Prometheus exporter for FortiGate® firewalls.

NOTE: This is not an official Fortinet product, it is developed fully independently by professionals and hobbyists alike.

Supported Metrics

The exporter currently supports a fairly limited set of metrics, but adding more is easy. Open an issue if your favorite metric is missing.

For example PromQL usage, see EXAMPLES.

The following metrics are currently supported.


  • System/SensorInfo
    • fortigate_sensor_fan_rpm
    • fortigate_sensor_temperature_celsius
    • fortigate_sensor_voltage_volts
  • System/Status
    • fortigate_version_info
  • System/Time/Clock
    • fortigate_time_seconds
  • System/Resource/Usage
    • fortigate_cpu_usage_ratio
    • fortigate_memory_usage_ratio
    • fortigate_current_sessions
  • License/Status
    • fortigate_license_vdom_usage
    • fortigate_license_vdom_max


  • System/VDOMResources
    • fortigate_vdom_cpu_usage_ratio
    • fortigate_vdom_memory_usage_ratio
    • fortigate_vdom_current_sessions
  • Firewall/Policies
    • fortigate_policy_active_sessions
    • fortigate_policy_bytes_total
    • fortigate_policy_hit_count_total
    • fortigate_policy_packets_total
  • System/Fortimanager/Status
    • fortigate_fortimanager_connection_status
    • fortigate_fortimanager_registration_status
  • System/Interface
    • fortigate_interface_link_up
    • fortigate_interface_speed_bps
    • fortigate_interface_transmit_packets_total
    • fortigate_interface_receive_packets_total
    • fortigate_interface_transmit_bytes_total
    • fortigate_interface_receive_bytes_total
    • fortigate_interface_transmit_errors_total
    • fortigate_interface_receive_errors_total
  • User/Fsso
    • fortigate_user_fsso_info
  • VPN/Ssl/Connections
    • fortigate_vpn_connections
    • fortigate_vpn_users
  • VPN/Ssl/Stats
    • fortigate_vpn_ssl_users
    • fortigate_vpn_ssl_tunnels
    • fortigate_vpn_ssl_connections
  • VPN/IPSec
    • fortigate_ipsec_tunnel_receive_bytes_total
    • fortigate_ipsec_tunnel_transmit_bytes_total
    • fortigate_ipsec_tunnel_up
  • Wifi/APStatus
    • fortigate_wifi_access_points
    • fortigate_wifi_fabric_clients
    • fortigate_wifi_fabric_max_allowed_clients
  • Log/Fortianalyzer/Status
    • fortigate_log_fortianalyzer_registration_info
    • fortigate_log_fortianalyzer_logs_received
  • Log/Fortianalyzer/Queue
    • fortigate_log_fortianalyzer_queue_connections
    • fortigate_log_fortianalyzer_queue_logs
  • Log/DiskUsage
    • fortigate_log_disk_used_bytes
    • fortigate_log_disk_total_bytes

Per-HA-Member and VDOM:

  • System/HAStatistics
    • fortigate_ha_member_info
    • fortigate_ha_member_cpu_usage_ratio
    • fortigate_ha_member_memory_usage_ratio
    • fortigate_ha_member_network_usage_ratio
    • fortigate_ha_member_sessions
    • fortigate_ha_member_packets_total
    • fortigate_ha_member_virus_events_total
    • fortigate_ha_member_bytes_total
    • fortigate_ha_member_ips_events_total

Per-Link and VDOM:

  • System/LinkMonitor
    • fortigate_link_status
    • fortigate_link_latency_seconds
    • fortigate_link_latency_jitter_seconds
    • fortigate_link_packet_loss_ratio
    • fortigate_link_packet_sent_total
    • fortigate_link_packet_received_total
    • fortigate_link_active_sessions
    • fortigate_link_bandwidth_tx_byte_per_second
    • fortigate_link_bandwidth_rx_byte_per_second
    • fortigate_link_status_change_time_seconds


  • VirtualWAN/HealthCheck
    • fortigate_virtual_wan_status
    • fortigate_virtual_wan_latency_seconds
    • fortigate_virtual_wan_latency_jitter_seconds
    • fortigate_virtual_wan_packet_loss_ratio
    • fortigate_virtual_wan_packet_sent_total
    • fortigate_virtual_wan_packet_received_total
    • fortigate_virtual_wan_active_sessions
    • fortigate_virtual_wan_bandwidth_tx_byte_per_second
    • fortigate_virtual_wan_bandwidth_rx_byte_per_second
    • fortigate_virtual_wan_status_change_time_seconds

Per-BGP-Neighbor and VDOM:

  • BGP/Neighbors/IPv4
    • fortigate_bgp_neighbor_ipv4_info
  • BGP/Neighbors/IPv6
    • fortigate_bgp_neighbor_ipv6_info
  • BGP/NeighborPaths/IPv4
    • fortigate_bgp_neighbor_ipv4_paths
    • fortigate_bgp_neighbor_ipv4_best_paths
  • BGP/NeighborPaths/IPv6
    • fortigate_bgp_neighbor_ipv6_paths
    • fortigate_bgp_neighbor_ipv6_best_paths

Per-VirtualServer and VDOM:

  • Firewall/LoadBalance
    • fortigate_lb_virtual_server_info

Per-RealServer for each VirtualServer and VDOM:

  • Firewall/LoadBalance
    • fortigate_lb_real_server_info
    • fortigate_lb_real_server_mode
    • fortigate_lb_real_server_status
    • fortigate_lb_real_server_active_sessions
    • fortigate_lb_real_server_rtt_seconds
    • fortigate_lb_real_server_processed_bytes_total


  • System/AvailableCertificates
    • fortigate_certificate_info
    • fortigate_certificate_valid_from_seconds
    • fortigate_certificate_valid_to_seconds
    • fortigate_certificate_cmdb_references

Per-VDOM and Wifi-Client:

  • Wifi/Clients
    • fortigate_wifi_client_info
    • fortigate_wifi_client_data_rate_bps
    • fortigate_wifi_client_bandwidth_rx_bps
    • fortigate_wifi_client_bandwidth_tx_bps
    • fortigate_wifi_client_signal_strength_dBm
    • fortigate_wifi_client_signal_noise_dBm
    • fortigate_wifi_client_tx_discard_ratio
    • fortigate_wifi_client_tx_retries_ratio

Per-VDOM and managed access point:

  • Wifi/ManagedAP
    • fortigate_wifi_managed_ap_info
    • fortigate_wifi_managed_ap_join_time_seconds
    • fortigate_wifi_managed_ap_cpu_usage_ratio
    • fortigate_wifi_managed_ap_memory_free_bytes
    • fortigate_wifi_managed_ap_memory_bytes_total

Per-VDOM, managed access point and radio:

  • Wifi/ManagedAP
    • fortigate_wifi_managed_ap_radio_info
    • fortigate_wifi_managed_ap_radio_client_count
    • fortigate_wifi_managed_ap_radio_operating_tx_power_ratio
    • fortigate_wifi_managed_ap_radio_operating_channel_utilization_ratio
    • fortigate_wifi_managed_ap_radio_bandwidth_rx_bps
    • fortigate_wifi_managed_ap_radio_rx_bytes_total
    • fortigate_wifi_managed_ap_radio_tx_bytes_total
    • fortigate_wifi_managed_ap_radio_interfering_aps
    • fortigate_wifi_managed_ap_radio_tx_power_ratio
    • fortigate_wifi_managed_ap_radio_tx_discard_ratio
    • fortigate_wifi_managed_ap_radio_tx_retries_ratio

Per-VDOM, managed access point and interface:

  • Wifi/ManagedAP
    • fortigate_wifi_managed_ap_interface_rx_bytes_total
    • fortigate_wifi_managed_ap_interface_tx_bytes_total
    • fortigate_wifi_managed_ap_interface_rx_packets_total
    • fortigate_wifi_managed_ap_interface_tx_packets_total
    • fortigate_wifi_managed_ap_interface_rx_errors_total
    • fortigate_wifi_managed_ap_interface_tx_errors_total
    • fortigate_wifi_managed_ap_interface_rx_dropped_packets_total
    • fortigate_wifi_managed_ap_interface_tx_dropped_packets_total



Usage

$ ./fortigate_exporter -auth-file ~/fortigate-key.yaml
# or
$ docker run -d -p 9710:9710 -v /path/to/fortigate-key.yaml:/config/fortigate-key.yaml <exporter-image>

Where fortigate-key.yaml contains pairs of FortiGate targets and API keys in the following format:

"https://my-fortigate":
  token: api-key-goes-here
  # If you have a smaller fortigate unit you might want
  # to exclude sensors as they do not have any
  probes:
    exclude:
      - System/SensorInfo
"https://my-other-fortigate:8443":
  token: api-key-goes-here

NOTE: Currently only token authentication is supported. FortiGate does not allow usage of tokens on non-HTTPS connections, which means that currently you need HTTPS to be configured properly.

You can select which probes you want to run on a per target basis.

  • Probes can be included or excluded under the optional probes section by defining include and/or exclude lists.
  • Each probe name that the exporter can run is compared to the include/exclude lists.
  • Inclusion/exclusion of a probe is based on a prefix match, so a probe is matched by any list entry that is a prefix of its name.
  • The prefix match is case sensitive.
  • The include list is evaluated before the exclude list, so the exclude list can exclude a previously included probe.


"https://my-fortigate":
  token: api-key-goes-here
  probes:
    include:
      - System
      - VPN
      - Firewall/Policies
      # Include only probes with name starting with: System or VPN + probe: Firewall/Policies
      # Other probes are excluded because they were not explicitly included
"https://my-other-fortigate:8443":
  token: api-key-goes-here
  probes:
    exclude:
      - Wifi
      - Firewall/LoadBalance
      # Exclude probes with name starting with: Wifi + probe: Firewall/LoadBalance
      # All other probes are included by default because include list is empty
"https://my-third-fortigate":  # placeholder target name
  token: api-key-goes-here
  probes:
    include:
      - System
      - Firewall
    exclude:
      - System/LinkMonitor
      # Include probes with name starting with: System and Firewall
      # Then exclude probe: System/LinkMonitor

Special cases:

  • If probes isn't set or is empty, all probes will be run against the target.
  • If include list is empty, by default, all probes will be selected to be run against the target.
  • If include contains an empty-string entry (- ''), then all probes are included (equivalent to not defining include).
  • If exclude contains an empty-string entry (- ''), then all probes are excluded (equivalent to not defining the target).
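
The selection rules above, written out as a small Go function. This is an added example, not the exporter's own source; selectProbes, hasPrefixIn and sampleProbes are names chosen here, and the probe list is a constructed subset of the names on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// hasPrefixIn reports whether name starts with any entry of list.
// strings.HasPrefix is case sensitive, and every string starts with "",
// so an empty-string entry matches every probe.
func hasPrefixIn(name string, list []string) bool {
	for _, prefix := range list {
		if strings.HasPrefix(name, prefix) {
			return true
		}
	}
	return false
}

// selectProbes (hypothetical name) applies the documented order: the include
// list is evaluated first (empty means "everything"), then the exclude list
// removes matches from what was included.
func selectProbes(all, include, exclude []string) []string {
	var selected []string
	for _, name := range all {
		included := len(include) == 0 || hasPrefixIn(name, include)
		if included && !hasPrefixIn(name, exclude) {
			selected = append(selected, name)
		}
	}
	return selected
}

// Constructed sample: a subset of the probe names listed on this page.
var sampleProbes = []string{
	"System/Status", "System/LinkMonitor", "System/Interface",
	"Firewall/Policies", "Firewall/LoadBalance", "VPN/IPSec", "Wifi/Clients",
}

func main() {
	// Include System and Firewall, then exclude System/LinkMonitor.
	fmt.Println(selectProbes(sampleProbes,
		[]string{"System", "Firewall"}, []string{"System/LinkMonitor"}))
	// Case matters: "wifi" does not match "Wifi/Clients", so nothing is excluded.
	fmt.Println(selectProbes(sampleProbes, nil, []string{"wifi"}))
	// An empty-string exclude entry removes every probe.
	fmt.Println(selectProbes(sampleProbes, nil, []string{""}))
}
```

A mis-cased exclude entry fails open: the probe still runs against the target, so check list entries against the probe names exactly as they are spelled in the metrics list.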

To probe a FortiGate, do something like curl 'localhost:9710/probe?target=https://my-fortigate'

Available CLI parameters

| flag | default value | description |
|------|---------------|-------------|
| -auth-file | fortigate-key.yaml | path to the location of the key file |
| -listen | :9710 | address to listen for incoming requests |
| -scrape-timeout | 30 | timeout in seconds |
| -https-timeout | 10 | timeout in seconds for establishment of HTTPS connections |
| -insecure | not set | turns off validation of TLS certificates |
| -extra-ca-certs | (none) | comma-separated files containing extra PEMs to trust for TLS connections in addition to the system trust store |
| -max-bgp-paths | 10000 | maximum number of BGP paths to fetch; the value is per IP stack version (IPv4 & IPv6) |
| -max-vpn-users | 0 | maximum number of VPN users to fetch (0, the default, fetches none) |

FortiGate Configuration

Read permission is sufficient for the exporter. To improve security, grant only the permissions that are required (principle of least privilege).

| probe name | permission | API URL |
|------------|------------|---------|
| Default Global | any | api/v2/monitor/system/status |
| BGP/NeighborPaths/IPv4 | netgrp.route-cfg | api/v2/monitor/router/bgp/paths |
| BGP/NeighborPaths/IPv6 | netgrp.route-cfg | api/v2/monitor/router/bgp/paths6 |
| BGP/Neighbors/IPv4 | netgrp.route-cfg | api/v2/monitor/router/bgp/neighbors |
| BGP/Neighbors/IPv6 | netgrp.route-cfg | api/v2/monitor/router/bgp/neighbors6 |
| Firewall/LoadBalance | fwgrp.others | api/v2/monitor/firewall/load-balance |
| Firewall/Policies | fwgrp.policy | api/v2/monitor/firewall/policy/select |
| License/Status | any | api/v2/monitor/license/status/select |
| Log/Fortianalyzer/Status | loggrp.config | api/v2/monitor/log/fortianalyzer |
| Log/Fortianalyzer/Queue | loggrp.config | api/v2/monitor/log/fortianalyzer-queue |
| Log/DiskUsage | loggrp.config | api/v2/monitor/log/current-disk-usage |
| System/AvailableCertificates | any | api/v2/monitor/system/available-certificates |
| System/Fortimanager/Status | sysgrp.cfg | api/v2/monitor/system/fortimanager/status |
| System/HAStatistics | sysgrp.cfg | api/v2/monitor/system/ha-statistics |
| System/Interface | netgrp.cfg | api/v2/monitor/system/interface/select |
| System/LinkMonitor | sysgrp.cfg | api/v2/monitor/system/link-monitor |
| System/Resource/Usage | sysgrp.cfg | api/v2/monitor/system/resource/usage |
| System/SensorInfo | sysgrp.cfg | api/v2/monitor/system/sensor-info |
| System/Status | any | api/v2/monitor/system/status |
| System/Time/Clock | sysgrp.cfg | api/v2/monitor/system/time |
| System/VDOMResources | sysgrp.cfg | api/v2/monitor/system/resource/usage |
| User/Fsso | authgrp | api/v2/monitor/user/fsso |
| VPN/IPSec | vpngrp | api/v2/monitor/vpn/ipsec |
| VPN/Ssl/Connections | vpngrp | api/v2/monitor/vpn/ssl |
| VPN/Ssl/Stats | vpngrp | api/v2/monitor/vpn/ssl/stats |
| VirtualWAN/HealthCheck | netgrp.cfg | api/v2/monitor/virtual-wan/health-check |
| Wifi/APStatus | wifi | api/v2/monitor/wifi/ap_status |
| Wifi/Clients | wifi | api/v2/monitor/wifi/client |
| Wifi/ManagedAP | wifi | api/v2/monitor/wifi/managed_ap |

If you do not grant some of these permissions, you will receive log messages warning about 403 errors and the relevant metrics will be unavailable, but other metrics will still work. If you do not need some probes to be run, do not grant permission for them and use the include/exclude feature (see the Usage section).

The following example Admin Profile describes the permissions that need to be granted to the monitor user in order for all metrics to be available.

config system accprofile
    edit "monitor"
        # global scope will fail on non multi-VDOM firewall
        set scope global
        set authgrp read
        # As of FortiOS 6.2.1 it seems `fwgrp-permissions.other` is removed,
        # use 'fwgrp read' to get load balance servers metrics
        set fwgrp custom
        set loggrp custom
        set netgrp custom
        set sysgrp custom
        set vpngrp read
        set wifi read
        # will fail for most recent FortiOS
        set system-diagnostics disable
        config fwgrp-permission
            set policy read
            set others read
        end
        config netgrp-permission
            set cfg read
            set route-cfg read
        end
        config loggrp-permission
            set config read
        end
        config sysgrp-permission
            set cfg read
        end
    next
end

Prometheus Configuration

An example configuration for Prometheus looks something like this:

scrape_configs:
  - job_name: 'fortigate_exporter'
    metrics_path: /probe
    static_configs:
      - targets:
        - https://my-fortigate
        - https://my-other-fortigate:8443
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
        # Drop the https:// and port (if specified) for the 'instance=' label
        regex: '(?:.+)(?::\/\/)([^:]*).*'
      - target_label: __address__
        replacement: '[::1]:9710'


You can either use the automatic builds on or build yourself like this:

docker build -t fortigate_exporter .
docker run -d -p 9710:9710 -v /path/to/fortigate-key.yaml:/config/fortigate-key.yaml fortigate_exporter


# docker-compose service definition
fortigate_exporter:
  build: ./
  ports:
    - 9710:9710
  volumes:
    - /path/to/fortigate-key.yaml:/config/fortigate-key.yaml
  # Applying multiple parameters
  command: ["-auth-file", "/config/fortigate-key.yaml", "-insecure"]
  restart: unless-stopped

Known Issues

This is a collection of known issues that for some reason cannot be fixed, but might be possible to work around.

Missing Metrics?

Please file an issue describing what metrics you'd like to see. Please include as much detail as possible, e.g. how the perfect Prometheus metric would look for your use case.

An alternative to using this exporter is to use generic SNMP polling, e.g. using a Prometheus SNMP exporter (official, alternative). Note that there are limitations (e.g. 1) in what FortiGate supports querying via SNMP.


Fortinet®, and FortiGate® are registered trademarks of Fortinet, Inc.

This is not an official Fortinet product.