OPNsense by HTTP Template

[colttt]

Summary

Adds a new community template for monitoring OPNsense firewalls via the
built-in REST API using HTTP JSON agent (no Zabbix agent required).
Currently we just monitor firewall-things, no extra services like OpenVPN, Wireguard, DHCP, etc, because we don't use these services

Template details

• Name: OPNsense by HTTP-JSON
• Zabbix version: 7.4
• Authentication: OPNsense API key/secret (HTTP Basic Auth)

Monitored components

• System: CPU load, memory utilization, disk usage, uptime
• Firewall: State table utilization, firewall actions (pass/block/match)
• Gateways: Status, RTT, packet loss with escalating severity triggers
• Interfaces: Traffic (bytes/packets), errors, drops, per-interface
  firewall statistics (IPv4)
• CARP: HA status monitoring with failover detection

Discovery rules

Discovery	Description
Disk Discovery	Discovers mounted filesystems with configurable filters
Gateway Discovery	Discovers all configured gateways
FW Action Discovery	Discovers firewall action types
Interface CARP Discovery	Discovers CARP/VIP interfaces
Interface Stats Discovery	Discovers network interfaces

Triggers included

• API connectivity check (High)
• CPU load threshold (Warning)
• Memory utilization threshold (Average)
• Disk space low/critical (Warning/Average)
• Gateway packet loss escalation (Average → High → Disaster)
• Gateway monitoring disabled (Average)
• State table utilization (Warning)
• CARP failover detection (High)
• System restart detection (Info)
• Business license expiry (Average)

Files

• template_opnsense_by_http_json.yaml – Template file
• README.md – Documentation with setup instructions, macro reference,
  and full item/trigger/discovery listing

Testing

Tested against OPNsense 25.x (Community & Business Edition).

[burghy86]

there are a template similar with api http: https://github.com/sysadminbr/OPNsense-Zabbix-API-templates

[colttt]

@burghy86 : You're right, but it was never pushed to the community templates. The template also uses Zabbix agent items. Maybe you could ask sysadminbr if they can create a pull request to the community template repository.. And they use a lot of javascript which is unnecessary (at first look).

[dkuenne]

@colttt I've added a OPNsense template about a day before yours via #695

Would you mind integrating yours into mine or how would you like to proceed?
I'd rename mine though since HTTP instead of API as name seems to fit better.

[colttt]

I took a look at u Template, the OpenVPN thing looks good to me, but the Cert-thing.. why I need all of this items? most important items are uuid, valid_to (with trigger), commonname, descr and maybe digest.. the rest is more than unnecessary.

[burghy86]

Hi, if possible I would be very interested in the wg, ipsec, openvpn control and also a nut control to have the alarms when the usb ups has some error or the power supply is interrupted.

[dkuenne]

@colttt The idea behind the certificate details was for auditing reasons and alerting, if i. e. an certificate is created / used which doesn't match the minimum requirements.
But yeah, this is probably very niche so I'll remove the other details.
Trigger for "valid to" will be added in the next update.

@burghy86
WireGuard will come in the future when I migrate away from OpenVPN, for IPsec I can only provide a client-2-site template since I'm not using site-2-site with IPsec.
I don't use NUT so I can't provide that.
What to you mean with "openvpn control"?

[colttt]

Hi @dkuenne ,

Would you mind integrating yours into mine or how would you like to proceed?

I thought about it and thanks for the suggestion and for your work on #695!

I took a closer look at both approaches. While you were a day faster, my template already includes a much deeper set of core monitoring items (CPU, Memory, Disk, Interfaces, CARP) and, more importantly, a full set of tested triggers and discovery rules.

From a technical perspective, it would be quite a lot of manual effort to migrate my refined logic and trigger sets into your PR. I believe my current PR actually provides a more 'complete' foundation for the core system monitoring right now.

How about we do it the other way around? Since you’ve already started on specialized areas like OpenVPN and Certificates, we could integrate your additions into this PR (after cleanup). That way, we combine the best of both worlds—my core metrics and your additional service monitoring—without losing the work I’ve already put into the trigger logic.

What do you think?

[colttt]

@burghy86: I guess you mean monitor instead of control?! If so, since I/we don't use it at the moment we need the API endpoint and an (few) output example(s). After that we can add those features

[dkuenne]

@colttt Sure, I've closed my PR and will add it to yours after it's merged.

[exu-g]

I spent some time adding Wireguard over in the other template, ironically I started a week ago but went on holiday.
sysadminbr/OPNsense-Zabbix-API-templates#9

Would you be willing to have a look at that and potentially integrate it here?

[colttt]

@exu-g : why are u using JS instead of build-in JSONPath functionality ?

[burghy86]

@burghy86: I guess you mean monitor instead of control?! If so, since I/we don't use it at the moment we need the API endpoint and an (few) output example(s). After that we can add those features

Sorry, I obviously meant monitoring. I use a lot of site-to-site IPsec. If I can help you with some real Opnsense APO output, please let me know. For the NUT, I also use a lot of NUT here, using many standalone NUCs connected to a UPS via USB. I can provide you with the output APIs for these too. Unfortunately, interpreting them and putting them into a Zabbix template is beyond my capabilities. The other template I've used so far controls the IPsec tunels perfectly. Maybe it can help you.