Critical process(es) down-fortinet-FortiOS
Vendor: fortinet
OS: FortiOS
Description:
Many devices have critical processes, usually daemons, that must be up for certain functions to work. Indeni will alert if any of these goes down.
Remediation Steps:
Review the cause of the process being down:
1. Log in to the Fortinet firewall via SSH and run the FortiOS command "diagnose sys top [refresh_time_sec] [number_of_lines]" to get the process ID, state, and CPU and memory utilization per process. Press <shift-P> to sort by CPU usage or <shift-M> to sort by memory usage.
2. Log in to the Fortinet firewall via SSH and run the FortiOS command "diagnose sys top-summary '-h'" to list the command options and get additional information per process. A sample command is "diagnose sys top-summary '-s mem -i 60 -n 10'".
How does this work?
This script logs into the Fortinet firewall through SSH and retrieves the status of running processes by running the FortiOS command fnsysctl ps. The script then compares the list of currently running processes to a known list of critical processes and checks to see that they are all up. If any are down or in an abnormal state, Indeni raises an alert.
Why is this important?
Each device has certain executable processes which are critical to stable operation. For example, on Fortinet devices, the authd process handles user authentication, and the scanunitd process handles antivirus scanning. There are many others. If a critical process is down, this may indicate a critical failure.
Without Indeni how would you find this?
An administrator could manually log in and retrieve and parse the data, or could write a script to poll the firewalls and parse the returned data.
fortios-fnsysctl-ps
name: fortios-fnsysctl-ps
description: get a list of critical processes and check to see if they are operational
type: monitoring
monitoring_interval: 10 minutes
requires:
    vendor: fortinet
    os.name: FortiOS
    product: firewall
comments:
    process-state:
        why: |
            Each device has certain executable processes which are critical to stable operation. For example, on Fortinet devices, the authd process handles user authentication, and the scanunitd process handles antivirus scanning. There are many others. If a critical process is down, this may indicate a critical failure.
        how: |
            This script logs into the Fortinet firewall through SSH and retrieves the status of running processes by running the FortiOS command fnsysctl ps. The script then compares the list of currently running processes to a known list of critical processes and checks to see that they are all up. If any are down or in an abnormal state, Indeni raises an alert.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: fnsysctl ps
    parse:
        type: AWK
        file: fnsysctl_ps.parser.1.awk
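The "How does this work?" description above and the how: comment in the script both describe the same check: parse the fnsysctl ps listing, compare it with a list of critical daemons, and flag any that are absent or in an abnormal state. The Python below is an added example of that logic; it is not Indeni's fnsysctl_ps.parser.1.awk parser or the cross-vendor rule. The column layout (PID UID GID STATE CMD), the sample listing and the critical-process list beyond authd and scanunitd are constructed assumptions for illustration. A daemon that runs several instances (ipsengine, for example) counts as up if at least one instance is in a healthy state.

```python
"""Check a FortiOS `fnsysctl ps` listing for missing or unhealthy critical daemons.

Added example; not Indeni's AWK parser or rule. The column layout
(PID UID GID STATE CMD), the sample listing and most of CRITICAL_PROCESSES
are constructed assumptions.
"""
from typing import Dict, List, Set, Tuple

# authd and scanunitd are named on the page; the other names are assumptions
# standing in for the knowledge base's real critical-process list.
CRITICAL_PROCESSES = ("authd", "scanunitd", "ipsengine", "miglogd", "sshd")

# Process states treated as "up": sleeping, running, uninterruptible wait.
# Z (zombie) and T (stopped) are treated as abnormal.
HEALTHY_STATES = {"S", "R", "D"}

# Constructed sample output in the assumed fnsysctl ps column layout.
SAMPLE_PS_OUTPUT = """\
PID       UID       GID       STATE     CMD
1         0         0         S         /bin/init
45        0         0         S         /bin/sshd
103       0         0         S         /bin/authd
104       0         0         S         /bin/ipsengine 00
105       0         0         S         /bin/ipsengine 01
117       0         0         Z         /bin/miglogd
"""


def parse_fnsysctl_ps(text: str) -> List[Dict[str, str]]:
    """Split the listing into rows; CMD keeps its arguments (split at most 4 times)."""
    rows: List[Dict[str, str]] = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if lines and lines[0].split()[:1] == ["PID"]:
        lines = lines[1:]  # drop the header row
    for line in lines:
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue  # malformed line, skip rather than guess
        pid, uid, gid, state, cmd = parts
        rows.append({"pid": pid, "uid": uid, "gid": gid, "state": state, "cmd": cmd})
    return rows


def process_name(cmd: str) -> str:
    """'/bin/ipsengine 00' -> 'ipsengine': strip the path and any arguments."""
    return cmd.split()[0].rsplit("/", 1)[-1]


def check_critical(rows: List[Dict[str, str]],
                   critical=CRITICAL_PROCESSES) -> Tuple[List[str], List[str]]:
    """Return (missing, abnormal).

    missing:  critical names with no instance in the listing.
    abnormal: critical names present, but with no instance in a healthy state.
    """
    seen: Dict[str, Set[str]] = {}
    for row in rows:
        seen.setdefault(process_name(row["cmd"]), set()).add(row["state"])
    missing = [name for name in critical if name not in seen]
    abnormal = [name for name in critical
                if name in seen and not (seen[name] & HEALTHY_STATES)]
    return missing, abnormal


def alert_message(text: str) -> str:
    """Build the alert text for a listing; empty string means nothing to report."""
    missing, abnormal = check_critical(parse_fnsysctl_ps(text))
    parts = []
    if missing:
        parts.append("not running: " + ", ".join(missing))
    if abnormal:
        parts.append("abnormal state: " + ", ".join(abnormal))
    return "Critical process(es) down: " + "; ".join(parts) if parts else ""


if __name__ == "__main__":
    print(alert_message(SAMPLE_PS_OUTPUT) or "all critical processes up")
```

Run against the sample, scanunitd is reported as not running and miglogd as abnormal (zombie), while ipsengine passes because one of its two instances is sleeping. The same functions can be fed the real output captured over SSH.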
cross_vendor_critical_process_down_novsx
Rule source: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/crossvendor/cross_vendor_critical_process_down_novsx.scala