Nagios plugin that checks the vpn tunnel state of Barracuda firewalls



This Python Nagios/Icinga plugin checks the vpn tunnel state of Barracuda firewalls. If the vpn tunnel has the state down or disabled you'll be informed.

You can check all vpn tunnel by default or include/exclude specific ones.


Ricardo Klement (


Just copy the file into your Nagios plugin directory. For example this path: /usr/local/nagios/libexec/

Set execution rights on for the nagios user. This plugin needs Python 2 to be installed and uses the libraries sys, os and optparse.

Why not Python 3 you may ask? Most Nagios / Icinga installations are already using other plugins which are written in Python 2. So for compatibility reasons I've decided to use Python 2 as well.

Make sure you've enabled the SNMP service on your Barracuda firewall. If you have a cluster it's good to configure the SNMP service on the virtual server layer on your Barracuda. Details to find here.

I've tested the plugin on Barracuda appliances F100b, F200b, F200c, F600c and F800b.


Test on command line

If you are in the Nagios plugin directory execute this command:

./ -H ip_address_of_barracuda -c snmp_community

The output could be something like this:

OK - All tunnels are ok
FW2FW-TEST-VPN1 (active)
FW2FW-TEST-VPN2 (active)
FW2FW-TEST-VPN3 (active)

Here are all arguments that can be used within this plugin:

Required: IP or hostname of the Barracuda firewall node with a running snmp service

[-c ]
Required: SNMP Community String

[-v ]
Optional: SNMP version 1 or 2c are supported, if argument not given version 2 is used by default

[-V ]
Optional: Tunnel name to check. If not given, all tunnels will be checked

[-E ]
Optional: Comma separated tunnel names to exclude from check

[-T ]
Optional: SNMP timeout in seconds. Default is 30 seconds.

Install in Nagios

Edit your commands.cfg and add the following.

Example for checking all vpn tunnel states:

define command {
    command_name    check_usolved_barracuda_vpn
    command_line    $USER1$/ -H $HOSTADDRESS$ -c public

Example for checking a vpn tunnel containing the name "Test-VPN" and exclude tunnels with "Spain" and "Italy":

define command {
    command_name    check_usolved_barracuda_vpn
    command_line    $USER1$/ -H $HOSTADDRESS$ -c $ARG1$ -V Test-VPN -E Spain,Italy

Edit your services.cfg and add the following.

Example for checking all vpn tunnel states:

define service{
    host_name               Test-Server
    service_description     Barracuda-VPN
    use                     generic-service
    check_command           check_usolved_barracuda_vpn!public

You could also use host macros for the snmp community.

What's new

v1.2 2023-11-22 Upgrade to python3 Feature: Added filtering for IPSEC-v2 tunnels. A tunnel will be reported down if child tunnels are not exitent or down.

v1.1 2016-02-17 Added parameter -A to show tunnel names in the extended output. Default is just number of active/down tunnel.

v1.0 2016-02-09 Initial release