September 1, 2009
Detecting changes in Checkpoint Firewall (Splat) High Availability State
The Check Point MIB exposes a good set of SNMP objects for state and performance monitoring of Check Point SecurePlatform firewalls. The state of the firewall modules can be polled with the xxStatCode (numeric) or xxStatShortDescr (string) objects. For example, Secure Virtual Networking can be monitored with the svnStatCode (1.3.6.1.4.1.2620.1.6.101) or svnStatShortDescr (1.3.6.1.4.1.2620.1.6.102) objects, and likewise for the other modules such as HA, DTPS, or WAM. However, in order to detect HA failovers, I monitor the haState (1.3.6.1.4.1.2620.1.5.6) object for changes (i.e. from “standby” to “active”).
Detecting Default Gateway (ipRouteNextHop) Changes on Cisco Routers
In some redundant configurations, a change in the device’s default gateway may be the best indicator of a failover to an alternate wide-area connection, which could be a problem if the backup WAN link is a lower-bandwidth connection. The ipRouteNextHop (1.3.6.1.2.1.4.21.1.7) object is located in the ipRoute table of the ubiquitous RFC 1213 (MIB-II) MIB. The device’s default gateway is the first row listed in this table.
Detecting Serial Interface Flapping
Increases in the Cisco locIfResets (1.3.6.1.4.1.9.2.2.1.1.17) counter on a serial interface are a good indicator of flapping on the serial connection. If the serial interface resets more than two times in a polling cycle, we can probably assume that it is flapping (an administrative shut and start would be one reset, so by monitoring for 2 or more resets, we can avoid alerts when planned maintenance is being performed). If the reset count doesn’t change for a few polling cycles, it can probably be assumed that the connection has stabilized.
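The flap and stabilization rules above, written out as an added example (not code from the original post). It works on locIfResets values that have already been polled; the class and function names, the constructed sample values, and the choice of three quiet cycles for "a few polling cycles" are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

FLAP_THRESHOLD = 2  # "2 or more resets" in one polling cycle, per the text
QUIET_CYCLES = 3    # assumption: "a few polling cycles" taken as three


@dataclass
class FlapDetector:
    """Tracks polled locIfResets values for one serial interface."""
    last: Optional[int] = None
    flapping: bool = False
    quiet: int = 0

    def poll(self, resets: int) -> Optional[str]:
        """Feed one polled counter value; return an event name or None."""
        if self.last is None or resets < self.last:
            # First sample, or the counter went backwards (for example
            # after a device reload): re-baseline, do not compute a delta.
            self.last = resets
            return None
        delta = resets - self.last
        self.last = resets
        if delta >= FLAP_THRESHOLD:
            self.quiet = 0
            if not self.flapping:
                self.flapping = True
                return "FLAPPING"
            return None
        if self.flapping:
            # Only unchanged cycles count toward stabilization; a single
            # reset while flapping restarts the quiet count.
            self.quiet = self.quiet + 1 if delta == 0 else 0
            if self.quiet >= QUIET_CYCLES:
                self.flapping = False
                self.quiet = 0
                return "STABLE"
        return None


def run(samples):
    """Return (poll index, event) pairs for a sequence of counter values."""
    det = FlapDetector()
    events = []
    for i, value in enumerate(samples):
        event = det.poll(value)
        if event:
            events.append((i, event))
    return events


# Constructed samples: one planned shut/start (4 -> 5), a flap burst
# (5 -> 9 -> 12), three quiet cycles, then a counter that restarts at 0.
SAMPLES = [4, 4, 5, 5, 9, 12, 12, 12, 12, 0, 1, 1]
```

The single reset at poll 2 and the counter restart at poll 9 raise no event; only the burst and the later quiet period do.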