This is a quick guide for monitoring your Cisco PIX firewalls without needing SNMP traps. Once this is set up, Nagios can notify you if the firewalls change roles in the failover cluster.

Requirements

  1. Nagios installed and working

  2. Net-SNMP installed and working

  3. A Cisco PIX running at least version 7.0 of the OS; earlier versions work as well, but the SNMP syntax is slightly different

PIX Configuration

You need to set up SNMP on your PIX as usual; this is a snippet from my config for it:

snmp-server host inside 192.168.1.10 community topsecret
snmp-server location MyISP, London

Net-SNMP Setup

You'll need to import some MIBs from the Cisco website into your Net-SNMP configuration, which is a pretty simple task. Download these two MIB files: CISCO-SMI.my and CISCO-FIREWALL-MIB.my.

Place these in your Net-SNMP MIB directory (on my Linux machine that's /usr/share/snmp/mibs/, on FreeBSD it's /usr/local/share/snmp/mibs/) and edit your snmp.conf to include the following line:

mibs +CISCO-FIREWALL-MIB

Now test that it worked, using your snmpwalk utility:

% snmpwalk -c topsecret -v1 fw1.mydomain.com .iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.cfwStatus.cfwHardwareStatusTable
CISCO-FIREWALL-MIB::cfwHardwareInformation.primaryUnit = STRING: Primary unit (this device)
CISCO-FIREWALL-MIB::cfwHardwareInformation.secondaryUnit = STRING: Secondary unit
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.primaryUnit = INTEGER: active(9)
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.secondaryUnit = INTEGER: standby(10)
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.primaryUnit = STRING: Active unit
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.secondaryUnit = STRING: Standby unit

For reference, here is the output from a PIX cluster with a failed network cable on the primary device:

CISCO-FIREWALL-MIB::cfwHardwareInformation.primaryUnit = STRING: Primary unit (this device)
CISCO-FIREWALL-MIB::cfwHardwareInformation.secondaryUnit = STRING: Secondary unit
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.primaryUnit = INTEGER: error(4)
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.secondaryUnit = INTEGER: active(9)
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.primaryUnit = STRING: Unit has failed
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.secondaryUnit = STRING: Active unit 

So checking for the words active and standby on the primary and secondary unit respectively will pick up any problems with the cluster.

In the first output you can see that I ran the query against the primary device, and that the primary is currently active with the secondary in standby. I will use these active and standby states to monitor the failover cluster: if the primary ever changes away from active, that is a critical state.

Nagios Setup

The Nagios configuration is a three-step process. First you need to define the command used to do the checks; I put mine in a separate file for each command, but you can also just append this to your misccommands.cfg file:

define command{
        command_name    check_string_snmp
        command_line    $USER1$/check_snmp -H $HOSTADDRESS$ -C $USER3$ -o $ARG1$ -R $ARG2$
}

This uses the check_snmp plugin from the nagios-plugins package; its -R option returns OK only when the queried value matches the given case-insensitive regular expression, and CRITICAL otherwise.

Now assuming you already have host definitions for your firewalls, add the following service definition:

define service {
        host_name               fw1-pri.mydomain.com
        service_description     Primary Active
        check_command           check_string_snmp!CISCO-FIREWALL-MIB::cfwHardwareStatusValue.primaryUnit!active
        max_check_attempts      1
        contact_groups          sysadmin-email
        use                     generic-service-template
}

define service {
        host_name               fw1-pri.mydomain.com
        service_description     Secondary Standby
        check_command           check_string_snmp!CISCO-FIREWALL-MIB::cfwHardwareStatusValue.secondaryUnit!standby
        max_check_attempts      1
        contact_groups          sysadmin-email
        use                     generic-service-template
}

It's worth mentioning again that for this to work you should already have a working Nagios setup, including the ability to do SNMP queries. General Nagios setup help is out of scope for this document.

Now if you reload your Nagios configuration, your firewalls will be monitored and you should get alerts whenever the failover state changes.
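The check_snmp regex match above tests one unit per service. As an added example (not code from the page or from Nagios), here is a small Nagios-style plugin in Python that reads the cfwHardwareStatusValue lines from snmpwalk output, as shown in the Net-SNMP section, and evaluates both units in one go: it returns OK when the primary is active and the secondary is standby, CRITICAL with a description of which unit is in the wrong state otherwise, and UNKNOWN if a unit is missing from the output. The two embedded samples are constructed from the healthy and failed-cable outputs on this page; the script name and the expected-state table are assumptions.

```python
#!/usr/bin/env python3
"""check_pix_failover.py (hypothetical name): evaluate PIX failover state
from snmpwalk output of CISCO-FIREWALL-MIB::cfwHardwareStatusValue."""
import re
import sys

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Expected state per unit in a healthy cluster (assumption, matching the
# page's two services: primary must be active, secondary must be standby).
EXPECTED = {"primaryUnit": "active", "secondaryUnit": "standby"}

# Constructed sample: the healthy output shown on the page.
HEALTHY_WALK = """\
CISCO-FIREWALL-MIB::cfwHardwareInformation.primaryUnit = STRING: Primary unit (this device)
CISCO-FIREWALL-MIB::cfwHardwareInformation.secondaryUnit = STRING: Secondary unit
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.primaryUnit = INTEGER: active(9)
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.secondaryUnit = INTEGER: standby(10)
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.primaryUnit = STRING: Active unit
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.secondaryUnit = STRING: Standby unit
"""

# Constructed sample: the failed-network-cable output shown on the page.
FAILED_WALK = """\
CISCO-FIREWALL-MIB::cfwHardwareInformation.primaryUnit = STRING: Primary unit (this device)
CISCO-FIREWALL-MIB::cfwHardwareInformation.secondaryUnit = STRING: Secondary unit
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.primaryUnit = INTEGER: error(4)
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.secondaryUnit = INTEGER: active(9)
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.primaryUnit = STRING: Unit has failed
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.secondaryUnit = STRING: Active unit
"""

# Matches only the status-value rows, e.g.
# "CISCO-FIREWALL-MIB::cfwHardwareStatusValue.primaryUnit = INTEGER: active(9)"
LINE_RE = re.compile(
    r"^CISCO-FIREWALL-MIB::cfwHardwareStatusValue\.(\w+) = INTEGER: (\w+)\((\d+)\)$"
)


def parse_status(walk_output):
    """Return {unit: (state_name, state_number)} parsed from snmpwalk text."""
    states = {}
    for line in walk_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            unit, name, num = m.groups()
            states[unit] = (name.lower(), int(num))
    return states


def evaluate(states):
    """Return (exit_code, message) following the Nagios plugin convention."""
    problems = []
    for unit, wanted in EXPECTED.items():
        if unit not in states:
            return UNKNOWN, f"UNKNOWN - no cfwHardwareStatusValue for {unit}"
        name, num = states[unit]
        if name != wanted:
            problems.append(f"{unit} is {name}({num}), expected {wanted}")
    if problems:
        return CRITICAL, "CRITICAL - " + "; ".join(problems)
    summary = ", ".join(f"{u}={n}({k})" for u, (n, k) in sorted(states.items()))
    return OK, "OK - " + summary


def check_failover(walk_output):
    """Parse and evaluate in one step; returns (exit_code, message)."""
    return evaluate(parse_status(walk_output))


def main():
    # Pipe real snmpwalk output in, e.g.
    #   snmpwalk -c topsecret -v1 fw1.mydomain.com \
    #       CISCO-FIREWALL-MIB::cfwHardwareStatusValue | ./check_pix_failover.py
    # With no piped input the embedded healthy sample is evaluated instead.
    text = HEALTHY_WALK if sys.stdin.isatty() else sys.stdin.read()
    code, msg = check_failover(text)
    print(msg)
    sys.exit(code)


if __name__ == "__main__":
    main()
```

Because both units are evaluated together, a single service can report the failed-cable case as "primaryUnit is error(4), expected active; secondaryUnit is active(9), expected standby", which tells the on-call person what happened rather than just that a regex failed to match. The same SNMP access caveat applies as with check_snmp: with -v1 the community string travels in clear text, so keep the snmp-server host line on the PIX restricted to the Nagios host's address as the page's config does.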

Changelog

10/08/2006

Initial Release

PIX/MonitorFailoverWithNagios (last edited 2006-08-09 23:21:15 by nat)