Feature/sandbox information

README.md

@@ -57,6 +57,15 @@ Global:
  * _WebUI/State_
    * `fortigate_last_reboot_seconds`
    * `fortigate_last_snapshot_seconds`
+ * _System/Sandbox_
+   * `fortigate_sandbox_status_signature_count`
+   * `fortigate_sandbox_connection_status`
+   * `fortigate_sandbox_stats_clean`
+   * `fortigate_sandbox_stats_detected`
+   * `fortigate_sandbox_stats_risk_high`
+   * `fortigate_sandbox_stats_risk_medium`
+   * `fortigate_sandbox_stats_risk_low`
+   * `fortigate_sandbox_stats_submitted`
 
 Per-VDOM:
 
@@ -419,6 +428,9 @@ To improve security, limit permissions to required ones only (least privilege pr
 |System/Resource/Usage        | sysgrp.cfg         |api/v2/monitor/system/resource/usage |
 |System/SensorInfo            | sysgrp.cfg         |api/v2/monitor/system/sensor-info |
 |System/Status                | *any*              |api/v2/monitor/system/status |
+|System/Sandbox/Connection    | sysgrp.cfg         |api/v2/monitor/system/sandbox/connection|
+|System/Sandbox/Status        | sysgrp.cfg         |api/v2/monitor/system/sandbox/status|
+|System/Sandbox/Stats         | sysgrp.cfg         |api/v2/monitor/system/sandbox/stats|
 |System/Time/Clock            | sysgrp.cfg         |api/v2/monitor/system/time |
 |System/VDOMResources         | sysgrp.cfg         |api/v2/monitor/system/resource/usage |
 |User/Fsso                    | authgrp            |api/v2/monitor/user/fsso |

pkg/probe/probe.go

@@ -151,6 +151,9 @@ func (p *ProbeCollector) Probe(ctx context.Context, target map[string]string, hc
 		{"System/Status", probeSystemStatus},
 		{"System/VDOMResources", probeSystemVDOMResources},
 		{"System/HAChecksum", probeSystemHAChecksum},
+		{"System/Sandbox/Connection", probeSystemSandboxConnection},
+		{"System/Sandbox/Status", probeSystemSandboxStatus},
+		{"System/Sandbox/Stats", probeSystemSandboxStats},
 		{"User/Fsso", probeUserFsso},
 		{"VPN/IPSec", probeVPNIPSec},
 		{"VPN/Ssl/Connections", probeVPNSsl},

pkg/probe/system_sandbox_connection.go

@@ -0,0 +1,58 @@
+// Copyright 2025 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package probe
+
+import (
+	"log"
+
+	"github.com/prometheus-community/fortigate_exporter/pkg/http"
+	"github.com/prometheus/client_golang/prometheus"
+)
+
+func probeSystemSandboxConnection(c http.FortiHTTP, meta *TargetMetadata) ([]prometheus.Metric, bool) {
+	var (
+		connectionStatus = prometheus.NewDesc(
+			"fortigate_sandbox_connection_status",
+			"Sandbox connection status, (unreachable=0, reachable=1, disabled=-1)",
+			[]string{"type"}, nil,
+		)
+	)
+
+	type SystemSandboxConnection struct {
+		Status string `json:"status"`
+		Type   string `json:"type"`
+	}
+
+	type SystemSandboxConnectionResult struct {
+		Results []SystemSandboxConnection `json:"results"`
+	}
+	var res SystemSandboxConnectionResult
+	if err := c.Get("api/v2/monitor/system/sandbox/connection","", &res); err != nil {
+		log.Printf("Warning: %v", err)
+		return nil, false
+	}
+
+	m := []prometheus.Metric{}
+	for _, r := range res.Results {
+	switch r.Status {
+		case "unreachable":
+			m = append(m, prometheus.MustNewConstMetric(connectionStatus, prometheus.GaugeValue, 0, r.Type))
+		case "reachable":
+			m = append(m, prometheus.MustNewConstMetric(connectionStatus, prometheus.GaugeValue, 1, r.Type))
+		case "disabled":
+			m = append(m, prometheus.MustNewConstMetric(connectionStatus, prometheus.GaugeValue, -1, r.Type))
+		}
+	}
+	return m, true
+}

pkg/probe/system_sandbox_connection_test.go

@@ -0,0 +1,41 @@
+// Copyright 2025 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package probe
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/testutil"
+)
+
+func TestSystemSandboxConnection(t *testing.T) {
+	c := newFakeClient()
+	c.prepare("api/v2/monitor/system/sandbox/connection", "testdata/system-sandbox-connection.jsonnet")
+	r := prometheus.NewPedanticRegistry()
+	if !testProbe(probeSystemSandboxConnection, c, r) {
+		t.Errorf("probeSystemSandboxConnection() returned non-success")
+	}
+
+	em := `
+	# HELP fortigate_sandbox_connection_status Sandbox connection status, (unreachable=0, reachable=1, disabled=-1)
+	# TYPE fortigate_sandbox_connection_status gauge
+	fortigate_sandbox_connection_status{type="appliance"} 1
+	`
+
+	if err := testutil.GatherAndCompare(r, strings.NewReader(em)); err != nil {
+		t.Fatalf("metric compare: err %v", err)
+	}
+}

pkg/probe/system_sandbox_stats.go

@@ -0,0 +1,86 @@
+// Copyright 2025 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package probe
+
+import (
+	"log"
+
+	"github.com/prometheus-community/fortigate_exporter/pkg/http"
+	"github.com/prometheus/client_golang/prometheus"
+)
+
+func probeSystemSandboxStats (c http.FortiHTTP, meta *TargetMetadata) ([]prometheus.Metric, bool) {
+	var (
+		numberDetected = prometheus.NewDesc(
+			"fortigate_sandbox_stats_detected",
+			"Number of detected files",
+			[]string{}, nil,
+		)
+		numberClean = prometheus.NewDesc(
+			"fortigate_sandbox_stats_clean",
+			"Number of clean files",
+			[]string{}, nil,
+		)
+		numberRiskLow = prometheus.NewDesc(
+			"fortigate_sandbox_stats_risk_low",
+			"Number of low risk files detected",
+			[]string{}, nil,
+		)
+		numberRiskMedium = prometheus.NewDesc(
+			"fortigate_sandbox_stats_risk_medium",
+			"Number of medium risk files detected",
+			[]string{}, nil,
+		)
+		numberRiskHigh = prometheus.NewDesc(
+			"fortigate_sandbox_stats_risk_high",
+			"Number of high risk files detected",
+			[]string{}, nil,
+		)
+		numberSubmitted = prometheus.NewDesc(
+			"fortigate_sandbox_stats_submitted",
+			"Number of submitted files",
+			[]string{}, nil,
+		)
+	)
+
+	type SystemSandboxStats struct {
+		Detected  float64
+		Clean     float64
+		Low       float64 `json:"risk_low"`
+		Medium    float64 `json:"risk_med"`
+		High      float64 `json:"risk_high"`
+		Submitted float64 
+	}
+
+	type SystemSandboxStatsResult struct {
+		Results []SystemSandboxStats `json:"results"`
+	}
+
+	var res SystemSandboxStatsResult
+	if err := c.Get("api/v2/monitor/system/sandbox/stats","", &res); err != nil {
+		log.Printf("Warning: %v", err)
+		return nil, false
+	}
+	var m = []prometheus.Metric{}
+
+	for _, r := range res.Results {
+		m = append(m, prometheus.MustNewConstMetric(numberDetected, prometheus.CounterValue, r.Detected))
+		m = append(m, prometheus.MustNewConstMetric(numberClean, prometheus.CounterValue, r.Clean))
+		m = append(m, prometheus.MustNewConstMetric(numberRiskLow, prometheus.CounterValue, r.Low))
+		m = append(m, prometheus.MustNewConstMetric(numberRiskMedium, prometheus.CounterValue, r.Medium))
+		m = append(m, prometheus.MustNewConstMetric(numberRiskHigh, prometheus.CounterValue, r.High))
+		m = append(m, prometheus.MustNewConstMetric(numberSubmitted, prometheus.CounterValue, r.Submitted))
+	}
+	return m, true
+}

pkg/probe/system_sandbox_stats_test.go

@@ -0,0 +1,56 @@
+// Copyright 2025 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package probe
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/testutil"
+)
+
+func TestSystemSandboxStats(t *testing.T) {
+	c := newFakeClient()
+	c.prepare("api/v2/monitor/system/sandbox/stats", "testdata/system-sandbox-stats.jsonnet")
+	r := prometheus.NewPedanticRegistry()
+	if !testProbe(probeSystemSandboxStats, c, r) {
+		t.Errorf("probeSystemSandboxStats() returned non-success")
+	}
+
+	em := `
+	# HELP fortigate_sandbox_stats_clean Number of clean files
+	# TYPE fortigate_sandbox_stats_clean counter
+	fortigate_sandbox_stats_clean 45120
+	# HELP fortigate_sandbox_stats_detected Number of detected files
+	# TYPE fortigate_sandbox_stats_detected counter
+	fortigate_sandbox_stats_detected 10
+	# HELP fortigate_sandbox_stats_risk_high Number of high risk files detected
+	# TYPE fortigate_sandbox_stats_risk_high counter
+	fortigate_sandbox_stats_risk_high 5
+	# HELP fortigate_sandbox_stats_risk_low Number of low risk files detected
+	# TYPE fortigate_sandbox_stats_risk_low counter
+	fortigate_sandbox_stats_risk_low 3
+	# HELP fortigate_sandbox_stats_risk_medium Number of medium risk files detected
+	# TYPE fortigate_sandbox_stats_risk_medium counter
+	fortigate_sandbox_stats_risk_medium 2
+	# HELP fortigate_sandbox_stats_submitted Number of submitted files
+	# TYPE fortigate_sandbox_stats_submitted counter
+	fortigate_sandbox_stats_submitted 45130
+	`
+
+	if err := testutil.GatherAndCompare(r, strings.NewReader(em)); err != nil {
+		t.Fatalf("metric compare: err %v", err)
+	}
+}

pkg/probe/system_sandbox_status.go

@@ -0,0 +1,56 @@
+// Copyright 2025 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package probe
+
+import (
+	"log"
+
+	"github.com/prometheus-community/fortigate_exporter/pkg/http"
+	"github.com/prometheus/client_golang/prometheus"
+)
+
+func probeSystemSandboxStatus(c http.FortiHTTP, meta *TargetMetadata) ([]prometheus.Metric, bool) {
+	var (
+		signatureCount = prometheus.NewDesc(
+			"fortigate_sandbox_status_signature_count",
+			"Sandbox signature counts",
+			[]string{"server", "region", "version", "type"}, nil,
+		)
+	)
+
+	type SystemSandboxStatus struct {
+		Server  string  `json:"server"`
+		Type    string  `json:"type"`
+		Region  string  `json:"cloud_region"`
+		Version string  `json:"malware_package_version"`
+		Count   float64 `json:"signatures_count"`
+	}
+
+	type SystemSandboxStatusResult struct {
+		Results []SystemSandboxStatus `json:"results"`
+	}
+
+	var res SystemSandboxStatusResult
+	if err := c.Get("api/v2/monitor/system/sandbox/status","", &res); err != nil {
+		log.Printf("Warning: %v", err)
+		return nil, false
+	}
+
+	m := []prometheus.Metric{}
+	for _, r := range res.Results {
+		m = append(m, prometheus.MustNewConstMetric(signatureCount, prometheus.GaugeValue, r.Count, r.Server, r.Region, r.Version, r.Type))
+	}
+
+	return m, true
+}

pkg/probe/system_sandbox_status_test.go

@@ -0,0 +1,41 @@
+// Copyright 2025 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package probe
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/testutil"
+)
+
+func TestSystemSandboxStatus(t *testing.T) {
+	c := newFakeClient()
+	c.prepare("api/v2/monitor/system/sandbox/status", "testdata/system-sandbox-status.jsonnet")
+	r := prometheus.NewPedanticRegistry()
+	if !testProbe(probeSystemSandboxStatus, c, r) {
+		t.Errorf("probeSystemSandboxStatus() returned non-success")
+	}
+
+	em := `
+	# HELP fortigate_sandbox_status_signature_count Sandbox signature counts
+	# TYPE fortigate_sandbox_status_signature_count gauge
+	fortigate_sandbox_status_signature_count{region="Sweden",server="127.0.0.1",type="cloud",version="v17.0.3"} 252891
+	`
+
+	if err := testutil.GatherAndCompare(r, strings.NewReader(em)); err != nil {
+		t.Fatalf("metric compare: err %v", err)
+	}
+}