Hello everyone,
We're about to start using Identity Awareness with Identity Collectors (redundant and everything else), and one problem we were noticing is that we did not see any way to monitor the Identity Collector.
Like the connection to AD servers, or connection to ISE servers or even GW's.
Are you aware of any ways to achieve this? Or are there any MIB's for GW's through which we can get IA status and eventual errors?
Thank you,
PS: there is another topic IA Monitoring that we will try in a similar way, but still
The identity collector itself? I don't think so.
That said if you're not seeing identities flow on the gateway, that would be a sign of an issue.
This SK suggests a possible MIB to query: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Morning,
Currently we don't have any issues with the identity flow to the GW, but we are looking into a way to monitor this.
We are testing for now the SNMP monitoring of IA/IC through the GW, and that provides us with details on the sources connected to the IC (DC or pxGrid/ISE). So we should be able to alert and take action in case something shows up.
Thank you,
(As example from similar SNMP implementation)
There doesn't seem to be an obvious way to monitor this directly.
That said, you should see an active TCP connection on the gateway from the Identity Collector.
Maybe we need additional instrumentation here?
@Royi_Priov
Hi @Sorin_Gogean ,
There are monitoring capabilities to IDC.
Please check sk108235, under "Monitoring capability" section - as @PhoneBoy wrote above.
The SNMP OIDs are mentioned in $FWDIR/conf/identity_server.cps
I suggest first to see the feature is working as needed with "pdp idc status" command.
As for a direct monitoring mechanism, there isn't one. However, since IDC is worth nothing without the PDP gateway getting the info from IDC, I personally don't think we need to add something to IDC itself.
Morning everyone,
Like Royi said, we are monitoring via SNMP from the PDP (our GW) that shows the source details received from IDC (sorry for the confusion).
We're getting all the information from the table OID .1.3.6.1.4.1.2620.1.38.53.... with all its members ("Identity Collector Sources").
That covers our current needs.
Thank you and have a nice week,
Hi,
I'm also looking into this OID for monitoring, but I would like to monitor the total number of events sent from the IDC to the firewall. It seems like under the snmp branch .1.3.6.1.4.1.2620.1.38 you can only monitor the connection between the IDC and the ADs (in our case), not the number of events being sent over from the IDC to the firewall itself, much like what you see on the "events in last hour" column ("Gateways" tab), on the IDC GUI.
Does anyone have any idea on how to monitor these? Thanks!
I found a way to do this without SNMP, by using the gaia_api run-script. You can run any expert command there, and that includes pdp conn idc. Then I just need to handle it on the client side.
This below works for us, you can play with different branches of OID to suit your needs but I used .6 for 'Status' column of idc table, as shown in $FWDIR/conf/identity_server.cps:
- Add new custom poller 1.3.6.1.4.1.2620.1.38.53.1.6 (SNMP type GET TABLE) - to pull all IDC lines in one go
- Assign poller to gateways communicating with IDCs
- Alert trigger if row label = Status AND value != Connected
Some SNMP walk on the OID tree can help you to shape what you are looking to achieve, you can go one level up to get the table or just look at events received if you like (use .5 instead of .6 works, just tested).
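The alert rule from the post above, sketched as a check script; this is an added example, not part of the original thread and not Check Point tooling. The `snmpwalk -On` output format, the row indexes and the "Disconnected" value are constructed sample data; only the OID and the "Connected" value come from the thread.

```python
import re

# Status column of the Identity Collector table, as given in the thread.
STATUS_OID = ".1.3.6.1.4.1.2620.1.38.53.1.6"

# Constructed sample of `snmpwalk -On` output; indexes and values are illustrative.
SAMPLE_WALK = '''\
.1.3.6.1.4.1.2620.1.38.53.1.6.1.0 = STRING: "Connected"
.1.3.6.1.4.1.2620.1.38.53.1.6.2.0 = STRING: "Connected"
.1.3.6.1.4.1.2620.1.38.53.1.6.3.0 = STRING: "Disconnected"
'''

LINE_RE = re.compile(
    r'^\.?(?P<oid>[0-9.]+)\s*=\s*(?:(?P<type>[\w-]+):\s*)?(?P<value>.*)$')

def parse_status_rows(walk_text, column_oid=STATUS_OID):
    """Return {row_index: status} for every walk line under column_oid."""
    prefix = column_oid.lstrip(".") + "."
    rows = {}
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid = m.group("oid")
        # Lines for the bare column OID ("No Such Object ...") carry no row index.
        if not oid.startswith(prefix):
            continue
        rows[oid[len(prefix):]] = m.group("value").strip().strip('"')
    return rows

def evaluate(walk_text):
    """Return (exit_code, message) with Nagios-style codes: 0 OK, 2 CRITICAL, 3 UNKNOWN."""
    rows = parse_status_rows(walk_text)
    if not rows:
        # An empty walk must not be reported as healthy.
        return 3, "UNKNOWN: no rows under " + STATUS_OID
    bad = {idx: st for idx, st in rows.items() if st != "Connected"}
    if bad:
        detail = ", ".join(f"row {i}={s}" for i, s in sorted(bad.items()))
        return 2, "CRITICAL: " + detail
    return 0, f"OK: {len(rows)} source(s) Connected"

if __name__ == "__main__":
    code, msg = evaluate(SAMPLE_WALK)
    print(msg)
    raise SystemExit(code)
```

Treating an empty table as UNKNOWN rather than OK keeps a gateway that returns nothing for this branch from silently passing the check.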
Hi Sorin, I do not have any return on a snmpwalk to .1.3.6.1.4.1.2620.1.38.53, how come?
hey @hemh ,
maybe the planets didn't align, I don't know 😁,
(without knowing what you did and your environment, we can't answer)
now on a serious note, were you following the SK108235?
did you enable the Registry keys on the server that is hosting the IC?
are you seeing in the GW's the DC and/or ISE servers when you try the below commands?
- Via cpstat CLI: cpstat identityServer -f idc
- Via pdp CLI: pdp idc status (available since R80.30)
do an snmpwalk on the GW starting from .1.3.6.1.4.1.2620.1.38 - you will see all the OID's under that root....
more details https://oidref.com/1.3.6.1.4.1.2620.1.38
Thank you,