#! /usr/bin/perl -w # # check_netscreen_vpn - nagios plugin # # Description: plugin to query a netscreen firewall and report # state of a VPN # ## # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # # # Report bugs to: s.barbereau@securalis.com, nagiosplug-help@lists.sf.net # # This plugin is based on existing work from warious users. # No liability use POSIX; use strict; # Update the following value to reflect your install use lib "/usr/lib/nagios/script_securalis" ; use lib "/usr/local/nagios/libexec" ; use utils qw($TIMEOUT %ERRORS &print_revision &support); use Net::SNMP; use Getopt::Long; &Getopt::Long::config('bundling'); my $PROGNAME = "check_netscreen_vpn"; my $status; my $version='1.0'; my $state = "UNKNOWN"; my $answer = ""; my $snmpkey = undef; my $community = "public"; my $port = 161; my $hostname=undef; my $session; my $error=undef; my $response=undef; my $snmp_version = 1 ; my $opt_h ; my $opt_list; my $opt_w = 40 ; my $opt_c = 60; my $opt_V ; my $opt_tunnelname = undef; my $opt_checktunnelstate = undef; my $opt_checkP1state = undef; my $opt_checkP2state = undef; my $session_used=0; my @snmpoids; my $snmpnsVpnMonP2State = '.1.3.6.1.4.1.3224.4.1.1.1.23'; my $snmpnsVpnMonP1State = '.1.3.6.1.4.1.3224.4.1.1.1.21'; my $snmpnsVpnMonTunnelState = '.1.3.6.1.4.1.3224.4.1.1.1.20'; my $snmpnsVpnMonMonState = '.1.3.6.1.4.1.3224.4.1.1.1.19'; my $snmpnsVpnMonVpnName = '.1.3.6.1.4.1.3224.4.1.1.1.4'; # Just in case of problems, let's not hang Nagios $SIG{'ALRM'} = sub { print ("ERROR: No snmp response from $hostname (alarm)\n"); exit $ERRORS{"UNKNOWN"}; }; alarm($TIMEOUT); $status = GetOptions( "V" => \$opt_V, "version" => \$opt_V, "n=s" => \$opt_tunnelname, "tunnelname=s" => \$opt_tunnelname, "t" => \$opt_checktunnelstate, "tunnelstate" => \$opt_checktunnelstate, "1" => \$opt_checkP1state, "phase1state" => \$opt_checkP1state, "2" => \$opt_checkP2state, "phase2state" => \$opt_checkP2state, "h" => \$opt_h, "help" => \$opt_h, "l" => \$opt_list, "list" => \$opt_list, "v=i" => \$snmp_version, "snmp_version=i" => \$snmp_version, "C=s" =>\$community, "community=s" => \$community, "p=i" =>\$port, "port=i",\$port, "H=s" => \$hostname, "hostname=s" => \$hostname); if ($status == 0) { print_help(); exit $ERRORS{'OK'}; } if ($opt_V) { print_revision($PROGNAME,$version); exit $ERRORS{'OK'}; } if ($opt_h) { print_help(); exit $ERRORS{'OK'}; } if (! utils::is_hostname($hostname)){ usage(); exit $ERRORS{"UNKNOWN"}; } if ( $snmp_version =~ /[12]/ ) { ($session, $error) = Net::SNMP->session( -hostname => $hostname, -community => $community, -port => $port, -version => $snmp_version ); if (!defined($session)) { $state='UNKNOWN'; $answer=$error; print ("$state: $answer"); exit $ERRORS{$state}; } }elsif ( $snmp_version =~ /3/ ) { $state='UNKNOWN'; print ("$state: No support for SNMP v3 yet"); exit $ERRORS{$state}; }else{ $state='UNKNOWN'; print ("$state: No support for SNMP v$snmp_version yet"); exit $ERRORS{$state}; } if (! $opt_tunnelname) { $session->close; print ("-t tunnelname : tunnel name muse be specified"); usage(); exit $ERRORS{$state}; } else { # retrieve snmpkey from tunnel name # get NSVPN interface table from nsvpnmon my $response=$session->get_table( Baseoid => $snmpnsVpnMonVpnName ); if(!defined($response)) { printf("ERROR: Interface table: %s",$session->error); $session->close; exit $ERRORS{$state}; } foreach my $key ( keys %$response) { if($opt_list) { print "Found interface: ".$$response{$key}."\n"; } if($$response{$key} eq $opt_tunnelname) { my @oid_list = split(/\./,$key); $snmpkey = pop(@oid_list); } } if(!defined($snmpkey)) { printf("ERROR: Tunnel name not found."); $state='UNKNOWN'; $session->close; exit $ERRORS{$state}; } $snmpnsVpnMonTunnelState .= ".".$snmpkey; $snmpnsVpnMonMonState .= ".".$snmpkey; $snmpnsVpnMonP1State .= ".".$snmpkey; $snmpnsVpnMonP2State .= ".".$snmpkey; @snmpoids=($snmpnsVpnMonTunnelState,$snmpnsVpnMonMonState,$snmpnsVpnMonP1State,$snmpnsVpnMonP2State); } if (!defined($response = $session->get_request(@snmpoids))) { $answer=$session->error; $session->close; $state = 'CRITICAL'; print ("$state: $answer"); exit $ERRORS{$state}; } $session->close; if(defined($opt_checktunnelstate) && defined($opt_checktunnelstate)) { if(! $$response{$snmpnsVpnMonMonState}) { $state = 'WARNING'; $answer .= "Monitor disabled "; } else { if($$response{$snmpnsVpnMonTunnelState}) { $state = 'OK'; $answer .= "Tunnel UP "; } else { $state = 'CRITICAL'; $answer .= "Tunnel DOWN "; } } } if(defined($opt_checkP1state)) { if($$response{$snmpnsVpnMonP1State}) { $state = 'OK'; $answer .= "(P1 OK) "; } else { $state = 'CRITICAL'; $answer .= "(P1 Problem) "; } } if(defined($opt_checkP2state)) { if($$response{$snmpnsVpnMonP2State}) { $state = 'OK'; $answer .= "(P2 OK)"; } else { $state = 'CRITICAL'; $answer .= "(P2 Problem)"; } } print ("$state: $answer"); exit $ERRORS{$state}; sub usage { printf "\nMissing arguments!\n"; printf "\n"; printf "usage: \n"; printf "$PROGNAME -H [-C ] [-p port] [-l] [-n tunnelname] [-t] [-1] [-2] \n"; printf "For help, try: $PROGNAME -h \n"; printf "Copyright (C) 2003 Sebastien Barbereau\n"; printf "$PROGNAME comes with ABSOLUTELY NO WARRANTY\n"; printf "This programm is licensed under the terms of the "; printf "GNU General Public License\n(check source code for details)\n"; printf "\n\n"; exit $ERRORS{"UNKNOWN"}; } sub print_help { printf "$PROGNAME plugin for Nagios monitors the state of \n"; printf "VPN tunnels for a Netscreen/Juniper firewall\n"; printf "\nUsage:\n"; printf " -H (--hostname) Hostname to query - (required)\n"; printf " -C (--community) SNMP read community (defaults to public,\n"; printf " used with SNMP v1 and v2c\n"; printf " -v (--snmp_version) 1 for SNMP v1 (default)\n"; printf " 2 for SNMP v2c\n"; printf " SNMP v2c will use get_bulk for less overhead\n"; printf " if monitoring with -d\n"; printf " -p (--port) SNMP port (default 161)\n"; printf " -n (--tunnemname) Tunnel name to monitor - (required)\n"; printf " -l (--list) List possible tunnel names\n"; printf " -t (--tunnelstate) Tunnel state for specified tunnel name\n"; printf " -1 (--phase1state) Phase 1 state for specified tunnel name\n"; printf " -2 (--phase2state) Phase 2 state for specified tunnel name\n"; printf " -V (--version) Plugin version\n"; printf " -h (--help) usage help \n\n"; print_revision($PROGNAME, $version); }