Zabbix – Monitor a device behind a NAT / firewall

There is two modes for Zabbix checks:
Passive check : a simple data request. Zabbix server or proxy asks for some data (for example, CPU load) and Zabbix agent sends back the result to the server.
Active check : the agent must first retrieve from the server(s) a list of items for independent processing. Then the agent then periodically sends the new values to the server(s).

Monitoring a Zabbix agent behind a firewall or a NAT without any port redirection requires to use the active mode.

It’s not recommended to monitor over internet without using a VPN.

CPU_utilization

1. Zabbix server

Install a Zabbix server on a FreeBSD server is described in this post.

2. Zabbix agent

Hardware : Raspberry Pi 1
OS : Linux OSMC
Once the server is ready, we can start to install our new agent, the one that is behind the NAT or Firewall.

Install :

Edit the configuration :

And change the following :

Replace X.X.X.X by the IP of your Zabbix server.

Start the Zabbix agent service :

And check that everything went fine :

3. Host configuration

3.1 Prepare the template

We will clone the “Template OS Linux” and create a “Template OS Linux Active” that will use the active checks instead of passive modes.

01- Click on “Configuration”
02- Click on “Templates”
03- Click on “Template OS Linux”
04- Click on “Full Clone” (bottom)
05- Name the clone “Template OS Linux Active”
06- Click on “Add” (bottom)
07- Click on the “Template OS Linux Active” we’ve just created
08- Click on “Items”
09- Tick the upper-left to select all items
10- Scrolldown to the dropdown and select “Mass Update” and click “Go”
11- Tick “Type”
12- Change the value from “Zabbix agent” to “Zabbix agent (active)”

3.2 Create a new host

Create a new host :
– The hostname must match the one defined in the agent configuration (here : OSMC)
– As there is no IP to reach the agent, use IP : 0.0.0.0 and port : 0.
– Use the template we’ve just created (Template OS Linux Active).

9 thoughts on “Zabbix – Monitor a device behind a NAT / firewall”

  1. Hello,

    your post was helpful for me and I can use active zabbix-agent ti monitor servers.
    I have a question about agent error message, I received “Zabbix agent on is unreachable for 5 minutes”, and do you have any idea to handle and fix this?

    thank you!

  2. Thanks for your post, I use zabbix only in that way.

    Thomas,

    “Zabbix agent on is unreachable for 5 minutes” means that zabbix didn’t received the data from the host for 5 minutes. Try to see timeout settings at /etc/zabbix/zabbix_agentd.conf. timeout=30 should minimize the problem frequency. Another important thing is to certificate you host has access to the ports of your zabbix server and your link is ok.

    Renan,

    If you have some time, it will be wonderful to know what the real limitations of zabbix active. For example, how to work with MACROS and UserParameter with zabbix agent active ?

    It’ll be a good subject for a future post ! 😉

    Regards.

  3. Hi Ronan,

    you are a life saver!
    I was looking for the solution for my NAT problem and here it is.
    Yea, the problem is mostly sitting in front of the monitor. In this case me.
    The next step is encryption, for I am not able (better: willing for some reasons) to use VPN for Zabbix.

    Regards
    Heiko

  4. Thanks for this, helped me get started with active checks. You should also head over to the “Discovery Rules” section of your cloned template and change those to active so that filesystems get discovered and monitored.

  5. Thanks for the post. It helped me get started on Active Checks. I am having below error message on zabbix log though:

    active check data upload to [zabbixserverip:10051] is working again
    active check configuration update from [zabbixserverip:10051] is working again
    active check data upload to [zabbixserverip:10051] started to fail ([connect]) TCP successful, cannot establish TLS to [zabbixserverip]:10051: SSL_connect() timed out)

    The ZBX icon on Availability of Host Configuration has changed into red from green, PSK on Agent Configuration are green.

    Any idea to solve the problem?

      1. Hi Ronan,

        Thanks for your response. Firewall is open for both 10050 and 10051 ports. There is no proxy.

Leave a Reply

Your email address will not be published. Required fields are marked *