Monitor Checkpoint VPN links
Dan Tulovsky
dan.tulovsky at sbiandcompany.com
Fri Jul 11 02:32:53 CEST 2003
Thanks Gavin,
This is what I was thinking of doing as well.
Dan
-----Original Message-----
From: Adams, Gavin [mailto:gadams at promisant.com]
Sent: Thursday, July 10, 2003 2:22 PM
To: nagios-users at lists.sourceforge.net
Subject: RE: [Nagios-users] Monitor Checkpoint VPN links
My $0.02:
Experience based off of FW-1 4.1 and VPN setups via IPsec. SNMP capabilities
of FW-1 are limited to high level packet counts for enforcement points, etc.
Not really of use for ensuring site A to site B access.
If everything is being sent to a central management server, you could parse
the log files looking for bad SA setups, timeouts etc. Once again, if some
sites on the VPN don't communicate regularly, this may not find it.
The only solution I see would be to actually pass traffic from each site to
all other sites. Maybe through the use of NRPE/NSCA and a plugin on a server
in each site (that can ICMP and is allowed to communicate to the other
sites).
For example, fully meshed network of sites A, B, C, and D with Nagios
running at site A, and accessible servers at B, C, and D. Traffic checks
would be for:
From    To
A       B C D
B       A C D
C       A B D
D       A B C
Site A is easy, Nagios can ping devices in B, C, and D. On the server at the
other sites, create a plugin that pings the remote sites and returns OK if
all is good, else WARNING or CRITICAL if there is a problem.
Additional work and resources required to set it up, but in the end, the
only way to know if a VPN tunnel is up and operational is to push some
traffic across it (or wait for the complaints to come in).
HTH,
--- Gavin
> -----Original Message-----
> From: Dan Tulovsky [mailto:Dan.Tulovsky at sbiandcompany.com]
> Sent: Thursday, July 10, 2003 11:14 AM
> To: nagios-users at lists.sourceforge.net
> Subject: RE: [Nagios-users] Monitor Checkpoint VPN links
>
> I think an even better idea is to use machines that are behind the
> firewalls if you are going to do that... Since you just need to test
> the link, it's often better to test it from behind...
>
> Dan
>
>
> -----Original Message-----
> From: Roy S. Rapoport [mailto:nagios-users at ols.inorganic.org]
> Sent: Wednesday, July 09, 2003 7:03 PM
> To: nagios-users at lists.sourceforge.net
> Subject: Re: [Nagios-users] Monitor Checkpoint VPN links
>
>
> On Wed, Jul 09, 2003 at 06:21:50PM -0400, Rob Nelson wrote:
> > It's always an ugly hack, but one can do just about anything with
> > "expect".
> > I'd suggest using ssh keys tho, rather than putting your ssh
> > password in cleartext in the scriptfile.
>
> As a security person, this makes me shudder.
>
> Remember, this is your firewall.
>
> I won't tell you how to manage your security devices, but the concept
> of allowing automated, non-passworded (or passphrased) access to a
> firewall scares the bejesus out of me. I would argue, with respect to
> the requester's experience and knowledge, that it's a Bad Idea.
>
> If you *are* going to do that, for God's sake, make sure that the SSH
> key is only authorized for the very minimal actions that you need to
> monitor the system -- in other words, you shouldn't just SSH and run
> some commands
> -- you should 'ssh user at fw <command>' and make sure that the SSH key
> ONLY allows you to run <command>.
>
> -roy
>
>
> -------------------------------------------------------
> This SF.Net email sponsored by: Parasoft Error proof Web apps,
> automate testing & more.
> Download & eval WebKing and get a free book.
> www.parasoft.com/bulletproofapps
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when
> reporting any issue.
> ::: Messages without supporting info will risk being sent to /dev/null
>
>
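Gavin's suggestion above (a plugin on a server at each site that pings the peer sites and returns OK, WARNING or CRITICAL) can be written as a small Nagios plugin. The script below is an added example for this thread, not code posted by Gavin or shipped with Nagios; the file name, the probe counts and the thresholds (OK when every peer answers, WARNING when some do not, CRITICAL when none do) are my assumptions. It only uses `ping -c`, because the per-probe timeout flag differs between ping implementations; it runs on the site server via NRPE or reports through NSCA, exactly as the mesh table above lays out.

```shell
#!/bin/sh
# check_vpn_mesh.sh - hypothetical Nagios plugin (added example, not from the list thread).
# Runs on a server at one site and pings the peer sites through the VPN tunnels.
# Exit codes follow the Nagios plugin convention: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.

PING_COUNT=${PING_COUNT:-3}   # echo requests sent to each peer (assumed default)

# probe_site HOST -> 0 if HOST answered at least one echo request, 1 otherwise.
# Kept as its own function so it can be replaced by a stub when testing offline.
probe_site() {
    ping -c "$PING_COUNT" "$1" >/dev/null 2>&1
}

# check_sites PEER... -> prints one Nagios status line and returns the Nagios exit code.
check_sites() {
    if [ $# -eq 0 ]; then
        echo "UNKNOWN - no peer sites given"
        return 3
    fi
    total=$#
    down=""
    ndown=0
    for site in "$@"; do
        if ! probe_site "$site"; then
            down="$down $site"
            ndown=$((ndown + 1))
        fi
    done
    if [ "$ndown" -eq 0 ]; then
        echo "OK - all $total peer sites reachable: $*"
        return 0
    elif [ "$ndown" -lt "$total" ]; then
        echo "WARNING - $ndown of $total peer sites unreachable:$down"
        return 1
    else
        echo "CRITICAL - all $total peer sites unreachable:$down"
        return 2
    fi
}

# When invoked with peer hostnames (e.g. from NRPE: check_vpn_mesh.sh siteb sitec sited),
# report and exit with the Nagios code. Without arguments the functions are only defined.
if [ $# -gt 0 ]; then
    check_sites "$@"
    exit $?
fi
```

Because the plugin lives behind the firewall at each site and only sends ICMP to peer servers, it needs no credentials on the firewall at all, which is the point Dan makes about testing the link from behind.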
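Roy's point that a monitoring key should only be able to run <command>, and nothing else, is what OpenSSH's authorized_keys options are for. The following is an added example, not something Roy or the other posters wrote: a forced-command wrapper plus the authorized_keys line that binds the key to it. It assumes the monitored host runs OpenSSH (whether a given firewall's SSH daemon honours these options is not established by the thread), and the two allowed commands, their paths and the wrapper's file name are placeholders. sshd runs the `command=` program instead of whatever the client requested and passes the client's request in `SSH_ORIGINAL_COMMAND`, so the wrapper decides what actually executes.

```shell
#!/bin/sh
# ssh-monitor-wrapper.sh - hypothetical forced-command wrapper (added example, not from the thread).
# Installed as the command= target of a dedicated monitoring key in ~/.ssh/authorized_keys,
# so that key can only trigger the checks listed here, whatever the client asks for.

# resolve_command NAME -> prints the exact command to run for an allowlisted NAME,
# returns 1 for anything else (empty, unknown, or not a plain token).
resolve_command() {
    case "$1" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;   # reject spaces, quotes, ';', '|' and other shell syntax
    esac
    case "$1" in
        uptime)      echo "/usr/bin/uptime" ;;                      # assumed path
        tunnel-stat) echo "/usr/local/bin/show-tunnel-status" ;;    # hypothetical local check script
        *)           return 1 ;;
    esac
}

# restricted_key_line WRAPPER_PATH 'KEYTYPE BASE64 COMMENT' -> one authorized_keys entry:
# forced command plus the options that switch off forwarding and interactive use.
restricted_key_line() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2"
}

# Entry point when sshd invokes the wrapper: the client's request is in SSH_ORIGINAL_COMMAND.
dispatch() {
    requested=${SSH_ORIGINAL_COMMAND:-}
    if cmd=$(resolve_command "$requested"); then
        logger -t ssh-monitor "running allowlisted check '$requested'" 2>/dev/null
        exec $cmd
    fi
    logger -t ssh-monitor "rejected request '$requested'" 2>/dev/null
    echo "rejected: command not allowed for this key" >&2
    return 1
}

# Only dispatch when running as the installed wrapper; sourcing the file just defines the functions.
case "${0##*/}" in
    ssh-monitor-wrapper*) dispatch ;;
esac
```

On the Nagios side the check then becomes `ssh -i monitor_key nagios@fw uptime`; a request such as `uptime; id` is refused by the token check before it reaches a shell, and the logged rejection is itself a useful alert, since nothing but the monitoring host should ever be using that key.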