Checkpoint Firewall Monitoring

This is a guide to monitoring Checkpoint firewall status with Nagios.

The Task

The goal is to monitor the overall status of a single firewall node or of a firewall cluster of 2 Checkpoint firewalls. This includes the firewall status (High Availability state, FW state, number of connections), the VRRP status, the host status (environment), and the status of the VPN tunnels.

Note that host-specific checks (hardware, storage) should be run only on the individual nodes, and overall availability checks (tunnel status) only on the cluster objects.

The Tools: Plugins

All plugins are based on SNMP polling of the Checkpoint SNMP agent (Note 1):

Note 1: On a Nokia IPSO firewall, for example, there are usually 2 SNMP agents running: the Nokia SNMP agent on port 161 and the Checkpoint SNMP agent, normally on port 260. This article always refers to the Checkpoint SNMP agent unless stated otherwise.

Note 2: The check_snmp_vrrp.pl used for firewall monitoring is a modified version, available at StaGue's Nagios stuff

The Result

Example status from Nagios:

The Matching Nagios Config

Here is an example service definition for monitoring a Checkpoint cluster consisting of two nodes.

A corresponding host definition and definitions of the check commands (see also the sections for the respective plugins) are assumed. (Templates can also be used, depending on preference.)

# #####################################################################
# cluster:   xx-oms-cluster
# FW-1   :   xx-oms-fw03
# FW-2   :   xx-oms-fw04

define service{
        host_name                       xx-oms-cluster
        service_description             Firewall_status
        is_volatile                     0
        check_period                    24x7
        max_check_attempts              3
        normal_check_interval           5
        retry_check_interval            2
        contact_groups                  FW-admin
        notification_interval           180
        notification_period             24x7
        notification_options            c,r,w
        check_command                   check_firewall_status!260!c0mmun1ty!swa!80000,90000  
        }
define service{
        host_name                       xx-oms-cluster
        service_description             Tunnel_status
        is_volatile                     0
        check_period                    24x7
        max_check_attempts              2
        normal_check_interval           5
        retry_check_interval            2
        contact_groups                  FW-admin
        notification_interval           180
        notification_period             24x7
        notification_options            c,r,w
        check_command                   check_tunnel!260!c0mmun1ty
        }
define service{
        host_name                       xx-oms-cluster
        service_description             High_Availability_state
        is_volatile                     0
        register                        0
        check_period                    24x7
        max_check_attempts              2
        normal_check_interval           7
        retry_check_interval            2
        contact_groups                  FW-admin
        notification_interval           180
        notification_period             24x7
        notification_options            c,r,w
        check_command                   check_firewall_HA!c0mmun1ty!260
        }
define service{
        host_name                       xx-oms-cluster
        service_description             VRRP_overall_state
        is_volatile                     0
        check_period                    24x7
        max_check_attempts              2
        normal_check_interval           7
        retry_check_interval            2
        contact_groups                  FW-admin
        notification_interval           180
        notification_period             24x7
        notification_options            c,r,w
        check_command                   check_fw_vrrp!1.3.1.2!1.3.1.3!c0mmun1ty!260
        }
define service{
        host_name                       xx-oms-cluster
        service_description             NTP
        is_volatile                     0
        check_period                    24x7
        max_check_attempts              2
        normal_check_interval           9
        retry_check_interval            2
        contact_groups                  FW-admin
        notification_interval           180
        notification_period             24x7
        notification_options            c,r,w
        check_command                   check_ntp_peer!1!1!-1:150!-1:800!2!1:4!
        }

#  --------------------------------------------------------------
define service{
        host_name                       xx-oms-fw03
        service_description             Firewall_status
        is_volatile                     0
        check_period                    24x7
        max_check_attempts              3
        normal_check_interval           5
        retry_check_interval            2
        contact_groups                  FW-admin
        notification_interval           180
        notification_period             24x7
        notification_options            c,r,w
        check_command                   check_firewall_status!260!c0mmun1ty!swa!80000,90000  
        }
define service{
        host_name                       xx-oms-fw03
        service_description             hardware_status
        is_volatile                     0
        check_period                    24x7
        max_check_attempts              2
        normal_check_interval           9
        retry_check_interval            2
        contact_groups                  FW-admin
        notification_interval           180
        notification_period             24x7
        notification_options            c,r,w
        check_command                   check_env!260!c0mmun1ty!nokia
        }
define service{
        host_name                       xx-oms-fw03
        service_description             High_Availability_state
        is_volatile                     0
        check_period                    24x7
        max_check_attempts              2
        normal_check_interval           7
        retry_check_interval            2
        contact_groups                  FW-admin
        notification_interval           180
        notification_period             24x7
        notification_options            c,r,w
        check_command                   check_firewall_HA!c0mmun1ty!260
        }

define service{
        host_name                       xx-oms-fw03
        service_description             VRRP_status
        is_volatile                     0
        check_period                    24x7
        max_check_attempts              2
        normal_check_interval           9
        retry_check_interval            2
        contact_groups                  FW-admin
        notification_interval           180
        notification_period             24x7
        notification_options            c,r,w
        check_command                   check_vrrp_status!260!c0mmun1ty!nokia!equal
        }
define service{
        host_name                       xx-oms-fw03
        service_description             storage
        is_volatile                     0
        check_period                    24x7
        max_check_attempts              2
        normal_check_interval           9
        retry_check_interval            2
        contact_groups                  FW-admin
        notification_interval           180
        notification_period             24x7
        notification_options            c,r,w
        check_command                   check_HRmib_drives!c0mmun1ty!260!/proc!90!100
        }
#  --------------------------------------------------------------
define service{
        host_name                       xx-oms-fw04
        service_description             Firewall_status
        is_volatile                     0
        check_period                    24x7
        max_check_attempts              3
        normal_check_interval           5
        retry_check_interval            2
        contact_groups                  FW-admin
        notification_interval           180
        notification_period             24x7
        notification_options            c,r,w
        check_command                   check_firewall_status!260!c0mmun1ty!swa!80000,90000  
        }
define service{
        host_name                       xx-oms-fw04
        service_description             hardware_status
        is_volatile                     0
        check_period                    24x7
        max_check_attempts              2
        normal_check_interval           9
        retry_check_interval            2
        contact_groups                  FW-admin
        notification_interval           180
        notification_period             24x7
        notification_options            c,r,w
        check_command                   check_env!260!c0mmun1ty!nokia
        }
define service{
        host_name                       xx-oms-fw04
        service_description             VRRP_status
        is_volatile                     0
        check_period                    24x7
        max_check_attempts              2
        normal_check_interval           9
        retry_check_interval            2
        contact_groups                  FW-admin
        notification_interval           180
        notification_period             24x7
        notification_options            c,r,w
        check_command                   check_vrrp_status!260!c0mmun1ty!nokia!equal
        }
define service{
        host_name                       xx-oms-fw04
        service_description             High_Availability_state
        is_volatile                     0
        check_period                    24x7
        max_check_attempts              2
        normal_check_interval           7
        retry_check_interval            2
        contact_groups                  FW-admin
        notification_interval           180
        notification_period             24x7
        notification_options            c,r,w
        check_command                   check_firewall_HA!c0mmun1ty!260
        }
define service{
        host_name                       xx-oms-fw04
        service_description             storage
        is_volatile                     0
        check_period                    24x7
        max_check_attempts              2
        normal_check_interval           9
        retry_check_interval            2
        contact_groups                  FW-admin
        notification_interval           180
        notification_period             24x7
        notification_options            c,r,w
        check_command                   check_HRmib_drives!c0mmun1ty!260!/proc!90!100
        }
# ########################################################################
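
The placement rule stated earlier (host-specific checks on the nodes, tunnel checks on the cluster object) can be verified against a services file before Nagios is reloaded. The following Python sketch is an added example, not part of the original how-to or its plugins; the `audit` and `parse_services` names, the role sets and the constructed sample are assumptions, and it goes beyond the rule by also reporting services that one node has and the other lacks.

```python
import re

NODE_ONLY = {"hardware_status", "storage"}  # host-specific (names as on this page)
CLUSTER_ONLY = {"Tunnel_status"}            # overall availability (name as on this page)
BLOCK = re.compile(r"define\s+service\s*\{(.*?)\}", re.S)

def parse_services(text):
    """Yield one {directive: value} dict per 'define service{...}' block."""
    for body in BLOCK.findall(text):
        svc = {}
        for line in body.splitlines():
            parts = line.split(";", 1)[0].split(None, 1)  # ';' starts a comment
            if parts and not parts[0].startswith("#"):
                svc[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        yield svc

def audit(text, cluster_hosts, node_hosts):
    """List misplaced checks and services one node has but another lacks."""
    findings, per_node = [], {h: set() for h in node_hosts}
    for svc in parse_services(text):
        if svc.get("register") == "0":      # unregistered objects never run
            continue
        name = svc.get("service_description", "")
        for host in (h.strip() for h in svc.get("host_name", "").split(",")):
            if host in cluster_hosts and name in NODE_ONLY:
                findings.append(f"{host}: host-specific check '{name}' on cluster object")
            if host in per_node:
                per_node[host].add(name)
                if name in CLUSTER_ONLY:
                    findings.append(f"{host}: cluster-wide check '{name}' on single node")
    expected = set().union(*per_node.values()) - CLUSTER_ONLY
    for host, have in per_node.items():
        for name in sorted(expected - have):
            findings.append(f"{host}: missing '{name}' that another node has")
    return sorted(findings)

# Constructed sample (not the page's config) with three deliberate mistakes.
SAMPLE = """
define service{
        host_name               xx-oms-cluster,xx-oms-fw03
        service_description     storage
        }
define service{
        host_name               xx-oms-fw04
        service_description     Tunnel_status
        }
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, {"xx-oms-cluster"}, ["xx-oms-fw03", "xx-oms-fw04"])))
```

An empty result means every registered service sits on the kind of object the rule allows and both nodes carry the same set of checks.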
  

— by StaGue 19. 07. 2009

nagios/howtos/cpfwhowto.txt · Last modified: 2009/07/20 00:27 by stague
CC Attribution-Noncommercial-Share Alike 3.0 Unported