| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Unfortunately I cannot help you with MRTG. We use Cacti for our Nokia firewalls, it is similar to MRTG but more modern in my opinion. Maybe it is an option for you as well. |
| |||
| A colleague did implement the Cacti monitoring, not me. Maybe you should ask in the Cacti forum for help, too, try this as a start: [revisited] Nokia IP Firewall Checkpoint Template V0.2 |
| |||
| Many years ago, MRTG was semi-officially packaged by someone inside Nokia. It should still work fine, though it'll be an old version now. You could ask your Nokia SE to search the employee view of the support database. |
| |||
| I use Cacti and Nagios for monitoring Nokia Checkpoint firewalls and it works quite well. Configuring Cacti is pretty easy once you understand how the application works. It took me a few days of work to find everything I needed to get the graphs and layout I wanted. It's great for reporting on both Nokia and Checkpoint values, but make sure SNMP is enabled in both Checkpoint and Nokia and I would suggest using SNMP v3 for security reasons.

Some of the values I monitor:

Checkpoint
- Connections
- Accepts
- Drops
- Rejects
- Logged
- Memory
- CPU
- Interface Statistics

Nokia
- Interface Statistics
- Hard Drive Partitions

To send alerts, I use Nagios. It's free and does everything I need in terms of alerting. I have configured the perl scripts from Nagios plugins to alert on the following:

- Any time hard drive space gets to 80%/90% full
- Any time the CPU load goes over 90% for more than 5 minutes
- Any time the SVN status returns a value other than OK
- Any time one of the Nokia Cluster Members (Active Active Loadsharing) has a load of more than 80%
- Any time the firewall is unreachable via ICMP from the monitoring server.

I find that between the two systems (on the same server) I have a good idea of the status of my firewalls as well as a historical record of the most common statistics. In a distributed environment I would have to log in to 20-30 SmartCenters to get this information. In terms of statistical analysis, it is a great tool to trend traffic, especially when dealing with capacity planning.

I have included a few crappy screenshots of a few lab systems. I think right now I am monitoring 10 firewalls with plans to roll out to another 50 in the coming months.

While there is a risk of enabling SNMP on a firewall, I believe that with the proper policies and processes in place you can mitigate much of the risk involved.

- Use SNMP v3 for encryption and integrity of the credentials and don't use Read/Write
- Keep your monitoring software updated
- Restrict access to the firewall to the monitoring server, over only necessary ports
- Authenticate users on the monitoring server with Read-Only access for most, if not all data consumers

A few resources:

- Nagios plugins
- Securing Nagios
- SANS Institute - Building a Secure Nagios Server
- Cacti: The Complete RRDTool-based Graphing Solution
- GroundWork Open Source IT Monitoring and Network Monitoring Software

lodown

Last edited by lodown; 2008-06-05 at 08:11. |
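The alert rules listed in the post above, as an added example that is not part of the original thread or of the Nagios plugins it mentions: a Python evaluation of those rules over constructed poll samples, showing in particular how "over 90% for more than 5 minutes" differs from alerting on a single spike. Treating 80%/90% as WARNING/CRITICAL, the sample data layout and all function names are assumptions.

```python
OK, WARNING, CRITICAL = 0, 1, 2   # standard Nagios plugin exit codes

def disk_state(used_pct, warn=80, crit=90):
    # 80%/90% come from the post; mapping them to WARNING/CRITICAL is assumed.
    if used_pct >= crit:
        return CRITICAL
    return WARNING if used_pct >= warn else OK

def cpu_state(samples, limit=90, hold_s=300):
    """CRITICAL only when CPU stays above `limit` for more than `hold_s` seconds.
    samples: (unix_time, cpu_pct) tuples sorted by time, e.g. one per SNMP poll."""
    run_start = None
    for ts, pct in samples:
        if pct > limit:
            if run_start is None:
                run_start = ts            # first sample of a new high-load run
            if ts - run_start > hold_s:
                return CRITICAL
        else:
            run_start = None              # any dip below the limit resets the run
    return OK

def svn_state(status):
    # The post alerts on any SVN status value other than OK.
    return OK if status == "OK" else CRITICAL

def cluster_state(member_loads, limit=80):
    # Returns the state plus the names of members above the load limit.
    over = sorted(name for name, load in member_loads.items() if load > limit)
    return (CRITICAL if over else OK), over

def evaluate(fw):
    """Worst state across all rules for one firewall record."""
    states = [disk_state(pct) for pct in fw["disk_pct"].values()]
    states += [cpu_state(fw["cpu"]), svn_state(fw["svn"]),
               cluster_state(fw["cluster"])[0]]
    if not fw["icmp_reachable"]:
        states.append(CRITICAL)
    return max(states)

# Constructed sample data (not taken from any real firewall).
SPIKE = [(0, 95), (60, 97), (120, 40), (180, 96), (240, 98)]
SUSTAINED = [(t, 95) for t in range(0, 421, 60)]
LAB_FW = {"disk_pct": {"/var": 83, "/opt": 41}, "cpu": SPIKE, "svn": "OK",
          "cluster": {"fw-a": 55, "fw-b": 62}, "icmp_reachable": True}

if __name__ == "__main__":
    raise SystemExit(evaluate(LAB_FW))    # exit code is what Nagios reads
```

In a stock Nagios setup the same "sustained" behaviour is often obtained with check retries instead of plugin logic; this block keeps it in the check so the rule is visible in one place.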