SNMP (monitoring Check Point firewalls)
RICHARDS Rebecca
rrichards at fairtrading.nsw.gov.au
Wed Mar 19 23:41:34 CET 2003
Yew,
As far as I know, there are no nagios plugins capable of monitoring Check Point firewalls "out of the box". It technically is possible to do it through the SNMP plugin, but I would not recommend that you enable SNMP on the firewall, due to SNMP's well-known weaknesses and insecurities. Even read-only access is harmful - heaps of information about the firewall and protected networks could be gathered by doing an SNMP-walk.
Telnet should also be avoided at all costs.
All is not lost, however, as Check Point provide a command "cpstat", which is run from the firewall management server, and can query the remote firewalls for all sorts of useful information:
# cpstat
Usage: cpstat [-h host][-p port][-f flavour][-d] application_flag
-h A resolvable hostname, or a dot-notation address.
Default is localhost.
-p Port number of the AMON server.
Default is the standard AMON port (18192).
-f The flavour of the output (as appears in the configuration file).
Default is to use the first flavour found in the configuration file.
-d Debug mode
Available application_flags:
--------------------------------------------------------------
|Flag |Flavours |
--------------------------------------------------------------
|os |default, routing, memory, cpu, disk, perf, all |
--------------------------------------------------------------
|ha |default, all |
--------------------------------------------------------------
|fw |default, policy, perf, hmem, kmem, inspect, |
| |cookies, chains, fragments, totals, ufp, http, ftp, |
| |telnet, rlogin, smtp, all |
--------------------------------------------------------------
|vpn |product, general, IKE, ipsec, fwz, accelerator, |
| |nic, all |
--------------------------------------------------------------
|polsrv |default, all |
--------------------------------------------------------------
|mg |default |
--------------------------------------------------------------
You will need to write a script to parse the output, but that's pretty easy to do. The beauty of this method is that you shouldn't have to punch new holes through the firewall to allow monitoring - the firewalls should already accept these connections (fw1-amon) from the management server, they're SSL encrypted, and they're authenticated. Bonus!
Other idea is to utilise passive service checks, running plugins on the firewalls, send the results back to the firewall management server through NSCA (appropriately configured for encryption), and on-forward them from the management server to the Nagios server through NSCA (also appropriately configured for encryption).
Cheers,
--
Rebecca A. Richards ph: +61 2 9895 0742
Infrastructure Support Officer mob: +61 412 823 206
Dept of Fair Trading mail: rrichards at fairtrading.nsw.gov.au
http: www.fairtrading.nsw.gov.au
************************************************************************
This message is intended for the addressee named and may
contain confidential information. If you are not the intended
recipient, please delete it and notify the sender.
Views expressed in this message are those of the individual
sender, and are not necessarily the views of the Department
of Fair Trading.
************************************************************************
-------------------------------------------------------
This SF.net email is sponsored by: Does your code think in ink?
You could win a Tablet PC. Get a free Tablet PC hat just for playing.
What are you waiting for?
http://ads.sourceforge.net/cgi-bin/redirect.pl?micr5043en
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
More information about the Users
mailing list