#!/bin/bash

OK=0
WARNING=1
CRITICAL=2
UNKNOWN=3

while getopts "H:k:" opt; do
  case $opt in
    H) HOST="$OPTARG" ;;
    k) APIKEY="$OPTARG" ;;
    *) echo "Usage: $0 -H host -k apikey"; exit $UNKNOWN ;;
  esac
done

if [ -z "$HOST" ] || [ -z "$APIKEY" ]; then
  echo "UNKNOWN - Missing host or API key"
  exit $UNKNOWN
fi

CMD="<show><routing><protocol><bgp><peer></peer></bgp></protocol></routing></show>"
URL="https://${HOST}/api/?type=op&cmd=${CMD}&key=${APIKEY}"

XML=$(curl -sk --connect-timeout 10 "$URL")
if [ $? -ne 0 ] || [ -z "$XML" ]; then
  echo "UNKNOWN - PAN-OS API query failed"
  exit $UNKNOWN
fi

# Count ONLY BGP peer entries
TOTAL=$(echo "$XML" | grep -c '<entry peer=')

if [ "$TOTAL" -eq 0 ]; then
  echo "UNKNOWN - No BGP peers found"
  exit $UNKNOWN
fi

# Count Established peers EXACTLY
ESTABLISHED=$(echo "$XML" | grep -c '<status>Established</status>')

DOWN=$((TOTAL - ESTABLISHED))

if [ "$DOWN" -gt 0 ]; then
  echo "CRITICAL - $DOWN/$TOTAL BGP peers not Established"
  exit $CRITICAL
fi

echo "OK - All $TOTAL BGP peers Established"
exit $OK

## resource.cfg ## update your key
# $USER11$="YOUR_PALO_API_KEY"

## commands.cfg ## update to where your plugin is

# define command {
#	command_name check_panos_bgp
#	command_line $USER1$/check_panos_bgp -H $HOSTADDRESS$ -k "$USER11$"
#	}

## where ever you want your service to be ## update hostname with your nagios entry for firewall.
#
#define service{
#	use 				generic-service
#	host_name			YOUR_NAGIOS_PALO_HOST
#	service_description	BGP Status
#	check_command		check_panos_bgp
#	check_interval		5
#	retry_interval		1
#}