December 11th, 2013 17:00

Dynamic modelling for Firewall(multiple-vendors) Sessions

Hi folks,

What I am trying to do is to poll some additional OIDs to get the information for the session counts and session rate for a bunch of firewall devices. This is actually simple if I only have one vendor's device, let's say Cisco. I can create a dynamic model like the following:

##############################################

interface fw_session : ICIM_Instrumentation

{

     instrument SNMP {

        ActiveSessions = "1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.6"

     };

readonly instrumented attribute int ActiveSessions

"Number of active sessions on Cisco Firewall.";

}

refine interface Firewall

{

propagate attribute int ActiveSessions

         "Number of active sessions on the device."

         = fw_session,InstrumentedBy,ActiveSessions;

}

################################################

However, I have multiple vendors' firewalls in the network: NetScreen, Fortinet, etc.

I could add a couple of instrumented attributes and create multiple attributes in the "refine interface Firewall" section, something like the following:

interface fw_session : ICIM_Instrumentation

{

     instrument SNMP {

        cisco_ActiveSessions = "1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.6",

        netscreen_ActiveSessions = "1.3.6.1.4.1.3224.16.3.2",

        fortinet_ActiveSessions = "1.3.6.1.4.1.12356.101.4.1.8"

     };

readonly instrumented attribute int cisco_ActiveSessions

"Number of active sessions on Cisco Firewall.";

readonly instrumented attribute int netscreen_ActiveSessions

"Number of active sessions on netscreen Firewall.";

readonly instrumented attribute int fortinet_ActiveSessions

"Number of active sessions on fortinet Firewall.";

}

refine interface Firewall

{

propagate attribute int cisco_ActiveSessions

         "Number of active sessions on the cisco firewall."

         = fw_session,InstrumentedBy,cisco_ActiveSessions;

propagate attribute int netscreen_ActiveSessions

         "Number of active sessions on the netscreen firewall."

         = fw_session,InstrumentedBy,netscreen_ActiveSessions;

propagate attribute int fortinet_ActiveSessions

         "Number of active sessions on the fortinet firewall."

         = fw_session,InstrumentedBy,fortinet_ActiveSessions;

}

The problem is: personally, I don't think it is nice to have all three attributes showing up for all the firewalls regardless of the vendor.

I am wondering whether there is a way in the dynamic model to use some sort of conditional judgement to create only one general attribute, "ActiveSession", but populate it with the different values from the instrumented attributes?

I have tried using the keyword "case", but didn't get any luck.

I am still learning the modelling language, so any comment or help is really appreciated.

Thanks,

Hubery

17 Posts

January 3rd, 2014 04:00

The standard way of doing this in Smarts is to create a separate instrumentation class for each vendor. So in your case create a top-level class fw_session where you put code common to all vendors. Then subclass off this for each vendor, e.g. fw_session_cisco, fw_session_netscreen, etc. You put vendor-specific code/definitions in these classes.

Your discovery code will need to know which instrumentation class to create for a given model/vendor.

I think then your propagate definition in the Firewall class should work unmodified.

13 Posts

January 6th, 2014 22:00

Hi AlanG,

Thanks for your reply. Your input enlightened me.

However, it looks like most of the general instrumentations (for example: Memory_Performance) are compiled in binary code; I can only see the specific vendor's instrumentation. The difficult part for me would be how to link the general instrumentation with the specific vendor's instrumentations.

So do you know if there is any code in the Smarts installation path I can refer to?

Cheers,

17 Posts

January 7th, 2014 01:00

There isn't much to it, something like this should work, although I haven't tested it (but it compiles).

interface fw_session : ICIM_Instrumentation {

    readonly attribute int ActiveSessions;

}

interface fw_session_cisco : fw_session {

    instrument SNMP {

        ActiveSessions = "1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.6"

    };

  refine instrumented ActiveSessions;

}

interface fw_session_netscreen : fw_session {

    instrument SNMP {

        ActiveSessions = "1.3.6.1.4.1.3224.16.3.2"

    };

  refine instrumented ActiveSessions;

}

etc...

13 Posts

January 9th, 2014 18:00

Thank you very much Alan, I will give it a go.

Cheers,

13 Posts

January 13th, 2014 23:00

Hi Alan,

Sorry to bother you again. I've loaded the dynamic model into the system and also created separate polling classes for these firewalls, but I get a null value in the IP domain.

I am not sure if I need to touch the discovery drives (those .import files) under /opt/InCharge/IP/smarts/conf/discovery.

I think I only need to populate values from the SNMP poll and there is no need to create objects, so using instrument SNMP plus new polling might be sufficient.

I am really struggling with this one, as the learning materials/documents are very limited. I am wondering, if you have experience with this, would you be able to explain it a bit more to me? I believe quite a few folks on this forum are keen to know similar stuff as well, according to my searching.

What I've done so far:

###################

1. Dynamic model

###################

interface fw_session : ICIM_Instrumentation {

    readonly attribute unsigned ActiveSessions;

}

interface fw_session_cisco : fw_session {

    instrument SNMP {

        ActiveSessions = "1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.6"

    };

  refine instrumented ActiveSessions;

}

interface fw_session_netscreen : fw_session {

    instrument SNMP {

        ActiveSessions = "1.3.6.1.4.1.3224.16.3.2"

    };

  refine instrumented ActiveSessions;

}

interface fw_session_fortinet : fw_session {

    instrument SNMP {

        ActiveSessions = "1.3.6.1.4.1.12356.101.4.1.8"

    };

  refine instrumented ActiveSessions;

}

refine interface Firewall

{

propagate attribute unsigned max ActiveSessions

         "Number of active sessions on the device."

         = fw_Session, InstrumentedBy, ActiveSessions;

}

##################################

2. Create 3 new polling classes for 3 different vendors' firewalls and associate firewalls with them. Below is an example for Fortinet firewalls.

##################################

/*

*  fortinet_fw_setting.asl

*

*

*/

default loglevel      = "warning";

/*

* These are overridden by the Setting every time the START rule is

* invoked.

*/

default SettingClass  = "";

default SettingName   = "";

default ElementClass  = "";

default ElementName   = "";

objectFactory       = object("ICIM_ObjectFactory", "ICIM-ObjectFactory");

topoManager       = object("ICF_TopologyManager", "ICF-TopologyManager");

icimMgrObj          = object("ICIM_Manager", "ICIM-Manager");

pingerObj             = object(getInstances("ICMP_AccessorInterface")[0]);

snmpPollerObj     = object(getInstances("SNMP_AccessorInterface")[0]);

ruleFileName       = this->ReadsRulesFrom->fileName;

DEBUG                 = TRUE;

START {

    .. eol

} do {

    print("************************* SettingClass: " . SettingClass);

    print("*************************  SettingName: " . SettingName);

    print("************************* ElementClass: " . ElementClass);

    print("*************************  ElementName: " . ElementName);

   

    prnObj = object(ElementClass, ElementName);

    if (prnObj->isNull()) {

        return;

    }

    if (!prnObj->isInstanceOf("Firewall")) {

        return;

    }

  if ( prnObj->Vendor == "FORTINET" ) {

    settingsObj = object(SettingClass, SettingName);

    if (settingsObj->isNull()) {

        return;

    }

   

    prnAgentObj = prnObj->getSNMPAgent();

    if (prnAgentObj->isNull()) {

        return;

    }

    credentialObj     = create("SNMP_Credentials", "sys-setting-credential-" . string(thread()));

    credentialObj->init();

    prnInstrObj       = prnObj->makeInstrumentation("fw_session_fortinet");

    interval          = settingsObj->PollingInterval;

    timeout           = settingsObj->Timeout / 1000;

    retries           = settingsObj->Retries;

    prnInstrName      = prnInstrObj->Name;

    prnAgentAddress   = prnAgentObj->AgentAddress;

    traceSNMP         = 1;

    prnIndex          = 0;

    pollingParamList  = list(prnInstrName,

                             interval,

                             interval,

                             timeout,

                             retries,

                             traceSNMP);

    icimMgrObj->insertInstrumentation(snmpPollerObj,

                                      prnAgentObj,

                                      prnInstrName,

                                      string(prnIndex),

                                      credentialObj)?  LOG(loglevel), NEXT;

    snmpPollerObj->polling_parameters += pollingParamList? LOG(loglevel),NEXT;

    settingsDriverObj = object("GA_PersistentDriver", "DRV-ICF_ASLSetting-devstat/sys-setting.asl");

    if (settingsDriverObj->isNull()) {

        settingsRuleSet   = object("GA_RuleSet", "RS-ICF_ASLSetting-devstat/sys-setting.asl");

        if (settingsRuleSet->isNull()) {

            settingsRuleSet           = create("GA_RuleSet", "RS-ICF_ASLSetting-devstat/sys-setting.asl");

            settingsRuleSet->fileName = "devstat/sys-setting.asl";

        }

        settingsDriverObj = create("GA_PersistentDriver", "DRV-ICF_ASLSetting-devstat/sys-setting.asl");

        settingsDriverObj->ReadsRulesFrom    = settingsRuleSet;

        settingsDriverObj->waitForCompletion = TRUE;

    }

    gaParameterObj = create("GA_Parameters", "settings-Parameters" . "-" . thread());

    gaParameterObj->insert("SettingClass", SettingClass);

    gaParameterObj->insert("SettingName",  SettingName);

    gaParameterObj->insert("ElementClass", ElementClass);

    gaParameterObj->insert("ElementName",  ElementName);

   

    if (DEBUG) {

        gaParameterObj->dump();

    }

   

    settingsDriverObj->startWithParameters(gaParameterObj);

  }

}

17 Posts

January 14th, 2014 03:00

You need to subclass ICF_PollingSetting. Something like this (but it may need tweaking):

interface Firewall_Session_Setting:ICF_PollingSetting {

    refine DisplayName

    = "Firewall Sessions SNMP Polling";

    refine stored SettingKey

    = "SNMP-SESS";

    refine TargetClass

      = "ICIM_UnitaryComputerSystem";

    refine InstrumentationClass

    = "fw_session";

    refine RuleSet

      = "health/firewall-session-setting.asl";

    refine Type

    = POLLING;

    refine defaults

    definition :

                AnalysisMode                    = ENABLED,

                PollingInterval                 = 240,

                Timeout                         = 700,

                Retries                         = 3;

}

The value of RuleSet should be your ASL for creating the instrumentation and linking to the SNMP accessor. It does not make sense to have a separate settings file for each vendor; just have one file and create instrumentation based on the value of the vendor attribute.

If you restart your domain with this MODEL then you should have another settings option to apply in the Polling & Thresholds GUI.

13 Posts

January 15th, 2014 04:00

Hi Alan,

Thanks for your help.

Actually I forgot something in the post yesterday (my brain was not working very well): I did create another instrumentation which inherits from Connectivity_Polling_Setting, not from class ICF_PollingSetting. The model is similar to what you have provided. (I tried to change to class ICF_PollingSetting, but still no luck.)

Now my concern is the RuleSet. I have enabled the debug switch in the ASL, but everything looks fine.

I also used the new tool that comes with the latest release, called sm_oidInfo.pl, and I can see that the OID in fw_session.mdl is polled.

#############################

Discovery,Performance-Probe,Performance-Fortigate-Health-Driver,.1.3.6.1.4.1.12356.101.4.1.5,(discovery/ic-fortigate-health.asl) Discovery of TemperatureSensors VoltageSensors Fans PowerSupplies

Discovery,Performance-Probe,Performance-Fortigate-Health-Driver,.1.3.6.1.4.1.12356.101.4.1.3,(discovery/ic-fortigate-health.asl) Discovery of TemperatureSensors VoltageSensors Fans PowerSupplies

Discovery,VRRPGroup-Probe,VRRP-GROUP-Driver,,

Monitoring,Firewall,fw_session_fortinet,.1.3.6.1.4.1.12356.101.4.1.8,ActiveSessions

Monitoring,IPRoute,IPRoute_Instrumentation_SNMP,.1.3.6.1.2.1.4.21.1.1,ipRouteDest

Monitoring,Interface,Interface_Fault_MIB2,.1.3.6.1.2.1.2.2.1.8,ifOperStatus

##############################

But when I went a bit further and dumped the SNMP accessor data out using dmctl:

dmctl -s IP-AM-PM exec dmdebug --dumpAccessor=DEVSTAT-SNMP-Poller snmp-poller.log

I can see the following problem for the newly created instrumentation:

######################################################

Instance Name: I-fw_session_fortinet-StateOfPlay-FW

Attribute Name: ActiveSessions

Polling Period: 0

Last Polled At: The Epoch

Cached Value:

Last Error: MR-E-NOT-CURRENT_MONITORED-Instrumented attribute ?1? is not currently being monitored by accessor.

######################################################

Any problem you can see so far?

Thanks,

Hubery
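The accessor dump can be triaged mechanically for records like the one quoted above. This is an added example, not part of the original posts and not a Smarts tool: it parses the six field labels shown in that record and lists every instrumented attribute the accessor is not actually polling. It assumes one attribute per record, as in the quoted excerpt; the second sample record is constructed and its values are illustrative.

```python
import re

# Field labels exactly as they appear in the record quoted in the post above.
FIELDS = ("Instance Name", "Attribute Name", "Polling Period",
          "Last Polled At", "Cached Value", "Last Error")
FIELD_RE = re.compile(r"^\s*(%s):[ \t]*(.*)$" % "|".join(FIELDS))

# First record is the one from the post; the second is constructed, and its
# instance name, period, timestamp and cached value are assumptions.
SAMPLE_DUMP = """\
Instance Name: I-fw_session_fortinet-StateOfPlay-FW
Attribute Name: ActiveSessions
Polling Period: 0
Last Polled At: The Epoch
Cached Value:
Last Error: MR-E-NOT-CURRENT_MONITORED-Instrumented attribute ?1? is not currently being monitored by accessor.

Instance Name: I-Interface_Fault_MIB2-EXAMPLE-FW/1
Attribute Name: ifOperStatus
Polling Period: 240
Last Polled At: January 15, 2014 3:58:02 AM
Cached Value: 1
Last Error:
"""

def parse_records(text):
    """Split a dump into dicts; a new record starts at each 'Instance Name:'."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # separators, blank lines, anything that is not a field
        key, value = m.group(1), m.group(2).strip()
        if key == "Instance Name":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records

def unpolled(records):
    """Return (instance, attribute, reasons) for attributes that are not polled."""
    findings = []
    for rec in records:
        reasons = []
        if rec.get("Polling Period", "0") == "0":
            reasons.append("polling period 0")
        if rec.get("Last Polled At", "The Epoch") == "The Epoch":
            reasons.append("no poll timestamp recorded")
        if rec.get("Last Error"):
            reasons.append(rec["Last Error"])
        if reasons:
            findings.append((rec.get("Instance Name"),
                             rec.get("Attribute Name"), reasons))
    return findings

if __name__ == "__main__":
    for instance, attribute, reasons in unpolled(parse_records(SAMPLE_DUMP)):
        print("%s.%s: %s" % (instance, attribute, "; ".join(reasons)))
```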

17 Posts

January 15th, 2014 04:00

Have you defined any events that use this value? And are you subscribing to those events in SAM?

13 Posts

January 15th, 2014 13:00

No, I haven't. I was trying to see the value for the attribute first, then define events.

Do you mean I have to define events and subscribe to them in SAM, otherwise the value won't be populated?

Cheers

13 Posts

January 15th, 2014 22:00

Added an event definition in the model and also created a .import file under /opt/InCharge/IP/smarts/local/conf/icf to subscribe to the events.

###########################

GA_SubscriberProfile::PROFILE-default

{

   subscriptions = {

   { "Firewall", ".*", "HighSessionCounts_Cisco", 77879 },

   { "Firewall", ".*", "HighSessionCounts_Fortinet", 77879 }

   }

}

###########################


I've also tried to change the type of the attribute from int to unsigned according to the model document.

But the value is still showing "0".

Now I am lost, as I am not sure what the next steps to troubleshoot are.

Again, I will paste my ASL code here. This is the RuleSet for the new polling instrumentation:

##############################

/*

*  firewall_session_setting.asl

*

*

*/

//default loglevel      = "warning";

default loglevel      = "debug";

/*

* These are overridden by the Setting every time the START rule is

* invoked.

*/

default SettingClass  = "";

default SettingName   = "";

default ElementClass  = "";

default ElementName   = "";

objectFactory       = object("ICIM_ObjectFactory", "ICIM-ObjectFactory");

topoManager       = object("ICF_TopologyManager", "ICF-TopologyManager");

icimMgrObj          = object("ICIM_Manager", "ICIM-Manager");

//pingerObj             = object(getInstances("PingerAccessorInterface")[0]);

pingerObj             = object(getInstances("ICMP_AccessorInterface")[0]);

snmpPollerObj     = object(getInstances("SNMP_AccessorInterface")[0]);

ruleFileName       = this->ReadsRulesFrom->fileName;

DEBUG                 = TRUE;

START {

    .. eol

} do {

    print("************************* SettingClass: " . SettingClass);

    print("*************************  SettingName: " . SettingName);

    print("************************* ElementClass: " . ElementClass);

    print("*************************  ElementName: " . ElementName);

    prnIndex          = "";

   

    prnObj = object(ElementClass, ElementName);

    if (prnObj->isNull()) {

        return;

    }

    if (!prnObj->isInstanceOf("Firewall")) {

        return;

    }

    settingsObj = object(SettingClass, SettingName);

    if (settingsObj->isNull()) {

        return;

    }

   

    prnAgentObj = prnObj->getSNMPAgent();

    if (prnAgentObj->isNull()) {

        return;

    }

    credentialObj     = create("SNMP_Credentials", "sys-setting-credential-" . string(thread()));

    credentialObj->init();

// Different vendors use different instrumentation.

if ( prnObj->Vendor == "FORTINET" ) {

    prnInstrObj       = prnObj->makeInstrumentation("fw_session_fortinet");

    prnIndex          = 0;

    }

   if ( prnObj->Vendor == "CISCO" ) {

    prnInstrObj       = prnObj->makeInstrumentation("fw_session_cisco");

    }

   if ( prnObj->Vendor == "NETSCREEN" ) {

    prnInstrObj       = prnObj->makeInstrumentation("fw_session_netscreen");

    }

  

    print("Instrumentation Name is: ".prnInstrObj);

   

//    prnInstrObj       = prnObj->makeInstrumentation("fw_session");

   

    interval          = settingsObj->PollingInterval;

    timeout           = settingsObj->Timeout / 1000;

    retries           = settingsObj->Retries;

    prnInstrName      = prnInstrObj->Name;

    prnAgentAddress   = prnAgentObj->AgentAddress;

    traceSNMP         = 1;

//    prnIndex          = 0;

    pollingParamList  = list(prnInstrName,

                             interval,

                             interval,

                             timeout,

                             retries,

                             traceSNMP);

// instanceName oid

    icimMgrObj->insertInstrumentation(snmpPollerObj,

                                      prnAgentObj,

                                      prnInstrName,

                                      string(prnIndex),

                                      credentialObj)?  LOG(loglevel), NEXT;

    snmpPollerObj->polling_parameters += pollingParamList? LOG(loglevel),NEXT;

//add more debug

   if ( DEBUG ) {

   print("snmpPollerObj = ".snmpPollerObj." prnAgentObj = ".prnAgentObj." prnInstrName = ".prnInstrName." prnIndex = ".prnIndex." CredentialObj = ".credentialObj);

   print("Polling Interval=".interval." Timeout=".timeout." Retries=".retries);

   }

    settingsDriverObj = object("GA_PersistentDriver", "DRV-ICF_ASLSetting-devstat/sys-setting.asl");

    if (settingsDriverObj->isNull()) {

        settingsRuleSet   = object("GA_RuleSet", "RS-ICF_ASLSetting-devstat/sys-setting.asl");

        if (settingsRuleSet->isNull()) {

            settingsRuleSet           = create("GA_RuleSet", "RS-ICF_ASLSetting-devstat/sys-setting.asl");

            settingsRuleSet->fileName = "devstat/sys-setting.asl";

        }

        settingsDriverObj = create("GA_PersistentDriver", "DRV-ICF_ASLSetting-devstat/sys-setting.asl");

        settingsDriverObj->ReadsRulesFrom    = settingsRuleSet;

        settingsDriverObj->waitForCompletion = TRUE;

    }

    gaParameterObj = create("GA_Parameters", "settings-Parameters" . "-" . thread());

    gaParameterObj->insert("SettingClass", SettingClass);

    gaParameterObj->insert("SettingName",  SettingName);

    gaParameterObj->insert("ElementClass", ElementClass);

    gaParameterObj->insert("ElementName",  ElementName);

   

    if (DEBUG) {

        gaParameterObj->dump();

      

    }

   

    settingsDriverObj->startWithParameters(gaParameterObj);

}

###############################

17 Posts

January 21st, 2014 09:00

When I was having issues recently it seemed to be resolved by exporting and subscribing to events using the instrumentation, but it seems that's not the problem here.

I guess the error message must mean that the OID is not linked to the SNMP accessor, which would suggest a problem with your settings script. What did you use as the template for your script? I've used rules/health/fs-setting.asl in the past with success. I just take a copy and make the fewest changes possible to make it work with my classes.

13 Posts

January 21st, 2014 13:00

Hi Alan,

I was thinking there might be something wrong with the ruleset, however, when I enabled the debug in topomgr.conf, I actually can see that the rule was parsed successfully and no error message at all. The template was from one of the old dynamic training document - provided by EMC support.

But I do see some errors complaining that it can't find the property "ActiveSession". I checked the refined instrumentation for Firewall and the spelling is correct. When I get into the office, I will post the detailed error message found in the IP domain log file.

Thanks for your input, appreciate that.

Hubery

13 Posts

January 27th, 2014 15:00

Hi Alan,

I checked all the configs and dynamic model files, finally, I located the problem.

There was a typo in one of the propagate lines. But without enabling the debug switch in topomgr.conf, I would not have been able to find this. I focused on the hard part, but didn't pay enough attention to the simple stuff.

I will post the detailed solution here when I get a chance.

I appreciated all your help in this case.

Cheers,

Hubery
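A typo in a propagate line can be caught before the model is loaded by checking that every `Class, Relationship, Attribute` triple resolves against the interfaces declared in the same file. The checker below is an added example, not part of the original posts and not a Smarts tool. Its sample input is a one-vendor trim of the model posted earlier in this thread. It assumes MODEL names are matched case-sensitively, and it only understands the declaration forms that appear in this thread.

```python
import difflib
import re

IFACE_RE = re.compile(r"\binterface\s+(\w+)\s*:\s*(\w+)\s*\{")
ATTR_RE = re.compile(r"\battribute\s+((?:\w+\s+)*\w+)\s*[\"=;]")
PROP_RE = re.compile(
    r"\bpropagate\s+attribute\s+([^\"=;]+?)\s*(?:\"[^\"]*\")?\s*=\s*"
    r"(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*;")

# One-vendor trim of the model posted in this thread (sample input).
SAMPLE_MODEL = """\
interface fw_session : ICIM_Instrumentation {
    readonly attribute unsigned ActiveSessions;
}
interface fw_session_fortinet : fw_session {
    instrument SNMP {
        ActiveSessions = "1.3.6.1.4.1.12356.101.4.1.8"
    };
    refine instrumented ActiveSessions;
}
refine interface Firewall
{
    propagate attribute unsigned max ActiveSessions
        "Number of active sessions on the device."
        = fw_Session, InstrumentedBy, ActiveSessions;
}
"""

def _body(text, open_idx):
    """Text between the brace at open_idx and its matching close brace."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    return text[open_idx + 1:]

def load_classes(text):
    """Map each 'interface X : Parent { ... }' to (parent, attributes declared)."""
    classes = {}
    for m in IFACE_RE.finditer(text):
        body = _body(text, m.end() - 1)
        attrs = {a.group(1).split()[-1] for a in ATTR_RE.finditer(body)}
        classes[m.group(1)] = (m.group(2), attrs)
    return classes

def inherited_attrs(classes, cls):
    """Attributes declared on cls or on any ancestor defined in the same text."""
    attrs, seen = set(), set()
    while cls in classes and cls not in seen:
        seen.add(cls)
        parent, own = classes[cls]
        attrs |= own
        cls = parent
    return attrs

def _hint(name, candidates):
    close = difflib.get_close_matches(name, sorted(candidates), n=1)
    return close[0] if close else None

def check_propagates(text):
    """Return (line, propagated attribute, problem, suggestion) per bad reference."""
    classes, findings = load_classes(text), []
    for m in PROP_RE.finditer(text):
        name, cls, attr = m.group(1).split()[-1], m.group(2), m.group(4)
        line = text.count("\n", 0, m.start()) + 1
        if cls not in classes:
            findings.append((line, name, "unknown class %r" % cls,
                             _hint(cls, classes)))
        elif attr not in inherited_attrs(classes, cls):
            findings.append((line, name, "unknown attribute %r" % attr,
                             _hint(attr, inherited_attrs(classes, cls))))
    return findings

if __name__ == "__main__":
    for finding in check_propagates(SAMPLE_MODEL):
        print("line %d: %s: %s (did you mean %s?)" % finding)
```

Classes that ship with the product are not in the file, so a propagate line that targets one of them is reported as unknown; feed the checker every .mdl file that defines the classes you reference.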

July 25th, 2018 18:00

Hi Hubery, Still Waiting for detailed solution

August 6th, 2018 17:00

Thanks for great example,

interface CheckPoint_Session_Setting : ICF_Setting {

        refine stored DisplayName

                = "Check Point Threshold Setting";

#pragma Uses Propagation

        attribute int [0 .. 100000] ActiveSessionsThreshold

                        "Check Point Connection Monitoring threshold."

                =100;

}

refine interface CheckPoint

{

propagate attribute unsigned max ActiveSessions

         "Number of active sessions on the device."

         = fw_session,InstrumentedBy,ActiveSessions;

propagate attribute unsigned max ActiveSessionsThreshold

          "Session table utilization percentage threshold (%)."

           = CheckPoint_Session_Setting, InstrumentedBy, ActiveSessionsThreshold;

event HighSessionCounts_CheckPoint

"Indicates when reached to Max Sessions"

=    ActiveSessions > ActiveSessionsThreshold;

export HighSessionCounts_CheckPoint;

}

I was trying to access the threshold variable "ActiveSessionsThreshold" in class "CheckPoint" but do not know why it is not getting populated, while I was getting a value for "ActiveSessions".

Can you please help to debug? Or do I need to add something in ASL as well?
