Monitoring Cisco IOS Firewall Inspection Activity with Multi- Router Traffic Grapher (MRTG)

Transcription

1 Monitoring Cisco IOS Firewall Inspection Activity with Multi- Router Traffic Grapher (MRTG) Introduction Cisco introduced support for the new Cisco Unified Firewall MIB in Cisco IOS Software Release 12.4(6)T. The Cisco Unified Firewall MIB provides a Simple Network Management Protocol (SNMP) interface to monitor various firewall counters by network-management utilities such as Ipswitch s What s Up Gold, Solarwinds Orion, and the popular network monitoring tool, Multi- Router Traffic Grapher (MRTG). About MRTG MRTG is a free performance management application for Unix/Linux and Microsoft Windows. It monitors SNMP statistics from any SNMP-capable device on your network and: Captures, stores, and graphically presents SNMP data on a Web interface. By default, a Webpage with four graphs per MIB object identifier (OID) is created by MRTG. The graphs show the variation of MIB data over time. Runs automatically on a user-defined schedule in *nix cron or Windows Scheduler. Periodically, MRTG queries a user-configured list of SNMP objects on one or more network devices. After each data collection cycle, the MRTG software posts updated graphs to a Webpage. Efficiently compresses and archives data samples to create graphs. Enables you to determine if trending data is useful for monitoring your environment before you invest in network performance software. If trending data is beneficial for your network management, you may need to purchase a commercial network monitoring package, such as HP OpenView or Computer Associates Concord ehealth. However, you may find that MRTG is all you need. Figure 1. All contents are Copyright Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 5

2 Preparing for Firewall Monitoring This document does not provide configuration steps for setting up MRTG or a Web server on your network. This documentation is available from the MRTG site at Configuration assistance is available on the MRTG support alias Once you have a working MRTG configuration, you must select the firewall OIDs that you wish to monitor. Typically, the most relevant firewall activity indicators are the one- or five-minute session setup rates, and active connection volume. Several other firewall activity objects are available, as well as object monitoring other router performance indicators. For descriptions of supported MIBs and how to use MIBs, visit the Cisco MIB Website: To obtain lists of MIBs supported by platform and Cisco IOS Software release and to download MIB modules, also visit the Cisco MIB Website: Cisco IOS Firewall does not support all the objects available in the Cisco Unified Firewall MIB. You may wish to use a utility such as ireasoning MIB Browser with the Cisco Unified Firewall MIB loaded to browse the values your Cisco IOS Firewall router returns, and select the specific OIDs that will be most useful for your network monitoring requirements. Cisco IOS Firewall introduced a new hierarchy of show commands, offering visibility into the same values that the Cisco Unified Firewall MIB queries. These commands are available under the show ip inspect mib command. Examples of useful commands for viewing firewall activity from the router command-line interface include the following: Shows global firewall MIB counter objects: show ip inspect mib connection-statistics global: Shows Layer 4 (TCP, UDP, ICMP) and Layer 7 (PAM-service specific) firewall MIB counter objects: show ip inspect mib connection-statistics [ L4-Protocol [ TCP UDP ICMP all ]] [L7-Protocol [ PAM-service-name ]] Shows Layer 4 (TCP, UDP, ICMP) and Layer 7 (PAM-service specific) firewall MIB counter objects specific to firewall policies and the interfaces they are applied to: show ip inspect mib connection-statistics policy [policy-name] interface [interface-name] [ L4-Protocol [ TCP UDP ICMP all ]] [L7-Protocol [ PAM-service-name ]] Caution: Polling OIDs that retrieve large amounts of data can cause CPU problems on a Cisco IOS device. For example, do not get the ARP table, walk large portions of a MIB tree, poll the wrong OID too frequently, or get statistics that have an entry for every interface. For example, a Cisco 7200 may have 10 interfaces, whereas a Cisco AS5800 may have 3000 interfaces Table 1 lists supported connection statistics global, protocol-specific 1, or firewall-policyspecific 2 that are available via SNMP. Most of the protocol-specific and policy-specific statistics will require additional values in the OID to specify the particular value instantiation. Specific OIDs are generally best determined by an MIB walk or by browsing the contents of the MIB All contents are Copyright Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 2 of 5

3 Table 1. Connection Statistics Statistic Type OID Connection Type Description Global Protocol-specific Attempted sent to the firewall system Global Protocol-specific Setups Aborted Number of session setups that aborted during session setup Global Protocol-specific Global Protocol-specific Global Protocol-specific Global Protocol-specific Policy Declined Resource Declined Half-Open Active that were declined due to application of a firewall security policy that were declined due to firewall resource constraints Number of connections that are currently in the process of being established (half-open) Number of connections that are currently active Global Expired Number of connections that were active but have since been terminated normally Global Protocol-specific Aborted Number of connections that were abnormally terminated after successful establishment Global Embryonic Number of embryonic-applicationlayer connections Global Protocol-specific Global Protocol-specific One-Minute Connection Rate Five-Minute Connection Rate that were established per second, averaged over the last 60 seconds that were established per second, averaged over the last 300 seconds All contents are Copyright Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 3 of 5

4 Configuring the Router for SNMP Monitoring You will need to enable the SNMP server in your Cisco IOS router. The SNMP server offers two user communities: the read-only community and the read-write community. You may use either to monitor the Cisco IOS Firewall, but the Cisco Unified Firewall MIB does not presently offer the capability to modify the firewall s configuration, so the read-only community will offer ample functionality to monitor the firewall s activity. You should define a reasonably secure SNMP community-string name, and you may also define a standard access control list (ACL) to limit SNMP queries to a specific group of hosts: snmp-server community [community-string-name] RO [optional standard ACL] Configuring MRTG for Firewall Queries and Graphing Assuming you have a working MRTG setup, you can manually modify the MRTG configuration file, or you can have MRTG automatically discover MIB values by loading the MIB into MRTG and using MRTG s cfgmaker utility to walk the MIB and discover usable OIDs. This document describes the manual addition for the MRTG configuration to monitor a few attributes. The default MRTG installation displays activity for two OIDs on each graph, so you must provide two OIDs for every graph object in the configuration file. The following text tracks global active session count and global five-minute rate on router , with a read-only SNMP community named cisco : Target[ _fwact]: & :cisc o@ : MaxBytes[ _fw-act]: 1000 Ylegend[ _fw-act]: # Sessions LegendI[ _fw-act]:Active Firewall Sessions LegendO[ _fw-act]:Five-Minute Session Rate Title[ _fw-act]: Firewall Activity PageTop[ _fw-act]: <h1>firewall Activity</h1> Options[ _fw-act]: gauge Busier networks may wish to monitor the global one-minute rate for firewall activity trends. Additional configuration sections may be included to monitor additional firewall activity for policy- or protocol-specific trends. MRTG has added more capabilities for increasing MIB query rates and adding multiple OIDs per graph, to offer greater flexibility in graphing displays. References for these additional capabilities are available on the MRTG Webpage. Interpreting MRTG Firewall Graph Output Different types of network traffic display widely varying behavioral patterns. For instance, connections to servers providing DNS, POP, and SMTP mail, along with some HTTP and HTTPS, typically employ short-lived connections to exchange dialogue. Microsoft Networking, peer-to-peer traffic, instant messaging, and other Web services such as Webmail, e-commerce services, and Web/SSL VPN employ longer-lived connections, with a possibility of leaving established connections for long periods of time during transactions or content transfers. Thus, an understanding of your network s typical behavior will provide a useful basis for interpreting your network s activity through the Unified Firewall MIB. As with most security activity monitoring, an All contents are Copyright Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 4 of 5

5 understanding of the typical activity of your network will allow you to recognize departures from your network s baseline behavior. Behaviors you should watch for include: Dramatic increases in connection rates or numbers of established connections Broad disparity between number of attempted versus established connections A dramatic reduction in established connections (this may be indicative of the failure of a commonly used service) Appendix Cisco IOS Firewall MIB Reference: MRTG homepage: Printed in USA C /07 All contents are Copyright Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 5 of 5