Monitor Checkpoint VPN links

Adams, Gavin gadams at promisant.com
Thu Jul 10 20:21:59 CEST 2003


My $0.02 :

Experience based off of FW-1 4.1 and VPN setups via IPsec. SNMP
capabilities of FW-1 are limited to high level packet counts for
enforcement points, etc. Not really of use for ensuring site A to site B
access.

If everything is being sent to a central management server, you could
parse the log files looking for bad SA setups, timeouts etc. Once again,
if some sites on the VPN don't communicate regularly, this may not find
it.

The only solution I see would be to actually pass traffic from each site
to all other sites. Maybe through the use of NRPE/NCSA and a plugin on a
server in each site (that can ICMP and is allowed to communicate to the
other sites).


For example, fully meshed network of sites A, B, C, and D with Nagios
running at site A, and accessible servers at B, C, and D. Traffic checks
would be for:

From     To
A        B C D
B        A C D
C        A B D
D        A B C

Site A is easy, Nagios can ping devices in B, C, and D. On the server at
the other sites, create a plugin that pings the remote sites and returns
OK if all is good, else WARNING or CRITICAL if there is a problem.

Additional work and resources required to set it up, but in the end, the
only way to know if a VPN tunnel is up and operational is to push some
traffic across it (or wait for the complaints to come in).

HTH,

--- Gavin
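The per-site ping plugin Gavin describes, written out as an added example (this is not code from the post or from Nagios): it pings every peer site across the mesh and returns the standard plugin states, so the same script can run under NRPE at B, C and D with each site's own peer list. Site names, the placeholder addresses and the one-packet, two-second threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from Gavin's post: a minimal NRPE-style Nagios plugin
# that pings every peer site across the VPN mesh and reports the usual
# OK / WARNING / CRITICAL states with the matching exit codes.
# Site names, addresses and the one-packet/2-second threshold are assumptions.

STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3

# Return 0 if $1 answers one ICMP echo within 2 s (iputils ping syntax),
# 1 otherwise. PING_CMD can point at another ping binary or a shell function.
site_reachable() {
    ${PING_CMD:-ping} -c 1 -W 2 "$1" >/dev/null 2>&1
}

# check_vpn_peers SITE:HOST [SITE:HOST ...]
# Prints one Nagios status line and returns the plugin exit code:
#   every peer reachable  -> OK
#   some unreachable      -> WARNING  (that tunnel or that peer is down)
#   none reachable        -> CRITICAL (most likely the local tunnel endpoint)
check_vpn_peers() {
    total=0
    down=0
    failed=""
    for peer in "$@"; do
        site=${peer%%:*}
        host=${peer#*:}
        total=$((total + 1))
        if ! site_reachable "$host"; then
            down=$((down + 1))
            failed="$failed $site"
        fi
    done
    if [ "$total" -eq 0 ]; then
        echo "VPN UNKNOWN - no peer sites given"
        return $STATE_UNKNOWN
    elif [ "$down" -eq 0 ]; then
        echo "VPN OK - $total/$total peer sites reachable"
        return $STATE_OK
    elif [ "$down" -lt "$total" ]; then
        echo "VPN WARNING - $down/$total peer sites unreachable:$failed"
        return $STATE_WARNING
    else
        echo "VPN CRITICAL - $down/$total peer sites unreachable:$failed"
        return $STATE_CRITICAL
    fi
}

# When run directly with arguments, e.g. from nrpe.cfg on the server at site B
# (addresses are placeholders):
#   command[check_vpn]=/usr/local/nagios/libexec/check_vpn_peers.sh A:10.1.0.1 C:10.3.0.1 D:10.4.0.1
if [ $# -gt 0 ]; then
    check_vpn_peers "$@"
    exit $?
fi
```

Nagios at site A then runs `check_nrpe -c check_vpn` against each remote server; a WARNING from site B naming D, together with a WARNING from C naming D, points at D's tunnel endpoint rather than at any single B-D or C-D path, which is the per-pair picture the SNMP counters cannot give.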

> -----Original Message-----
> From: Dan Tulovsky [mailto:Dan.Tulovsky at sbiandcompany.com]
> Sent: Thursday, July 10, 2003 11:14 AM
> To: nagios-users at lists.sourceforge.net
> Subject: RE: [Nagios-users] Monitor Checkpoint VPN links
> 
> I think an even better idea is to use machines that are behind the
> firewalls if you are going to do that... Since you just need to test the
> link, it's often better to test it from behind...
> 
> Dan
> 
> 
> -----Original Message-----
> From: Roy S. Rapoport [mailto:nagios-users at ols.inorganic.org]
> Sent: Wednesday, July 09, 2003 7:03 PM
> To: nagios-users at lists.sourceforge.net
> Subject: Re: [Nagios-users] Monitor Checkpoint VPN links
> 
> 
> On Wed, Jul 09, 2003 at 06:21:50PM -0400, Rob Nelson wrote:
> > It's always an ugly hack, but one can do just about anything with
> > "expect".
> > I'd suggest using ssh keys tho, rather than putting your ssh password
> > in cleartext in the scriptfile.
> 
> As a security person, this makes me shudder.
> 
> Remember, this is your firewall.
> 
> I won't tell you how to manage your security devices, but the concept of
> allowing automated, non-passworded (or passphrased) access to a firewall
> scares the bejesus out of me.  I would argue, with respect to the
> requester's experience and knowledge, that it's a Bad Idea.
> 
> If you *are* going to do that, for God's sake, make sure that the SSH
> key is only authorized for the very minimal actions that you need to
> monitor the system -- in other words, you shouldn't just SSH and run
> some commands
> -- you should 'ssh user at fw <command>' and make sure that the SSH key
> ONLY allows you to run <command>.
> 
> -roy
> 
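Roy's advice that a monitoring key should only be able to run one command, shown as an added example (not code from the thread): the authorized_keys entry pins the key to a forced command with OpenSSH's `command=`, `no-pty` and no-forwarding options, and the wrapper maps an exact request to a fixed local program instead of executing what the client sent. The wrapper path, the allowlisted names and the target paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pin a monitoring SSH key to one
# read-only command, as Roy suggests, instead of handing it a shell.
#   authorized_keys_line  - builds the authorized_keys entry: forced command
#                           plus no-pty and the no-*-forwarding options.
#   forced_command_target - the allowlist applied to the client's request
#                           (SSH_ORIGINAL_COMMAND). Only an exact name maps to
#                           a fixed local path; the request is never executed.
#   forced_command        - entry point that sshd runs via command="...".
# Wrapper path, allowlisted names and target paths are assumptions.

# authorized_keys_line "WRAPPER COMMAND" "PUBKEY"
authorized_keys_line() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$1" "$2"
}

# Map an allowed request name to the program it runs; return 1 otherwise.
# Exact match only: "vpn-status extra", "vpn-status; id" or "" all fall through.
forced_command_target() {
    case "$1" in
        vpn-status) echo /usr/local/sbin/vpn-status ;;   # assumed read-only helper
        fw-status)  echo /usr/local/sbin/fw-status ;;    # assumed read-only helper
        *)          return 1 ;;
    esac
}

# Entry point: sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND.
forced_command() {
    req=${SSH_ORIGINAL_COMMAND:-}
    if target=$(forced_command_target "$req"); then
        exec "$target"
    fi
    # Refused requests (including a bare interactive login) are logged so a
    # misused key shows up in syslog rather than silently failing.
    command -v logger >/dev/null 2>&1 && logger -t ssh-forced-command "denied: $req"
    echo "command not permitted for this key" >&2
    exit 1
}

# Install sketch (placeholder paths):
#   authorized_keys_line "/usr/local/sbin/fw-forced-command --forced" "$(cat monitor.pub)" \
#       >> /home/monitor/.ssh/authorized_keys
#   ssh monitor@fw vpn-status    # runs /usr/local/sbin/vpn-status
#   ssh monitor@fw               # no command: refused by the wrapper
if [ "${1:-}" = "--forced" ]; then
    forced_command
fi
```

On OpenSSH 7.2 and later the single `restrict` option switches off PTY allocation and every forwarding type at once and is the safer default; the spelled-out options above are what older servers understand. Either way, the Nagios side then calls `ssh monitor@fw vpn-status` and nothing else will run under that key.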


-------------------------------------------------------
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps1
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null