Monitoring Cisco IOS Firewall Inspection Activity with Multi-Router Traffic Grapher (MRTG)




Introduction

Cisco introduced support for the new Cisco Unified Firewall MIB in Cisco IOS Software Release 12.4(6)T. The Cisco Unified Firewall MIB provides a Simple Network Management Protocol (SNMP) interface through which network-management utilities such as Ipswitch's WhatsUp Gold, SolarWinds Orion, and the popular network monitoring tool Multi-Router Traffic Grapher (MRTG) can monitor various firewall counters.

About MRTG

MRTG is a free performance management application for Unix/Linux and Microsoft Windows. It monitors SNMP statistics from any SNMP-capable device on your network and:

- Captures, stores, and graphically presents SNMP data on a Web interface. By default, MRTG creates a Web page with four graphs per MIB object identifier (OID); the graphs show the variation of the MIB data over time.
- Runs automatically on a user-defined schedule in *nix cron or Windows Scheduler. MRTG periodically queries a user-configured list of SNMP objects on one or more network devices and, after each data collection cycle, posts updated graphs to a Web page.
- Efficiently compresses and archives data samples to create graphs.
- Enables you to determine whether trending data is useful for monitoring your environment before you invest in network performance software. If trending data is beneficial for your network management, you may need to purchase a commercial network monitoring package, such as HP OpenView or Computer Associates Concord eHealth. However, you may find that MRTG is all you need.

Figure 1.

All contents are Copyright 1992-2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Preparing for Firewall Monitoring

This document does not provide configuration steps for setting up MRTG or a Web server on your network. That documentation is available from the MRTG site at http://oss.oetiker.ch/mrtg/. Configuration assistance is available on the MRTG support alias: http://oss.oetiker.ch/mrtg/support/index.en.html

Once you have a working MRTG configuration, you must select the firewall OIDs that you wish to monitor. Typically, the most relevant firewall activity indicators are the one- or five-minute session setup rates and the active connection volume. Several other firewall activity objects are available, as well as objects monitoring other router performance indicators.

For descriptions of supported MIBs and how to use MIBs, visit the Cisco MIB Website: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

To obtain lists of MIBs supported by platform and Cisco IOS Software release and to download MIB modules, also visit the Cisco MIB Website: http://www.cisco.com/public/swcenter/netmgmt/cmtk/mibs.shtml

Cisco IOS Firewall does not support all the objects available in the Cisco Unified Firewall MIB. You may wish to use a utility such as iReasoning MIB Browser with the Cisco Unified Firewall MIB loaded to browse the values your Cisco IOS Firewall router returns, and select the specific OIDs that will be most useful for your network monitoring requirements.

Cisco IOS Firewall introduced a new hierarchy of show commands, offering visibility into the same values that the Cisco Unified Firewall MIB queries. These commands are available under the show ip inspect mib command. Examples of useful commands for viewing firewall activity from the router command-line interface include the following:

- Shows global firewall MIB counter objects:

      show ip inspect mib connection-statistics global

- Shows Layer 4 (TCP, UDP, ICMP) and Layer 7 (PAM-service specific) firewall MIB counter objects:

      show ip inspect mib connection-statistics [L4-Protocol [TCP | UDP | ICMP | all]] [L7-Protocol [PAM-service-name]]

- Shows Layer 4 (TCP, UDP, ICMP) and Layer 7 (PAM-service specific) firewall MIB counter objects specific to firewall policies and the interfaces they are applied to:

      show ip inspect mib connection-statistics policy [policy-name] interface [interface-name] [L4-Protocol [TCP | UDP | ICMP | all]] [L7-Protocol [PAM-service-name]]

Caution: Polling OIDs that retrieve large amounts of data can cause CPU problems on a Cisco IOS device. For example, do not get the ARP table, walk large portions of a MIB tree, poll the wrong OID too frequently, or get statistics that have an entry for every interface. A Cisco 7200 may have 10 interfaces, whereas a Cisco AS5800 may have 3000 interfaces.

Table 1 lists the supported connection statistics (global, protocol-specific [1], or firewall-policy-specific [2]) that are available via SNMP. Most of the protocol-specific and policy-specific statistics require additional values in the OID to specify the particular value instantiation. Specific OIDs are generally best determined by a MIB walk or by browsing the contents of the MIB.

[1] http://www.cisco.com/en/us/products/ps6441/products_feature_guide09186a00805ee103.html#wp1063019
[2] http://www.cisco.com/en/us/products/ps6441/products_feature_guide09186a00805ee103.html#wp1063055

Table 1. Connection Statistics

| Statistic | Global OID | Protocol-specific OID | Policy-specific OID | Description |
|---|---|---|---|---|
| Attempted | .1.3.6.1.4.1.9.9.491.1.1.1.1 | .1.3.6.1.4.1.9.9.491.1.1.4.1.1.2 | .1.3.6.1.4.1.9.9.491.1.1.4.3.1.5 | Connections sent to the firewall system |
| Setups Aborted | .1.3.6.1.4.1.9.9.491.1.1.1.2 | .1.3.6.1.4.1.9.9.491.1.1.4.1.1.3 | .1.3.6.1.4.1.9.9.491.1.1.4.3.1.6 | Number of session setups that aborted during session setup |
| Policy Declined | .1.3.6.1.4.1.9.9.491.1.1.1.3 | .1.3.6.1.4.1.9.9.491.1.1.4.1.1.4 | .1.3.6.1.4.1.9.9.491.1.1.4.3.1.7 | Connections that were declined due to application of a firewall security policy |
| Resource Declined | .1.3.6.1.4.1.9.9.491.1.1.1.4 | .1.3.6.1.4.1.9.9.491.1.1.4.1.1.5 | .1.3.6.1.4.1.9.9.491.1.1.4.3.1.8 | Connections that were declined due to firewall resource constraints |
| Half-Open | .1.3.6.1.4.1.9.9.491.1.1.1.5 | .1.3.6.1.4.1.9.9.491.1.1.4.1.1.6 | .1.3.6.1.4.1.9.9.491.1.1.4.3.1.9 | Number of connections that are currently in the process of being established (half-open) |
| Active | .1.3.6.1.4.1.9.9.491.1.1.1.6 | .1.3.6.1.4.1.9.9.491.1.1.4.1.1.7 | .1.3.6.1.4.1.9.9.491.1.1.4.3.1.10 | Number of connections that are currently active |
| Expired | .1.3.6.1.4.1.9.9.491.1.1.1.7 | - | - | Number of connections that were active but have since been terminated normally |
| Aborted | .1.3.6.1.4.1.9.9.491.1.1.1.8 | .1.3.6.1.4.1.9.9.491.1.1.4.1.1.8 | .1.3.6.1.4.1.9.9.491.1.1.4.3.1.11 | Number of connections that were abnormally terminated after successful establishment |
| Embryonic | .1.3.6.1.4.1.9.9.491.1.1.1.9 | - | - | Number of embryonic application-layer connections |
| One-Minute Connection Rate | .1.3.6.1.4.1.9.9.491.1.1.1.10 | .1.3.6.1.4.1.9.9.491.1.1.4.1.1.9 | - | Connections that were established per second, averaged over the last 60 seconds |
| Five-Minute Connection Rate | .1.3.6.1.4.1.9.9.491.1.1.1.11 | .1.3.6.1.4.1.9.9.491.1.1.4.1.1. | - | Connections that were established per second, averaged over the last 300 seconds |

Configuring the Router for SNMP Monitoring

You will need to enable the SNMP server in your Cisco IOS router. The SNMP server offers two user communities: the read-only community and the read-write community. You may use either to monitor the Cisco IOS Firewall, but the Cisco Unified Firewall MIB does not presently offer the capability to modify the firewall's configuration, so the read-only community offers ample functionality to monitor the firewall's activity. You should define a reasonably secure SNMP community-string name, and you may also define a standard access control list (ACL) to limit SNMP queries to a specific group of hosts:

    snmp-server community [community-string-name] RO [optional standard ACL]

Configuring MRTG for Firewall Queries and Graphing

Assuming you have a working MRTG setup, you can manually modify the MRTG configuration file, or you can have MRTG automatically discover MIB values by loading the MIB into MRTG and using MRTG's cfgmaker utility to walk the MIB and discover usable OIDs. This document describes the manual addition to the MRTG configuration to monitor a few attributes.

The default MRTG installation displays activity for two OIDs on each graph, so you must provide two OIDs for every graph object in the configuration file. The following text tracks the global active session count and the global five-minute rate on router 10.1.1.1, with a read-only SNMP community named cisco:

    Target[10.1.1.1_fw-act]: 1.3.6.1.4.1.9.9.491.1.1.1.6.0&1.3.6.1.4.1.9.9.491.1.1.1.11.0:cisco@10.1.1.1
    MaxBytes[10.1.1.1_fw-act]: 1000
    YLegend[10.1.1.1_fw-act]: # Sessions
    LegendI[10.1.1.1_fw-act]: Active Firewall Sessions
    LegendO[10.1.1.1_fw-act]: Five-Minute Session Rate
    Title[10.1.1.1_fw-act]: Firewall Activity
    PageTop[10.1.1.1_fw-act]: <h1>Firewall Activity</h1>
    Options[10.1.1.1_fw-act]: gauge

Busier networks may wish to monitor the global one-minute rate for firewall activity trends. Additional configuration sections may be included to monitor additional firewall activity for policy- or protocol-specific trends. MRTG has added more capabilities for increasing MIB query rates and adding multiple OIDs per graph, to offer greater flexibility in graphing displays. References for these additional capabilities are available on the MRTG Web page.

Interpreting MRTG Firewall Graph Output

Different types of network traffic display widely varying behavioral patterns. For instance, connections to servers providing DNS, POP, and SMTP mail, along with some HTTP and HTTPS, typically employ short-lived connections to exchange dialogue. Microsoft Networking, peer-to-peer traffic, instant messaging, and other Web services such as Webmail, e-commerce services, and Web/SSL VPN employ longer-lived connections, with the possibility of leaving established connections open for long periods of time during transactions or content transfers. Thus, an understanding of your network's typical behavior will provide a useful basis for interpreting your network's activity through the Unified Firewall MIB. As with most security activity monitoring, an understanding of the typical activity of your network will allow you to recognize departures from your network's baseline behavior. Behaviors you should watch for include:

- Dramatic increases in connection rates or numbers of established connections
- Broad disparity between the number of attempted versus established connections
- A dramatic reduction in established connections (this may be indicative of the failure of a commonly used service)

Appendix

Cisco IOS Firewall MIB Reference: http://www.ciscosystems.com/en/us/products/ps6441/products_feature_guide09186a00805ee103.html

MRTG homepage: http://oss.oetiker.ch/mrtg/

Printed in USA C11-406403-00 4/07
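The three behaviors listed under Interpreting MRTG Firewall Graph Output can be checked mechanically against the values MRTG polls, which is how an operator turns the baseline idea into an alert. The Python below is an added example, not code from this Cisco document or from MRTG: it assumes a 300-second poll interval, a constructed poll history for the global Attempted, Active and Five-Minute Connection Rate objects from Table 1, and threshold multipliers chosen for illustration.

```python
from statistics import median

INTERVAL = 300  # seconds between MRTG polls; MRTG's default five-minute cycle (assumed)

# Constructed poll history for router 10.1.1.1, oldest first (not data from a real router).
# attempted: global Attempted counter (.1.3.6.1.4.1.9.9.491.1.1.1.1.0, cumulative)
# active:    global Active gauge (.1.3.6.1.4.1.9.9.491.1.1.1.6.0)
# rate5:     global Five-Minute Connection Rate gauge (.1.3.6.1.4.1.9.9.491.1.1.1.11.0), conn/s
SAMPLES = [
    {"attempted": 10000, "active": 180, "rate5": 4},
    {"attempted": 11200, "active": 190, "rate5": 4},
    {"attempted": 12350, "active": 175, "rate5": 4},
    {"attempted": 13600, "active": 185, "rate5": 4},
    {"attempted": 14800, "active": 182, "rate5": 4},
    {"attempted": 16100, "active": 188, "rate5": 4},
    {"attempted": 17300, "active": 180, "rate5": 4},
    {"attempted": 58000, "active": 184, "rate5": 5},  # attempts surge, few get established
]


def attempts_per_cycle(samples):
    """Turn the cumulative Attempted counter into per-cycle attempt counts.
    A decrease means the counter wrapped or the router reloaded; that cycle is None."""
    out = []
    for prev, cur in zip(samples, samples[1:]):
        delta = cur["attempted"] - prev["attempted"]
        out.append(delta if delta >= 0 else None)
    return out


def check_latest(samples, spike=3.0, drop=0.25, disparity=5.0):
    """Compare the newest poll with the median of the earlier polls (the baseline)
    and return the departures the text says to watch for. Thresholds are assumed."""
    if len(samples) < 4:
        raise ValueError("need at least four polls to form a baseline")
    hist, now = samples[:-1], samples[-1]
    base_rate = median(s["rate5"] for s in hist)
    base_active = median(s["active"] for s in hist)
    alerts = []
    # 1. Dramatic increase in connection rate or in established connections
    if now["rate5"] >= spike * max(base_rate, 1):
        alerts.append(f"rate spike: {now['rate5']}/s vs baseline {base_rate}/s")
    if now["active"] >= spike * max(base_active, 1):
        alerts.append(f"active spike: {now['active']} vs baseline {base_active}")
    # 2. Broad disparity between attempted and established connections this cycle;
    #    established is estimated from the five-minute rate over one poll interval.
    attempts = attempts_per_cycle(samples)[-1]
    established = now["rate5"] * INTERVAL
    if attempts is not None and attempts >= disparity * max(established, 1):
        alerts.append(f"attempt disparity: {attempts} attempted vs ~{established} established")
    # 3. Dramatic reduction in established connections (a common service may have failed)
    if now["active"] <= drop * base_active:
        alerts.append(f"active drop: {now['active']} vs baseline {base_active}")
    return alerts
```

Run against the constructed history, the final poll raises only the attempted-versus-established disparity, since the active session count and rate stay near their baseline while attempts jump.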