[mrtg] Monitoring SonicWall gateway and VPNs / SAs
Stephan Sachweh
Stephan.Sachweh at pallas.com
Thu Mar 20 23:38:25 MET 2003
I read about tries to monitor SonicWall in the mrtg-mailinglist and did
not find a solution.
I also tried to monitor:
- LAN/WAN/DMZ Interfaces
- VPN Tunnels
Monitoring LAN/WAN/DMZ Interfaces of SonicWall should be possible.
cfgmaker generates a mrtg conffile but no data is available. This is a
confirmed bug in SonicWall Firmware release 6.4.0.1 (SonicWall Knowledge
Base).
But it is possible to monitor created VPNs, named SAs in an SonicWall VPN
Gateway.
But always when the SAs are changed (added, deleted, going up and down)
the snmp index of the SAs are changed. This is not very helpful with mrtg.
I wrote the following perl-skript which creates dynamically a mrtg
conffile and then calls mrtg to monitor my SAs with fixed peer ip
addresses.
It's not very good documented but works for me.
---------------------- Script Begin ------------------------------
#!/usr/bin/perl -w
# mrtg-sonicwall
# Autor: Stephan Sachweh
# Stand: 20.3.2003
# (c) 2003 by Pallas GmbH
#
# Released to public use honoring mrtg
# No warranty for this code
#
# net-snmp: snmpwalk is needed
#
# The index of SonicWall SAs are changed every time an SA is added,
deleted, up or down!
# Solution: dynamic creation of mrtg-configfile for each run.
# The peer ip address of the SA is used to find the SA.
# Then encryptBytes and decryptBytes of the SA are used for inbound and
outbound traffic.
# There's one more problem: If one SA is down, there is no update of the
graph
# Global Parameters
# SonicWall specific parameters
my $COMMUNITY="public"; # Get Community String
my $HOST="put-in-hostname-here"; # Hostname of SonicWall
my $IP="put-in-numerical-ip-of-sonicwall"; # Host IP of SonicWall
my $MAXBYTES="for-scaling"; # Maximum Bandwith of VPN-Tunnel
# Site Monitoring specific parameters
# Configurationfile
# with parameters of the SAs to monitor
# PEERIP is used to finde the SA in SNMPTree of sonicwall
# SANAME is used to create mrtg-names -> filesnames
# SADESCR is used for titles
# PEERIP:SANAME:SADESCR
my $CONFIGFILENAME="/usr/local/mrtg/etc/mrtg-sonicwall.conf";
# Workdir of MRTG
my $WORKDIR="/usr/local/apache/htdocs/admin/mrtg/";
# Place for generated saved Config
my $MRTGCONFIG="/usr/local/mrtg/etc/$HOST.conf";
my $MRTG="/usr/local/mrtg/bin/mrtg";
my $SNMPWALK="/usr/local/bin/snmpwalk";
my $SSLPATH="/usr/local/ssl/lib";
#######################################################################
# OIDs of Interest
#$ snmptranslate -m ALL -IR -On sonicSAStatDecryptByteCount
my $OIDDECRYPT="1.3.6.1.4.1.8741.1.3.2.1.1.1.11";
#$ snmptranslate -m ALL -IR -On sonicSAStatEncryptByteCount
my $OIDENCRYPT="1.3.6.1.4.1.8741.1.3.2.1.1.1.9";
# Command to query SAs
my $SNMPQUERYCMD="LD_LIBRARY_PATH=\${LD_LIBRARY_PATH}:$SSLPATH; export
LD_LIBRARY_PATH; $SNMPWALK -c $COMMUNITY -v 2c -m ALL $IP
sonicSAStatPeerGateway";
# Output is like this
#SONICWALL-FIREWALL-IP-STATISTICS-MIB::sonicSAStatPeerGateway.491 =
IpAddress: 62.206.58.250
#SONICWALL-FIREWALL-IP-STATISTICS-MIB::sonicSAStatPeerGateway.492 =
IpAddress: 195.138.53.15
# First open configfile for later call of mrtg
open(MRTGCONF,"> $MRTGCONFIG") || die "Could not append to '$MRTGCONFIG'";
sub WriteEntry($$$$) {
my ($SAPEER,$SANAME,$SADESCR,$INDEX) = @_;
print MRTGCONF <<EOF;
### SA Entry
### Peer Gateway : $SAPEER
### SA Name : $SANAME
### SA Description: $SADESCR
### SNMP Index : $INDEX
Target[$HOST-sa-$SANAME]:
$OIDDECRYPT.$INDEX&$OIDENCRYPT.$INDEX:$COMMUNITY\@$IP
MaxBytes[$HOST-sa-$SANAME]: $MAXBYTES
Title[$HOST-sa-$SANAME]: Durchsatzanalyse für VPN-Tunnel $SADESCR
PageTop[$HOST-sa-$SANAME]: <H1>Durchsatzanalyse für VPN-Tunnel
$SADESCR</H1>
<TABLE>
<TR><TD>System:</TD> <TD>Your System here</TD></TR>
<TR><TD>Maintainer:</TD> <TD>Put in Maintainer</TD></TR>
<TR><TD>Description:</TD><TD>SA $SANAME </TD></TR>
<TR><TD>Max Speed:</TD> <TD>12.5 MBytes/s</TD></TR>
<TR><TD>Ip:</TD> <TD>IP and Hostname</TD></TR>
</TABLE>
EOF
}
sub WriteHeader() {
$NOW = `date`;
chomp $NOW;
print MRTGCONF <<EOF;
#########
## created by mrtg-sonicwall
## on $NOW
######### Header
WorkDir: $WORKDIR
Background[_]: #FFFFEA
Options[_]: unknaszero,bits
EOF
}
###########################
# Start of Script
# Find out configured peers in SonicWall
my %PEERS = ();
#print $SNMPQUERYCMD."\n";
open (SNMP,"$SNMPQUERYCMD |") || die "Can't exec '$SNMPQUERYCMD'";
while (<SNMP>) {
#print $_;
chomp;
($INDEX,$PEER) = /sonicSAStatPeerGateway\.(\d+) = IpAddress:
([\d\.]+)/;
if ($INDEX && $PEER) {
#print "Index: '$INDEX' Peer: '$PEER'\n";
$PEERS{$PEER} = $INDEX;
}
}
close SNMP;
WriteHeader();
# Now write MRTG-Entry for each configured Peer
# $SAPEER = ip of peer in config
# $SANAME = symbolic short name of peer in config
# $SADESCR = Long Description of SA in config
open (CONFIG,"< $CONFIGFILENAME") || die "Can't open '$CONFIGFILENAME'";
while (<CONFIG>) {
($SAPEER,$SANAME,$SADESCR) = /([^:]+):([^:]+):(.*)/;
if ($SAPEER) {
#print "$SAPEER,$SANAME,$SADESCR\n";
foreach $ip (sort keys %PEERS) {
if ($ip eq $SAPEER) {
$INDEX = $PEERS{$ip};
WriteEntry($SAPEER,$SANAME,$SADESCR,$INDEX);
}
}
}
}
close CONFIG;
close MRTGCONF;
# Now Call mrtg with dynamically created conffile.
system("$MRTG $MRTGCONFIG");
---------------------- Script End ------------------------------
Freundliche Gruesse / Best Regards
Stephan Sachweh
Abteilungsleiter Security Operations
--------------------------------------------------------------------
//// Pallas / A Member of the ExperTeam Group
Pallas GmbH / Emil-Figge-Str. 85 / 44227 Dortmund / Germany
Stephan.Sachweh at pallas.com / www.pallas.com
Tel +49-231-9704-221 / Fax +49-231-9704-609 / Mobile +49-173-5490754
--------------------------------------------------------------------
--
Unsubscribe mailto:mrtg-request at list.ee.ethz.ch?subject=unsubscribe
Archive http://www.ee.ethz.ch/~slist/mrtg
FAQ http://faq.mrtg.org Homepage http://www.mrtg.org
WebAdmin http://www.ee.ethz.ch/~slist/lsg2.cgi
More information about the mrtg
mailing list