pfsense-zabbix/README.md

# pfSense Zabbix Template

This is a pfSense active template for Zabbix, based on Standard Agent and a php script using pfSense functions library for monitoring specific data.
This is forked from https://github.com/rbicelli/pfsense-zabbix-template for FWS needs


Tested with pfSense 2.5.x, Zabbix 4.0, Zabbix 5.0, Zabbix 6.0

## What it does

**Template pfSense Active**
 
 - Network interface Discovery and Monitoring with User Assigned Names
 - Gateway Discovery and Monitoring (Gateway Status/RTT) 
 - OpenVPN Server Discovery and Monitoring (Server Status/Tunnel Status)
 - OpenVPN Clients Discovery and Monitoring (Client Status/Tunnel Status)
 - CARP Monitoring (Global CARP State)
 - Basic Service Discovery and Monitoring (Service Status)
 - pfSense Version/Update Available
 - Packages Update Available
 
**Template pfSense Active: OpenVPN Server User Auth**

 - Discovery of OpenVPN Clients connected to OpenVPN Servers in user auth mode
 - Monitoring of Client Parameters (Bytes sent/received, Connection Time...) 

**Template pfSense Active: IPsec**

 - Discovery of IPsec Site-to-Site tunnels
 - Monitoring tunnel status (Phase 1 and Phase 2)
 
**Template pfSense Active: Speedtest**

 - Discovery of WAN Interfaces
 - Perform speed tests and collect metrics


## Configuration

First copy the file pfsense_zbx.php to your pfsense box (e.g. to /root/scripts).

From **Diagnostics/Command Prompt** input this one-liner:

```bash
mkdir /root/zabbix
curl --create-dirs -o /root/scripts/pfsense_zbx.php https://raw.githubusercontent.com/rbicelli/pfsense-zabbix-template/master/pfsense_zbx.php
```

Then, setup the system version cronjob with: 

```bash 
/usr/local/bin/php /root/scripts/pfsense_zbx.php sysversion_cron
```

Then install package "Zabbix Agent 5" (or "Zabbix Agent 6") on your pfSense Box

In Advanced Features-> User Parameters

```bash
UserParameter=pfsense.states.max,grep "limit states" /tmp/rules.limits | cut -f4 -d ' '
UserParameter=pfsense.states.current,grep "current entries" /tmp/pfctl_si_out | tr -s ' ' | cut -f4 -d ' '
UserParameter=pfsense.mbuf.current,netstat -m | grep "mbuf clusters" | cut -f1 -d ' ' | cut -d '/' -f1
UserParameter=pfsense.mbuf.cache,netstat -m | grep "mbuf clusters" | cut -f1 -d ' ' | cut -d '/' -f2
UserParameter=pfsense.mbuf.max,netstat -m | grep "mbuf clusters" | cut -f1 -d ' ' | cut -d '/' -f4
UserParameter=pfsense.discovery[*],/usr/local/bin/sudo /usr/local/bin/php /root/zabbix/pfsense_zbx.php discovery $1
UserParameter=pfsense.value[*],/usr/local/bin/sudo /usr/local/bin/php /root/zabbix/pfsense_zbx.php $1 $2 $3
```

_You need to allow zabbix user to exec /usr/local/bin/sudo /usr/local/bin/php /root/zabbix* without password with sudo_

Also increase the **Timeout** value at least to **5**, otherwise some checks will fail.

Then import xml templates in Zabbix and add your pfSense hosts.

If you are running a redundant CARP setup you should adjust the macro {$EXPECTED_CARP_STATUS} to a value representing what is CARP expected status on monitored box.

Possible values are:

 - 0: Disabled
 - 1: Master
 - 2: Backup

This is useful when monitoring services which could stay stopped on CARP Backup Member.


## Setup Speedtest

For running speedtests on WAN interfaces you have to install the speedtest package.

From **Diagnostics/Command Prompt** input this commands:

```bash
pkg update && pkg install -y py38-speedtest-cli
```

Speedtest python package could be broken at the moment, so you could need an extra step, *only if manually executing speedtest results in an error*: download the latest version from package author's github repo.

```bash
curl -Lo /usr/local/lib/python3.8/site-packages/speedtest.py https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py
```

For testing if speedtest is installed properly you can try it:

```bash
/usr/local/bin/speedtest
```

Then, setup the cronjob with: 

```bash 
/url/local/bin/php /root/scripts/pfsense_zbx.php speedtest_cron
```

Remember that you will need to install the package on *every* pfSense upgrade.

Speedtest template creates a cron job and check for entry everytime Zabbix requests its items. If you  want to uninstall the cron jobs simply run, from **Diagnostics/Command Prompt**:

```bash
/url/local/bin/php /root/scripts/pfsense_zbx.php cron_cleanup
```

**NOTE**: When used in multiple gateways scenario, speedtest results are OK only with default gateway. This is a known behavior that must be fixed upstream.


## Credits

[Keenton Zabbix Template](https://github.com/keentonsas/zabbix-template-pfsense) for Zabbix Agent freeBSD part.
Corrected Syntax Errors 2020-04-26 18:24:37 +02:00			`# pfSense Zabbix Template`
First Release 2019-12-12 16:51:13 +01:00
Getting rid of Value mappings in Zabbix 2020-04-26 17:34:40 +02:00			`This is a pfSense active template for Zabbix, based on Standard Agent and a php script using pfSense functions library for monitoring specific data.`
Update README 2021-01-18 16:15:22 +01:00			`This is forked from https://github.com/rbicelli/pfsense-zabbix-template for FWS needs`
First Release 2019-12-12 16:51:13 +01:00
Added OpenVPN Client Monitoring 2020-04-28 00:12:32 +02:00
Added legacy script 2023-02-26 13:21:25 +01:00			`Tested with pfSense 2.5.x, Zabbix 4.0, Zabbix 5.0, Zabbix 6.0`
First Release 2019-12-12 16:51:13 +01:00
			`## What it does`
Added OpenVPN Client Monitoring 2020-04-28 00:12:32 +02:00
			`Template pfSense Active`
First Release 2019-12-12 16:51:13 +01:00
Getting rid of Value mappings in Zabbix 2020-04-26 17:34:40 +02:00			`- Network interface Discovery and Monitoring with User Assigned Names`
Fixed IPsec con_id 2021-07-07 23:04:45 +02:00			`- Gateway Discovery and Monitoring (Gateway Status/RTT)`
Getting rid of Value mappings in Zabbix 2020-04-26 17:34:40 +02:00			`- OpenVPN Server Discovery and Monitoring (Server Status/Tunnel Status)`
			`- OpenVPN Clients Discovery and Monitoring (Client Status/Tunnel Status)`
			`- CARP Monitoring (Global CARP State)`
			`- Basic Service Discovery and Monitoring (Service Status)`
			`- pfSense Version/Update Available`
Added IPsec Template, Detecting Package Update 2021-01-18 16:04:27 +01:00			`- Packages Update Available`
Added OpenVPN Client Monitoring 2020-04-28 00:12:32 +02:00
			`Template pfSense Active: OpenVPN Server User Auth`

			`- Discovery of OpenVPN Clients connected to OpenVPN Servers in user auth mode`
Setting up correct trend for OpenVPN clients 2020-07-11 18:26:35 +02:00			`- Monitoring of Client Parameters (Bytes sent/received, Connection Time...)`
First Release 2019-12-12 16:51:13 +01:00
Added IPsec Template, Detecting Package Update 2021-01-18 16:04:27 +01:00			`Template pfSense Active: IPsec`

			`- Discovery of IPsec Site-to-Site tunnels`
			`- Monitoring tunnel status (Phase 1 and Phase 2)`
Typos 2021-07-05 19:31:48 +02:00
			`Template pfSense Active: Speedtest`

			`- Discovery of WAN Interfaces`
			`- Perform speed tests and collect metrics`
Added IPsec Template, Detecting Package Update 2021-01-18 16:04:27 +01:00

First Release 2019-12-12 16:51:13 +01:00			`## Configuration`

			`First copy the file pfsense_zbx.php to your pfsense box (e.g. to /root/scripts).`
Getting rid of Value mappings in Zabbix 2020-04-26 17:34:40 +02:00
Fixed IPsec con_id 2021-07-07 23:04:45 +02:00			`From Diagnostics/Command Prompt input this one-liner:`
Getting rid of Value mappings in Zabbix 2020-04-26 17:34:40 +02:00
			```bash
Update README 2021-01-18 16:15:22 +01:00			`mkdir /root/zabbix`
Added legacy script 2023-02-26 13:21:25 +01:00			`curl --create-dirs -o /root/scripts/pfsense_zbx.php https://raw.githubusercontent.com/rbicelli/pfsense-zabbix-template/master/pfsense_zbx.php`
Getting rid of Value mappings in Zabbix 2020-04-26 17:34:40 +02:00			```

Changes how the system version is tracked from direct to via a cronjob. Add instruction for how to enable this to .md file. Add both cronjobs to disable function. Add a timeout to stop a stuck function from causing problems. 2023-10-16 12:14:24 +02:00			`Then, setup the system version cronjob with:`

			```bash
			`/usr/local/bin/php /root/scripts/pfsense_zbx.php sysversion_cron`
			```
First Release 2019-12-12 16:51:13 +01:00
Start working on pfSense Plus releases 2023-02-26 13:11:06 +01:00			`Then install package "Zabbix Agent 5" (or "Zabbix Agent 6") on your pfSense Box`
First Release 2019-12-12 16:51:13 +01:00
			`In Advanced Features-> User Parameters`

			```bash
			`UserParameter=pfsense.states.max,grep "limit states" /tmp/rules.limits \| cut -f4 -d ' '`
			`UserParameter=pfsense.states.current,grep "current entries" /tmp/pfctl_si_out \| tr -s ' ' \| cut -f4 -d ' '`
			`UserParameter=pfsense.mbuf.current,netstat -m \| grep "mbuf clusters" \| cut -f1 -d ' ' \| cut -d '/' -f1`
			`UserParameter=pfsense.mbuf.cache,netstat -m \| grep "mbuf clusters" \| cut -f1 -d ' ' \| cut -d '/' -f2`
			`UserParameter=pfsense.mbuf.max,netstat -m \| grep "mbuf clusters" \| cut -f1 -d ' ' \| cut -d '/' -f4`
Update README 2021-01-18 16:15:22 +01:00			`UserParameter=pfsense.discovery[*],/usr/local/bin/sudo /usr/local/bin/php /root/zabbix/pfsense_zbx.php discovery $1`
			`UserParameter=pfsense.value[*],/usr/local/bin/sudo /usr/local/bin/php /root/zabbix/pfsense_zbx.php $1 $2 $3`
First Release 2019-12-12 16:51:13 +01:00			```

Update README 2021-01-18 16:15:22 +01:00			`_You need to allow zabbix user to exec /usr/local/bin/sudo /usr/local/bin/php /root/zabbix* without password with sudo_`
First Release 2019-12-12 16:51:13 +01:00
Fixed issues on openvpn service detection 2020-05-13 10:39:21 +02:00			`Also increase the Timeout value at least to 5, otherwise some checks will fail.`

Added OpenVPN Client Monitoring 2020-04-28 00:12:32 +02:00			`Then import xml templates in Zabbix and add your pfSense hosts.`
First Release 2019-12-12 16:51:13 +01:00
Update README.md {$EXPECTED_CARP_STATUS} should be a user macro and not a LLD macro 2020-12-03 15:10:41 +01:00			`If you are running a redundant CARP setup you should adjust the macro {$EXPECTED_CARP_STATUS} to a value representing what is CARP expected status on monitored box.`
First Release 2019-12-12 16:51:13 +01:00
			`Possible values are:`

			`- 0: Disabled`
			`- 1: Master`
			`- 2: Backup`

Getting rid of Value mappings in Zabbix 2020-04-26 17:34:40 +02:00			`This is useful when monitoring services which could stay stopped on CARP Backup Member.`

Preliminary tests of Speedtest 2021-07-05 17:56:27 +02:00
			`## Setup Speedtest`

Fixed IPsec con_id 2021-07-07 23:04:45 +02:00			`For running speedtests on WAN interfaces you have to install the speedtest package.`
Preliminary tests of Speedtest 2021-07-05 17:56:27 +02:00
			`From Diagnostics/Command Prompt input this commands:`

Typos 2021-07-05 17:58:34 +02:00			```bash
Issues #70, #81, #87 2021-11-09 22:58:18 +01:00			`pkg update && pkg install -y py38-speedtest-cli`
Preliminary tests of Speedtest 2021-07-05 17:56:27 +02:00			```

Issues #70, #81, #87 2021-11-09 22:58:18 +01:00			`Speedtest python package could be broken at the moment, so you could need an extra step, only if manually executing speedtest results in an error: download the latest version from package author's github repo.`
Preliminary tests of Speedtest 2021-07-05 17:56:27 +02:00
Typos 2021-07-05 17:58:34 +02:00			```bash
Issues #70, #81, #87 2021-11-09 22:58:18 +01:00			`curl -Lo /usr/local/lib/python3.8/site-packages/speedtest.py https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py`
Preliminary tests of Speedtest 2021-07-05 17:56:27 +02:00			```

			`For testing if speedtest is installed properly you can try it:`

Typos 2021-07-05 17:58:34 +02:00			```bash
Fixed IPsec con_id 2021-07-07 23:04:45 +02:00			`/usr/local/bin/speedtest`
Preliminary tests of Speedtest 2021-07-05 17:56:27 +02:00			```

Changes how the system version is tracked from direct to via a cronjob. Add instruction for how to enable this to .md file. Add both cronjobs to disable function. Add a timeout to stop a stuck function from causing problems. 2023-10-16 12:14:24 +02:00			`Then, setup the cronjob with:`

			```bash
			`/url/local/bin/php /root/scripts/pfsense_zbx.php speedtest_cron`
			```

Preliminary tests of Speedtest 2021-07-05 17:56:27 +02:00			`Remember that you will need to install the package on every pfSense upgrade.`

merge 2023-02-26 12:16:21 +01:00			`Speedtest template creates a cron job and check for entry everytime Zabbix requests its items. If you want to uninstall the cron jobs simply run, from Diagnostics/Command Prompt:`
Preliminary tests of Speedtest 2021-07-05 17:56:27 +02:00
Fixed IPsec con_id 2021-07-07 23:04:45 +02:00			```bash
			`/url/local/bin/php /root/scripts/pfsense_zbx.php cron_cleanup`
			```
Preliminary tests of Speedtest 2021-07-05 17:56:27 +02:00
Fixed Readme 2023-02-26 14:29:43 +01:00			`NOTE: When used in multiple gateways scenario, speedtest results are OK only with default gateway. This is a known behavior that must be fixed upstream.`
Start working on pfSense Plus releases 2023-02-26 13:11:06 +01:00
Reverted to original php script 2023-02-26 16:11:38 +01:00
Getting rid of Value mappings in Zabbix 2020-04-26 17:34:40 +02:00			`## Credits`

			`[Keenton Zabbix Template](https://github.com/keentonsas/zabbix-template-pfsense) for Zabbix Agent freeBSD part.`