Channel: Johannes Weber – Weberblog.net

MRTG/Routers2: Template Juniper SSG


Finally, this is how I monitor my Juniper ScreenOS SSG firewalls with MRTG/Routers2. Besides the interfaces (which can be built with cfgmaker), I use my template to monitor CPU and memory, the number of sessions and VPNs, the counts of different kinds of attacks, etc.

SNMP MIBs

The ScreenOS MIBs can be downloaded here. There are a great many OIDs to query on a ScreenOS device (compared to some other firewall vendors…). However, some statistics are not available, such as those for subinterfaces.

Site-to-site VPNs can be monitored with the NetscreenVpnMon MIB, while the “tunnel interfaces” themselves do not provide any counters.

Finally, in my template all hit counts of the zone screening from the untrust zone are monitored. Though a bit unclear, at least the summary graph with all attack vectors at a glance gives a hint whether the firewall is under attack or not.

MRTG/Routers2 Configuration

The first step is to build the *.cfg file with cfgmaker in order to capture all interfaces. A command such as the following can be used:

sudo cfgmaker --snmp-options=:::::2 --show-op-down --zero-speed=100000000 --global "routers.cgi*Icon: firewall3-sm.gif" --global "routers.cgi*GraphStyle[_]: mirror" --output=NAMEOFTHEFIREWALL.cfg COMMUNITY@IPADDRESS

As always, some sections of the output file can be removed, e.g., all “noHC[…]: yes” lines and all “PageTops” with HTML code. The global options at the beginning of the file can be deleted, too, except the two options that were generated with the cfgmaker command above. Furthermore, all tunnel interfaces can be deleted since the SSG does not provide any counters there. For monitoring site-to-site VPN tunnels, my template below offers some OIDs.
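The cleanup described above can be scripted. The following is an added example, not part of the original post or its template: it drops the noHC lines, the multi-line PageTop blocks and every tunnel interface from raw cfgmaker output. It assumes that cfgmaker's "### Interface" comment precedes each target and that tunnel interfaces report a description of the form tunnel.N; the function name and the sample data are constructed for illustration.

```python
import re

NOHC = re.compile(r"^noHC\[[^\]]+\]:\s*yes\s*$")
PAGETOP = re.compile(r"^PageTop\[[^\]]+\]:")
IFACE = re.compile(r"^### Interface \d+ >> Descr: '([^']*)'")

# Constructed sample in the shape of cfgmaker output (all names are placeholders).
SAMPLE_CFG = """\
routers.cgi*Icon: firewall3-sm.gif
routers.cgi*GraphStyle[_]: mirror

### Interface 1 >> Descr: 'ethernet0/0' | Name: '' | Ip: '' | Eth: '' ###
Target[fw_1]: 1:COMMUNITY@IPADDRESS:::::2
noHC[fw_1]: yes
MaxBytes[fw_1]: 12500000
PageTop[fw_1]: <h1>Traffic Analysis for 1 -- fw</h1>
    <div id="sysdetails">
    </div>

### Interface 20 >> Descr: 'tunnel.1' | Name: '' | Ip: '' | Eth: '' ###
Target[fw_20]: 20:COMMUNITY@IPADDRESS:::::2
MaxBytes[fw_20]: 12500000

### Interface 21 >> Descr: 'ethernet0/2' | Name: '' | Ip: '' | Eth: '' ###
Target[fw_21]: 21:COMMUNITY@IPADDRESS:::::2
MaxBytes[fw_21]: 12500000
"""

def clean_cfg(text, tunnel_pattern=r"^tunnel\."):
    """Return cfgmaker output without noHC lines, PageTops and tunnel interfaces."""
    tunnel = re.compile(tunnel_pattern)   # assumed naming of tunnel interfaces
    out, in_tunnel, in_pagetop = [], False, False
    for line in text.splitlines():
        m = IFACE.match(line)
        if m:                             # a new interface block starts here
            in_tunnel = bool(tunnel.search(m.group(1)))
            in_pagetop = False
        if in_tunnel:
            continue                      # skip everything up to the next interface
        if in_pagetop:
            if line[:1] in (" ", "\t"):   # MRTG continuation lines are indented
                continue
            in_pagetop = False
        if PAGETOP.match(line):
            in_pagetop = True
            continue
        if NOHC.match(line):
            continue
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(clean_cfg(SAMPLE_CFG), end="")
```

Run it on the raw cfgmaker output before appending any template lines, because everything after a tunnel interface's comment is skipped until the next "### Interface" comment.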

This is my complete cfg file for MRTG/Routers2. There are several things to change before it can be used somewhere. The first lines of the template give some hints. (Of course, all the lines with the interfaces must be deleted, since they are already created with the cfgmaker tool.)

Sample Graphs

In summary, this is what my graphs look like:

CPU, Memory, Session Count, VPN Count, Normal Interface Graph, Site-to-Site VPN Graph, Zone Screening, Zone Screening Summary
