Search Exchange
Search All Sites
Nagios Live Webinars
Let our experts show you how Nagios can help your organization.Login
New ListingsDirectory Tree
Cisco - Check firewall ASA and PIX
This script check Cisco firewall (tested on Cisco PIX-515E and ASA-5500).
Modules included :
### Mode 1 - Failover ###
- fail over status for ptimary and secondary host
=> warning if primary = stanby and secondary = active
=> critical if primary or secondary = error
=> unknwon if failover is not configured
### Mode 2 - Sessions ###
- number of sessions in use
=> warning or critical exit if superior
- number of max session ever used
check_cisco_firewall.sh -H hostname -V version -M failover|sessions [-w|-c|-C|-l|-u|-a|-d|-h]
### PARAMETERS ###
-H Hostname (IP adresse or DNS name)
-V Version (1|2c|3)
-M Mode (failover|sessions)
### OPTIONNAL ###
-w Warning_Level (number of sessions before warning) *** Use on session mode ***
-c Critical_Level (number of sessions before critical) *** Use on session mode ***
-C Community (name) *** Use on Version 1|2 ***
-l Login (NoAuthNoPriv | AuthNoPriv | AuthPriv) *** Use on Version 3 ***
-u Username *** Use on Version 3 ***
-a Password *** Use on Version 3 ***
-d Debug mode
-h Help (print command usage, and quit)
Sample commands:
#./check_cisco_firewall.sh -H 192.168.0.1 -V 1 -M sessions -C Public -w 1000 -c 2000
OK - 45 sessions (max : 8209) | Current_Used=45
#./check_cisco_firewall.sh -H 192.168.0.1 -V 3 -l AuthNoPriv -u user -a password -M failover
OK - Primary = Active, Secondary = Standby | Actives_Nodes=2
#./check_cisco_firewall.sh -h
Display help
#./check_cisco_firewall.sh xxxxxx -d
Active debug mod
Modules included :
### Mode 1 - Failover ###
- fail over status for ptimary and secondary host
=> warning if primary = stanby and secondary = active
=> critical if primary or secondary = error
=> unknwon if failover is not configured
### Mode 2 - Sessions ###
- number of sessions in use
=> warning or critical exit if superior
- number of max session ever used
check_cisco_firewall.sh -H hostname -V version -M failover|sessions [-w|-c|-C|-l|-u|-a|-d|-h]
### PARAMETERS ###
-H Hostname (IP adresse or DNS name)
-V Version (1|2c|3)
-M Mode (failover|sessions)
### OPTIONNAL ###
-w Warning_Level (number of sessions before warning) *** Use on session mode ***
-c Critical_Level (number of sessions before critical) *** Use on session mode ***
-C Community (name) *** Use on Version 1|2 ***
-l Login (NoAuthNoPriv | AuthNoPriv | AuthPriv) *** Use on Version 3 ***
-u Username *** Use on Version 3 ***
-a Password *** Use on Version 3 ***
-d Debug mode
-h Help (print command usage, and quit)
Sample commands:
#./check_cisco_firewall.sh -H 192.168.0.1 -V 1 -M sessions -C Public -w 1000 -c 2000
OK - 45 sessions (max : 8209) | Current_Used=45
#./check_cisco_firewall.sh -H 192.168.0.1 -V 3 -l AuthNoPriv -u user -a password -M failover
OK - Primary = Active, Secondary = Standby | Actives_Nodes=2
#./check_cisco_firewall.sh -h
Display help
#./check_cisco_firewall.sh xxxxxx -d
Active debug mod
Reviews (7)
Usefull script, Thank you.
You can add -On -Oe parameters to snmpwalk.
Scripts will be ok if cisco mibs is present.
You can add -On -Oe parameters to snmpwalk.
Scripts will be ok if cisco mibs is present.
byonlinewebchecks, April 16, 2015
Perfect, works out of the box -V 3 on ASA 5510, with NoAuthNoPriv. Thanks
byphyo, December 2, 2014
Hi,
Which IP Address should use? VIP Address or Primary IP Address?
When I use VIP address, the output as follow.
[root@nagios01 libexec]# ./check_cisco_firewall.sh -V 2c -C public -H 192.168.50.17 -M failover
Unknown - Primary = Down, Secondary = Down | Actives_Nodes=0
[root@nagios01 libexec]#
Thanks.
Which IP Address should use? VIP Address or Primary IP Address?
When I use VIP address, the output as follow.
[root@nagios01 libexec]# ./check_cisco_firewall.sh -V 2c -C public -H 192.168.50.17 -M failover
Unknown - Primary = Down, Secondary = Down | Actives_Nodes=0
[root@nagios01 libexec]#
Thanks.
byvex, May 8, 2014
Hi there!
Thanks for the wonderful work. Monitoring active/standby unit worked out of the box, but trying to get active sessions yielded "Error - Not numeric value : = Max_Used_Sessions", no matter if I used version 1 or 2c.
So I simply deleted the whole if block around $Max_Used_Sessions and deleted "|sed -n '2p'" as the output of snmpwalk was always a single line.
Function looks now like this:
sessions_max()
{
Max_Used_Sessions=`/usr/bin/snmpwalk $walk_param $mib_sessions_max | cut -d' ' -f4`
check_num $Max_Used_Sessions Max_Used_Sessions
if [ $Used_Sessions -gt $Max_Used_Sessions ]
then
echo "Error - Too many sessions used : $Used_Sessions, but only $Max_Used_Sessions max sessions allowed!"
exit $result_Unknwon
fi
}
Thanks for the wonderful work. Monitoring active/standby unit worked out of the box, but trying to get active sessions yielded "Error - Not numeric value : = Max_Used_Sessions", no matter if I used version 1 or 2c.
So I simply deleted the whole if block around $Max_Used_Sessions and deleted "|sed -n '2p'" as the output of snmpwalk was always a single line.
Function looks now like this:
sessions_max()
{
Max_Used_Sessions=`/usr/bin/snmpwalk $walk_param $mib_sessions_max | cut -d' ' -f4`
check_num $Max_Used_Sessions Max_Used_Sessions
if [ $Used_Sessions -gt $Max_Used_Sessions ]
then
echo "Error - Too many sessions used : $Used_Sessions, but only $Max_Used_Sessions max sessions allowed!"
exit $result_Unknwon
fi
}
byzerrich@gmail.com, November 20, 2013
Hello I know this is not probably the best place where to ask for this, but I am totally new in nagios. I have brand new installation which is working perfect, already monitoring my ASA's and some cisco switches fo up/down, uptime, link states, etc. This is first script I ever tried to implement. Script is working for me only when I run it manually from the CLI (like: ./check_cisco_firewall.sh -H asax -C xxxxxx -V2c -M failover) . My problem is, that I am not able to make it working in nagios. I've tried several way (what I found around the internet) but I still got respond (null) or error 127. I guess my problem is that I for sure not configure it right in nagios. If you can advice me in this or point me to some simple basic how to how to configure scripts to nagios, I would be highly thankful. I run Nagios 3.2.3 and Plugins 1.5. Thanks in advance for any kind of help.
byhannes.adollarsson, May 30, 2013
Only verified mode failover yet but it seem to be working fine.
Only note is that I had to add -x and -a for SNMPv3 to work.
Only note is that I had to add -x and -a for SNMPv3 to work.
bychayden, November 1, 2012
I tested this on our redundant Cisco ASA 5510 pair and it worked fine. I didn't test the error as I didn't fail a full unit. Nor did I test the unknown if there isn't a failover configuration. I did however check that the snmp status returned 9 for the mib and gave an ok when the primary was active and that it returned warning when the primary went to standby. Thanks for this.
