Use MRTG to monitor Netscreen firewall's performance?



  • Does anyone have experience using MRTG to monitor a NetScreen firewall's performance? Is it doable? I would like to try. I would appreciate it if you could share your experience with me.



  • Here is the file I use to graph sessions on firewalls; you can change MaxBytes[sessions]: 128000 to any value you need.

    .netscreen.netscreenResource.nsResSession. …nsResSessActive & .nsResSessAllocate

    Target[sessions]: .1.3.6.1.4.1.3224.16.3.2.0&.1.3.6.1.4.1.3224.16.3.2.0:community@x.x.x.x:
    Options[sessions]: nopercent,growright,gauge,noinfo
    Title[sessions]: Session Utilization
    PageTop[sessions]: Firewall Sessions

    MaxBytes[sessions]: 128000
    YLegend[sessions]: sessions
    ShortLegend[sessions]: sessions
    LegendI[sessions]:   Active  :
    LegendO[sessions]:   Allocated:
    Legend1[sessions]: Active sessions
    Legend2[sessions]: Allocated sessions

    Greg



  • Is there any method to graph the number of sessions with MRTG? When I ran snmpwalk with full output, the only thing I saw near that number was tcpOpenSessions or something like that, but I still saw that it was not the correct number of sessions (perhaps because UDP was not involved, but I didn't find any corresponding line for UDP).



  • Hi,
    I use only RRDtool to monitor an NS25 box.
    It's a simple setup; you need Win2k, Perl, RRDtool, the scheduler service and Notepad…

    I needed a 60-second interval, so I started using RRDtool.
    I graph CPU, memory, sessions, throughput, total throughput, and VPN tunnel activity.

    Scripts and examples are available on request.
    (I'm planning to put the stuff on a website and share it.)

    cheers
    Reini



  • @steven_williams:

    Can someone email me their MRTG config file, as I can't get to the website previously mentioned?

    Policy-based monitoring works well so far….

    Thanks

    Steve
    steven.williams@computershare.com.au

    here is my mrtg.cfg:

    ----------------

    WorkDir: /var/www/html/mrtg/

    Target[trust]: 1:public@10.0.0.1:
    Options[trust]: nopercent,growright,noinfo
    SetEnv[trust]: MRTG_INT_IP="10.0.0.1" MRTG_INT_DESCR="NetScreen : trust"
    MaxBytes[trust]: 12500000
    Title[trust]: ns5xt Traffic Analysis In/Out Bytes [Trust]
    PageTop[trust]: ns5xt Traffic Analysis In/Out Bytes [Trust]

    | System: | ns5xt in cologne, zuendorf |
    | Maintainer: | fw@doehni.dyndns.org |
    | Description: | NetScreen : trust |
    | ifType: | ethernetCsmacd (6) |
    | ifName: | trust |
    | Max Speed: | 12,5 MBytes/s |
    | Ip: | 10.0.0.1 () |

    Target[untrust]: 2:public@10.0.0.1:
    Options[untrust]: nopercent,growright,noinfo
    SetEnv[untrust]: MRTG_INT_IP="80.133.16.243" MRTG_INT_DESCR="NetScreen : untrust"
    MaxBytes[untrust]: 1250000
    Title[untrust]: ns5xt Traffic Analysis In/Out Bytes [Untrust]
    PageTop[untrust]: ns5xt Traffic Analysis In/Out Bytes [Untrust]

    | System: | ns5xt in cologne, zuendorf |
    | Maintainer: | fw@doehni.dyndns.org |
    | Description: | NetScreen : untrust |
    | ifType: | ethernetCsmacd (6) |
    | ifName: | untrust |
    | Max Speed: | 768 kBit/s |

    .netscreen.netscreenInterface.nsIfFlowTable …nsIfFlowInByte.trust & nsIfFlowOutByte.trust

    Target[nsIfFlowTable]: .1.3.6.1.4.1.3224.9.3.1.3.2&.1.3.6.1.4.1.3224.9.3.1.5.2:public@10.0.0.1:
    Options[nsIfFlowTable]: nopercent,growright,noinfo
    Title[nsIfFlowTable]: ns5xt Flow In/Out Bytes [Trust]
    PageTop[nsIfFlowTable]: ns5xt Flow In/Out Bytes [Trust]

    MaxBytes[nsIfFlowTable]: 100000
    YLegend[nsIfFlowTable]: B/s
    ShortLegend[nsIfFlowTable]: bytes/sec
    LegendI[nsIfFlowTable]: & Bytes/sec In :
    LegendO[nsIfFlowTable]: & Bytes/sec Out:
    Legend1[nsIfFlowTable]: Bytes/sec In
    Legend2[nsIfFlowTable]: Bytes/sec Out

    .netscreen.netscreenInterface.nsIfFlowTable …nsIfFlowInByte.untrust & nsIfFlowOutByte.untrust

    Target[nsIfFlowTable2]: .1.3.6.1.4.1.3224.9.3.1.3.1&.1.3.6.1.4.1.3224.9.3.1.5.1:public@10.0.0.1:
    Options[nsIfFlowTable2]: nopercent,growright,noinfo
    Title[nsIfFlowTable2]: ns5xt Flow In/Out Bytes [UnTrust]
    PageTop[nsIfFlowTable2]: ns5xt Flow In/Out Bytes [UnTrust]

    MaxBytes[nsIfFlowTable2]: 100000
    YLegend[nsIfFlowTable2]: B/s
    ShortLegend[nsIfFlowTable2]: bytes/sec
    LegendI[nsIfFlowTable2]: & Bytes/sec In :
    LegendO[nsIfFlowTable2]: & Bytes/sec Out:
    Legend1[nsIfFlowTable2]: Bytes/sec In
    Legend2[nsIfFlowTable2]: Bytes/sec Out

    .netscreen.netscreenResource.nsResSession.nsResSessAllocate …

    Target[nsResSessAllocate]: .1.3.6.1.4.1.3224.16.3.2.0&.1.3.6.1.4.1.3224.16.3.2.0:public@10.0.0.1:
    Options[nsResSessAllocate]: nopercent,growright,gauge,noinfo,noi
    Title[nsResSessAllocate]: ns5xt Session Utilization
    PageTop[nsResSessAllocate]: ns5xt Session Utilization

    MaxBytes[nsResSessAllocate]: 2048
    YLegend[nsResSessAllocate]: sessions
    ShortLegend[nsResSessAllocate]: sessions
    LegendI[nsResSessAllocate]: & Active :
    LegendO[nsResSessAllocate]: & Allocated:
    Legend1[nsResSessAllocate]: Allocated sessions
    Legend2[nsResSessAllocate]: Active sessions

    ----------------

    I suggest using mrtg/rrd from http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/ with routers2.cgi
    from http://www.cheshire.demon.co.uk/pub/

    You only have to change the MRTG log format to RRD format, as in the mrtg.cfg above:

    for UNIX

    WorkDir: /var/rrd/

    for rrd

    LogFormat: rrdtool
    PathAdd: /usr/local/rrdtool/bin/
    LibAdd: /usr/local/rrdtool/lib/perl/

    bye
    ad



  • Can someone email me their MRTG config file, as I can't get to the website previously mentioned?

    Policy-based monitoring works well so far….

    Thanks

    Steve
    steven.williams@computershare.com.au



  • I have set up MRTG to monitor our NS500 firewall. It is working but the bandwidth data it grabs from the NS500 is quite doubtful. It reported that the average outgoing traffic on the trusted interface is about 35MB/s but the incoming is only 300KB/s. We also use MRTG to monitor our switches. While on the corresponding port on the switch, MRTG reported an average incoming and outgoing traffic of about 300MB/s. And if we look at the diagrams from both the firewall and the switch, they don’t match. I don’t know what I did wrong. I tried manually calculating the traffic and found that the outgoing bandwidth data for the firewall was obviously wrong. What may cause this problem?

    Any help is appreciated.
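
As an added example (not code from any post in this thread), here is a small Python model of what MRTG does with the values the targets above return; it covers both the mrtg.cfg posted earlier (the ifIndex byte counters, the nsIfFlowIn/OutByte counters, and the gauge session targets) and the question just above about bandwidth numbers that look wrong. All poll samples are constructed. Two MRTG rules are reproduced that explain surprising graphs: a COUNTER value lower than the previous poll is taken as a 32-bit wrap (the assumption here is 32-bit counters, which is what ifInOctets/ifOutOctets and the posted nsIfFlow OIDs are), and a result above MaxBytes is silently discarded as bad data unless AbsMax is set. One consequence of the first rule: at 35 MB/s a 32-bit octet counter wraps more than twice inside a 5-minute poll, and no differencing of two readings can recover the true rate; a 64-bit ifHCInOctets/ifHCOutOctets target (SNMPv2c) or a much shorter interval is needed. One consequence of the second: a session target with MaxBytes 2048 never shows a spike above 2048 sessions, it just logs nothing for that poll.

```python
# Added example, not code from any post in this thread.
# A minimal model of how MRTG turns two consecutive SNMP polls into the
# numbers it logs, for the kinds of Target used in the mrtg.cfg above:
#   - byte counters (ifIndex targets, nsIfFlowInByte/nsIfFlowOutByte): COUNTER
#     values that MRTG differences and divides by the poll interval;
#   - session targets with Options: gauge: the polled value is used as-is.
# Assumption: 32-bit counters (MRTG's default wrap handling, simplified).
# All poll samples in __main__ are constructed, not captured from a NetScreen.
from dataclasses import dataclass
from typing import List, Optional, Tuple

COUNTER32_MAX = 2 ** 32
POLL_INTERVAL = 300          # MRTG's usual cron interval, in seconds

Logged = Tuple[Optional[float], Optional[float]]


@dataclass(frozen=True)
class Target:
    name: str
    max_bytes: int           # MaxBytes[name]: y-axis limit AND validity limit
    gauge: bool = False      # 'gauge' present in Options[name]


@dataclass(frozen=True)
class Sample:
    t: int                   # poll time (unix seconds)
    in_val: int              # value of the first OID in the Target (left of '&')
    out_val: int             # value of the second OID in the Target


def counter_rate(old: int, new: int, dt: int) -> float:
    """Bytes/sec between two COUNTER readings, correcting a single 32-bit wrap."""
    if new < old:            # counter went backwards: assume it wrapped once
        new += COUNTER32_MAX
    return (new - old) / dt


def mrtg_step(target: Target, prev: Sample, cur: Sample) -> Logged:
    """What MRTG logs for this poll as (in, out); None means the value was discarded."""
    dt = cur.t - prev.t
    if target.gauge:
        raw = (float(cur.in_val), float(cur.out_val))
    else:
        raw = (counter_rate(prev.in_val, cur.in_val, dt),
               counter_rate(prev.out_val, cur.out_val, dt))
    # MaxBytes doubles as a sanity limit: anything above it is treated as bad data
    # (AbsMax would raise that limit; it is not modelled here).
    checked = [v if v <= target.max_bytes else None for v in raw]
    return checked[0], checked[1]


def run(target: Target, samples: List[Sample]) -> List[Logged]:
    """Apply mrtg_step across a poll series, like successive cron runs."""
    return [mrtg_step(target, a, b) for a, b in zip(samples, samples[1:])]


def wraps_per_interval(bytes_per_sec: float, dt: int = POLL_INTERVAL) -> float:
    """How many times a 32-bit octet counter wraps between two polls at this rate.
    Above 1.0 the single-wrap correction in counter_rate cannot recover the rate."""
    return bytes_per_sec * dt / COUNTER32_MAX


if __name__ == "__main__":
    # Session target as posted (gauge, MaxBytes 2048): the 2300 reading is dropped,
    # so a session-table spike above MaxBytes never appears on the graph.
    sessions = Target("nsResSessAllocate", max_bytes=2048, gauge=True)
    print(run(sessions, [Sample(0, 1200, 1200), Sample(300, 2300, 1900)]))

    # Interface counter target (MaxBytes 12500000): inbound counter wrapped once
    # between polls, outbound advanced by 30 MB in 300 s.
    trust = Target("trust", max_bytes=12_500_000)
    print(run(trust, [Sample(0, 4_294_000_000, 100),
                      Sample(300, 1_000_000, 30_000_100)]))

    # 35 MB/s wraps a 32-bit counter more than twice per 5-minute poll;
    # 300 KB/s does not wrap within the interval at all.
    for rate in (35_000_000, 300_000):
        print(rate, "B/s ->", round(wraps_per_interval(rate), 2), "wraps per poll")
```

When a NetScreen graph and the matching switch-port graph disagree, compare the two polled counters by hand over one interval with snmpget before trusting either: if the firewall value moved by more than 2^32 in 300 seconds at the rate the switch reports, the 32-bit counter is the problem, not MRTG. Separately, the targets posted in this thread poll with the default community strings public and private over SNMPv1, which sends the community in the clear; on a firewall, use a non-default read-only community and restrict which hosts may query it.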



  • I had enabled SNMP on the VLAN where the management IP was but not on the untrusted port! Doh! Now it's working like a champ, thanks! 😉



  • @steven_williams:

    My idea is that one MIP is one website, so get traffic stats for each website.
    Steve

    Take a look at Mr. Kouri's cfg file:
    create a policy permitting traffic to each web server, enable counting for that policy, and poll the appropriate netscreen.netscreenPolicy.nsPlyMonTable row.

    bye
    ad



  • How about assigning a counter and polling that?

    – steve



  • I use many MIPs to NAT Internet addresses onto our web load balancer virtual farm IPs. Has anyone got MRTG to work with graphing traffic usage per policy?

    My idea is that one MIP is one website, so get traffic stats for each website.

    Cheers

    Steve



  • @Gpaladin:

    That last OID did not work

    Which OID do you mean? The example file of Mr. Kouri doesn't work with 4.0x if you poll the "active" sessions; the OID .1.3.6.1.4.1.3224.16.3.2.0 is for Session Allocate and works for me (I am using 4.0.1r1).

    What's the output if you snmpwalk the OID?

    bye
    ad



  • That last OID did not work



  • I am testing the OID and MRTG example now but I am guessing it will not work as the first component is the one I have been trying… I am using a Netscreen 100 running 4.0.0r8



  • @Gpaladin:

    That is the same OID as posted above and it does not work at all ;(

    this works for me with 4.0.1r1:

    .netscreen.netscreenResource.nsResSession.nsResSessAllocate …

    Target[nsResSessAllocate]: .1.3.6.1.4.1.3224.16.3.2.0&.1.3.6.1.4.1.3224.16.3.2.0:private@1.1.1.1:
    Options[nsResSessAllocate]: nopercent,growright,gauge,noinfo,noi
    Title[nsResSessAllocate]: ns5xt Session Utilization
    PageTop[nsResSessAllocate]: ns5xt Session Utilization

    MaxBytes[nsResSessAllocate]: 2048
    YLegend[nsResSessAllocate]: sessions
    ShortLegend[nsResSessAllocate]: sessions
    LegendI[nsResSessAllocate]:   Active :
    LegendO[nsResSessAllocate]:   Allocated:
    Legend1[nsResSessAllocate]: Allocated sessions
    Legend2[nsResSessAllocate]: Active sessions

    ad



  • @Gpaladin:

    That is the same OID as posted above and it does not work at all ;(

    Which OS do you have installed on your NS?

    ad



  • That is the same OID as posted above and it does not work at all ;(



  • @Gpaladin:

    The MRTG session OID above did not work. Anyone else have a working OID that measures active sessions on ScreenOS 4.0?

    The OID for ActiveSessions doesn't exist in 4.0.1r1 anymore; use .netscreen.netscreenResource.nsResSession.nsResSessAllocate (.1.3.6.1.4.1.3224.16.3.2.0) instead of nsResSessActive.

    bye
    ad



  • The MRTG session OID above did not work. Anyone else have a working OID that measures active sessions on ScreenOS 4.0?


 
