Device restarted (uptime low)-fortinet-FortiOS
Vendor: fortinet
OS: FortiOS
Description:
Indeni will alert when a device has restarted.
Remediation Steps:
Determine why the device was restarted.
|1. Watch the system reboot time.
|2. Review the log messages and focus on error messages that were generated at least 5 minutes prior to system reboot, especially before unexpected system reboot.
|3. Verify the status of the scheduled restart command to making sure it's an irregular restart
| - config sys global
| - get | grep restart
| - end
|4. Login via ssh to the Fortinet firewall and review the crash log in a readable format by using the FortiOS command “diag debug crashlog read”.
|5. Contact Fortinet Technical support at https://support.fortinet.com/ for further assistance.
How does this work?
Indeni uses the built-in Fortinet “get system performance status” command to retrieve the current device up-time.
Why is this important?
Capture the uptime of the device. If the uptime is lower than the previous sample, the device must have reloaded.
Without Indeni how would you find this?
An administrator could login and manually run the command via CLI, check the system resources widget via the GUI, enable SNMP, or use Fortinet FortiAnalyzer.
fortios-get-system-performance-status
name: fortios-get-system-performance-status
description: Performance metrics based on "get system performance status" command
on Fortinet firewall
type: monitoring
monitoring_interval: 1 minute
includes_resource_data: true
requires:
vendor: fortinet
os.name: FortiOS
product: firewall
comments:
memory-usage:
why: |
If the firewall memory becomes fully utilized, performance may be impacted and traffic may be dropped, and in extreme cases the firewall could crash. It is critical to monitor the memory usage and handle the issue prior to resource exhaustion.
how: |
Indeni uses the built-in Fortinet "get system performance status" command to retrieve the device memory utilization.
can-with-snmp: true
can-with-syslog: true
cpu-usage:
why: |
If the firewall CPU becomes fully utilized, performance may be impacted and traffic may be dropped, and in extreme cases the firewall could crash. It is critical to monitor the memory usage and handle the issue prior to resource exhaustion.
how: |
Indeni uses the built-in Fortinet "get system performance status" command to retrieve the device CPU utilization.
can-with-snmp: true
can-with-syslog: true
uptime-milliseconds:
why: |
Capture the uptime of the device. If the uptime is lower than the previous sample, the device must have reloaded.
how: |
Indeni uses the built-in Fortinet "get system performance status" command to retrieve the current device up-time.
can-with-snmp: true
can-with-syslog: false
memory-free-kbytes:
why: |
Tracking free memory on the system is critical to evaluate memory utilization and identify possible memory leaks.
how: |
Indeni uses the built-in Fortinet "get system performance status" command to retrieve the free memory.
can-with-snmp: true
can-with-syslog: false
memory-total-kbytes:
why: |
Tracking total memory on the system is critical to evaluate and assess current memory utilizatiion.
how: |
Indeni uses the built-in Fortinet "get system performance status" command to retrieve the total device memory.
can-with-snmp: true
can-with-syslog: false
memory-used-kbytes:
why: |
Tracking used memory on the system is critical to evaluate memory utilization and identify possible memory leaks.
how: |
Indeni uses the built-in Fortinet "get system performance status" command to retrieve the used memory.
can-with-snmp: true
can-with-syslog: false
steps:
- run:
type: SSH
command: get system performance status
parse:
type: AWK
file: get_system_performance_status.parser.1.awk
cross_vendor_uptime_low
Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/crossvendor/cross_vendor_uptime_low.scala