diff --git a/data/common/common.yaml b/data/common/common.yaml
--- a/data/common/common.yaml
+++ b/data/common/common.yaml
@@ -4327,3 +4327,9 @@
 netbox::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}"
 netbox::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}"
 netbox::vhost::hsts_header: "%{hiera('apache::hsts_header')}"
+
+opnsense::hosts:
+  - pushkin.internal.softwareheritage.org
+  - glyptotek.internal.softwareheritage.org
+opnsense::prometheus::port: 9100
+opnsense::prometheus::metrics_path: /metrics
diff --git a/site-modules/profile/manifests/opnsense/monitoring.pp b/site-modules/profile/manifests/opnsense/monitoring.pp
new file mode 100644
--- /dev/null
+++ b/site-modules/profile/manifests/opnsense/monitoring.pp
@@ -0,0 +1,36 @@
+# Configure the icinga checks and prometheus endpoints for the firewalls
+class profile::opnsense::monitoring {
+  $fw_hosts = lookup('opnsense::hosts')
+  $fw_prometheus_port = lookup('opnsense::prometheus::port')
+  $fw_prometheus_metrics_path = lookup('opnsense::prometheus::metrics_path')
+
+  $icinga_checks_file = lookup('icinga2::exported_checks::filename')
+  $fw_hosts.each | $host | {
+
+    $static_labels = lookup('prometheus::static_labels', Hash)
+
+    $target = "${host}:${fw_prometheus_port}"
+
+    profile::prometheus::export_scrape_config { $host :
+      target       => $target,
+      scheme       => 'http',
+      metrics_path => $fw_prometheus_metrics_path,
+    }
+
+    ::icinga2::object::service {"opnsense https on ${host}":
+      service_name  => 'opnsense',
+      import        => ['generic-service'],
+      host_name     => $host,
+      check_command => 'http',
+      vars          => {
+        http_address    => $host,
+        http_vhost      => $host,
+        http_ssl        => true,
+        http_uri        => '/',
+        http_onredirect => sticky
+      },
+      target        => $icinga_checks_file,
+      tag           => 'icinga2::exported',
+    }
+  }
+}
diff --git a/site-modules/role/manifests/swh_sysadmin.pp b/site-modules/role/manifests/swh_sysadmin.pp
--- a/site-modules/role/manifests/swh_sysadmin.pp
+++ b/site-modules/role/manifests/swh_sysadmin.pp
@@ -23,4 +23,6 @@
   include profile::sentry::reverse_proxy
 
   include profile::weekly_report_bot
+
+  include profile::opnsense::monitoring
 }