[revisited] Nokia IP Firewall Checkpoint Template V0.2

Templates, scripts for templates, scripts and requests for templates.

Moderators: Moderators, Developers

Author
Message
User avatar
gandalf
Developer
Posts: 22375
Joined: Thu Dec 02, 2004 2:46 am
Location: Muenster, Germany
Contact:

[revisited] Nokia IP Firewall Checkpoint Template V0.2

#1 Post by gandalf » Fri Mar 03, 2006 9:49 am

As an update to Nokia IP Firewall Checkpoint Template please find attached ressources for the well known Templates.
Added:
Memory Graphs
per Interface Statistics retrieved from CHECKPOINT fwIfTable
corrected issue with [fwDropPcktsOut] being a COUNTER instead of a GAUGE

Please find attached
- XML Host Template to be imported via Import Templates
- XML snmp_query to be copied to ./ressources/snmp_queries

Attention: As always, this import will perhaps overwrite your RRA Settings. If you changed the defaults, this import will reset RRA deinitions to default. So you will have to tweak them again. Unfortunately, I do not know any way to avoid this

Usage
If you have a Nokia Checkpoint Device, please click the Host Template dropdown to select the Checkpoint Firewall Host Template. Then Create Graphs for this Host
You should see some

Code: Select all

Graph Templates
Graph Template Name 	
Create: Checkpoint - Connections 	
Create: Checkpoint - CPU Usage 	
Create: Checkpoint - Memory Usage 	
Create: Checkpoint - Packets accepted 	
Create: Checkpoint - Packets dropped 	
Create: Checkpoint - Packets logged 	
Create: Checkpoint - Packets rejected 
and

Code: Select all

Data Query [Checkpoint Firewall - fwIfTable]  	 Reload Associated Query
Index 	Interface Name 	
1	eth-s1p3c0	
2	eth-s1p1c0	
3	eth-s1p4c0	
4	eth-s1p2c0	
5	eth4c0	
6	eth2c0	
7	eth3c0	
8	eth1c0
(Interface Names may vary) apart from the well-known Interface Traffic Table.
Please select the wanted Graphs.

Call for Help
When querying our Checkpoints, they respond with sth like

Code: Select all

CHECKPOINT-MIB::fwIfEntry.3.1.0 = INTEGER: 0
CHECKPOINT-MIB::fwIfEntry.3.2.0 = INTEGER: 0
CHECKPOINT-MIB::fwIfEntry.3.3.0 = INTEGER: 0
CHECKPOINT-MIB::fwIfEntry.3.4.0 = INTEGER: 459724
CHECKPOINT-MIB::fwIfEntry.3.5.0 = INTEGER: 149286
CHECKPOINT-MIB::fwIfEntry.3.6.0 = INTEGER: 546851
CHECKPOINT-MIB::fwIfEntry.3.7.0 = INTEGER: 217364
CHECKPOINT-MIB::fwIfEntry.4.1.0 = INTEGER: 0
CHECKPOINT-MIB::fwIfEntry.4.2.0 = INTEGER: 0
CHECKPOINT-MIB::fwIfEntry.4.3.0 = INTEGER: 0
CHECKPOINT-MIB::fwIfEntry.4.4.0 = INTEGER: 442288
CHECKPOINT-MIB::fwIfEntry.4.5.0 = INTEGER: 820097
CHECKPOINT-MIB::fwIfEntry.4.6.0 = INTEGER: 942251
CHECKPOINT-MIB::fwIfEntry.4.7.0 = INTEGER: 991164
The fwIfEntry.3/4 are not know by the checkpoint MIB. Does anyone know what this is?

Greetings
Reinhard
Attachments
cacti_host_template_checkpoint_firewall.xml
Host Template to be imported by cacti's "Import Template" Feature
Corrected Issue with [fwDropPcktsOut]
(115.1 KiB) Downloaded 5461 times
checkpoint_fwIfTable.xml
XML definitions to be put into ./ressource/snmp_queries
(4.95 KiB) Downloaded 4918 times
Last edited by gandalf on Mon Oct 30, 2006 8:19 am, edited 1 time in total.

poezie
Posts: 24
Joined: Tue Feb 28, 2006 7:53 am

#2 Post by poezie » Tue Mar 07, 2006 3:59 am

Hi

When I try and import the cacti_host_template_checkpoint_firewall_116.xml I get "Error: XML: Hash version does not exist."

Any ideas ?

User avatar
fmangeant
Cacti Guru User
Posts: 2326
Joined: Fri Sep 19, 2003 8:36 am
Location: Sophia-Antipolis, France
Contact:

#3 Post by fmangeant » Tue Mar 07, 2006 4:06 am

Hi

what version of Cacti are you running ? You need 0.8.6h to import this template.
[size=84]
[color=green]HOWTOs[/color] :
[list][*][url=http://forums.cacti.net/viewtopic.php?t=15353]Install and configure the Net-SNMP agent for Unix[/url]
[*][url=http://forums.cacti.net/viewtopic.php?t=26151]Install and configure the Net-SNMP agent for Windows[/url]
[*][url=http://forums.cacti.net/viewtopic.php?t=28175]Graph multiple servers using an SNMP proxy[/url][/list]
[color=green]Templates[/color] :
[list][*][url=http://forums.cacti.net/viewtopic.php?t=15412]Multiple CPU usage for Linux[/url]
[*][url=http://forums.cacti.net/viewtopic.php?p=125152]Memory & swap usage for Unix[/url][/list][/size]

poezie
Posts: 24
Joined: Tue Feb 28, 2006 7:53 am

#4 Post by poezie » Tue Mar 07, 2006 4:11 am

Ah Okay will need to update my version I am running f

User avatar
Pumpi
Cacti User
Posts: 256
Joined: Wed Jan 14, 2004 3:23 am
Location: Germany

#5 Post by Pumpi » Tue Mar 07, 2006 4:23 am

Hallo lvm,

I still unable poll my Checkpoint Firewall NG R55 through udp port 260.

The server is running SUSE Enterprise Linux 9 with recent version of Cacti/Cactid, Net-SNMP 5.1.3.1, Perl 5.8.3

I'm always getting Timeout:No response from xxx.xxx.xxx:260

The SmartTracker shows that a Fw1_snmp packet has been received from the Cacti Server as Source.

Any idea how to fix this problem ?

kharford
Cacti User
Posts: 50
Joined: Thu Jul 07, 2005 11:53 am
Location: Mass, USA

Re: [revisited] Nokia IP Firewall Checkpoint Template V0.2

#6 Post by kharford » Tue Mar 07, 2006 2:07 pm

Great work Reinhard.

However, I am having a heck of a problem graphing the data. I see the data being collected put nothing is showing up in the graphs.


03/07/2006 02:00:12 PM - CACTID: Poller[0] Host[36] DS[418] SNMP: v1: , dsname: mem_free_real, oid: .1.3.6.1.4.1.2620.1.6.7.4.5.0, value: 12374016
03/07/2006 02:00:12 PM - CACTID: Poller[0] Host[36] DS[416] SNMP: v1: , dsname: mem_act_real, oid: .1.3.6.1.4.1.2620.1.6.7.4.4.0, value: 514150400
03/07/2006 02:00:12 PM - CACTID: Poller[0] Host[36] DS[419] SNMP: v1: , dsname: mem_tot_real, oid: .1.3.6.1.4.1.2620.1.6.7.4.3.0, value: 526524416
03/07/2006 02:00:12 PM - CACTID: Poller[0] Host[36] DS[417] SNMP: v1: , dsname: mem_act_virtual, oid: .1.3.6.1.4.1.2620.1.6.7.4.2.0, value: 0
03/07/2006 02:00:12 PM - CACTID: Poller[0] Host[36] DS[420] SNMP: v1: , dsname: mem_total_virtual, oid: .1.3.6.1.4.1.2620.1.6.7.4.1.0, value: 2146754560
03/07/2006 02:00:12 PM - CACTID: Poller[0] Host[36] DS[414] SNMP: v1: , dsname: proc_system, oid: .1.3.6.1.4.1.2620.1.6.7.2.2.0, value: 44
03/07/2006 02:00:12 PM - CACTID: Poller[0] Host[36] DS[415] SNMP: v1: , dsname: proc_user, oid: .1.3.6.1.4.1.2620.1.6.7.2.1.0, value: 1
03/07/2006 02:00:12 PM - CACTID: Poller[0] Host[36] DS[423] SNMP: v1: , dsname: logged, oid: .1.3.6.1.4.1.2620.1.1.7.0, value: 5724435
03/07/2006 02:00:12 PM - CACTID: Poller[0] Host[36] DS[422] SNMP: v1: , dsname: dropped, oid: .1.3.6.1.4.1.2620.1.1.6.0, value: 5523687
03/07/2006 02:00:12 PM - CACTID: Poller[0] Host[36] DS[424] SNMP: v1: , dsname: rejected, oid: .1.3.6.1.4.1.2620.1.1.5.0, value: 0
03/07/2006 02:00:12 PM - CACTID: Poller[0] Host[36] DS[421] SNMP: v1: , dsname: acc, oid: .1.3.6.1.4.1.2620.1.1.4.0, value: 1633179673
03/07/2006 02:00:12 PM - CACTID: Poller[0] Host[36] DS[425] SNMP: v1: , dsname: fwDropPcktsIn, oid: .1.3.6.1.4.1.2620.1.1.25.5.1.9.6.0, value: 105100
03/07/2006 02:00:12 PM - CACTID: Poller[0] Host[36] DS[425] SNMP: v1: , dsname: fwAcceptBytesOut, oid: .1.3.6.1.4.1.2620.1.1.25.5.1.8.6.0, value: 0


Any ideas?? :roll:

Thanks

KMH

kharford
Cacti User
Posts: 50
Joined: Thu Jul 07, 2005 11:53 am
Location: Mass, USA

#7 Post by kharford » Tue Mar 07, 2006 5:35 pm

03/07/2006 05:25:12 PM - POLLER: Poller[0] CACTI2RRD: /usr/local/rrdtool-1.2.12/bin/rrdtool update /var/www/html/cacti-0.8.6h/rra/fwdell1mailers_rejected_424.rrd --template rejected 1141770308:U
03/07/2006 05:25:12 PM - POLLER: Poller[0] CACTI2RRD: /usr/local/rrdtool-1.2.12/bin/rrdtool update /var/www/html/cacti-0.8.6h/rra/fwdell1mailers_acc_421.rrd --template acc 1141770308:U
03/07/2006 05:25:12 PM - POLLER: Poller[0] CACTI2RRD: /usr/local/rrdtool-1.2.12/bin/rrdtool update /var/www/html/cacti-0.8.6h/rra/fwdell1mailers_dropped_422.rrd --template dropped 1141770308:U
03/07/2006 05:25:12 PM - POLLER: Poller[0] CACTI2RRD: /usr/local/rrdtool-1.2.12/bin/rrdtool update /var/www/html/cacti-0.8.6h/rra/fwdell1mailers_proc_user_415.rrd --template proc_user 1141770308:U
03/07/2006 05:25:12 PM - POLLER: Poller[0] CACTI2RRD: /usr/local/rrdtool-1.2.12/bin/rrdtool update /var/www/html/cacti-0.8.6h/rra/fwdell1mailers_logged_423.rrd --template logged 1141770308:U
03/07/2006 05:25:12 PM - POLLER: Poller[0] CACTI2RRD: /usr/local/rrdtool-1.2.12/bin/rrdtool update /var/www/html/cacti-0.8.6h/rra/fwdell1mailers_proc_system_414.rrd --template proc_system 1141770308:U
03/07/2006 05:25:12 PM - POLLER: Poller[0] CACTI2RRD: /usr/local/rrdtool-1.2.12/bin/rrdtool update /var/www/html/cacti-0.8.6h/rra/fwdell1mailers_mem_total_virtual_420.rrd --template mem_total_virtual 1141770308:U
03/07/2006 05:25:12 PM - POLLER: Poller[0] CACTI2RRD: /usr/local/rrdtool-1.2.12/bin/rrdtool update /var/www/html/cacti-0.8.6h/rra/fwdell1mailers_mem_act_virtual_417.rrd --template mem_act_virtual 1141770308:U
03/07/2006 05:25:12 PM - POLLER: Poller[0] CACTI2RRD: /usr/local/rrdtool-1.2.12/bin/rrdtool update /var/www/html/cacti-0.8.6h/rra/fwdell1mailers_mem_tot_real_419.rrd --template mem_tot_real 1141770308:U
03/07/2006 05:25:12 PM - POLLER: Poller[0] CACTI2RRD: /usr/local/rrdtool-1.2.12/bin/rrdtool update /var/www/html/cacti-0.8.6h/rra/fwdell1mailers_mem_act_real_416.rrd --template mem_act_real 1141770308:U
03/07/2006 05:25:12 PM - POLLER: Poller[0] CACTI2RRD: /usr/local/rrdtool-1.2.12/bin/rrdtool update /var/www/html/cacti-0.8.6h/rra/fwdell1mailers_mem_free_real_418.rrd --template mem_free_real 1141770308:U

User avatar
gandalf
Developer
Posts: 22375
Joined: Thu Dec 02, 2004 2:46 am
Location: Muenster, Germany
Contact:

#8 Post by gandalf » Wed Mar 08, 2006 3:05 pm

Pumpi wrote:Hallo lvm,

I still unable poll my Checkpoint Firewall NG R55 through udp port 260.

The server is running SUSE Enterprise Linux 9 with recent version of Cacti/Cactid, Net-SNMP 5.1.3.1, Perl 5.8.3

I'm always getting Timeout:No response from xxx.xxx.xxx:260

The SmartTracker shows that a Fw1_snmp packet has been received from the Cacti Server as Source.

Any idea how to fix this problem ?
Please check http://forums.cacti.net/viewtopic.php?p=59166#59166
Reinhard

User avatar
gandalf
Developer
Posts: 22375
Joined: Thu Dec 02, 2004 2:46 am
Location: Muenster, Germany
Contact:

#9 Post by gandalf » Wed Mar 08, 2006 3:08 pm

hi kharford
what versions of cacti/cactid are you running?
Reinhard

kharford
Cacti User
Posts: 50
Joined: Thu Jul 07, 2005 11:53 am
Location: Mass, USA

#10 Post by kharford » Wed Mar 08, 2006 3:11 pm

cacti-0.8.6h

CACTID 0.8.6f

Thanks for responding Reinhard

User avatar
gandalf
Developer
Posts: 22375
Joined: Thu Dec 02, 2004 2:46 am
Location: Muenster, Germany
Contact:

#11 Post by gandalf » Wed Mar 08, 2006 4:19 pm

cactid-0.8.6f is know to be buggy. Please upgrade to latest but pay attention to upgrading hints (am just discussing a cactid bug I ran into with these templates with The Witness)
Reinhard

egironda
Posts: 45
Joined: Mon Dec 19, 2005 6:44 pm

#12 Post by egironda » Wed Mar 08, 2006 6:16 pm

Speaking of cactid 0.8.6g...

I downloaded and installed it some time ago, but the binary tells its version as 0.8.6f. How do I know I actually have the right package?

User avatar
gandalf
Developer
Posts: 22375
Joined: Thu Dec 02, 2004 2:46 am
Location: Muenster, Germany
Contact:

#13 Post by gandalf » Thu Mar 09, 2006 3:15 pm

egironda wrote:Speaking of cactid 0.8.6g...

I downloaded and installed it some time ago, but the binary tells its version as 0.8.6f. How do I know I actually have the right package?
Yes, this is already known. So you're already using latest release.
I'm very surprised, that cactid reports "resonable" values (the OID part of the logs you posted) but rrdtool update commands are generated with "U" (means: unknown) data. I already saw lots of "strange" behaviour, but never this way. I suppose this to be part of cactid code (so I asked for the version). But I'm using this very version (no rpm, build from source) without problems. Perhaps TheWitness (=author of cactid) should have a look
Reinhard

kharford
Cacti User
Posts: 50
Joined: Thu Jul 07, 2005 11:53 am
Location: Mass, USA

#14 Post by kharford » Sat Mar 11, 2006 6:05 am

Okay, I have got my graphs somewhat in working condition.

I did have snmp and csnmpd running at the same time. I needed to set up a proxy in Net-SNMP on the firewall to query the Checkpoint mib.

Once I did that data started to be graphed.

Thanks for all your help

KMH

ymartin59
Posts: 40
Joined: Fri Feb 17, 2006 7:42 am

#15 Post by ymartin59 » Tue Mar 14, 2006 3:07 am

kharford wrote: I did have snmp and csnmpd running at the same time. I needed to set up a proxy in Net-SNMP on the firewall to query the Checkpoint mib.
KMH
Hello,
May you describe how you configured that proxy ? Thank you in advance.

Post Reply