTunnels

 /usr/bin/snmpbulkwalk -OsqnU  -M /opt/librenms/mibs device .1.3.6.1.4.1.12356.101.12.2.4.1
.1.3.6.1.4.1.12356.101.12.2.4.1.1.1 1                         ! fgVpnSslTunnelIndex
.1.3.6.1.4.1.12356.101.12.2.4.1.1.2 2
.1.3.6.1.4.1.12356.101.12.2.4.1.1.3 3
.1.3.6.1.4.1.12356.101.12.2.4.1.2.1 1                         ! fgVpnSslTunnelVdom
.1.3.6.1.4.1.12356.101.12.2.4.1.2.2 1
.1.3.6.1.4.1.12356.101.12.2.4.1.2.3 1
.1.3.6.1.4.1.12356.101.12.2.4.1.3.1 "user1"                   ! fgVpnSslTunnelUserName (Username)
.1.3.6.1.4.1.12356.101.12.2.4.1.3.2 "user2"
.1.3.6.1.4.1.12356.101.12.2.4.1.3.3 "user3"
.1.3.6.1.4.1.12356.101.12.2.4.1.4.1 10.23.209.138           ! fgVpnSslTunnelSrcIp (Client source IP)
.1.3.6.1.4.1.12356.101.12.2.4.1.4.2 10.23.15.19
.1.3.6.1.4.1.12356.101.12.2.4.1.4.3 10.23.215.230
.1.3.6.1.4.1.12356.101.12.2.4.1.5.1 10.15.26.1              ! fgVpnSslTunnelIp (Client SSL VPN allocated IP)
.1.3.6.1.4.1.12356.101.12.2.4.1.5.2 10.15.26.2
.1.3.6.1.4.1.12356.101.12.2.4.1.5.3 10.15.26.3
.1.3.6.1.4.1.12356.101.12.2.4.1.6.1 593                       ! fgVpnSslTunnelUpTime (Seconds connected to SSL VPN)
.1.3.6.1.4.1.12356.101.12.2.4.1.6.2 92
.1.3.6.1.4.1.12356.101.12.2.4.1.6.3 15
.1.3.6.1.4.1.12356.101.12.2.4.1.7.1 521220                    ! fgVpnSslTunnelBytesIn (bytes out from client)
.1.3.6.1.4.1.12356.101.12.2.4.1.7.2 24421
.1.3.6.1.4.1.12356.101.12.2.4.1.7.3 953
.1.3.6.1.4.1.12356.101.12.2.4.1.8.1 1151950                   ! fgVpnSslTunnelBytesOut (bytes in to client)
.1.3.6.1.4.1.12356.101.12.2.4.1.8.2 22216
.1.3.6.1.4.1.12356.101.12.2.4.1.8.3 2870

Thanks

1 Like

Should be pretty simple. I’ll work on this as I get time. I’ve got some use for it as well.

2 Likes

@alanbboyd I started working on this, but it’s a bit more complicated than I originally thought. The Fortigate reports the SSL stats per VDOM, so I need to figure out a way to create a graph per VDOM, or a single graph that shows all VDOMs. I’ll link the pull request when it’s ready.

1 Like
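
One way to handle the per-VDOM grouping discussed above, shown as an added example (not code from LibreNMS or from any poster in this thread): it pivots fgVpnSslTunnelTable walk output into sessions and computes the per-VDOM counts and averages asked for in the first post. The function names and the sample, which moves row 3 into a second VDOM, are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Columns of fgVpnSslTunnelTable used here, numbered as in the walk output above.
COLS = {2: "vdom", 3: "user", 6: "uptime", 7: "bytes_in", 8: "bytes_out"}
LINE = re.compile(r"^\.1\.3\.6\.1\.4\.1\.12356\.101\.12\.2\.4\.1\.(\d+)\.(\d+)\s+(.*)$")

# Constructed sample: values from the post, except that row 3 is moved to VDOM 2.
SAMPLE = """
.1.3.6.1.4.1.12356.101.12.2.4.1.2.1 1
.1.3.6.1.4.1.12356.101.12.2.4.1.2.2 1
.1.3.6.1.4.1.12356.101.12.2.4.1.2.3 2
.1.3.6.1.4.1.12356.101.12.2.4.1.3.1 "user1"
.1.3.6.1.4.1.12356.101.12.2.4.1.3.2 "user2"
.1.3.6.1.4.1.12356.101.12.2.4.1.3.3 "user3"
.1.3.6.1.4.1.12356.101.12.2.4.1.6.1 593
.1.3.6.1.4.1.12356.101.12.2.4.1.6.2 92
.1.3.6.1.4.1.12356.101.12.2.4.1.6.3 15
.1.3.6.1.4.1.12356.101.12.2.4.1.7.1 521220
.1.3.6.1.4.1.12356.101.12.2.4.1.7.2 24421
.1.3.6.1.4.1.12356.101.12.2.4.1.7.3 953
.1.3.6.1.4.1.12356.101.12.2.4.1.8.1 1151950
.1.3.6.1.4.1.12356.101.12.2.4.1.8.2 22216
.1.3.6.1.4.1.12356.101.12.2.4.1.8.3 2870
"""

def parse_tunnels(walk_text):
    """Pivot column-major walk lines into {row_index: {column_name: value}}."""
    rows = defaultdict(dict)
    for line in walk_text.splitlines():
        m = LINE.match(line.strip())
        if m and int(m.group(1)) in COLS:
            name = COLS[int(m.group(1))]
            value = m.group(3).strip().strip('"')
            rows[int(m.group(2))][name] = value if name == "user" else int(value)
    return dict(rows)

def stats_per_vdom(rows):
    """Group complete rows by VDOM and average the per-session counters."""
    groups = defaultdict(list)
    for row in rows.values():
        if len(row) == len(COLS):  # a session that came or went mid-walk is partial
            groups[row["vdom"]].append(row)
    avg = lambda s, k: sum(r[k] for r in s) / len(s)
    return {v: {"tunnels": len(s), "unique_users": len({r["user"] for r in s}),
                "avg_uptime_s": avg(s, "uptime"), "avg_bytes_in": avg(s, "bytes_in"),
                "avg_bytes_out": avg(s, "bytes_out")} for v, s in groups.items()}
if __name__ == "__main__":
    print(stats_per_vdom(parse_tunnels(SAMPLE)))
```

Because the walk returns the table column by column, a user who connects or disconnects during the walk leaves a row with missing columns; those rows are skipped rather than averaged.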

No problem, thanks for the update.

Hi @network-guy.

Was this ever implemented?

Best wishes
Frey Alfredsson

I’m looking for this too.
Any update?

Thanks for the hard work!
I just found out that there is a COUNT for SSLVPN now, and I'm wondering how to add it to the widget.
I did find [Device Count] in Graph, and this will display all of the COUNT items of that device.
But I just want [SSL VPN Logged users].
Is it possible?

1 Like

Yip, thanks to the devs, this is a great feature.

And a big thank you from me - VPN usage graphs are building up nicely. Lovely! :grinning:

2 Likes