Home Directory Plugins Hardware Network Gear Cisco Cisco - Check firewall ASA and PIX

Search Exchange

Search All Sites

Nagios Live Webinars

Let our experts show you how Nagios can help your organization.

Contact Us

Phone: 1-888-NAGIOS-1
Email: sales@nagios.com

Login

Remember Me
Don't miss your chance to attend the 2014 Nagios World conference!

Don't miss your chance to attend the 2014 Nagios World Conference, Oct 13-16th. Informative Sessions, Networking, Food and Cocktails! Visit go.nagios.com/conference/ for more information or to register.


Cisco - Check firewall ASA and PIX

Bookmark and Share

Rating
6 votes
Favoured:
2
Hits
86892
Files:
FileDescription
check_cisco_firewall.shcheck_cisco_firewall.sh -=v2.2=-
Check Cisco firewall ASA and PIX- Version 2.2 (07/03/2009)> Failover status> Sessions used (current and max)
This script check Cisco firewall (tested on Cisco PIX-515E and ASA-5500).
Modules included :
### Mode 1 - Failover ###
- fail over status for ptimary and secondary host
=> warning if primary = stanby and secondary = active
=> critical if primary or secondary = error
=> unknwon if failover is not configured
### Mode 2 - Sessions ###
- number of sessions in use
=> warning or critical exit if superior
- number of max session ever used


check_cisco_firewall.sh -H hostname -V version -M failover|sessions [-w|-c|-C|-l|-u|-a|-d|-h]
### PARAMETERS ###
-H Hostname (IP adresse or DNS name)
-V Version (1|2c|3)
-M Mode (failover|sessions)
### OPTIONNAL ###
-w Warning_Level (number of sessions before warning) *** Use on session mode ***
-c Critical_Level (number of sessions before critical) *** Use on session mode ***
-C Community (name) *** Use on Version 1|2 ***
-l Login (NoAuthNoPriv | AuthNoPriv | AuthPriv) *** Use on Version 3 ***
-u Username *** Use on Version 3 ***
-a Password *** Use on Version 3 ***
-d Debug mode
-h Help (print command usage, and quit)



Sample commands:
#./check_cisco_firewall.sh -H 192.168.0.1 -V 1 -M sessions -C Public -w 1000 -c 2000
OK - 45 sessions (max : 8209) | Current_Used=45

#./check_cisco_firewall.sh -H 192.168.0.1 -V 3 -l AuthNoPriv -u user -a password -M failover
OK - Primary = Active, Secondary = Standby | Actives_Nodes=2

#./check_cisco_firewall.sh -h
Display help

#./check_cisco_firewall.sh xxxxxx -d
Active debug mod
Reviews (4)
Hi there!

Thanks for the wonderful work. Monitoring active/standby unit worked out of the box, but trying to get active sessions yielded "Error - Not numeric value : = Max_Used_Sessions", no matter if I used version 1 or 2c.

So I simply deleted the whole if block around $Max_Used_Sessions and deleted "|sed -n '2p'" as the output of snmpwalk was always a single line.

Function looks now like this:

sessions_max()
{
Max_Used_Sessions=`/usr/bin/snmpwalk $walk_param $mib_sessions_max | cut -d' ' -f4`

check_num $Max_Used_Sessions Max_Used_Sessions

if [ $Used_Sessions -gt $Max_Used_Sessions ]
then
echo "Error - Too many sessions used : $Used_Sessions, but only $Max_Used_Sessions max sessions allowed!"
exit $result_Unknwon
fi
}
Hello I know this is not probably the best place where to ask for this, but I am totally new in nagios. I have brand new installation which is working perfect, already monitoring my ASA's and some cisco switches fo up/down, uptime, link states, etc. This is first script I ever tried to implement. Script is working for me only when I run it manually from the CLI (like: ./check_cisco_firewall.sh -H asax -C xxxxxx -V2c -M failover) . My problem is, that I am not able to make it working in nagios. I've tried several way (what I found around the internet) but I still got respond (null) or error 127. I guess my problem is that I for sure not configure it right in nagios. If you can advice me in this or point me to some simple basic how to how to configure scripts to nagios, I would be highly thankful. I run Nagios 3.2.3 and Plugins 1.5. Thanks in advance for any kind of help.
Only verified mode failover yet but it seem to be working fine.
Only note is that I had to add -x and -a for SNMPv3 to work.
I tested this on our redundant Cisco ASA 5510 pair and it worked fine. I didn't test the error as I didn't fail a full unit. Nor did I test the unknown if there isn't a failover configuration. I did however check that the snmp status returned 9 for the mib and gave an ok when the primary was active and that it returned warning when the primary went to standby. Thanks for this.