Check script for opnsense firewall


Icinga check command for OPNsense firewall monitoring


This check command depends on the following python modules:

  • enum
  • requests
  • argparse

Installation on Debian / Ubuntu

apt install python-enum34 python-requests

Installation on Redhat 6 / CentOS 6

yum install python-argparse python-enum34 python34-requests

Installation on Redhat 7 / CentOS 7

yum install python-enum34 python-requests


The icinga2 folder contains the command defintion and service examples for use with Icinga2.

usage: [-h] -H HOSTNAME [-p PORT] --api-key API_KEY --api-secret
                         API_SECRET [-k] -m {updates} [-w TRESHOLD_WARNING]
                         [-c TRESHOLD_CRITICAL]

Check command OPNsense firewall monitoring

optional arguments:
  -h, --help            show this help message and exit

API Options:
  -H HOSTNAME, --hostname HOSTNAME
                        OPNsense hostname or ip address
  -p PORT, --port PORT  OPNsense https-api port
                        OPNsense hostname or ip address
  --api-key API_KEY     API key (See OPNsense user manager)
  --api-secret API_SECRET
                        API key (See OPNsense user manager)
  -k, --insecure        Don't verify HTTPS certificate

Check Options:
  -m {updates}, --mode {updates}
                        Mode to use.
                        Warning treshold for check value
                        Critical treshold for check value

Create API credentials

Go to the user manager and select the user you want to use for API access. Click the + icon in the API keys section to add a new API key, which triggers a download of a tex file containing the key and secret.

This file should look similar to this one:


For further information have a look at the opnsense documentation.


Check for updates

./ -H  --api-key  --api-secret   -m updates
CRITICAL - 42 pending updates. Subsequent reboot required.

./ -H  --api-key  --api-secret   -m updates
WARNING - 14 pending updates.