How do you add a violation to alert you when a Fortinet VPN is down? (After a Snapshot is processed, that is).  Or, how does one quickly check the VPN status for a particular Snapshot to compare state? How about simply verifying that the proper TCP port is being used for the VPN tunnel?Â
(You know what the answer is already… It’s NQE, of course).
The purpose of this NQE for Fortinet VPN tunnels is:
- Show the status of all VPN tunnels.
- Add a Violation that can be added to the NQE Verifications.
- Provide a searchable and sortable report for all VPN tunnels.
This NQE leverages the Fortinet “get vpn ipsec tunnel summary” command that is run during Collection. See the prior example for finding the commandType and whether the command is already in the Forward Networks collection, or whether a custom command should be created.
Â
/**
* @intent Fortinet VPN Status
* @description Enumerate the output of "get vpn ipsec tunnel summary" for all Fortinet devices.
* When the selectors(total,up): 1/0, this indicates that the VPN tunnel is down per:
* https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955
* Use the Violation NQE method to indicate when a tunnel is down.
* https://fwd.app/docs/nqe/
* https://fwd.app/docs/enterprise/applications/verify/checks_nqe/
*/
pattern_vpn =
```
get vpn ipsec tunnel summary
{tunnel_name:string} {tunnel_ip_port:string} selectors(total,up): {selector_total_up:string} rx(pkt,err): {rx_pkt_err:string} tx(pkt,err): {tx_pkt_err:string}
```;
//
parseSlashPair(s) =
patternMatch(replace(s, "/", " "), `{first:number} {second:number}`);
parseColonPair(s) =
patternMatch(replace(s, ":", " "), `{first:string} {second:number}`);
//
foreach device in network.devices
where device.platform.vendor == Vendor.FORTINET
// let platform = device.platform
let outputs = device.outputs
foreach command in outputs.commands
where command.commandType == CommandType.VPN_TUNNELS
// where command.commandText == "get vpn ipsec tunnel summary"
let configurations = parseConfigBlocks(OS.FORTINET, command.response)
foreach vpn_child in blockMatches(configurations, pattern_vpn)
// let vpnStatus = parseSlashPair(vpn_child.data.selector_total_up).second
//
select {
violation: parseSlashPair(vpn_child.data.selector_total_up).second == 0,
deviceName: device.name,
tunnelName: vpn_child.data.tunnel_name,
tunnelDest: vpn_child.data.tunnel_ip_port,
tunnelIP: parseColonPair(vpn_child.data.tunnel_ip_port).first,
tunnelPort: parseColonPair(vpn_child.data.tunnel_ip_port).second,
selectorsUp: vpn_child.data.selector_total_up,
rxPkt: vpn_child.data.rx_pkt_err,
txPkt: vpn_child.data.tx_pkt_err
}
Since this NQE was developed for a specific customer, the example output will not be shown.
Please provide feedback on what additional information is desired for Fortinet VPN tunnels.
