This side gives a rough description on how to monitor Checkpoint Firewall-1 using MRTG. We are using MRTG running locally on each filter module, so that SNMP is not required. Basically MRTG is used for drawing the graphs only. Maybe in the near future we will use Cricket.
The advantage are:
- every (system) value can be monitored even when not accessible by snmp
- no need to allow snmp to the filter itself
- process gathering data even when ethernet or systembus is clogged
- ease of use (well, you will see)
The shortcomings are:
- Perl needs to run on the filter module
- pictures are generated in fixed periods of time and thereby CPU is "wasted"
I think the shortcomings are acceptable. Well, you can say that one fine day an intruder might be able to run Perl- scripts on your filter. O.K. ... Right. But, be honest, if a Blackhat is able to penetrate your filter so that he can run scripts on it, it doesen't really matter any more, does it ?
This stuff is heavily tailored for Fireall-1 running on Solaris 6/7 (32 bit). This is before NG has come into beeing. On these machines Checkpoint doesen't scale over multiple CPUs, but Solaris and its drivers do. On multi CPU machines you do not have much loss since MRTG or the rateup binary is always running on an other CPU than the Checkpoint Software.
We are montoring two values only, using scripts feeding them into MRTG:
- systemload (output of the command w)
#!/usr/local/bin/bash
uptime | sed 's/,/ /g' | awk '{printf "%d\n0\n",$(NF-2)*100}'
- number of connections in the state table: fw tab -t connections -u | wc -l
#!/usr/local/bin/bash
/opt/CPfw1-41/bin/fw tab -t connections -u | wc -l | sed 's/ //g'
echo 0
- currently we are working on a script which is processing the delta of fw stat -ls per interface and time
MRTG by itself is made of Perl (the MRTG- Programm) and a tiny binary (rateup) which needs to be compiled. Well, the binaries are sometimes hard to get and difficult to compile if you haven't got a suitable platform handy. I have made a tarball for download (http://www.joerg.cc/downloads/mrtg-271-exec.tar) which should contain everything you need, which is the MRTG- stuff, the rateup binary, mrtg.config and two shell scripts cmd.sh,cmd1.sh feeding MRTG with the above mentioned values.
Additionally you will need to have installed the following packages on Solaris 6/7 . Please note that these are configurations we tried and consider as working. Other package- versions might also be suitable. You can get the packages from www.ibiblio.org/pub/packages/solaris/sparc.
- gd.1.8.1.SPARC.32bit.Solaris.7.pkg.tgz
- gdbm-1.7.3-sol7-sparc-local.gz
- libpng.1.0.6.p3.SPARC.32bit.Solaris.7.pkg.tgz
- perl-5.005_02-sol7-sparc-local.gz
- zlib.1.1.3.SPARC.32bit.Solaris.7.pkg.tgz
Because of numerous requests I have placed some more recent rateup binaries (MRTG 2.9.27, Solaris 8 and MRTG 2.10.5, Solaris 9) on my server.
MRTG 2.9.27, Solaris 8
MRTG 2.10.5, Solaris 9
If you have any questions and comments I would like to hear from you:
<fritsch@joerg.cc>,
![[Home]](/wikibilder/jss.gif)
MyMRTG Page
