Nokia IP Firewall Checkpoint Template

nickman · Post by **nickman** » Thu Feb 16, 2006 11:18 am

I keep getting Error: XML parse error.
when trying to import this template ?
sorry im new to this any ideas?

Post by **gandalf** » Thu Feb 16, 2006 12:54 pm

What exactly were you doing when this error occured? Perhaps a screenshot or an output listing will help
Reinhard

nickman · Post by **nickman** » Fri Feb 17, 2006 5:52 am

cacti version 0.86f

cacti server is running ubuntu 2.6.12-9-686

Mysql 4.024-10

PHP version 5.0.5-2

rrdtool 5.0.5-2

When trying to import the XML file using "import from a file"
this is the error message I get (see attachment)
would really like to get this going as we have quite a few nokia HW fiewalls here
thank you

fmangeant · Post by **fmangeant** » Fri Feb 17, 2006 5:55 am

nickman wrote:cacti version 0.86f

Hi

Code: Select all

Template export from cacti0.8.6g

You need Cacti >= 0.8.6g to import this template.

nickman · Post by **nickman** » Fri Feb 17, 2006 6:11 am

thanks will update now

nickman · Post by **nickman** » Fri Feb 17, 2006 10:48 am

Right upgraded to h now.

Cant seem to geth the information back to the cacti server.
It can read the snmp i think - as it knows all the interaces of the firewalls.
I have enbled a rule on the FW's so it can talk snmp to the server - but the ps - ef command will not work on my version of the ipso on the nokia boxes. And I would like to see that both the ipso snmpd and the checkpoint snmp are running anyone know a ps switch for ipso version:

IPSO myfirewall 3.8-BUILD039 releng 1404 07.23.2004-193500 i386

nickman · Post by **nickman** » Fri Feb 17, 2006 11:04 am

My snmp walks come back like this :

root@cactiserver:~# snmpwalk -v1 -c public firewallipaddress .1.3.6.1.4.1.2620.1.6.7.2.4.0
SNMPv2-SMI::enterprises.2620.1.6.7.2.4.0 = INTEGER: 1
root@cactiserver:~#

is that a success on the IPSO snmp or the Checkpoint snmp.
Do I need to open udp port 260 for traffic back to the cacti server for the checkpoint snmp?

nickman · Post by **nickman** » Mon Feb 20, 2006 5:55 am

Ok, all my graphs work, except the firwewall graphs ! which are drawn, but empty, they have no data. The poller is running, and the snmp service is running on both the ipso and the firewall. any ideas?

Kenny · Post by **Kenny** » Mon Feb 20, 2006 10:02 am

try the following command:

Code: Select all

ps -aux | grep snmpd

You will get a reply like this:

Code: Select all

root       242  0.0  0.3  4172  848  ??  Ss   Fri10AM    1:59.28 /bin/snmpd -f
root       355  0.0  0.6  2392 1468  ??  Ss   Fri10AM    0:52.06 /opt/CPshared-R55/bin/cpsnmpd -p 260

if both snmpd's are running

Kenny · Post by **Kenny** » Mon Feb 20, 2006 10:10 am

What IPSo does, is that it's proxying the requests for the CheckPoint snmpd. So, if you want to get a connection-count of your firewall, you are asking IPSO to ask Checkpoint's snmp to give the connection-count.

All you need in your rulebase, is a general rule for your Cacti-host to be allowed to poll the firewall (e.g.

Code: Select all

src			 dst			service		action
Cacti-host	Firewall	 snmp-read	 allow

philuxe · Post by **philuxe** » Tue Feb 21, 2006 8:15 am

When you graph :

- Nb of Dropped packets
- Nb of Rejected packets
- Nb of Accepted packets

I m wondering what it means exactly !

Nb of Dropped packets : per second ? per minute ? .....

Post by **gandalf** » Tue Feb 21, 2006 8:39 am

These are COUNTER values and no CDEFs are applied to the Graph Templates. So its representing "items" per second
Reinhard

philuxe · Post by **philuxe** » Tue Feb 21, 2006 12:30 pm

lvm wrote:These are COUNTER values and no CDEFs are applied to the Graph Templates. So its representing "items" per second
Reinhard

Many thanks for your fast reply, I am testing that on a IP380 based cluster, why didn't you keep the memory usage as proposed in the first template of this topic ?

Post by **gandalf** » Wed Feb 22, 2006 11:48 am

philuxe wrote:
lvm wrote:These are COUNTER values and no CDEFs are applied to the Graph Templates. So its representing "items" per second
Reinhard
Many thanks for your fast reply, I am testing that on a IP380 based cluster, why didn't you keep the memory usage as proposed in the first template of this topic ?

Oops, must have missed that. I'm just curious with some other bad things around my fw's. But by the way I discovered some other nice OIDs. Perhaps I'll get to this bit some days later ...
Reinhard

riz · Post by **riz** » Wed Feb 22, 2006 12:55 pm

But by the way I discovered some other nice OIDs. Perhaps I'll get to this bit some days later ...

..ooh ooh, I'm interested!

..I for one, would appreciate any other CP/Nokia templates that might get offered up!

BTW, does anyone experience huge spikes (up to 14M) on all three graphs (accepted,dropped and logged) on a policy push?

..I only just started monitoring these three last night and all were looking very pweety until I pushed a policy this morning and now I just have a nasty spike in all three (???), with no meaningful data visable??

What I don't understand is why the spike is exactly the same on all three? (either accept it or drop it!?) O_o

cheers,
riz.

Nokia IP Firewall Checkpoint Template

Who is online