# PFSense by SNMP ## Overview Template for monitoring pfSense by SNMP ## Requirements Zabbix version: 7.0 and higher. ## Tested versions This template has been tested on: - pfSense 2.5.0, 2.5.1, 2.5.2 ## Configuration > Zabbix should be configured according to the instructions in the [Templates out of the box](https://www.zabbix.com/documentation/7.0/manual/config/templates_out_of_the_box) section. ## Setup 1. Import template into Zabbix 2. Enable SNMP daemon at Services in pfSense web interface https://docs.netgate.com/pfsense/en/latest/services/snmp.html 3. Setup firewall rule to get access from Zabbix proxy or Zabbix server by SNMP https://docs.netgate.com/pfsense/en/latest/firewall/index.html#managing-firewall-rules 4. Link template to the host ### Macros used |Name|Description|Default| |----|-----------|-------| |{$IF.ERRORS.WARN}|

Threshold of error packets rate for warning trigger. Can be used with interface name as context.

|`2`| |{$IF.UTIL.MAX}|

Threshold of interface bandwidth utilization for warning trigger in %. Can be used with interface name as context.

|`90`| |{$IFCONTROL}|

Macro for operational state of the interface for link down trigger. Can be used with interface name as context.

|`1`| |{$NET.IF.IFADMINSTATUS.MATCHES}|

This macro is used in filters of network interfaces discovery rule.

|`^.*`| |{$NET.IF.IFADMINSTATUS.NOT_MATCHES}|

Ignore down(2) administrative status.

|`^2$`| |{$NET.IF.IFALIAS.MATCHES}|

This macro is used in filters of network interfaces discovery rule.

|`.*`| |{$NET.IF.IFALIAS.NOT_MATCHES}|

This macro is used in filters of network interfaces discovery rule.

|`CHANGE_IF_NEEDED`| |{$NET.IF.IFDESCR.MATCHES}|

This macro is used in filters of network interfaces discovery rule.

|`.*`| |{$NET.IF.IFDESCR.NOT_MATCHES}|

This macro is used in filters of network interfaces discovery rule.

|`CHANGE_IF_NEEDED`| |{$NET.IF.IFNAME.NOT_MATCHES}|

This macro is used in filters of network interfaces discovery rule.

|`(^pflog[0-9.]*$\|^pfsync[0-9.]*$)`| |{$NET.IF.IFOPERSTATUS.MATCHES}|

This macro is used in filters of network interfaces discovery rule.

|`^.*$`| |{$NET.IF.IFOPERSTATUS.NOT_MATCHES}|

Ignore notPresent(6).

|`^6$`| |{$NET.IF.IFTYPE.MATCHES}|

This macro is used in filters of network interfaces discovery rule.

|`.*`| |{$NET.IF.IFTYPE.NOT_MATCHES}|

This macro is used in filters of network interfaces discovery rule.

|`CHANGE_IF_NEEDED`| |{$SNMP.TIMEOUT}|

The time interval for SNMP availability trigger.

|`5m`| |{$STATE.TABLE.UTIL.MAX}|

Threshold of state table utilization trigger in %.

|`90`| |{$SOURCE.TRACKING.TABLE.UTIL.MAX}|

Threshold of source tracking table utilization trigger in %.

|`90`| ### Items |Name|Description|Type|Key and additional info| |----|-----------|----|-----------------------| |PFSense: SNMP agent availability|

Availability of SNMP checks on the host. The value of this item corresponds to availability icons in the host list.

Possible value:

0 - not available

1 - available

2 - unknown

|Zabbix internal|zabbix[host,snmp,available]| |PFSense: Packet filter running status|

MIB: BEGEMOT-PF-MIB

True if packet filter is currently enabled.

|SNMP agent|pfsense.pf.status| |PFSense: States table current|

MIB: BEGEMOT-PF-MIB

Number of entries in the state table.

|SNMP agent|pfsense.state.table.count| |PFSense: States table limit|

MIB: BEGEMOT-PF-MIB

Maximum number of 'keep state' rules in the ruleset.

|SNMP agent|pfsense.state.table.limit| |PFSense: States table utilization in %|

Utilization of state table in %.

|Calculated|pfsense.state.table.pused| |PFSense: Source tracking table current|

MIB: BEGEMOT-PF-MIB

Number of entries in the source tracking table.

|SNMP agent|pfsense.source.tracking.table.count| |PFSense: Source tracking table limit|

MIB: BEGEMOT-PF-MIB

Maximum number of 'sticky-address' or 'source-track' rules in the ruleset.

|SNMP agent|pfsense.source.tracking.table.limit| |PFSense: Source tracking table utilization in %|

Utilization of source tracking table in %.

|Calculated|pfsense.source.tracking.table.pused| |PFSense: DHCP server status|

MIB: HOST-RESOURCES-MIB

The status of DHCP server process.

|SNMP agent|pfsense.dhcpd.status

**Preprocessing**

| |PFSense: DNS server status|

MIB: HOST-RESOURCES-MIB

The status of DNS server process.

|SNMP agent|pfsense.dns.status

**Preprocessing**

| |PFSense: State of nginx process|

MIB: HOST-RESOURCES-MIB

The status of nginx process.

|SNMP agent|pfsense.nginx.status

**Preprocessing**

| |PFSense: Packets matched a filter rule|

MIB: BEGEMOT-PF-MIB

True if the packet was logged with the specified packet filter reason code. The known codes are: match, bad-offset, fragment, short, normalize, and memory.

|SNMP agent|pfsense.packets.match

**Preprocessing**

| |PFSense: Packets with bad offset|

MIB: BEGEMOT-PF-MIB

True if the packet was logged with the specified packet filter reason code. The known codes are: match, bad-offset, fragment, short, normalize, and memory.

|SNMP agent|pfsense.packets.bad.offset

**Preprocessing**

| |PFSense: Fragmented packets|

MIB: BEGEMOT-PF-MIB

True if the packet was logged with the specified packet filter reason code. The known codes are: match, bad-offset, fragment, short, normalize, and memory.

|SNMP agent|pfsense.packets.fragment

**Preprocessing**

| |PFSense: Short packets|

MIB: BEGEMOT-PF-MIB

True if the packet was logged with the specified packet filter reason code. The known codes are: match, bad-offset, fragment, short, normalize, and memory.

|SNMP agent|pfsense.packets.short

**Preprocessing**

| |PFSense: Normalized packets|

MIB: BEGEMOT-PF-MIB

True if the packet was logged with the specified packet filter reason code. The known codes are: match, bad-offset, fragment, short, normalize, and memory.

|SNMP agent|pfsense.packets.normalize

**Preprocessing**

| |PFSense: Packets dropped due to memory limitation|

MIB: BEGEMOT-PF-MIB

True if the packet was logged with the specified packet filter reason code. The known codes are: match, bad-offset, fragment, short, normalize, and memory.

|SNMP agent|pfsense.packets.mem.drop

**Preprocessing**

| |PFSense: Firewall rules count|

MIB: BEGEMOT-PF-MIB

The number of labeled filter rules on this system.

|SNMP agent|pfsense.rules.count| ### Triggers |Name|Description|Expression|Severity|Dependencies and additional info| |----|-----------|----------|--------|--------------------------------| |PFSense: No SNMP data collection|

SNMP is not available for polling. Please check device connectivity and SNMP settings.

|`max(/PFSense by SNMP/zabbix[host,snmp,available],{$SNMP.TIMEOUT})=0`|Warning|| |PFSense: Packet filter is not running|

Please check PF status.

|`last(/PFSense by SNMP/pfsense.pf.status)<>1`|High|| |PFSense: State table usage is high|

Please check the number of connections https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#config-advanced-firewall-maxstates

|`min(/PFSense by SNMP/pfsense.state.table.pused,#3)>{$STATE.TABLE.UTIL.MAX}`|Warning|| |PFSense: Source tracking table usage is high|

Please check the number of sticky connections https://docs.netgate.com/pfsense/en/latest/monitoring/status/firewall-states-sources.html

|`min(/PFSense by SNMP/pfsense.source.tracking.table.pused,#3)>{$SOURCE.TRACKING.TABLE.UTIL.MAX}`|Warning|| |PFSense: DHCP server is not running|

Please check DHCP server settings https://docs.netgate.com/pfsense/en/latest/services/dhcp/index.html

|`last(/PFSense by SNMP/pfsense.dhcpd.status)=0`|Average|| |PFSense: DNS server is not running|

Please check DNS server settings https://docs.netgate.com/pfsense/en/latest/services/dns/index.html

|`last(/PFSense by SNMP/pfsense.dns.status)=0`|Average|| |PFSense: Web server is not running|

Please check nginx service status.

|`last(/PFSense by SNMP/pfsense.nginx.status)=0`|Average|| ### LLD rule Network interfaces discovery |Name|Description|Type|Key and additional info| |----|-----------|----|-----------------------| |Network interfaces discovery|

Discovering interfaces from IF-MIB.

|SNMP agent|pfsense.net.if.discovery| ### Item prototypes for Network interfaces discovery |Name|Description|Type|Key and additional info| |----|-----------|----|-----------------------| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Inbound packets discarded|

MIB: IF-MIB

The number of inbound packets which were chosen to be discarded

even though no errors had been detected to prevent their being deliverable to a higher-layer protocol.

One possible reason for discarding such a packet could be to free up buffer space.

Discontinuities in the value of this counter can occur at re-initialization of the management system,

and at other times as indicated by the value of ifCounterDiscontinuityTime.

|SNMP agent|net.if.in.discards[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Inbound packets with errors|

MIB: IF-MIB

For packet-oriented interfaces, the number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol. For character-oriented or fixed-length interfaces, the number of inbound transmission units that contained errors preventing them from being deliverable to a higher-layer protocol. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime.

|SNMP agent|net.if.in.errors[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Bits received|

MIB: IF-MIB

The total number of octets received on the interface, including framing characters. This object is a 64-bit version of ifInOctets. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime.

|SNMP agent|net.if.in[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Outbound packets discarded|

MIB: IF-MIB

The number of outbound packets which were chosen to be discarded

even though no errors had been detected to prevent their being deliverable to a higher-layer protocol.

One possible reason for discarding such a packet could be to free up buffer space.

Discontinuities in the value of this counter can occur at re-initialization of the management system,

and at other times as indicated by the value of ifCounterDiscontinuityTime.

|SNMP agent|net.if.out.discards[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Outbound packets with errors|

MIB: IF-MIB

For packet-oriented interfaces, the number of outbound packets that contained errors preventing them from being deliverable to a higher-layer protocol. For character-oriented or fixed-length interfaces, the number of outbound transmission units that contained errors preventing them from being deliverable to a higher-layer protocol. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime.

|SNMP agent|net.if.out.errors[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Bits sent|

MIB: IF-MIB

The total number of octets transmitted out of the interface, including framing characters. This object is a 64-bit version of ifOutOctets.Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime.

|SNMP agent|net.if.out[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Speed|

MIB: IF-MIB

An estimate of the interface's current bandwidth in units of 1,000,000 bits per second. If this object reports a value of `n' then the speed of the interface is somewhere in the range of `n-500,000' to`n+499,999'. For interfaces which do not vary in bandwidth or for those where no accurate estimation can be made, this object should contain the nominal bandwidth. For a sub-layer which has no concept of bandwidth, this object should be zero.

|SNMP agent|net.if.speed[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Operational status|

MIB: IF-MIB

The current operational state of the interface.

- The testing(3) state indicates that no operational packet scan be passed

- If ifAdminStatus is down(2) then ifOperStatus should be down(2)

- If ifAdminStatus is changed to up(1) then ifOperStatus should change to up(1) if the interface is ready to transmit and receive network traffic

- It should change todormant(5) if the interface is waiting for external actions (such as a serial line waiting for an incoming connection)

- It should remain in the down(2) state if and only if there is a fault that prevents it from going to the up(1) state

- It should remain in the notPresent(6) state if the interface has missing(typically, hardware) components.

|SNMP agent|net.if.status[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Interface type|

MIB: IF-MIB

The type of interface.

Additional values for ifType are assigned by the Internet Assigned Numbers Authority (IANA),

through updating the syntax of the IANAifType textual convention.

|SNMP agent|net.if.type[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Rules references count|

MIB: BEGEMOT-PF-MIB

The number of rules referencing this interface.

|SNMP agent|net.if.rules.refs[{#SNMPINDEX}]| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Inbound IPv4 traffic passed|

MIB: BEGEMOT-PF-MIB

IPv4 bits per second passed coming in on this interface.

|SNMP agent|net.if.in.pass.v4.bps[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Inbound IPv4 traffic blocked|

MIB: BEGEMOT-PF-MIB

IPv4 bits per second blocked coming in on this interface.

|SNMP agent|net.if.in.block.v4.bps[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Outbound IPv4 traffic passed|

MIB: BEGEMOT-PF-MIB

IPv4 bits per second passed going out on this interface.

|SNMP agent|net.if.out.pass.v4.bps[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Outbound IPv4 traffic blocked|

MIB: BEGEMOT-PF-MIB

IPv4 bits per second blocked going out on this interface.

|SNMP agent|net.if.out.block.v4.bps[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Inbound IPv4 packets passed|

MIB: BEGEMOT-PF-MIB

The number of IPv4 packets passed coming in on this interface.

|SNMP agent|net.if.in.pass.v4.pps[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Inbound IPv4 packets blocked|

MIB: BEGEMOT-PF-MIB

The number of IPv4 packets blocked coming in on this interface.

|SNMP agent|net.if.in.block.v4.pps[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Outbound IPv4 packets passed|

MIB: BEGEMOT-PF-MIB

The number of IPv4 packets passed going out on this interface.

|SNMP agent|net.if.out.pass.v4.pps[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Outbound IPv4 packets blocked|

MIB: BEGEMOT-PF-MIB

The number of IPv4 packets blocked going out on this interface.

|SNMP agent|net.if.out.block.v4.pps[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Inbound IPv6 traffic passed|

MIB: BEGEMOT-PF-MIB

IPv6 bits per second passed coming in on this interface.

|SNMP agent|net.if.in.pass.v6.bps[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Inbound IPv6 traffic blocked|

MIB: BEGEMOT-PF-MIB

IPv6 bits per second blocked coming in on this interface.

|SNMP agent|net.if.in.block.v6.bps[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Outbound IPv6 traffic passed|

MIB: BEGEMOT-PF-MIB

IPv6 bits per second passed going out on this interface.

|SNMP agent|net.if.out.pass.v6.bps[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Outbound IPv6 traffic blocked|

MIB: BEGEMOT-PF-MIB

IPv6 bits per second blocked going out on this interface.

|SNMP agent|net.if.out.block.v6.bps[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Inbound IPv6 packets passed|

MIB: BEGEMOT-PF-MIB

The number of IPv6 packets passed coming in on this interface.

|SNMP agent|net.if.in.pass.v6.pps[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Inbound IPv6 packets blocked|

MIB: BEGEMOT-PF-MIB

The number of IPv6 packets blocked coming in on this interface.

|SNMP agent|net.if.in.block.v6.pps[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Outbound IPv6 packets passed|

MIB: BEGEMOT-PF-MIB

The number of IPv6 packets passed going out on this interface.

|SNMP agent|net.if.out.pass.v6.pps[{#SNMPINDEX}]

**Preprocessing**

| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Outbound IPv6 packets blocked|

MIB: BEGEMOT-PF-MIB

The number of IPv6 packets blocked going out on this interface.

|SNMP agent|net.if.out.block.v6.pps[{#SNMPINDEX}]

**Preprocessing**

| ### Trigger prototypes for Network interfaces discovery |Name|Description|Expression|Severity|Dependencies and additional info| |----|-----------|----------|--------|--------------------------------| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: High input error rate|

It recovers when it is below 80% of the `{$IF.ERRORS.WARN:"{#IFNAME}"}` threshold.

|`min(/PFSense by SNMP/net.if.in.errors[{#SNMPINDEX}],5m)>{$IF.ERRORS.WARN:"{#IFNAME}"}`|Warning|**Depends on**:
| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: High inbound bandwidth usage|

The utilization of the network interface is close to its estimated maximum bandwidth.

|`(avg(/PFSense by SNMP/net.if.in[{#SNMPINDEX}],15m)>({$IF.UTIL.MAX:"{#IFNAME}"}/100)*last(/PFSense by SNMP/net.if.speed[{#SNMPINDEX}])) and last(/PFSense by SNMP/net.if.speed[{#SNMPINDEX}])>0`|Warning|**Depends on**:
| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: High output error rate|

It recovers when it is below 80% of the `{$IF.ERRORS.WARN:"{#IFNAME}"}` threshold.

|`min(/PFSense by SNMP/net.if.out.errors[{#SNMPINDEX}],5m)>{$IF.ERRORS.WARN:"{#IFNAME}"}`|Warning|**Depends on**:
| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: High outbound bandwidth usage|

The utilization of the network interface is close to its estimated maximum bandwidth.

|`(avg(/PFSense by SNMP/net.if.out[{#SNMPINDEX}],15m)>({$IF.UTIL.MAX:"{#IFNAME}"}/100)*last(/PFSense by SNMP/net.if.speed[{#SNMPINDEX}])) and last(/PFSense by SNMP/net.if.speed[{#SNMPINDEX}])>0`|Warning|**Depends on**:
| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Ethernet has changed to lower speed than it was before|

This Ethernet connection has transitioned down from its known maximum speed. This might be a sign of autonegotiation issues. Acknowledge to close the problem manually.

|`change(/PFSense by SNMP/net.if.speed[{#SNMPINDEX}])<0 and last(/PFSense by SNMP/net.if.speed[{#SNMPINDEX}])>0 and ( last(/PFSense by SNMP/net.if.type[{#SNMPINDEX}])=6 or last(/PFSense by SNMP/net.if.type[{#SNMPINDEX}])=7 or last(/PFSense by SNMP/net.if.type[{#SNMPINDEX}])=11 or last(/PFSense by SNMP/net.if.type[{#SNMPINDEX}])=62 or last(/PFSense by SNMP/net.if.type[{#SNMPINDEX}])=69 or last(/PFSense by SNMP/net.if.type[{#SNMPINDEX}])=117 ) and (last(/PFSense by SNMP/net.if.status[{#SNMPINDEX}])<>2)`|Info|**Depends on**:
| |PFSense: Interface [{#IFNAME}({#IFALIAS})]: Link down|

This trigger expression works as follows:
1. It can be triggered if the operations status is down.
2. `{$IFCONTROL:"{#IFNAME}"}=1` - a user can redefine context macro to value - 0. That marks this interface as not important. No new trigger will be fired if this interface is down.

|`{$IFCONTROL:"{#IFNAME}"}=1 and (last(/PFSense by SNMP/net.if.status[{#SNMPINDEX}])=2)`|Average|| ## Feedback Please report any issues with the template at [`https://support.zabbix.com`](https://support.zabbix.com) You can also provide feedback, discuss the template, or ask for help at [`ZABBIX forums`](https://www.zabbix.com/forum/zabbix-suggestions-and-feedback)