Dear Checkmates,
If a customer have asked to you how to monitor the concurrent VPN sessions per user with a specific SNMP tool you will have to follow the following procedure:
1. Login to the Gateway via SSH
2. From clish run the command "show configuration snmp" to check which is your community
The Output should be something like this:
CPSG> show configuration snmp
set snmp mode default
set snmp agent on
set snmp agent-version any
set snmp community labtest read-only
add snmp interface eth2.4
add snmp interface lo
Note: The community in this case is "labtest"
3. Go again to expert mode and create a directory:
CPSG# mkdir /var/log/snmpmon_script
4. Navigate to the directory you created in the previous step
CPSG# cd /var/log/snmpmon_script
5. Create a script in which you will put the following command:
CPSG# vi vpnconcurrentmon.sh
fw tab -t userc_users -s | awk '{print $4}' | grep -v -e "#VALS"
Notes: If you want to insert press "i" then paste the command and to save the changes and exit type
5.1. ":"
5.2. "wq!"
5.3. "Enter"
6. Then we have to make sure that the script that we have created works "sh vpnconcurrentmon.sh"
-It should give you the number of concurrent VPN users
7. Then you have to use snmpwalk to make sure your firewall is not using the OID you are about to configure:
CPSG# snmpwalk -v 2c -c labtest localhost .1.2.3.4.5.6.7.8.15
Note: The OID that we want to use in this case is: .1.2.3.4.5.6.7.8.15
8. Then we will create a copy of the original file, to have a copy and modify the original:
CPSG# cd /etc/snmp
CPSG# cp userDefinedSettings.conf userDefinedSettings.conf_original
9. Then to modify the original file we have to make a new "vi" to the file named: "userDefinedSettings.conf"
CPSG# vi userDefinedSettings.conf
9.1 In the editor add the line at the end of the comments "#":
extend .1.2.3.4.5.6.7.8.15 process_monitor /bin/sh /var/log/snmpmon_script/vpnconcurrentmon.sh
10. In clish mode restart snmp services:
CAT-EP> set snmp agent off
CAT-EP> set snmp agent on
CAT-EP> save config
CAT-EP> exit
11. In expert mode validate your OID:
CPSG# snmpwalk -v2c -c labtest localhost .1.2.3.4.5.6.7.8.15
iso.2.3.4.5.6.7.8.15.1.0 = INTEGER: 1
iso.2.3.4.5.6.7.8.15.2.1.2.15.112.114.111.99.101.115.115.95.109.111.110.105.116.111.114 = STRING: "/bin/sh"
iso.2.3.4.5.6.7.8.15.2.1.3.15.112.114.111.99.101.115.115.95.109.111.110.105.116.111.114 = STRING: "/var/log/snmpmon_script/concurrentvpn.sh"
iso.2.3.4.5.6.7.8.15.2.1.4.15.112.114.111.99.101.115.115.95.109.111.110.105.116.111.114 = ""
iso.2.3.4.5.6.7.8.15.2.1.5.15.112.114.111.99.101.115.115.95.109.111.110.105.116.111.114 = INTEGER: 5
iso.2.3.4.5.6.7.8.15.2.1.6.15.112.114.111.99.101.115.115.95.109.111.110.105.116.111.114 = INTEGER: 1
iso.2.3.4.5.6.7.8.15.2.1.7.15.112.114.111.99.101.115.115.95.109.111.110.105.116.111.114 = INTEGER: 1
iso.2.3.4.5.6.7.8.15.2.1.20.15.112.114.111.99.101.115.115.95.109.111.110.105.116.111.114 = INTEGER: 4
iso.2.3.4.5.6.7.8.15.2.1.21.15.112.114.111.99.101.115.115.95.109.111.110.105.116.111.114 = INTEGER: 1
iso.2.3.4.5.6.7.8.15.3.1.1.15.112.114.111.99.101.115.115.95.109.111.110.105.116.111.114 = STRING: "2"
iso.2.3.4.5.6.7.8.15.3.1.2.15.112.114.111.99.101.115.115.95.109.111.110.105.116.111.114 = STRING: "2"
iso.2.3.4.5.6.7.8.15.3.1.3.15.112.114.111.99.101.115.115.95.109.111.110.105.116.111.114 = INTEGER: 1
iso.2.3.4.5.6.7.8.15.3.1.4.15.112.114.111.99.101.115.115.95.109.111.110.105.116.111.114 = INTEGER: 0
iso.2.3.4.5.6.7.8.15.4.1.2.15.112.114.111.99.101.115.115.95.109.111.110.105.116.111.114.1 = STRING: "2"
CPSG#
CPSG# fw tab -t userc_users -s | awk '{print $4}' | grep -v -e "#VALS"
2
11.1 Then use again the snmpwalk command to navigate to the correct OID:
CPSG# snmpwalk -v2c -c labtest localhost .1.2.3.4.5.6.7.8.15.4.1.2.15.112.114.111.99.101.115.115.95.109.111.110.105.116.111.114.1