What is fw1vpntools

These are some small helpers which we use for monitoring and maintaining a number of VPNs terminated on two firewall clusters at my employer. Due to some unusual SLAs we have to monitor the availability of the affected VPNs. Since the opposite side does not allow active monitoring of resources on their site, the check_vpn tool reads some CheckPoint FW-1 tables and checks for the IKE SA and the incoming and outgoing SPIs to the corresponding peers.

check_vpn

check_vpn is a monitoring plugin for Nagios (see http://www.nagios.org/). check_vpn reads the list of monitored peers from the VPN-1 rulebase and checks, for every peer, that an IKE SA and an incoming and an outgoing SPI are present in the VPN-1 tables. Since our setup consists of 2 firewall clusters with 4 nodes, check_vpn is able to check all nodes at once.

vpnstatus

vpnstatus displays all VPN IKE SAs and SPIs in human-readable form. The output contains the IP address, the object name in the rulebase, a monitoring indicator, the sum of IKE SAs and SPIs over all firewall nodes, and the number of IKE SAs and SPIs for each firewall node.
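The logic behind check_vpn and vpnstatus, as an added example that is not code from fw1vpntools: it counts IKE SA, inbound SPI and outbound SPI records per peer in table dumps taken from each firewall node, sums them over the nodes, and turns the result into a Nagios verdict (check_vpn) or a per-peer listing (vpnstatus). The table names, the "<f1, f2, ...>" record layout with the peer address as the first 8-digit hex field, the sample dumps, the peer names and the "all three counts non-zero, summed over all nodes" health criterion are assumptions for the example, not taken from the tools; real "fw tab" output is version specific and the parser must be adapted to it.

```python
#!/usr/bin/env python3
# Added example, not code from fw1vpntools: a minimal check_vpn/vpnstatus
# in Python over table dumps from several firewall nodes.
# Assumptions (not from the page): the dumps were collected beforehand with
# something like "fw tab -t <table> -u" on each node, each record is printed
# as "<f1, f2, ...>" with hex fields, and the first field is the peer's IPv4
# address as 8 hex digits. Table names and record layout are version specific;
# adapt RECORD_RE and the field index to what your "fw tab" prints.
import ipaddress
import re
import sys
from collections import defaultdict

# Standard Nagios plugin return codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

RECORD_RE = re.compile(r"<([^>]*)>")
HEX_IP_RE = re.compile(r"[0-9a-fA-F]{8}")
TABLES = ("ike", "in", "out")  # IKE SAs, inbound SPIs, outbound SPIs


def peer_from_hex(field):
    """Turn an 8-digit hex IPv4 field (c0a80101) into dotted form (192.168.1.1)."""
    return str(ipaddress.IPv4Address(int(field, 16)))


def count_peers(dump):
    """Count records per peer IP in one table dump of one node; None -> {}."""
    counts = defaultdict(int)
    for match in RECORD_RE.finditer(dump or ""):
        fields = [f.strip() for f in match.group(1).split(",")]
        if not fields or not HEX_IP_RE.fullmatch(fields[0]):
            continue  # header line or record without a peer address
        counts[peer_from_hex(fields[0])] += 1
    return dict(counts)


def collect(nodes):
    """nodes = {node: {"ike": dump, "in": dump, "out": dump}}
    -> {peer: {node: (ike_count, in_count, out_count)}}"""
    result = defaultdict(dict)
    for node, dumps in nodes.items():
        per_table = {t: count_peers(dumps.get(t)) for t in TABLES}
        for peer in set().union(*(c for c in per_table.values())):
            result[peer][node] = tuple(per_table[t].get(peer, 0) for t in TABLES)
    return dict(result)


def totals(per_node):
    """Sum (ike, in, out) over all nodes, as the vpnstatus listing does."""
    return tuple(sum(col) for col in zip(*per_node)) if per_node else (0, 0, 0)


def check_vpn(monitored, nodes):
    """monitored = {peer_ip: rulebase object name}.
    A peer passes when, summed over all cluster nodes, it has at least one
    IKE SA, one inbound SPI and one outbound SPI (assumed criterion).
    Unreadable tables yield UNKNOWN, never a false OK."""
    if any(dumps.get(t) is None for dumps in nodes.values() for t in TABLES):
        return UNKNOWN, "VPN UNKNOWN - could not read one or more VPN-1 tables"
    stats = collect(nodes)
    failed = []
    for peer in sorted(monitored, key=ipaddress.IPv4Address):
        ike, inb, outb = totals(list(stats.get(peer, {}).values()))
        if not (ike and inb and outb):
            failed.append("%s(%s) ike=%d in=%d out=%d" % (monitored[peer], peer, ike, inb, outb))
    if failed:
        return CRITICAL, "VPN CRITICAL - " + ", ".join(failed)
    return OK, "VPN OK - %d peers have IKE SA and in/out SPI" % len(monitored)


def vpnstatus(monitored, nodes):
    """Rows like the vpnstatus listing: ip, object name, monitored?, totals, per node."""
    stats = collect(nodes)
    node_names = sorted(nodes)
    rows = []
    for peer in sorted(stats, key=ipaddress.IPv4Address):
        per_node = [stats[peer].get(n, (0, 0, 0)) for n in node_names]
        rows.append((peer, monitored.get(peer, "-"), peer in monitored, totals(per_node), per_node))
    return rows


# Constructed sample input: two nodes, three monitored peers.
# 10.0.0.5 has no outbound SPI on any node, 172.16.0.9 has no records at all.
NODES = {
    "fw1": {"ike": "<c0a80101, 00000001, 0000002a>\n<0a000005, 00000002, 00000010>",
            "in": "<c0a80101, 1234abcd>", "out": "<c0a80101, 5678ef01>"},
    "fw2": {"ike": "<0a000005, 00000003, 00000011>", "in": "<0a000005, 9abcdef0>", "out": ""},
}
MONITORED = {"192.168.1.1": "vpn_partner_a", "10.0.0.5": "vpn_partner_b",
             "172.16.0.9": "vpn_partner_c"}

if __name__ == "__main__":
    for row in vpnstatus(MONITORED, NODES):
        print(row)
    code, msg = check_vpn(MONITORED, NODES)
    print(msg)
    sys.exit(code)
```

Two points worth keeping when adapting this to a real setup: a failure to read a table must come out as UNKNOWN rather than OK, otherwise a broken collection path masks a down VPN; and the presence of an IKE SA and a pair of SPIs only proves that the tunnel was negotiated, since SAs can linger until their lifetime expires after the remote side has gone away, so a "VPN OK" from this kind of check is an upper bound on availability, not proof that traffic is flowing.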

remarks

Both tools need some time for processing: for our setup with 2 firewall clusters with 4 nodes and an object database of about 500 objects it takes about 15 seconds to get a result. 7 seconds are needed for reading the object database and the rest for reading the tables with the "fw tab" utility.

Download

fw1vpntools v0.1

Links

Freshmeat Record

Contact

steve (AT) weinreich DOT org