1. Overview
Nagios performance monitoring application, or other SNMP network monitoring and server monitoring tools, can be used to monitor various network device types such as switches, routers and firewalls, as well as application performance on Linux and services on Windows: host up/down status, CPU usage, memory usage, switch or router interface up/down status, ping and more. It sends an alert when things go bad and when they get better.
This guide shows how to monitor a Cisco ASA firewall, a technology and business communication device, with Nagios performance monitoring application, using Nagios plugins that work over the SNMP protocol.
2. Prerequisites
This article on monitoring a Cisco ASA firewall with Nagios performance monitoring application assumes that:
a. You have already done the initial server setup. Please refer to Minimal RHEL/CentOS 7 Initial Server Setup.
b. You have already installed the Nagios performance monitoring application server. Please refer to Installing Nagios Core For IT Infrastructure Monitoring on RHEL/CentOS 7.
3. Configure SNMP on Device
First of all, we need to log in to the Cisco ASA firewall that we want to monitor with the Nagios performance monitoring application server and configure the SNMP server as follows. We will configure a read-only SNMP community string “T@s9aMon” along with an ACL named “ACL-SNMP” so that only the Nagios performance monitoring application server, with IP address 10.0.0.10, can access this device.
# snmp-server host inside 10.0.0.10 community T@s9aMon version 2c
# snmp-server contact netadmin@techspacekh.com
# snmp-server location DC
To test whether the SNMP server on the Cisco ASA firewall is working properly, we need to log in to the Nagios performance monitoring application server and execute the following snmpwalk command. The command assumes that the IP address of the Cisco ASA firewall is 10.0.0.1.
# snmpwalk -v2c -c T@s9aMon 10.0.0.1
4. Download And Test Nagios Plugin
To monitor a Cisco ASA firewall with Nagios performance monitoring application, we need five Nagios plugins: “check_cisco_asa.pl”, “check_cisco.pl”, “check_asa_vpn.pl”, “check_ssh” and “check_asa_failover.pl”. You can download them from the Nagios Exchange web site or directly here: check_cisco_asa, check_cisco, check_asa_vpn, check_ssh and check_asa_failover. After downloading, copy these five plugins into the plugin directory on the Nagios performance monitoring application server, which is “/usr/local/nagios/libexec”.
We will use the plugin “check_cisco_asa.pl” to monitor CPU usage, memory usage and the temperature of the Cisco ASA firewall. This plugin can also monitor the interface up/down status of the Cisco ASA firewall, but we will use another plugin, “check_cisco.pl”, for that instead, since it provides more comprehensive output such as the interface description. The plugin “check_asa_vpn” will be used to monitor IPSec VPN connection status, “check_ssh” to monitor device SSH remote management, and “check_asa_failover” to monitor the failover clustering status of the Cisco ASA firewall.
Now let's go to the directory “/usr/local/nagios/libexec” to test these five Nagios plugins, but first we need to install the prerequisite package needed to run this plugin and make the plugin executable.
# cd /usr/local/nagios/libexec
# yum -y install perl-Net-SNMP
# chmod +x check_cisco_asa.pl
Now let's use the plugin “check_cisco_asa.pl” to monitor the CPU usage of a Cisco ASA firewall.
# ./check_cisco_asa.pl -H 10.0.0.1 -C A@B9aMon -t cpu -w 60 -c 70
Cpu: OK - Cpu Load 3% 3% 3% | cpu_5s=3percent;60;70 cpu_1m=3percent cpu_5m=3percent
Now let's use the plugin “check_cisco_asa.pl” to monitor the memory usage of a Cisco firewall.
# ./check_cisco_asa.pl -H 10.0.0.1 -C A@B9aMon -t mem -w 30 -c 20
Memory: OK - Free Memory 31% | memory_total=1156MB memory_used=794MB
Now let's use the plugin “check_cisco_asa.pl” to monitor the device temperature of the Cisco ASA firewall.
# ./check_cisco_asa.pl -H 10.0.0.1 -C A@B9aMon -t temp -w 45 -c 50
Temperature: OK - Temperature is 38 Celsius | temperature=38;45;50
Now let's test our second plugin, “check_cisco.pl”, to monitor the interface status of a Cisco ASA firewall, since it gives us more comprehensive output. First we need to install the prerequisite package needed to run this plugin and make the plugin executable.
# cd /usr/local/nagios/libexec
# yum install -y net-snmp-utils
# chmod +x check_cisco.pl
# ./check_cisco.pl -h 10.0.0.1 -c A@B9aMon -i outside
outside up: , LastChanges: (6000) 0:01:00.00, Traffic in : 2884935859 octets, out: 3323581089 octets
# ./check_cisco.pl -h 10.0.0.1 -c A@B9aMon -i inside
inside up: , LastChanges: (11500) 0:01:55.00, Traffic in : 3974466501 octets, out: 3202158891 octet
Now let's test the rest of the Nagios performance monitoring application plugins, but we need to make them executable first.
# cd /usr/local/nagios/libexec
# chmod +x check_ssh
# chmod +x check_asa_vpn.pl
# chmod +x check_asa_failover.pl
# ./check_ssh -H 10.0.0.1 -p 22
SSH OK - Cisco-1.25 (protocol 1.99) | time=0.002139s;;;0.000000;10.000000
# ./check_asa_vpn.pl -H 10.0.0.1 -C A@B9aMon -P 10.0.0.12 -N VPN-To-HQ
OK! VPN peer 10.0.0.12 (VPN-To-HQ) available.
# ./check_asa_failover.pl -H 10.0.0.1 -C A@B9aMon
OK! Failover operation of 10.10.0.0.1 is fine
5. Define Host And Service Groups
It is better to create directories to store our own configuration files, as follows.
# cd /usr/local/nagios
# mkdir techspacekh
# cd techspacekh/
# mkdir commands
# mkdir remotehosts
# mkdir servicegroups
# mkdir hostgroups
Then we need to tell the Nagios performance monitoring application configuration file to also read the configuration files from the new directories we created, and then restart the Nagios service.
# vim /usr/local/nagios/nagios.cfg
cfg_dir=/usr/local/nagios/etc/techspacekh
# systemctl restart nagios
Now let's create a host group named “cisco-switches” for all Cisco switches by going into the directory “/usr/local/nagios/techspacekh/hostgroups” and creating a file with the cfg extension as follows.
# cd /usr/local/nagios/techspacekh/hostgroups
# vim genertic-hostgroup.cfg
define hostgroup{
    hostgroup_name    cisco-asa-firewalls
    alias             Cisco ASA Firewall
}
Then let's create some service groups for the Cisco switch, such as device-ping, memory-usage, cpu-usage, remote-ssh, device-temp, vpn-status, cisco_asa_failover and cisco-interfacestatus, by going into the directory “/usr/local/nagios/techspacekh/hostgroups” and creating a file with the cfg extension as follows.
# cd /usr/local/nagios/techspacekh/servicegroups
# vim genertic-services.cfg
define servicegroup{
    servicegroup_name    device-ping
    alias                Device Ping
}
define servicegroup{
    servicegroup_name    memory-usage
    alias                Memory Usage
}
define servicegroup{
    servicegroup_name    cpu-usage
    alias                CPU Usage
}
define servicegroup{
    servicegroup_name    remote-ssh
    alias                SSH Remote Management
}
define servicegroup{
    servicegroup_name    device-temp
    alias                Device Temperature
}
define servicegroup{
    servicegroup_name    vpn-status
    alias                VPN Status
}
define servicegroup{
    servicegroup_name    cisco_asa_failover
    alias                Cisco ASA Failover Clustering
}
define servicegroup{
    servicegroup_name    cisco-interfacestatus
    alias                Cisco Interface Status
}
6. Define Nagios Commands
To use the two plugins above, we need to define commands that call the plugins. Let's define the following commands to monitor power supply status, fan status, CPU usage and memory usage of a Cisco switch.
# cd /usr/local/nagios/techspacekh/commands
# vim check_genertic.cfg
define command{
    command_name    check_cisco_asa
    command_line    $USER1$/check_cisco_asa.pl -H $HOSTADDRESS$ -C $ARG1$ -t $ARG2$ -w $ARG3$ -c $ARG4$
}
define command{
    command_name    check_asa_vpn
    command_line    $USER1$/check_asa_vpn.pl -H $HOSTADDRESS$ -C $ARG1$ -P $ARG2$ -N $ARG3$ -S $ARG4$
}
define command{
    command_name    check_asa_failover
    command_line    $USER1$/check_asa_failover.pl -H $HOSTADDRESS$ -C $ARG1$
}
define command{
    command_name    check_cisco_int
    command_line    $USER1$/check_cisco.pl -H $HOSTADDRESS$ -C $ARG1$ -i $ARG2$
}
#
7. Define Hosts And Services
After defining the host group, service groups and Nagios performance monitoring application commands, we can now define one Cisco ASA firewall host to test. On this test Cisco ASA firewall we will monitor host down/up status and some services such as ping, CPU usage, memory usage, device temperature, SSH remote management, IPSec VPN connection status, failover clustering status and the interface up/down status of two interfaces, Gi0/1 as the outside interface and Gi0/2 as the inside interface.
# cd /usr/local/nagios/techspacekh/remotehosts
# vim cisco-asa5515x.cfg
## Define Host
#
define host{
    use           generic-switch
    host_name     Cisco ASA 5515X
    alias         Cisco ASA 5515X
    notes         Branch01 Firewall
    address       10.0.0.1
    hostgroups    cisco-asa-firewalls
}
#
define service{
    use                    generic-service
    host_name              Cisco ASA 5515X
    service_description    PING
    check_command          check_ping!200.0,20%!600.0,60%
    check_interval         5
    retry_interval         1
    servicegroups          device-ping
}
## Define System Health
#
define service{
    use                    generic-service
    host_name              Cisco ASA 5515X
    service_description    Memory Usage
    check_command          check_cisco_asa!A@B9aMon!mem!30!20
    servicegroups          memory-usage
}
#
define service{
    use                    generic-service
    host_name              Cisco ASA 5515X
    service_description    CPU Usage
    check_command          check_cisco_asa!A@B9aMon!cpu!60!70
    servicegroups          cpu-usage
}
#
define service{
    use                    generic-service
    host_name              Cisco ASA 5515X
    service_description    Device Temperature
    check_command          check_cisco_asa!A@B9aMon!temp!45!50
    servicegroups          device-temp
}
#
define service{
    use                    generic-service
    host_name              Cisco ASA 5515X
    service_description    IPSec VPN To HQ
    check_command          check_asa_vpn!A@B9aMon!10.0.0.12!VPN-To-HQ
    servicegroups          vpn-status
}
#
define service{
    use                    generic-service
    host_name              Cisco ASA 5515X
    service_description    Device SSH
    check_command          check_ssh!22
    servicegroups          remote-ssh
}
#
define service{
    use                    generic-service
    host_name              Cisco ASA 5515X
    service_description    Failover Status
    check_command          check_asa_failover!A@B9aMon
    servicegroups          cisco_asa_failover
}
#
## Define Interfaces Status
#
define service{
    use                    generic-service
    host_name              Cisco ASA 5515X
    service_description    Port01 Gi1/1:WAN:Outside
    check_command          check_cisco_int!A@B9aMon!outside01
    servicegroups          cisco-interfacestatus
}
#
define service{
    use                    generic-service
    host_name              Cisco ASA 5515X
    service_description    Port03 Gi1/3:LAN:Inside
    check_command          check_cisco_int!A@B9aMon!inside
    servicegroups          cisco-interfacestatus
}
#
After that, we need to restart the Nagios performance monitoring application service with the following command.
# systemctl restart nagios
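The service definitions above pass the SNMP community string as a literal check_command argument, so it is stored in every object file that references it. The following audit script is an added example, not part of the original guide: it lists such definitions without printing the secret. It assumes the command names from section 6; the sample file, the community value EXAMPLE-COMMUNITY and the choice of $USER5$ are constructed for illustration.

```shell
# Added example: audit Nagios object files for SNMP community strings that
# are hard-coded in check_command arguments instead of a $USERn$ macro.

# Commands whose first argument ($ARG1$) is the community, per section 6.
SNMP_COMMANDS='check_cisco_asa check_asa_vpn check_asa_failover check_cisco_int'

# Print "file:line:command" for every check_command that passes a literal
# community. The community value itself is never printed.
find_literal_communities() {
    find "$1" -type f -name '*.cfg' | sort | while IFS= read -r f; do
        awk -v cmds="$SNMP_COMMANDS" -v file="$f" '
            BEGIN { n = split(cmds, a, " "); for (i = 1; i <= n; i++) snmp[a[i]] = 1 }
            /^[ \t]*#/ { next }                      # skip comment lines
            $1 == "check_command" {
                k = split($2, arg, "!")              # arg[1]=command, arg[2]=$ARG1$
                if ((arg[1] in snmp) && k >= 2 && arg[2] !~ /^\$USER[0-9]+\$$/)
                    printf "%s:%d:%s\n", file, NR, arg[1]
            }' "$f"
    done
}

# Constructed sample: two literal communities, one macro, one non-SNMP
# check and one commented-out line that must be ignored.
write_sample() {
    mkdir -p "$1/remotehosts"
    cat > "$1/remotehosts/fw.cfg" <<'EOF'
define service{
    check_command check_cisco_asa!EXAMPLE-COMMUNITY!cpu!60!70
}
define service{
    check_command check_asa_failover!$USER5$
}
define service{
    check_command check_ssh!22
}
# check_command check_cisco_int!EXAMPLE-COMMUNITY!inside
define service{
    check_command check_cisco_int!EXAMPLE-COMMUNITY!inside
}
EOF
}

sample=$(mktemp -d)
write_sample "$sample"
find_literal_communities "$sample"
rm -rf "$sample"
```

Definitions flagged by the script can reference a $USERn$ macro defined in the Nagios resource file instead, which keeps the community string in one file whose permissions can be restricted to the nagios user.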
Go to the web interface of Nagios performance monitoring application and we should see one host named “Cisco ASA 5515X” and some services, as follows.
8. Conclusion
That’s all about how to monitor a Cisco ASA firewall with Nagios performance monitoring application from Tech Space KH. Nagios performance monitoring application is one of the best network monitoring tools and server monitoring tools. Hopefully, you find this guide informative. If you have any questions or suggestions, you can always leave your comments below. I will do my best to review and reply to them.