Zabbix – Monitor a device behind a NAT / firewall

There is two modes for Zabbix checks:
Passive check : a simple data request. Zabbix server or proxy asks for some data (for example, CPU load) and Zabbix agent sends back the result to the server.
Active check : the agent must first retrieve from the server(s) a list of items for independent processing. Then the agent then periodically sends the new values to the server(s).

Monitoring a Zabbix agent behind a firewall or a NAT without any port redirection requires to use the active mode.

It’s not recommended to monitor over internet without using a VPN.


1. Zabbix server

Install a Zabbix server on a FreeBSD server is described in this post.

2. Zabbix agent

Hardware : Raspberry Pi 1
OS : Linux OSMC
Once the server is ready, we can start to install our new agent, the one that is behind the NAT or Firewall.

Install :

vi /etc/zabbix/zabbix_agentd.conf

And change the following :

sudo service zabbix-agent restart

And check that everything went fine :

9 thoughts on “Zabbix – Monitor a device behind a NAT / firewall”

  1. Hello,

    your post was helpful for me and I can use active zabbix-agent ti monitor servers.
    I have a question about agent error message, I received “Zabbix agent on is unreachable for 5 minutes”, and do you have any idea to handle and fix this?

    thank you!

  2. Thanks for your post, I use zabbix only in that way.


    “Zabbix agent on is unreachable for 5 minutes” means that zabbix didn’t received the data from the host for 5 minutes. Try to see timeout settings at /etc/zabbix/zabbix_agentd.conf. timeout=30 should minimize the problem frequency. Another important thing is to certificate you host has access to the ports of your zabbix server and your link is ok.


    If you have some time, it will be wonderful to know what the real limitations of zabbix active. For example, how to work with MACROS and UserParameter with zabbix agent active ?

    It’ll be a good subject for a future post ! 😉


  3. Hi Ronan,

    you are a life saver!
    I was looking for the solution for my NAT problem and here it is.
    Yea, the problem is mostly sitting in front of the monitor. In this case me.
    The next step is encryption, for I am not able (better: willing for some reasons) to use VPN for Zabbix.


  4. Thanks for this, helped me get started with active checks. You should also head over to the “Discovery Rules” section of your cloned template and change those to active so that filesystems get discovered and monitored.

  5. Thanks for the post. It helped me get started on Active Checks. I am having below error message on zabbix log though:

    active check data upload to [zabbixserverip:10051] is working again
    active check configuration update from [zabbixserverip:10051] is working again
    active check data upload to [zabbixserverip:10051] started to fail ([connect]) TCP successful, cannot establish TLS to [zabbixserverip]:10051: SSL_connect() timed out)

    The ZBX icon on Availability of Host Configuration has changed into red from green, PSK on Agent Configuration are green.

    Any idea to solve the problem?

    1. Any firewall or proxy ? Looks like the TCP connection is fine, but the TLS no…

      1. Hi Ronan,

        Thanks for your response. Firewall is open for both 10050 and 10051 ports. There is no proxy.

Leave a Reply

Your email address will not be published. Required fields are marked *