
Monitoring firewall/router refused.

Posted: Fri Nov 22, 2019 3:45 am
by sophisticated
Welcome back! I would like to monitor our firewall, so I added it to switch.cfg. On the firewall I added port 12489 to unblock, but it returns to me, among others: CPU LOAD connect to address 192.168.3.6 and port 12489: Connection refused

Is it simply impossible to monitor CPU Load on a firewall?

CPU Load
CRITICAL 11-22-2019 09:42:04 0d 12h 30m 8s 3/3 connect to address 192.168.3.6 and port 12489: Connection refused
PING
OK 11-22-2019 09:38:35 0d 12h 32m 48s 1/3 PING OK - Packet loss = 0%, RTA = 0.90 ms
Port 1 Bandwidth Usage
UNKNOWN 11-22-2019 09:35:01 0d 12h 25m 15s 3/3 check_mrtgtraf: Unable to open MRTG log file
Port 1 Link Status
OK 11-22-2019 09:36:17 0d 0h 45m 54s 1/3 SNMP OK - up(1)
Port 2 Link Status
CRITICAL 11-22-2019 09:39:45 0d 0h 42m 26s 3/3 SNMP CRITICAL - *up(1)*
Uptime
CRITICAL 11-22-2019 09:40:58 0d 12h 31m 13s 3/3 connect to address 192.168.3.6 and port 12489: Connection refused

And why is it monitoring memory usage or NSClient version?

Code:

###############################################################################
# SWITCH.CFG - SAMPLE CONFIG FILE FOR MONITORING A SWITCH
#
#
# NOTES: This config file assumes that you are using the sample configuration
#    files that get installed with the Nagios quickstart guide.
#
###############################################################################



###############################################################################
#
# HOST DEFINITIONS
#
###############################################################################

# Define the switch that we'll be monitoring

define host {

    use                     generic-switch                      ; Inherit default values from a template
    host_name               netgear-xs712t                     ; The name we're giving to this switch
    alias                   Serwerownia04              ; A longer name associated with the switch
    address                 172.16.15.212                       ; IP address of the switch
    hostgroups              switches                            ; Host groups this switch is associated with
}
define host {
    use                    generic-switch          ; Inherit default values from a template
    host_name              firewall         ; The name we're giving to this switch
    alias                  ZyWALL USG 300   ; A longer name associated with the switch
    address                192.168.3.6           ; IP address of the switch
    hostgroups             switches       ; Host groups this switch is associated with
}


###############################################################################
#
# HOST GROUP DEFINITIONS
#
###############################################################################

# Create a new hostgroup for switches

define hostgroup {

    hostgroup_name          switches                            ; The name of the hostgroup
    alias                   Network Switches                    ; Long name of the group
}



###############################################################################
#
# SERVICE DEFINITIONS
#
###############################################################################

# Create a service to PING to switch

define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall                     ; The name of the host the service is associated with
    service_description     PING                                ; The service description
    check_command           check_ping!200.0,20%!600.0,60%      ; The command used to monitor the service
    check_interval          5                                   ; Check the service every 5 minutes under normal conditions
    retry_interval          1                                   ; Re-check the service every minute until its final/hard state is determined
}



# Monitor uptime via SNMP

define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Uptime
    check_command           check_snmp!-C public -o sysUpTime.0
}



# Monitor Port 1 status via SNMP

define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Port 1 Link Status
    check_command           check_snmp!-C public -o ifOperStatus.1 -r 1 -m RFC1213-MIB
}


define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Port 2 Link Status
    check_command           check_snmp!-C public -o ifOperStatus.1 -r 2 -m RFC1213-MIB
}



# Monitor bandwidth via MRTG logs

define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Port 1 Bandwidth Usage
    check_command           check_local_mrtgtraf!/var/lib/mrtg/192.168.3.6_1.log!AVG!1000000,1000000!5000000,5000000!10
}

Re: Monitoring firewall/router refused.

Posted: Fri Nov 22, 2019 4:04 pm
by scottwilkerson
I'm confused, are you trying to run NSclient on your firewall?

You didn't post any configs for the service description "CPU Load" so I'm not sure what is going on.

Re: Monitoring firewall/router refused.

Posted: Sat Nov 23, 2019 1:54 pm
by sophisticated
When it comes to monitoring NSClient, the point was whether it could be monitored at all. However, it turned out that I defined all hosts. That's why it wanted to monitor it on the firewall. I did not want to monitor it :D

As for CPU Load, it returns connection refused to me.

Code:

define host {
    use                    generic-switch          ; Inherit default values from a template
    host_name              firewall         ; The name we're giving to this switch
    alias                  ZyWALL USG 300   ; A longer name associated with the switch
    address                192.168.3.6           ; IP address of the switch
    hostgroups             switches       ; Host groups this switch is associated with
}


###############################################################################
#
# HOST GROUP DEFINITIONS
#
###############################################################################

# Create a new hostgroup for switches

define hostgroup {

    hostgroup_name          switches                            ; The name of the hostgroup
    alias                   Network Switches                    ; Long name of the group
}



###############################################################################
#
# SERVICE DEFINITIONS
#
###############################################################################

# Create a service to PING to switch

define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall                     ; The name of the host the service is associated with
    service_description     PING                                ; The service description
    check_command           check_ping!200.0,20%!600.0,60%      ; The command used to monitor the service
    check_interval          5                                   ; Check the service every 5 minutes under normal conditions
    retry_interval          1                                   ; Re-check the service every minute until its final/hard state is determined
}



# Monitor uptime via SNMP

define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Uptime
    check_command           check_snmp!-C public  -o sysUpTime.0
}



# Monitor Port 1 status via SNMP

define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Port 1 Link Status
    check_command           check_snmp!-C public  -o ifOperStatus.1 -r 1 -m RFC1213-MIB
}


define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Port 2 Link Status
    check_command           check_snmp!-C public  -o ifOperStatus.2 -r 1 -m RFC1213-MIB
}


define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Port 3 Link Status
    check_command           check_snmp!-C public  -o ifOperStatus.3 -r 1 -m RFC1213-MIB
}

define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Port 4 Link Status
    check_command           check_snmp!-C public  -o ifOperStatus.4 -r 1 -m RFC1213-MIB
}


define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Port 5 Link Status
    check_command           check_snmp!-C public  -o ifOperStatus.5 -r 1 -m RFC1213-MIB
}


define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Port 6 Link Status
    check_command           check_snmp!-C public  -o ifOperStatus.6 -r 1 -m RFC1213-MIB
}

define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Port 7 Link Status
    check_command           check_snmp!-C public  -o ifOperStatus.7 -r 1 -m RFC1213-MIB
}

define service {

    use                     generic-service,srv-pnp
    host_name               firewall
    service_description     CPU Load
    check_command           check_nt!CPULOAD!-l 5,80,90
}





# Monitor bandwidth via MRTG logs

define service {

    use                     generic-service                     ; Inherit values from a template
    host_name               netgear-xs712t,firewall
    service_description     Port 1 Bandwidth Usage
    check_command           check_mrtgtraf!/var/www/mrtg/192.168.3.6_40.log!AVG!1000000,1000000!5000000,5000000!10
}



# Monitor ports 1 - 6 on the Cisco core switch.
define service {
    use                   generic-service
    host_name             firewall
    service_description   Ports 1-7 Link Status
    check_command         check_snmp!-C public  -o ifOperStatus.1 -r 1 -m RFC1213-MIB, -o ifOperStatus.2 -r 1 -m RFC1213-MIB, -o ifOperStatus.3 -r 1 -m RFC1213-MIB, -o ifOperStatus.4 -r 1 -m RFC1213-MIB, -o ifOperStatus.5 -r 1 -m RFC1213-MIB, -o ifOperStatus.6 -r 1 -m RFC1213-MIB, -o ifOperStatus.7 -r 1 -m RFC1213-MIB
}

Re: Monitoring firewall/router refused.

Posted: Mon Nov 25, 2019 7:49 am
by scottwilkerson
Your CPU Load command contains this check_command

Code:

check_command           check_nt!CPULOAD!-l 5,80,90

check_nt is for connecting to NSClient++ agents; unless you have the NSClient++ agent installed, you are going to get a connection refused.

I would alternatively suggest finding a plugin on the Nagios Exchange that can monitor your CPU via SNMP:
http://exchange.nagios.org/
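
Added example, not part of the original posts and not Nagios project code: a small Python lint that reads Nagios object definitions and reports the two things this thread turns on, a `check_nt` service bound to a host with no NSClient++ agent (the cause of the "Connection refused" on port 12489) and `check_snmp` services still using the community string `public`. The sample configuration is constructed from the posted switch.cfg, and treating the `windows-server` template as the marker for agent hosts is an assumption.

```python
import re

# Constructed sample, cut down from the configuration posted in this thread.
SAMPLE_CFG = """
define host {
    use                  generic-switch   ; inherited template
    host_name            firewall
}
define service {
    host_name            netgear-xs712t,firewall
    service_description  Uptime
    check_command        check_snmp!-C public -o sysUpTime.0
}
define service {
    host_name            firewall
    service_description  CPU Load
    check_command        check_nt!CPULOAD!-l 5,80,90
}
"""
# Assumption: hosts that run NSClient++ inherit the sample "windows-server" template.
AGENT_TEMPLATES = {"windows-server"}

def parse_objects(text):
    """Return (type, {directive: value}) for each 'define <type> { ... }' block."""
    objects = []
    for kind, body in re.findall(r"define\s+(\w+)\s*\{(.*?)\}", text, re.S):
        attrs = {}
        for line in body.splitlines():
            parts = line.split(";", 1)[0].split(None, 1)  # drop ';' comments
            if len(parts) == 2 and not parts[0].startswith("#"):
                attrs[parts[0]] = parts[1].strip()
        objects.append((kind, attrs))
    return objects

def lint(text):
    """Flag agent-based checks on agentless hosts and the default SNMP community."""
    objs = parse_objects(text)
    templates = {a.get("host_name"): set(a.get("use", "").split(",")) for k, a in objs if k == "host"}
    findings = []
    for svc in (a for kind, a in objs if kind == "service"):
        command, desc = svc.get("check_command", ""), svc.get("service_description")
        for host in (h.strip() for h in svc.get("host_name", "").split(",")):
            if command.startswith("check_nt!") and not templates.get(host, set()) & AGENT_TEMPLATES:
                findings.append((host, desc, "check_nt without NSClient++"))
            if re.search(r"-C\s+public\b", command):
                findings.append((host, desc, "default SNMP community"))
    return findings

if __name__ == "__main__":
    print(*lint(SAMPLE_CFG), sep="\n")
```
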

Re: Monitoring firewall/router refused.

Posted: Tue Nov 26, 2019 2:26 am
by sophisticated
Ok,

thanks! You can close :)

Re: Monitoring firewall/router refused.

Posted: Tue Nov 26, 2019 7:27 am
by scottwilkerson
sophisticated wrote:
Ok,

thanks! You can close :)

Great!

Locking