Monitoring VPN statistics in Checkpoint

Hi,

I want to monitor VPN statistics and availability on a Checkpoint firewall (R77.30). Currently, this firewall is already on LibreNMS and I can monitor interface statistics, cpu, memory, etc.

What I want is to monitor the VPN statistics and, unfortunately, that is not configured. I have the required MIBs and SNMP OIDs to monitor what I need, however, I just can’t find how to add these graphs.

I’ve looked at the “Add a custom graph” section of the docs but it seems outdated as the first file that I’m told to open is not user editable (as specified by comments on the file itself)

I’m sorry if this is a basic question, but I’ve googled around and can’t seem to find an answer to this.

Thank you

The files are marked as not user editable as we don’t want users to edit them - at this stage you are a developer so edit away.

Alrighty… Anyway, how do I go about editing it? The documentation did not mention how to specify an OID to monitor…

edit docs

You have to determine the appropriate OID from the MIB.

After a lot of tests and research, I think I found the way:

Create the sensor count: "./includes/discovery/sensors/count/gaia.inc.php"
<?php

$connections = [
    'Number of concurrent connections' => ['.1.3.6.1.4.1.2620.1.1.25.3', 'fwNumConn'],  //CHECKPOINT-MIB::fwNumConn.0
    'Peak number of concurrent connections' => ['.1.3.6.1.4.1.2620.1.1.25.4', 'fwPeakNumConn'],  //CHECKPOINT-MIB::fwPeakNumConn.0
    'Limit of Connections table' => ['.1.3.6.1.4.1.2620.1.1.25.10', 'fwConnTableLimit'],  //CHECKPOINT-MIB::fwConnTableLimit.0
    'Connections rate' => ['.1.3.6.1.4.1.2620.1.1.26.11.6', 'fwConnectionsStatConnectionRate'],  //CHECKPOINT-MIB::fwConnectionsStatConnectionRate.0
    'Number of connections handled by SecureXL' => ['.1.3.6.1.4.1.2620.1.36.1.2', 'fwSXLConnsExisting'],  //CHECKPOINT-MIB::fwSXLConnsExisting.0
];

foreach ($connections as $descr => $oid) {
    $oid_num = $oid[0];
    $oid_txt = $oid[1];
    $group = 'Connections';
    $result = snmp_getnext($device, $oid_txt, '-Ovq', 'CHECKPOINT-MIB');
    $result = str_replace(' Sessions Per Second', '', $result);

    discover_sensor(
        $valid['sensor'],
        'count',
        $device,
        $oid_num . '.0',
        $oid_txt . '.0',
        'sessions',
        $descr,
        1,
        1,
        null,
        null,
        null,
        null,
        $result,
        'snmp',
        null,
        null,
        null,
        $group		
    );
}

$vpn = [
    'Number of IKE current SAs' => ['.1.3.6.1.4.1.2620.1.2.9.1.1', 'cpvIKECurrSAs'],  //CHECKPOINT-MIB::cpvIKECurrSAs.0
    'Number of IPsec current Inbound ESP SAs' => ['.1.3.6.1.4.1.2620.1.2.5.2.1', 'cpvCurrEspSAsIn'],  //CHECKPOINT-MIB::cpvCurrEspSAsIn.0
    'Number of IPsec current Outbound ESP SAs' => ['.1.3.6.1.4.1.2620.1.2.5.2.3', 'cpvCurrEspSAsOut'],  //CHECKPOINT-MIB::cpvCurrEspSAsOut.0
];

foreach ($vpn as $descr => $oid) {
    $oid_num = $oid[0];
    $oid_txt = $oid[1];
    $group = 'VPN';
    $result = snmp_getnext($device, $oid_txt, '-Ovq', 'CHECKPOINT-MIB');
    $result = str_replace(' Sessions Per Second', '', $result);

    discover_sensor(
        $valid['sensor'],
        'count',
        $device,
        $oid_num . '.0',
        $oid_txt . '.0',
        'sessions',
        $descr,
        1,
        1,
        null,
        null,
        null,
        null,
        $result,
        'snmp',
        null,
        null,
        null,
        $group
    );
}

Hi @rpardim
These “count” sensors should be added via the YAML file instead of PHP code. Simpler, shorter, and easier to maintain.

And as written in the other message, we suggest you to submit your changes and contribute the project to ensure you continue to receive updates.

Bye

1 Like