[nv-l] Cisco PIX / Firewall switch module in Netview

2004-09-20 17:31:09
From: Francois Le Hir <flehir AT ca.ibm DOT com>
To: nv-l AT lists.us.ibm DOT com
Date: Mon, 20 Sep 2004 17:21:43 -0400


I am wondering what the best practice is for managing Cisco firewalls with
stateful and/or failover interfaces.

These firewalls work in pairs with a primary and a secondary. When there is
a failover, all the interfaces of the primary end up in the secondary and
all the interfaces of the secondary end up in the primary, except that the
stateful/failover interfaces stay in the original device.
The way this is seen by NetView is that the stateful/failover interface
looks like it is the one changing side, as the selection names of the devices
do not change in NetView.

To add to the difficulty, these stateful/failover interfaces are not
reachable directly. Only the inside interface can be pinged by NetView, and
we configure netmon.seed to monitor the whole device with SNMP so that we
get the status of all the interfaces. Also, the two devices in the pair
share the same configuration. That means that they have the same hostname,
and there seems to be no other way to configure it.

I tried configuring NetView with these interfaces as HSRP in netmon.seed
(%), but because the hostname of the two devices is the same I know it can
not work correctly. The way it eventually ends up is with both
stateful/failover interfaces in both devices (like a duplicate IP).

Any idea on how to handle this?

More specifically:
- do you configure these interfaces as HSRP in netmon.seed?
- do you have the "S" flag configured in oid_to_type for the OIDs
(1.3.6.1.4.1.9.1.392, 1.3.6.1.4.1.9.1.522, ...)?

Thanks,
Salutations, / Regards,

Francois Le Hir
Network Projects & Consulting Services
IBM Global Services
Phone: (514) 964 2145