[mrtg] Monitoring SonicWall gateway and VPNs / SAs

Stephan Sachweh Stephan.Sachweh at pallas.com
Thu Mar 20 23:38:25 MET 2003


I read about attempts to monitor SonicWall on the mrtg mailing list and did 
not find a solution.

I also tried to monitor:
- LAN/WAN/DMZ Interfaces
- VPN Tunnels

Monitoring LAN/WAN/DMZ Interfaces of SonicWall should be possible. 
cfgmaker generates a mrtg conffile but no data is available. This is a 
confirmed bug in SonicWall Firmware release 6.4.0.1 (SonicWall Knowledge 
Base).

But it is possible to monitor created VPNs, named SAs in a SonicWall VPN 
Gateway.

But whenever the SAs change (added, deleted, going up and down), 
the SNMP indexes of the SAs change. This is not very helpful with mrtg.

I wrote the following Perl script, which dynamically creates an mrtg 
conffile and then calls mrtg to monitor my SAs with fixed peer IP 
addresses.

It's not very well documented but works for me.

---------------------- Script Begin ------------------------------
#!/usr/bin/perl -w

# mrtg-sonicwall
# Author: Stephan Sachweh
# As of: 20.3.2003
# (c) 2003 by Pallas GmbH
#
# Released to public use honoring mrtg
# No warranty for this code
#
# net-snmp: snmpwalk is needed
#
# The index of SonicWall SAs changes every time an SA is added,
# deleted, up or down!
# Solution: dynamic creation of mrtg-configfile for each run.
# The peer ip address of the SA is used to find the SA.
# Then encryptBytes and decryptBytes of the SA are used for inbound and
# outbound traffic.
# There's one more problem: If one SA is down, there is no update of the
# graph

# Global Parameters

# SonicWall specific parameters
my $COMMUNITY="public";         # Get Community String
my $HOST="put-in-hostname-here";                # Hostname of SonicWall
my $IP="put-in-numerical-ip-of-sonicwall";      # Host IP of SonicWall
my $MAXBYTES="for-scaling";             # Maximum Bandwidth of VPN-Tunnel

# Site Monitoring specific parameters
# Configurationfile
# with parameters of the SAs to monitor
# PEERIP is used to find the SA in SNMPTree of sonicwall
# SANAME is used to create mrtg-names -> filenames
# SADESCR is used for titles 
# PEERIP:SANAME:SADESCR
my $CONFIGFILENAME="/usr/local/mrtg/etc/mrtg-sonicwall.conf";

# Workdir of MRTG
my $WORKDIR="/usr/local/apache/htdocs/admin/mrtg/";

# Place for generated saved Config
my $MRTGCONFIG="/usr/local/mrtg/etc/$HOST.conf";
my $MRTG="/usr/local/mrtg/bin/mrtg";

my $SNMPWALK="/usr/local/bin/snmpwalk";
my $SSLPATH="/usr/local/ssl/lib";

#######################################################################

# OIDs of Interest
#$ snmptranslate -m ALL -IR -On sonicSAStatDecryptByteCount 
my $OIDDECRYPT="1.3.6.1.4.1.8741.1.3.2.1.1.1.11";
#$ snmptranslate -m ALL -IR -On sonicSAStatEncryptByteCount 
my $OIDENCRYPT="1.3.6.1.4.1.8741.1.3.2.1.1.1.9";

# Command to query SAs
my $SNMPQUERYCMD="LD_LIBRARY_PATH=\${LD_LIBRARY_PATH}:$SSLPATH; export LD_LIBRARY_PATH; "
        . "$SNMPWALK -c $COMMUNITY -v 2c -m ALL $IP sonicSAStatPeerGateway";
# Output is like this
#SONICWALL-FIREWALL-IP-STATISTICS-MIB::sonicSAStatPeerGateway.491 = IpAddress: 62.206.58.250
#SONICWALL-FIREWALL-IP-STATISTICS-MIB::sonicSAStatPeerGateway.492 = IpAddress: 195.138.53.15

# First open configfile for later call of mrtg
open(MRTGCONF,"> $MRTGCONFIG") || die "Could not append to '$MRTGCONFIG'"; 


sub WriteEntry($$$$) {
        my ($SAPEER,$SANAME,$SADESCR,$INDEX) = @_;

print MRTGCONF <<EOF;
 
### SA Entry
### Peer Gateway  : $SAPEER
### SA Name       : $SANAME
### SA Description: $SADESCR
### SNMP Index    : $INDEX
 
Target[$HOST-sa-$SANAME]: $OIDDECRYPT.$INDEX&$OIDENCRYPT.$INDEX:$COMMUNITY\@$IP
MaxBytes[$HOST-sa-$SANAME]: $MAXBYTES
Title[$HOST-sa-$SANAME]: Durchsatzanalyse f&uuml;r VPN-Tunnel $SADESCR
PageTop[$HOST-sa-$SANAME]: <H1>Durchsatzanalyse f&uuml;r VPN-Tunnel $SADESCR</H1>
 <TABLE>
   <TR><TD>System:</TD>     <TD>Your System here</TD></TR>
   <TR><TD>Maintainer:</TD> <TD>Put in Maintainer</TD></TR>
   <TR><TD>Description:</TD><TD>SA $SANAME  </TD></TR>
   <TR><TD>Max Speed:</TD>  <TD>12.5 MBytes/s</TD></TR>
   <TR><TD>Ip:</TD>         <TD>IP and Hostname</TD></TR>
 </TABLE>
 
EOF
}

sub WriteHeader() {

        $NOW = `date`;
        chomp $NOW;
        print MRTGCONF <<EOF;
#########
## created by mrtg-sonicwall 
## on $NOW
######### Header
WorkDir: $WORKDIR
Background[_]: #FFFFEA
Options[_]: unknaszero,bits
EOF
}

###########################
# Start of Script

# Find out configured peers in SonicWall

my %PEERS = ();

#print $SNMPQUERYCMD."\n";
open (SNMP,"$SNMPQUERYCMD |") || die "Can't exec '$SNMPQUERYCMD'";
while (<SNMP>) {
        #print $_;
        chomp;
        ($INDEX,$PEER) = /sonicSAStatPeerGateway\.(\d+) = IpAddress: ([\d\.]+)/;
        if ($INDEX && $PEER) {
                #print "Index: '$INDEX' Peer: '$PEER'\n";
                $PEERS{$PEER} = $INDEX;
        }
}
close SNMP;

WriteHeader();

# Now write MRTG-Entry for each configured Peer 
# $SAPEER = ip of peer in config
# $SANAME = symbolic short name of peer in config
# $SADESCR = Long Description of SA in config

open (CONFIG,"< $CONFIGFILENAME") || die "Can't open '$CONFIGFILENAME'";
while (<CONFIG>) {
        ($SAPEER,$SANAME,$SADESCR) = /([^:]+):([^:]+):(.*)/;
        if ($SAPEER) {
                #print "$SAPEER,$SANAME,$SADESCR\n";
                foreach $ip (sort keys %PEERS) {
                        if ($ip eq $SAPEER) {
                                $INDEX = $PEERS{$ip};
                                WriteEntry($SAPEER,$SANAME,$SADESCR,$INDEX);
                        }
                }
        }
}
close CONFIG;

close MRTGCONF;

# Now Call mrtg with dynamically created conffile.

system("$MRTG $MRTGCONFIG");

---------------------- Script End ------------------------------

Freundliche Gruesse / Best Regards

Stephan Sachweh
Abteilungsleiter Security Operations
--------------------------------------------------------------------
//// Pallas / A Member of the ExperTeam Group
Pallas GmbH / Emil-Figge-Str. 85 / 44227 Dortmund / Germany
Stephan.Sachweh at pallas.com / www.pallas.com
Tel +49-231-9704-221 / Fax +49-231-9704-609 / Mobile +49-173-5490754
--------------------------------------------------------------------
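
Added example (not part of the original post or of the posted script): the peer-to-index lookup from the script above, with the two inputs it trusts checked before they reach the generated mrtg config. The SANAME character policy, the sample config lines and the function names are assumptions; the snmpwalk lines use the format quoted in the post.

```perl
use strict;
use warnings;

# Constructed sample input: snmpwalk lines in the format quoted in the post and
# PEERIP:SANAME:SADESCR lines as they would appear in mrtg-sonicwall.conf.
my @walk = (
    'SONICWALL-FIREWALL-IP-STATISTICS-MIB::sonicSAStatPeerGateway.491 = IpAddress: 62.206.58.250',
    'SONICWALL-FIREWALL-IP-STATISTICS-MIB::sonicSAStatPeerGateway.492 = IpAddress: 195.138.53.15',
);
my @config = (
    '62.206.58.250:branch1:Branch office <1> & HQ',
    '195.138.53.15:../../tmp/x:Name that would escape WorkDir',
    '192.0.2.7:branch3:Peer with no SA in the walk',
);

# Map peer IP -> current SNMP index from snmpwalk output.
sub parse_peers {
    my %peers;
    for my $line (@_) {
        my ($index, $peer) = $line =~ /sonicSAStatPeerGateway\.(\d+) = IpAddress: ([\d.]+)/;
        $peers{$peer} = $index if defined $index;
    }
    return \%peers;
}

# Escape SADESCR before it goes into the Title/PageTop HTML.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    return $s;
}

# Return (\@entries, \@skipped); each skipped item names the reason.
sub resolve {
    my ($peers, @lines) = @_;
    my (@ok, @skipped);
    for my $line (@lines) {
        my ($ip, $name, $descr) = $line =~ /\A([^:]+):([^:]+):(.*)\z/;
        if (!defined $ip)                  { push @skipped, "$line: malformed";   next }
        # Assumed policy: SANAME becomes a file name, so allow only [A-Za-z0-9_-].
        if ($name !~ /\A[A-Za-z0-9_-]+\z/) { push @skipped, "$ip: unsafe SANAME"; next }
        if (!exists $peers->{$ip})         { push @skipped, "$ip: no SA index";   next }
        push @ok, { peer => $ip, name => $name, descr => html_escape($descr), index => $peers->{$ip} };
    }
    return (\@ok, \@skipped);
}
my ($ok, $skipped) = resolve(parse_peers(@walk), @config);
print "Target $_->{name}: index $_->{index}, title '$_->{descr}'\n" for @$ok;
print "skipped $_\n" for @$skipped;
```

Peers that land in the skipped list with "no SA index" are the ones whose graphs stop updating, so logging that list makes the gap mentioned in the script's comments visible.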
