Please consider donating: https://www.corelan.be/index.php/donate/


4,361 views

Monitoring Juniper/Netscreen firewalls with Ops Mgr 2007 (using snmp and syslog)

As far as I know, there are no free Management Packs available for monitoring Juniper/Netscreen firewalls with Operations Manager 2007. Catching snmp traps and syslog events seems to be the only "easy"/free way to monitor what is going on on your Juniper devices.

The following steps will need to be taken :

  • Prepare the OS running Ops Mgr to perform snmp discoveries and accept snmp traps
  • Set up the Juniper device to send snmp traps and syslog events to Ops Mgr
  • Discover the Juniper devices in Ops Mgr
  • Determine what you want to look for and alert on
  • Create rule to catch all syslog events
  • Create specific rules based on what you want to look for

 

Prepare the (OpsMgr) Windows OS for snmp discovery and traps

Open "Control Panel" – "Add or Remove Programs", choose "Add/Remove Windows Components", go to "Management and monitoring tools" and enable SNMP and WMI provider for SNMP

021008_1020_MonitoringJ1

After installing SNMP, open "Services.msc" and locate the SNMP service. Make sure the service is set to start automatically.
Next, Right-click SNMP Service and choose properties. Go to the security page and add all of your accepted community names. Make sure you set the Rights to "READ CREATE" for each community name. Finally, verify that SNMP will accept packets from any host
021008_1020_MonitoringJ2
Save these settings, and then restart the snmp service. Since snmp is listening on udp port 161, you should see a corresponding entry to this port in the output of a netstat –na :

021008_1020_MonitoringJ3

 

Set up Juniper to forward snmp traps and syslog events

You can set this up using the web console or the command line. These are the command line entries :

First, enable snmp on one of the interfaces (so you can discover the device using snmp). I’ll assume that ethernet0/0 is the LAN interface and that is was enabled for management.

set interface ethernet0/0 manage snmp

Set up communities. Assuming that you will send snmp v2c traps with community "public" to OpsMgr running at 192.168.0.1

set snmp community "public" Read-Only Trap-on traffic version v2c
set snmp host "public" 192.168.0.1 255.255.255.255 src-interface ethernet0/0 trap v2
set snmp location "Location of the firewall"
set snmp contact "Who to contact"
set snmp name "firewall01"
set snmp port listen 161
set snmp port trap 162

Notes :
1. if you have created a virtual IP address for management, then that is the IP address that will be used for snmp and syslog.
2. You can use the name of the firewall for dynamic firewall discovery. A good naming convention (which could be as easy as firewall01, firewall02, etc) will be very helpful later on in this document.

Now set up syslog on the Juniper. If 192.168.0.1 is the IP address of your server running OpsMgr and if you want to forward all local1 facilities to that host, then you should use the following commands :

set syslog config "192.168.0.1"
set syslog config "192.168.0.1" facilities local1 local1
set syslog src-interface ethernet0/0
set syslog enable

Discover the devices in OpsMgr

We are ready to discover the devices in OpsMgr. We’ll have to use snmp for this, as we cannot push out an agent to the firewall (which would be a bad idea anyway)

Open the Operations Manager console and go to Administration. Somewhere under Device Management, right click and choose "Discovery Wizard"

Choose Advanced discovery and set the type to "Network Devices"

021008_1020_MonitoringJ4

Enter the IP address or address range that needs to be snmp queried in order to find your firewall. Set the community string to the same string that was configured in the SNMP Service properties and SNMP parameters on the Juniper. Version : v2

021008_1020_MonitoringJ5

Start the discovery and wait for the process to complete. You can discover up to 1000 hosts per run.

If the hosts were discovered, you should see their IP address in the list of Network Devices

021008_1020_MonitoringJ6

Go to the Authoring pane in OpsMgr, right click and choose "Create a new Group". Choose a name for the group and save the group in your custom management pack.

021008_1020_MonitoringJ7

Leave the explicit members empty (unless you don’t want this group to get populated automatically), and under Dynamic Inclusion Rules, click the "Create/Edit rules" button. This is where our naming convention will come handy. Suppose your naming convention says "firewall1", "firewall2" and so on, then you will be able to use the ‘firewall’ part of the string as selection criteria to populate the group.

Select SNMP Network Device and click the Add button

021008_1020_MonitoringJ8

Select "Device Name" as property

021008_1020_MonitoringJ9

Operator : contains, Value firewall

021008_1020_MonitoringJ10

Save/Close the rule

Leave "subgroups" empty

Leave "excluded members" empty

Save the new group.

Find the newly created group in the list of groups, right click and choose ‘View group members’

021008_1020_MonitoringJ11

You should see your firewall(s) listed in this group. Note : it might take a couple of minutes before the members are populated. If they don’t populate, verify the group definition and make sure group population is enabled

021008_1020_MonitoringJ12

 

Determine what you want to look for and alert on

This next step is very important, as it will dictate the number of rules and content of rules that need to be generated. Before continuing : this document will only describe how to use the syslog messages. We have only used snmp to discover the devices and to group them so we can create an override for them later on.

In this example, I want to know when a policy has been changed, when a configuration has been changed, and when someone has logged on to the firewall. So I need to create 3 rules for this. But before you can create the rules, you need to know how to identify these alerts. The best way to do so is to create a "catch all" syslog rule, alerting on every syslog packet that is presented to OpsMgr.

 

Create the catch all rule

In the authoring pane of OpsMgr, go to rules. Set the scope of the view to SNMP Network Device.

021008_1020_MonitoringJ13

Right click and choose "Create a new rule"

Create an alert generating rule, event based, for syslog events. Save the rule in your custom management pack

021008_1020_MonitoringJ14

Set a rule name and choose a category (such as notification)

Target : do NOT select the Group as a target, as the rule would look for the events coming from the group object, not the members.
We know that the Juniper firewalls are snmp devices, so choose SNMP Network Device as the target, and leave the rule disabled

021008_1020_MonitoringJ15

Event expression : we only want to look for syslog events coming from firewalls, so we’ll use that criterium to filter events. Click "insert"

Set parameter name to "Hostname", operator to "Contains" and Value to "firewall". Again, this assumes that you have created a naming convention that implies the use of the word "firewall" in the hostname/device name of the firewall.

In the alert section, make sure the rule creates an alert. Put the following lines in the alert description field :

Facility : $Data/EventData/DataItem/Facility$
Severity : $Data/EventData/DataItem/Severity$
Priority : $Data/EventData/DataItem/Priority$
PriorityName : $Data/EventData/DataItem/PriorityName$
TimeStamp : $Data/EventData/DataItem/TimeStamp$
HostName : $Data/EventData/DataItem/HostName$
Message : $Data/EventData/DataItem/Message$

Note : if you want a syslog rule that really catches all events, then first create a rule that contains one expression. Save the rule, edit the rule again, and then remove the expression again. You’ll need to do it this way because you cannot create a rule without setting an expression. So you need to remove the expression after creating and saving the rule.

 

Save the rule. The rule is still disabled, so we will create an override and target it to the group of Juniper firewalls.

Right click on the rule, choose ‘overrides – override the Rule – For a group"

021008_1020_MonitoringJ16

Select the Juniper/Netscreen Firewalls Group

Enable the Override for "Enabled" and set the override setting to "True"

021008_1020_MonitoringJ17

Save the override.

From this point forward, all syslog messages coming from your Juniper firewall will be catched by the OpsMgr. You should see an entry in netstat –na on the firewall that indicates that UDP port 514 is listening

We have determined that we want to look for 3 types of events :

  • Policy changes
  • Configuration changes
  • Users logging on

You will need to create those 3 events, basically by performing those 3 tasks on your firewall. This will ensure they are being logged within OpsMgr, so we can look at them and create a specific rule for those 3 tasks.

 

Create specific rules

If you have generated those 3 events, you can look at the body/alert description and use contents of that field to create your rules.

When creating rules, these are the fields that can be used in the parameter name field :

Facility (numeric value)
Severity (numeric value)
Priority
PriorityName
TimeStamp
HostName (string)
Message (string)

http://support.microsoft.com/kb/942863

Facilities are configured using the values in the table below : (use the numeric value from the second column in your rule expression)

Facility

Value

Kernel

0

User

1

Mail

2

Daemons

3

Auth

4

Syslog

5

LPR

6

News

7

UUCP

8

Cron

9

Auth2

10

FTP

11

NTP

12

LogAudit

13

LogAlert

14

Cron2

15

Local0

16

Local1

17

Local2

18

Local3

19

Local4

20

Local5

21

Local6

22

Local7

23

 

Severities are configured using the numeric values in the table below :

Severity

Value

Emergency

0

Alert

1

Critical

2

Error

3

Warning

4

Notice

5

Info

6

Debug

7

 

So if you want to create an expression that filters on events from Facility Local1, with severity Error, the expression should look like this :

021008_1020_MonitoringJ18

Let’s now create those 3 rules. First disable the override for the "catch all" rule/group again.

First rule : check for policy changes

Create a new rule and choose a good name. Set the Rule Target to SNMP Network Device and leave the rule disabled. Save the rule in your custom management pack.

021008_1020_MonitoringJ19

Rule expression : "Message" contains "Policy". Set the alert settings and save the rule.

021008_1020_MonitoringJ20

Now create an override for the group of Juniper firewalls, enabling the rule, and you’re all set.

Second rule : check for configuration changes. Set the rule expression to
"Message" contains "configuration" AND
"Message" does not contain "policy"

021008_1020_MonitoringJ21
Save and create the override

Third rule : check for logon events. Set the rule expression to "Message" contains "logged in".

021008_1020_MonitoringJ22

Save and create the override

Wait for the events to happen (or re-generate the events) and see if your rules kick in.

If you are getting multiple similar alerts for a single policy change, you’ll need to configure alert suppression.

021008_1020_MonitoringJ23

Edit the rule, go to alerting, and click the "Alert Suppression" button. Click advanced, and enter the following 2 lines in the box :

021008_1020_MonitoringJ24

Save the rule and see if the duplicate alert issue was solved. (You will still see 3 events for a single policy change – that’s just the way Netscreen works)

 

 

 

 

© 2008 – 2015, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.

Comments are closed.

Corelan Training

We have been teaching our win32 exploit dev classes at various security cons and private companies & organizations since 2011

Check out our schedules page here and sign up for one of our classes now!

Donate

Want to support the Corelan Team community ? Click here to go to our donations page.

Want to donate BTC to Corelan Team?



Your donation will help funding server hosting.

Corelan Team Merchandise

You can support Corelan Team by donating or purchasing items from the official Corelan Team merchandising store.

Protected by Copyscape Web Plagiarism Tool

Corelan on Slack

You can chat with us and our friends on our Slack workspace:

  • Go to our facebook page
  • Browse through the posts and find the invite to Slack
  • Use the invite to access our Slack workspace
  • Categories