MRTG/Routers2: Template Juniper SSG

Finally, this is how I am monitoring my Juniper ScreenOS SSG firewalls with MRTG/Routers2. Beside the interfaces (that can be built with cfgmaker) I am using my template in order to monitor the CPU & memory, count of sessions & VPNs, count of different kind of attacks, etc.

SNMP MIBs

The ScreenOS MIBs can be downloaded here. There are really many OIDs to query on the ScreenOS device (compared to some other firewall vendors…). However, some statistics are not available, such as subinterfaces.

Site-to-Site VPNs can be monitored with the NetscreenVpnMon MIB while the “tunnel interfaces” itself do not provide any counters.

Finally, in my template all hit counts of the zone screening from the untrust zone are monitored. Though a bit unclear, at least the summary graph with all attack vectors at a glance gives a hint whether the firewall is under attack or not.

MRTG/Routers2 Configuration

The first step is to build the *.cfg file with cfgmaker in order to capture all interfaces. A command such as the following can be used:

As always, some sections of the output file can be removed, e.g., all “noHC[…]: yes” lines, and all “PageTops” with html code. The global options at the beginning of the file can be deleted, too, except the two options that were generated with the cfgmaker command above. Furthermore, all tunnel interfaces can be deleted since the SSG does not provide any counters there. For monitoring site-to-site VPN tunnels, my template below offers some OIDs.

This is my complete cfg file for MRTG/Routers2. There are several things to change before it can be used somewhere. The first lines of the template give some hints. (Of course, all the lines with the interfaces must be deleted, since they are already created with the cfgmaker tool.)

 

Sample Graphs

In summary, this is how my graphs look like:

4 thoughts on “MRTG/Routers2: Template Juniper SSG

  1. So this is cool. By any chance, how are you using cfgmaker and indexmaker such that you can display a different device, or group of devices on different pages?

    Thanks

    1. The monitoring system “MRTG with Routers2” displays every *.cfg file as a new page. That is, when I configured my devices with cfgmaker, I created a new *.cfg file for each device. Therefore I got a new page for every device. Does that help you?

        1. It depends. 😉
          Mostly I am using cfgmaker for the interfaces (such as the several interfaces on a firewall), but I add the template presented here manually. That is: Yes, I am using cfgmaker for each cfg file separately.

Leave a Reply

Your email address will not be published. Required fields are marked *