Monitoring through VPN

Posted: Mon Sep 28, 2015 7:32 am
by MichielvM
Hi all,

Bear with me, as this may sound like a dumb question, but I need to get my facts straight in order to convince some people.
I'm faced with:
- 1 (Virtual) Nagios server on my end.
- 30+ (and growing) customers, each running a maximum of 3 hosts for me to monitor.
- Most (i.e. all) of the hosts are only accessible through VPN.
- Firewall/VPN is managed by the customer IT dept.

What does the customer IT dept. have to do in order to have these hosts properly monitored.
(So far I have only worked with larger customers, which had local Nagios servers within their network.)
I just need basic monitoring. (host alive/cpu/mem/disk usage/services/databases)

They should:
- Allow Inbound traffic over port 80 (ICMP/Ping) from the Nagios server
- Allow outbound traffic over port 5666/12489 to the Nagios server
- ... ?

I have no problems configuring Nagios and hosts etc. but the whole networking/vpn/firewall bit is out of my league.
At my former job I had Networking staff working this out for us. LOL

Re: Monitoring through VPN

Posted: Mon Sep 28, 2015 9:19 am
by jdalrymple
Typically nailed up VPNs are treated like local network segments. Not always - but typically. If that's the case in your environment there is nothing for you to do.

If it is not the case you are on the right track.

Allow access inbound to the customer network on 5666 and 12489 (specifically for NRPE and nsclient). If you need to use other monitoring agents such as WMI and/or SNMP that may need to be expanded.

If your clients need access to the Nagios web interface, then yes you'll also need access inbound to your network on port 80.

Re: Monitoring through VPN

Posted: Mon Sep 28, 2015 9:54 am
by MichielvM
I'll get in touch with the networking guys.
thanks for the feedback.

Re: Monitoring through VPN

Posted: Mon Sep 28, 2015 11:21 am
by hsmith
Let us know.

Thanks!

Re: Monitoring through VPN

Posted: Mon Oct 05, 2015 4:13 am
by MichielvM
jdalrymple wrote: Typically nailed up VPNs are treated like local network segments. Not always - but typically. If that's the case in your environment there is nothing for you to do.

If it is not the case you are on the right track.

Allow access inbound to the customer network on 5666 and 12489 (specifically for NRPE and nsclient). If you need to use other monitoring agents such as WMI and/or SNMP that may need to be expanded.

If your clients need access to the Nagios web interface, then yes you'll also need access inbound to your network on port 80.

What about outbound traffic?

Re: Monitoring through VPN

Posted: Mon Oct 05, 2015 4:16 am
by MichielvM
jdalrymple wrote: Typically nailed up VPNs are treated like local network segments. Not always - but typically. If that's the case in your environment there is nothing for you to do.

If it is not the case you are on the right track.

Allow access inbound to the customer network on 5666 and 12489 (specifically for NRPE and nsclient). If you need to use other monitoring agents such as WMI and/or SNMP that may need to be expanded.

If your clients need access to the Nagios web interface, then yes you'll also need access inbound to your network on port 80.

I need port 80 for pings (host alive), don't I?

Re: Monitoring through VPN

Posted: Mon Oct 05, 2015 6:06 am
by jdalrymple
ICMP doesn't use TCP or UDP ports like IP traffic does, it is a totally different protocol operating at layer 3. You will need to allow ICMP echoreq in order to use check_ping for your check-host-alive command. That command could be altered though, check-host-alive could be a simple NRPE check with no arguments. The only thing to be wary of is that if the NRPE daemon failed it would appear as though your host were down when in fact it may not be.

Regarding outbound traffic - it should be noted that outbound traffic is unpredictable. Typically you would write your rule to read something like this:

Allow traffic to go out of my network from the Nagios host on any (high) port as long as it's headed towards my monitored host on port 5666.

You can't really get any more specific than that because, as I mentioned, outbound connections are unpredictable in that regard. Your networking guys should understand this. Typically on egress traffic you don't scrutinize where traffic is from, but rather where it's headed to. Does that make sense?
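To make the rule logic above concrete, here is a small stateful-firewall model written for this thread (not code from the forum or from Nagios). It sits on the customer's side of the VPN, allows only new connections initiated by the Nagios server on the NRPE/NSClient++ ports plus ICMP echo-request, lets replies through on connection state (so the random high source port needs no rule), and shows that "port 80 for ping" does nothing. The IP addresses are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses: Nagios server on "our" side, one monitored host
# behind the customer's VPN/firewall. Placeholders, not from the thread.
NAGIOS = "10.0.0.10"
CUSTOMER_HOST = "192.168.50.20"
NRPE_PORT = 5666        # check_nrpe -> NRPE daemon (Linux hosts)
NSCLIENT_PORT = 12489   # check_nt -> NSClient++ (Windows hosts)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp" or "icmp"
    sport: Optional[int] = None      # None for ICMP: it has no ports
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # "echo-request" / "echo-reply"


class CustomerFirewall:
    """Stateful filter as seen from the customer's side of the VPN."""

    def __init__(self, nagios_ip: str, allow_icmp: bool = True):
        self.nagios_ip = nagios_ip
        self.allow_icmp = allow_icmp
        self.state = set()  # (src, sport, dst, dport) of accepted TCP flows

    def accept(self, p: Packet) -> bool:
        # Reply to a flow Nagios opened: matched by state, no rule for the
        # (unpredictable) high source port is needed.
        if p.proto == "tcp" and (p.dst, p.dport, p.src, p.sport) in self.state:
            return True
        # New connections must be initiated by the Nagios server ("inbound").
        if p.src != self.nagios_ip:
            return False
        if p.proto == "icmp":  # layer 3, no port: port 80 is irrelevant
            return self.allow_icmp and p.icmp_type == "echo-request"
        if p.proto == "tcp" and p.dport in (NRPE_PORT, NSCLIENT_PORT):
            self.state.add((p.src, p.sport, p.dst, p.dport))
            return True
        return False


def host_alive_check(fw: CustomerFirewall, method: str) -> bool:
    """True if a check-host-alive of the given kind gets through."""
    if method == "ping":
        return fw.accept(Packet(NAGIOS, CUSTOMER_HOST, "icmp", icmp_type="echo-request"))
    req = Packet(NAGIOS, CUSTOMER_HOST, "tcp", sport=51234, dport=NRPE_PORT)
    rep = Packet(CUSTOMER_HOST, NAGIOS, "tcp", sport=NRPE_PORT, dport=51234)
    return fw.accept(req) and fw.accept(rep)
```

With ICMP blocked, `host_alive_check(fw, "ping")` fails while the NRPE variant still succeeds, which is the fallback jdalrymple describes (with the caveat that a dead NRPE daemon then looks like a dead host).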

Re: Monitoring through VPN

Posted: Wed Oct 07, 2015 5:10 am
by MichielvM
To be quite honest: No. Your TO's and FROM's puzzle me. It depends on from which side you're looking, right?

My situation is that my Nagios server is on my side. (my point of view so to say)
My customers' hosts are behind their own firewall/VPN.
I need my Nagios server to monitor through customer's firewall/VPN.

So imho: the customers' networking dept. needs to allow not outbound but inbound traffic. Right?

Re: Monitoring through VPN

Posted: Wed Oct 07, 2015 9:11 am
by hsmith
You should find out if they are blocking ICMP. It all depends on the environment. If you find out they are blocking ICMP, you'll have to set up another type of check. From what I understand, blocking ICMP is pretty common in secure type environments.

Perhaps a read of this document will better familiarize you with alternative checks?