Monitoring firewall/router refused.

Postby sophisticated » Fri Nov 22, 2019 3:45 am

Welcome back! I would like to monitor our firewall, so I added it to switch.cfg. On the firewall I added a rule to unblock port 12489, but it returns to me, among others: CPU LOAD connect to address 192.168.3.6 and port 12489: Connection refused

Is it simply impossible to simply monitor CPU Load on a firewall?

CPU Load  CRITICAL  11-22-2019 09:42:04  0d 12h 30m 8s  3/3  connect to address 192.168.3.6 and port 12489: Connection refused
PING  OK  11-22-2019 09:38:35  0d 12h 32m 48s  1/3  PING OK - Packet loss = 0%, RTA = 0.90 ms
Port 1 Bandwidth Usage  UNKNOWN  11-22-2019 09:35:01  0d 12h 25m 15s  3/3  check_mrtgtraf: Unable to open MRTG log file
Port 1 Link Status  OK  11-22-2019 09:36:17  0d 0h 45m 54s  1/3  SNMP OK - up(1)
Port 2 Link Status  CRITICAL  11-22-2019 09:39:45  0d 0h 42m 26s  3/3  SNMP CRITICAL - *up(1)*
Uptime  CRITICAL  11-22-2019 09:40:58  0d 12h 31m 13s  3/3  connect to address 192.168.3.6 and port 12489: Connection refused

And why is it monitoring memory usage or NSClient version?

Code:
###############################################################################
# SWITCH.CFG - SAMPLE CONFIG FILE FOR MONITORING A SWITCH
#
#
# NOTES: This config file assumes that you are using the sample configuration
#    files that get installed with the Nagios quickstart guide.
#
###############################################################################



###############################################################################
#
# HOST DEFINITIONS
#
###############################################################################

# Define the switch that we'll be monitoring

define host {

    use                     generic-switch                      ; Inherit default values from a template
    host_name               netgear-xs712t                     ; The name we're giving to this switch
    alias                   Serwerownia04              ; A longer name associated with the switch
    address                 172.16.15.212                       ; IP address of the switch
    hostgroups              switches                            ; Host groups this switch is associated with
}
define host {
    use                    generic-switch          ; Inherit default values from a template
    host_name              firewall         ; The name we're giving to this switch
    alias                  ZyWALL USG 300   ; A longer name associated with the switch
    address                192.168.3.6           ; IP address of the switch
    hostgroups             switches       ; Host groups this switch is associated with
}


###############################################################################
#
# HOST GROUP DEFINITIONS
#
###############################################################################

# Create a new hostgroup for switches

define hostgroup {

    hostgroup_name          switches                            ; The name of the hostgroup
    alias                   Network Switches                    ; Long name of the group
}



###############################################################################
#
# SERVICE DEFINITIONS
#
###############################################################################

# Create a service to PING to switch

define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall                     ; The name of the host the service is associated with
    service_description     PING                                ; The service description
    check_command           check_ping!200.0,20%!600.0,60%      ; The command used to monitor the service
    check_interval          5                                   ; Check the service every 5 minutes under normal conditions
    retry_interval          1                                   ; Re-check the service every minute until its final/hard state is determined
}



# Monitor uptime via SNMP

define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Uptime
    check_command           check_snmp!-C public -o sysUpTime.0
}



# Monitor Port 1 status via SNMP

define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Port 1 Link Status
    check_command           check_snmp!-C public -o ifOperStatus.1 -r 1 -m RFC1213-MIB
}


define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Port 2 Link Status
    check_command           check_snmp!-C public -o ifOperStatus.1 -r 2 -m RFC1213-MIB
}



# Monitor bandwidth via MRTG logs

define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Port 1 Bandwidth Usage
    check_command           check_local_mrtgtraf!/var/lib/mrtg/192.168.3.6_1.log!AVG!1000000,1000000!5000000,5000000!10
}
sophisticated
 
Posts: 12
Joined: Wed Nov 20, 2019 3:03 pm

Re: Monitoring firewall/router refused.

Postby scottwilkerson » Fri Nov 22, 2019 4:04 pm

I'm confused, are you trying to run NSclient on your firewall?

You didn't post any configs for the service description "CPU Load" so I'm not sure what is going on.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
scottwilkerson
DevOps Engineer
 
Posts: 17024
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Monitoring firewall/router refused.

Postby sophisticated » Sat Nov 23, 2019 1:54 pm

When it comes to monitoring NSClient, the point was whether it could be monitored at all. However, it turned out that I defined all hosts. That's why it wanted to monitor it on the firewall. I did not want to monitor it :D

As for CPU Load, it returns connection refused to me.

Code:
define host {
    use                    generic-switch          ; Inherit default values from a template
    host_name              firewall         ; The name we're giving to this switch
    alias                  ZyWALL USG 300   ; A longer name associated with the switch
    address                192.168.3.6           ; IP address of the switch
    hostgroups             switches       ; Host groups this switch is associated with
}


###############################################################################
#
# HOST GROUP DEFINITIONS
#
###############################################################################

# Create a new hostgroup for switches

define hostgroup {

    hostgroup_name          switches                            ; The name of the hostgroup
    alias                   Network Switches                    ; Long name of the group
}



###############################################################################
#
# SERVICE DEFINITIONS
#
###############################################################################

# Create a service to PING to switch

define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall                     ; The name of the host the service is associated with
    service_description     PING                                ; The service description
    check_command           check_ping!200.0,20%!600.0,60%      ; The command used to monitor the service
    check_interval          5                                   ; Check the service every 5 minutes under normal conditions
    retry_interval          1                                   ; Re-check the service every minute until its final/hard state is determined
}



# Monitor uptime via SNMP

define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Uptime
    check_command           check_snmp!-C public  -o sysUpTime.0
}



# Monitor Port 1 status via SNMP

define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Port 1 Link Status
    check_command           check_snmp!-C public  -o ifOperStatus.1 -r 1 -m RFC1213-MIB
}


define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Port 2 Link Status
    check_command           check_snmp!-C public  -o ifOperStatus.2 -r 1 -m RFC1213-MIB
}


define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Port 3 Link Status
    check_command           check_snmp!-C public  -o ifOperStatus.3 -r 1 -m RFC1213-MIB
}

define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Port 4 Link Status
    check_command           check_snmp!-C public  -o ifOperStatus.4 -r 1 -m RFC1213-MIB
}


define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Port 5 Link Status
    check_command           check_snmp!-C public  -o ifOperStatus.5 -r 1 -m RFC1213-MIB
}


define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Port 6 Link Status
    check_command           check_snmp!-C public  -o ifOperStatus.6 -r 1 -m RFC1213-MIB
}

define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Port 7 Link Status
    check_command           check_snmp!-C public  -o ifOperStatus.7 -r 1 -m RFC1213-MIB
}

define service {

    use                     generic-service,srv-pnp
    host_name               firewall
    service_description     CPU Load
    check_command           check_nt!CPULOAD!-l 5,80,90
}





# Monitor bandwidth via MRTG logs

define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Port 1 Bandwidth Usage
    check_command           check_mrtgtraf!/var/www/mrtg/192.168.3.6_40.log!AVG!1000000,1000000!5000000,5000000!10
}



# Monitor ports 1 - 6 on the Cisco core switch.
define service {
    use                   generic-service
    host_name             firewall
    service_description   Ports 1-7 Link Status
    check_command         check_snmp!-C public  -o ifOperStatus.1 -r 1 -m RFC1213-MIB, -o ifOperStatus.2 -r 1 -m RFC1213-MIB, -o ifOperStatus.3 -r 1 -m RFC1213-MIB, -o ifOperStatus.4 -r 1 -m RFC1213-MIB, -o ifOperStatus.5 -r 1 -m RFC1213-MIB, -o ifOperStatus.6 -r 1 -m RFC1213-MIB, -o ifOperStatus.7 -r 1 -m RFC1213-MIB
}
sophisticated
 
Posts: 12
Joined: Wed Nov 20, 2019 3:03 pm

Re: Monitoring firewall/router refused.

Postby scottwilkerson » Mon Nov 25, 2019 7:49 am

Your CPU Load command contains this check_command
Code:
check_command           check_nt!CPULOAD!-l 5,80,90


check_nt is for connecting to NSClient++ agents; unless you have the NSClient++ agent installed, you are going to get a connection refused.

I would alternatively suggest finding a plugin on the Nagios Exchange that can monitor your CPU via SNMP
http://exchange.nagios.org/
scottwilkerson
DevOps Engineer
 
Posts: 17024
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
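
A config lint for the mistake diagnosed in the reply above, as an added example that is not part of the original thread or of Nagios itself: it flags check_nt services (which need an NSClient++ agent) assigned to hosts that inherit generic-switch, and also reports check_snmp services still using the community string public. The AGENT_COMMANDS and AGENTLESS_TEMPLATES sets and the trimmed sample config are assumptions made for this example.

```python
import re

# Constructed sample, trimmed from the definitions posted in this thread.
SAMPLE = """
define host {
    use        generic-switch
    host_name  firewall
}
define service {
    host_name            netgear-xs712t,firewall
    service_description  Uptime
    check_command        check_snmp!-C public -o sysUpTime.0
}
define service {
    host_name            firewall
    service_description  CPU Load
    check_command        check_nt!CPULOAD!-l 5,80,90   ; needs NSClient++
}
"""

AGENT_COMMANDS = {"check_nt"}             # assumption: plugins that need an agent on the target
AGENTLESS_TEMPLATES = {"generic-switch"}  # assumption: hosts using this template run no agent

def parse_objects(text):
    """Yield (type, {directive: value}) for each 'define <type> { ... }' block."""
    for kind, body in re.findall(r"define\s+(\w+)\s*\{(.*?)\}", text, re.S):
        attrs = {}
        for line in body.splitlines():
            parts = line.split(";", 1)[0].split(None, 1)  # drop inline ';' comments
            if len(parts) == 2 and not parts[0].startswith("#"):
                attrs[parts[0]] = parts[1].strip()
        yield kind, attrs

def audit(text):
    """Return a list of (host, service_description, finding) tuples."""
    objs = list(parse_objects(text))
    agentless = {a.get("host_name") for k, a in objs if k == "host"
                 and AGENTLESS_TEMPLATES & set(a.get("use", "").split(","))}
    findings = []
    for a in (a for k, a in objs if k == "service"):
        command, _, args = a.get("check_command", "").partition("!")
        hosts = [h.strip() for h in a.get("host_name", "").split(",")]
        desc = a.get("service_description", "?")
        if command in AGENT_COMMANDS:
            findings += [(h, desc, "agent check on agentless host") for h in hosts if h in agentless]
        if command == "check_snmp" and re.search(r"-C\s+public\b", args):
            findings += [(h, desc, "default SNMP community 'public'") for h in hosts]
    return findings
```

Calling audit() on the text of switch.cfg returns one tuple per affected host and service; an empty list means neither condition was found.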

Re: Monitoring firewall/router refused.

Postby sophisticated » Tue Nov 26, 2019 2:26 am

Ok,

thanks! You can close :)
sophisticated
 
Posts: 12
Joined: Wed Nov 20, 2019 3:03 pm

Re: Monitoring firewall/router refused.

Postby scottwilkerson » Tue Nov 26, 2019 7:27 am

sophisticated wrote:Ok,

thanks! You can close :)


Great!

Locking
scottwilkerson
DevOps Engineer
 
Posts: 17024
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

