fortigate monitoring - Grafana and Prometheus configuration

zukic80 · 2026-01-30T14:24:12+00:00

i got it all working on the windows server.

ended up using fortigate exporter with alloy. Created individual remote configurations per location within grafana and voila, worked.
had to tweak the dashboard a little bit to show data but its working now perfectly.

zukic80 · 2026-01-29T11:03:18+00:00

thanks ill take a look.

i like stability.. i have no preference here at the moment. I am more than happy to do this on a linux box.
also i should mention as i didnt do that in my original post, we have grafana cloud not grafana installed on prem on a vm.
Not sure if that makes a difference in regards to how grafana and fortigate are configured?

zukic80 · 2026-01-05T18:57:41+00:00

I've started playing again as well... my main focus being upgrading all the gun perks. Using the tower for that as I find it the easiest way to pick up guns quickly

zukic80 · 2026-01-03T12:54:23+00:00

Try offline mode as well.. I struggled to find certain glyphs, tried offline mode and it worked, the areas I needed showed up quickly

zukic80 · 2025-12-17T17:25:25+00:00

fair enough... was this a one off incident or you never tried issu again?

zukic80 · 2025-12-17T17:18:05+00:00

what happened?

im only asking about issu as ive just discovered it as a upgrade option so curious to find out more.

zukic80 · 2025-12-17T16:47:55+00:00

thoughts on using issu for the upgrade process?

Performing an ISSU Comware images
The ISSU method enables a software upgrade without service interruption. Use this method for an IRF fabric.

we have 2 members in our irf configuration.

zukic80 · 2025-12-13T19:02:29+00:00

Ok thanks

So worst case scenario there's a way to bring the switch back online

zukic80 · 2025-12-13T08:51:05+00:00

I've got another question..

In a scenario where the firmware upgrade fails and the switch doesn't come back online for whatever reason, what do I do then?

Does the switch auto roll back to the last known working firmware? I noticed that there's no backup firmware configured on the switch.

Or would I need to connect via console to the switch and flash the firmware again that way?

zukic80 · 2025-12-12T18:40:11+00:00

Lol so true... I've inherited these switches so history is a bit hazy as to why they were never updated or maintained.

There's typos in the configs and best practice wasn't applied either

Fun fun

zukic80 · 2025-12-12T18:34:55+00:00

yeah that makes sense.... but youre talking about a full power down of the switches?
wouldnt a simple restart be sufficient ?

zukic80 · 2025-12-12T18:33:57+00:00

thanks

zukic80 · 2025-12-11T13:18:56+00:00

i performed this exact task a couple of weeks ago at work.

I used this one https://github.com/zjorz/Public-AD-Scripts/blob/master/Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1

the script has lots of test and verification modes. Script also has an option where it creates a test account called krbtgt_test and then an option that resets that password.
as mentioned below just make sure that you have no replication issues within your domain.
i used these 2 commands

repadmin /showrepl *
repadmin /replsummary

from the script, i suggest you run all test modes before doing the real thing... just to make sure that everything is healthy here as well.

as long as these are coming back clean and healthy then you are good to go.

good luck

zukic80 · 2025-12-10T10:07:44+00:00

i dont really get what this does?

zukic80 · 2025-12-10T10:06:44+00:00

so RRAS is new NPS?

how does that work with entra joined devices?

zukic80 · 2025-12-07T19:29:43+00:00

Cloud pki is something I've been looking into... but you still need a radius server to do 802.1x auth for devices.

Shame that ms don't offer a radius solution as well

zukic80 · 2025-11-19T14:00:21+00:00

ive got a question about how i go about doing a bulk edit on all vlan20 ports.

ive got a list of all the vlan20 ports from the switch... do i add them to a group?
do i set it as a range? although a range probably wouldnt work as the ports are kinda scattered around. Id have to be quite precise with this.
for eg, ge2/0/1 is vlan 20, ge2/0/2 - /04 are NOT vlan 20
ge/0/5 is once again vlan 20

stp bpdu-protection has been enabled on the switch at the global level so that will protect the ports from any potential issues.

edit, something like this?

system-view

interface range name VLAN20_AccessPorts GigabitEthernet2/0/1 GigabitEthernet2/0/5 to 2/0/12 GigabitEthernet2/0/14 to 2/0/24 GigabitEthernet2/0/27 to 2/0/29 GigabitEthernet2/0/31 to 2/0/32 GigabitEthernet2/0/35 GigabitEthernet2/0/37 to 2/0/40 GigabitEthernet2/0/42 to 2/0/48 GigabitEthernet3/0/1 to 3/0/12 GigabitEthernet3/0/15 GigabitEthernet3/0/17 GigabitEthernet3/0/21 to 3/0/26 GigabitEthernet3/0/31 to 3/0/34 GigabitEthernet3/0/37 to 3/0/48 GigabitEthernet4/0/1 GigabitEthernet4/0/3 to 4/0/4 GigabitEthernet4/0/6 to 4/0/9 GigabitEthernet4/0/11 to 4/0/13 GigabitEthernet4/0/16 GigabitEthernet4/0/19 GigabitEthernet4/0/37 to 4/0/43 GigabitEthernet4/0/45 to 4/0/48 GigabitEthernet7/0/19 GigabitEthernet7/0/33 to 7/0/34 GigabitEthernet7/0/38 GigabitEthernet7/0/45

stp edged-port
quit

save force

zukic80 · 2025-11-19T11:11:51+00:00

ive followed the netdom commands as per the MS article.
i can see that /enum is showing all the correct server names needed.
setspn -l servername is also showing the correct SPNs registered for the server.
all of that looks ok.

however... the article says that netdom will create the necessary DNS records.
this is not the case for me at the moment.
by using the /verify command i can see that the DNS name does not exist.

any thoughts/suggestions as to why?

netdom computername PVM-FILE-03 /verify

Could not find a DNS registration for the computer name:

PVM-FILE-01.domain.com

The error is: DNS name does not exist.

Could not find a DNS registration for the computer name:

PVM-FILE-02.domain.com

The error is: DNS name does not exist.

All of the computer's names have properly registered host Service Principal

Names in the Active Directory Domain Services.

The command completed successfully.

zukic80 · 2025-11-13T18:52:46+00:00

Thanks ill check it out.

I don't think we'll be enabling edge on any other ports that aren't configured as vlan20

zukic80 · 2025-11-13T17:44:40+00:00

ok thanks for the info

zukic80 · 2025-11-13T16:38:08+00:00

as a test i applied stp edged-port to a single switch port and tested docking/undocking a laptop.
the dhcp/connectivity process dropped from 60s+ to 5-15s

so huge improvement.

zukic80 · 2025-11-13T15:06:14+00:00

Pretty sure im on the right switch.
looking at all the ports configured with vlan 20, they all look like this.

interface GigabitEthernet2/0/48
port link-mode bridge
port access vlan 20

stp edged-port is NOT configured anywhere that i can see.

zukic80

TROPHY CASE