Guest

Cisco IOS Firewall

Monitoring Cisco IOS FW Inspection Activity with Multi-Router Traffic Grapher

  • Viewing Options

  • PDF (97.5 KB)
  • Feedback

Introduction

Cisco ® introduced support for the new Cisco Unified Firewall MIB in Cisco IOS ® Software Release 12.4(6)T. The Cisco Unified Firewall MIB provides a Simple Network Management Protocol (SNMP) interface to monitor various firewall counters by network-management utilities such as Ipswitch's What's Up Gold, Solarwinds Orion, and the popular network monitoring tool, Multi-Router Traffic Grapher (MRTG).

About MRTG

MRTG is a free performance management application for Unix/Linux and Microsoft Windows. It monitors SNMP statistics from any SNMP-capable device on your network and:

• Captures, stores, and graphically presents SNMP data on a Web interface. By default, a Webpage with four graphs per MIB object identifier (OID) is created by MRTG. The graphs show the variation of MIB data over time.

• Runs automatically on a user-defined schedule in *nix cron or Windows Scheduler. Periodically, MRTG queries a user-configured list of SNMP objects on one or more network devices. After each data collection cycle, the MRTG software posts updated graphs to a Webpage.

• Efficiently compresses and archives data samples to create graphs.

• Enables you to determine if trending data is useful for monitoring your environment before you invest in network performance software. If trending data is beneficial for your network management, you may need to purchase a commercial network monitoring package, such as HP OpenView or Computer Associates Concord eHealth. However, you may find that MRTG is all you need.

Figure 1.

Preparing for Firewall Monitoring

This document does not provide configuration steps for setting up MRTG or a Web server on your network. This documentation is available from the MRTG site at http://oss.oetiker.ch/mrtg/. Configuration assistance is available on the MRTG support alias http://oss.oetiker.ch/mrtg/support/index.en.html.
Once you have a working MRTG configuration, you must select the firewall OIDs that you wish to monitor. Typically, the most relevant firewall activity indicators are the one- or five-minute session setup rates, and active connection volume. Several other firewall activity objects are available, as well as object monitoring other router performance indicators.

• For descriptions of supported MIBs and how to use MIBs, visit the Cisco MIB Website: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

• To obtain lists of MIBs supported by platform and Cisco IOS Software release and to download MIB modules, also visit the Cisco MIB Website: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

• Cisco IOS Firewall does not support all the objects available in the Cisco Unified Firewall MIB. You may wish to use a utility such as iReasoning MIB Browser with the Cisco Unified Firewall MIB loaded to browse the values your Cisco IOS Firewall router returns, and select the specific OIDs that will be most useful for your network monitoring requirements.

• Cisco IOS Firewall introduced a new hierarchy of "show" commands, offering visibility into the same values that the Cisco Unified Firewall MIB queries. These commands are available under the show ip inspect mib command. Examples of useful commands for viewing firewall activity from the router command-line interface include the following:

Shows global firewall MIB counter objects:

show ip inspect mib connection-statistics global:

Shows Layer 4 (TCP, UDP, ICMP) and Layer 7 (PAM-service specific) firewall MIB counter objects:

show ip inspect mib connection-statistics [ L4-Protocol [ TCP | UDP | ICMP | all ]] | [L7-Protocol [ PAM-service-name ]]

Shows Layer 4 (TCP, UDP, ICMP) and Layer 7 (PAM-service specific) firewall MIB counter objects specific to firewall policies and the interfaces they are applied to:

show ip inspect mib connection-statistics policy [policy-name] interface [interface-name] [ L4-Protocol [ TCP | UDP | ICMP | all ]] | [L7-Protocol [ PAM-service-name ]]
Caution: Polling OIDs that retrieve large amounts of data can cause CPU problems on a Cisco IOS device. For example, do not get the ARP table, walk large portions of a MIB tree, poll the wrong OID too frequently, or get statistics that have an entry for every interface. For example, a Cisco 7200 may have 10 interfaces, whereas a Cisco AS5800 may have 3000 interfaces
Table 1 lists supported connection statistics-global, protocol-specific 1, or firewall-policy-specific 2-that are available via SNMP. Most of the protocol-specific and policy-specific statistics will require additional values in the OID to specify the particular value instantiation. Specific OIDs are generally best determined by an MIB walk or by browsing the contents of the MIB.

Table 1. Connection Statistics

Statistic Type

OID

Connection Type

Description

Global

.1.3.6.1.4.1.9.9.491.1.1.1.1

Attempted

Number of connection attempts sent to the firewall system

Protocol-specific

.1.3.6.1.4.1.9.9.491.1.1.4.1.1.2

Firewall-policy-specific

.1.3.6.1.4.1.9.9.491. 1.1.4.3.1.5

Global

.1.3.6.1.4.1.9.9.491.1.1.1.2

Setups Aborted

Number of session setups that aborted during session setup.

Protocol-specific

.1.3.6.1.4.1.9.9.491.1.1.4.1.1.3

Firewall-policy-specific

.1.3.6.1.4.1.9.9.491. 1.1.4.3.1.6

Global

.1.3.6.1.4.1.9.9.491.1.1.1.3

Policy Declined

Number of connection attempts that were declined due to application of a firewall security policy

Protocol-specific

.1.3.6.1.4.1.9.9.491.1.1.4.1.1.4

Firewall-policy-specific

.1.3.6.1.4.1.9.9.491. 1.1.4.3.1.7

Global

.1.3.6.1.4.1.9.9.491.1.1.1.4

Resource Declined

Number of connection attempts that were declined due to firewall resource constraints

Protocol-specific

.1.3.6.1.4.1.9.9.491.1.1.4.1.1.5

Firewall-policy-specific

.1.3.6.1.4.1.9.9.491. 1.1.4.3.1.8

Global

.1.3.6.1.4.1.9.9.491.1.1.1.5

Half-Open

Number of connections that are currently in the process of being established (half-open)

Protocol-specific

.1.3.6.1.4.1.9.9.491.1.1.4.1.1.6

Firewall-policy-specific

.1.3.6.1.4.1.9.9.491. 1.1.4.3.1.9

Global

.1.3.6.1.4.1.9.9.491.1.1.1.6

Active

Number of connections that are currently active

Protocol-specific

.1.3.6.1.4.1.9.9.491.1.1.4.1.1.7

Firewall-policy-specific

.1.3.6.1.4.1.9.9.491. 1.1.4.3.1.10

Global

.1.3.6.1.4.1.9.9.491.1.1.1.7

Expired

Number of connections that were active but have since been terminated normally

Global

.1.3.6.1.4.1.9.9.491.1.1.1.8

Aborted

Number of connections that were abnormally terminated after successful establishment

Protocol-specific

.1.3.6.1.4.1.9.9.491.1.1.4.1.1.8

Firewall-policy-specific

.1.3.6.1.4.1.9.9.491. 1.1.4.3.1.11

Global

.1.3.6.1.4.1.9.9.491.1.1.1.9

Embryonic

Number of embryonic-application-layer connections

Global

.1.3.6.1.4.1.9.9.491.1.1.1.10

One-Minute Connection Rate

Number of connection attempts that were established per second, averaged over the last 60 seconds

Protocol-specific

.1.3.6.1.4.1.9.9.491.1.1.4.1.1.9

Global

.1.3.6.1.4.1.9.9.491.1.1.1.11

Five-Minute Connection Rate

Number of connection attempts that were established per second, averaged over the last 300 seconds

Protocol-specific

.1.3.6.1.4.1.9.9.491.1.1.4.1.1.

Configuring the Router for SNMP Monitoring

You will need to enable the SNMP server in your Cisco IOS router. The SNMP server offers two user communities: the read-only community and the read-write community. You may use either to monitor the Cisco IOS Firewall, but the Cisco Unified Firewall MIB does not presently offer the capability to modify the firewall's configuration, so the read-only community will offer ample functionality to monitor the firewall's activity. You should define a reasonably secure SNMP community-string name, and you may also define a standard access control list (ACL) to limit SNMP queries to a specific group of hosts:
snmp-server community [community-string-name] RO [optional standard ACL]

Configuring MRTG for Firewall Queries and Graphing

Assuming you have a working MRTG setup, you can manually modify the MRTG configuration file, or you can have MRTG automatically discover MIB values by loading the MIB into MRTG and using MRTG's cfgmaker utility to "walk" the MIB and discover usable OIDs. This document describes the manual addition for the MRTG configuration to monitor a few attributes.
The default MRTG installation displays activity for two OIDs on each graph, so you must provide two OIDs for every graph object in the configuration file. The following text tracks global active session count and global five-minute rate on router `10.1.1.1', with a read-only SNMP community named `cisco':
Target[10.1.1.1_fw-act]:1.3.6.1.4.1.9.9.491.1.1.1.6.0&1.3.6.1.4.1.9.9.491.1.1.1.11.0:cisco@10.1.1.1:
MaxBytes[10.1.1.1_fw-act]: 1000
Ylegend[10.1.1.1_fw-act]: # Sessions
LegendI[10.1.1.1_fw-act]:Active Firewall Sessions
LegendO[10.1.1.1_fw-act]:Five-Minute Session Rate
Title[10.1.1.1_fw-act]: Firewall Activity
PageTop[10.1.1.1_fw-act]: <h1>Firewall Activity</h1>
Options[10.1.1.1_fw-act]: gauge
Busier networks may wish to monitor the global one-minute rate for firewall activity trends.
Additional configuration sections may be included to monitor additional firewall activity for policy- or protocol-specific trends. MRTG has added more capabilities for increasing MIB query rates and adding multiple OIDs per graph, to offer greater flexibility in graphing displays. References for these additional capabilities are available on the MRTG Webpage.

Interpreting MRTG Firewall Graph Output

Different types of network traffic display widely varying behavioral patterns. For instance, connections to servers providing DNS, POP, and SMTP mail, along with some HTTP and HTTPS, typically employ short-lived connections to exchange dialogue. Microsoft Networking, peer-to-peer traffic, instant messaging, and other Web services such as Webmail, e-commerce services, and Web/SSL VPN employ longer-lived connections, with a possibility of leaving established connections for long periods of time during transactions or content transfers. Thus, an understanding of your network's typical behavior will provide a useful basis for interpreting your network's activity through the Unified Firewall MIB. As with most security activity monitoring, an understanding of the typical activity of your network will allow you to recognize departures from your network's baseline behavior. Behaviors you should watch for include:

• Dramatic increases in connection rates or numbers of established connections

• Broad disparity between number of attempted versus established connections

• A dramatic reduction in established connections (this may be indicative of the failure of a commonly used service)

Appendix