Monitoring a Netscreen Firewall

Burke
Posts: 42
Joined: Tue Nov 05, 2002 7:22 am
Location: Virginia, USA
Contact:

Monitoring a Netscreen Firewall

#1 Post by Burke » Tue Dec 02, 2003 1:30 pm

The following was obtained while working with an NS208.

When you log in to the web interface of a Netscreen, you're presented with a nice summary screen. We have found the "Sessions" bar graph to be an excellent indicator of virus activity. One of the networks we have Cacti monitoring has roughly 500 workstations and 25 servers (Linux, Netware, Windows NT/2K/2K3). Typically, the Sessions should hover right around 800-1100 or so. When a virus is actively trying to spread, the sessions on the firewall jump to somewhere between 4,000-20,000. This activity is also visible on our Cisco routers by looking at the Memory usage - it becomes VERY unstable.

Here are the OIDs to monitor for CPU load, Memory, and Sessions:

.1.3.6.1.4.1.3224.16.1.2.0 = Cpu Last 1 Minute
.1.3.6.1.4.1.3224.16.1.3.0 = Cpu Last 5 Minutes
.1.3.6.1.4.1.3224.16.1.4.0 = Cpu Last 15 Minutes
.1.3.6.1.4.1.3224.16.2.1.0 = Memory Allocated
.1.3.6.1.4.1.3224.16.2.2.0 = Memory Available
.1.3.6.1.4.1.3224.16.2.3.0 = Memory Fragmented
.1.3.6.1.4.1.3224.16.3.2.0 = Sessions Allocated
.1.3.6.1.4.1.3224.16.3.3.0 = Sessions Maximum
.1.3.6.1.4.1.3224.16.3.4.0 = Sessions Failed

Perhaps this could be included in some templates like the Novell & Windows systems.
Burke - MCP+I, MCSE, MCSD, CNE, CCA, CCNA, LPIC-1
[url=http://www.technicalvalues.com]My Website[/url] ::[url=http://www.technicalvalues.net]Domain Registrations, SSL Certs, and Hosting[/url]

Guest

#2 Post by Guest » Sat Dec 27, 2003 11:38 am

Which OS version do you use?

Burke
Posts: 42
Joined: Tue Nov 05, 2002 7:22 am
Location: Virginia, USA
Contact:

#3 Post by Burke » Sat Dec 27, 2003 10:21 pm

Anonymous wrote: Which OS version do you use?
If you're referring to the NS208:

Hardware Version: 0110(0)
Software Version: 4.0.0r10.0 (Firewall+VPN)

However, if you're asking about the monitoring server (running Cacti), then it's Linux Mandrake 9.0.

fletch
Cacti User
Posts: 132
Joined: Mon Oct 06, 2003 5:40 pm
Location: Stanford, CA

XML?

#4 Post by fletch » Fri Jan 09, 2004 8:34 pm

Excellent!
Can someone supply the XML Template for this?
Or I might have to learn to write my own :roll:

Thanks,
Fletch.

fletch
Cacti User
Posts: 132
Joined: Mon Oct 06, 2003 5:40 pm
Location: Stanford, CA

closer to netscreen monitoring

#5 Post by fletch » Mon Jan 12, 2004 1:49 pm

Ok, I am close using RaX's instructions over here:
http://www.raxnet.net/board/viewtopic.p ... 74e4#10354

Debugging why I'm getting NaN in cacti - but the script outputs fine on command line...

fletch
Cacti User
Posts: 132
Joined: Mon Oct 06, 2003 5:40 pm
Location: Stanford, CA

CPU graphs going

#6 Post by fletch » Mon Jan 12, 2004 5:53 pm

Ok, I removed the rrd file and the CPU graphs are now going, but the sessionsAllocated, memoryAllocated are still NaN - here is the cactid log which looks pretty clean:

Code:

[44] MUTLI command: /usr/local/cacti/scripts/getNSData, output: cpu1:1 cpu5:1 cpu15:1 memoryAllocated:131975312 memoryAvailable:117585776 memoryFragmented:8665 sessionsAllocated:850 sessionsMaximum:250000 sessionsFailed:0
MULTI expansion: found fieldname: cpu1, found rrdname: cpu1, local_data_id: 830
MULTI expansion: found fieldname: cpu5, found rrdname: cpu5, local_data_id: 830
MULTI expansion: found fieldname: cpu15, found rrdname: cpu15, local_data_id: 830
MULTI expansion: found fieldname: memoryAllocated, found rrdname: memoryAllocated, local_data_id: 830
MULTI expansion: found fieldname: memoryAvailable, found rrdname: memoryAvailable, local_data_id: 830
MULTI expansion: found fieldname: memoryFragmented, found rrdname: memoryFragmented, local_data_id: 830
MULTI expansion: found fieldname: sessionsAllocated, found rrdname: sessionsAllocated, local_data_id: 830
MULTI expansion: found fieldname: sessionsMaximum, found rrdname: sessionsMaximum, local_data_id: 830
MULTI expansion: found fieldname: sessionsFailed, found rrdname: sessionsFailed, local_data_id: 830
RRDCMD: update '/export/web/crawlspace/htdocs/cacti-0.8.4/rra/irtscreen1_cpu1_830.rrd' --template cpu1:cpu5:cpu15:memoryAllocated:memoryAvailable:memoryFragmented:sessionsAllocated:sessionsMaximum:sessionsFailed N:1:1:1:131975312:117585776:8665:850:250000:0

fletch
Cacti User
Posts: 132
Joined: Mon Oct 06, 2003 5:40 pm
Location: Stanford, CA

upper limits raised for memory and session in data templates

#7 Post by fletch » Tue Jan 13, 2004 5:22 pm

Ok, finally figured out the memory and session #s were not being collected because they exceeded the upper limits set in the Data Template - fixed those and now have CPU, Session and Memory graphs going for the netscreen.
Will clean up and post the exported XML soon...
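
The failure described in post #7 (RRDtool stores a value as unknown, graphed as NaN, when it falls outside the data source's minimum/maximum) and the session ranges from post #1 can both be checked against a script's output before it reaches the RRD. This is an added example, not code from the thread or from Cacti: the sample line is the script output from the cactid log in post #6, while the two limit functions, the three-band session classification and all function names are assumptions.

```python
# Added example: pre-check a Cacti script's multi-field output.
# Script output copied from the cactid log in post #6.
SAMPLE_OUTPUT = (
    "cpu1:1 cpu5:1 cpu15:1 memoryAllocated:131975312 "
    "memoryAvailable:117585776 memoryFragmented:8665 "
    "sessionsAllocated:850 sessionsMaximum:250000 sessionsFailed:0"
)

def parse_fields(line):
    """Split 'name:value name:value ...' into {name: float}."""
    fields = {}
    for token in line.split():
        name, sep, value = token.partition(":")
        if not sep or not name:
            raise ValueError("not a name:value pair: %r" % token)
        fields[name] = float(value)
    return fields

def tight_limits(name):
    """Constructed limits (assumption): every item capped at 100."""
    return (0, 100)

def raised_limits(name):
    """Constructed limits (assumption) sized to the device's own numbers."""
    if name.startswith("memory"):
        return (0, 2 ** 32)
    if name.startswith("sessions"):
        return (0, 250000)  # sessionsMaximum reported in the log above
    return (0, 100)         # CPU load percentages

def out_of_range(fields, limit_for):
    """Names whose value RRDtool would store as unknown (NaN)."""
    rejected = []
    for name, value in fields.items():
        low, high = limit_for(name)
        if value < low or value > high:
            rejected.append(name)
    return rejected

def classify_sessions(allocated, normal_max=1100, outbreak_min=4000):
    """Bands from post #1: 800-1100 typical, 4,000-20,000 during an outbreak."""
    if allocated >= outbreak_min:
        return "alert"
    if allocated > normal_max:
        return "elevated"  # between the two ranges: worth a look
    return "normal"

if __name__ == "__main__":
    data = parse_fields(SAMPLE_OUTPUT)
    print("NaN with tight limits:", out_of_range(data, tight_limits))
    print("sessions:", classify_sessions(data["sessionsAllocated"]))
```

With the tight limits only the CPU and sessionsFailed values survive, which matches the symptom in post #6 where the CPU graphs worked and the memory and session graphs did not.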

fletch
Cacti User
Posts: 132
Joined: Mon Oct 06, 2003 5:40 pm
Location: Stanford, CA

[XML] Netscreen CPU Memory and Session stats

#8 Post by fletch » Thu Jan 15, 2004 2:37 pm

Posted in the Scripts/AddOns section:
http://www.raxnet.net/board/viewtopic.php?t=3078

Do we have a central repository for these XML templates yet?
That'd be cool :)
