centreon / centreon-plugins

Collection of standard plugins to discover and gather cloud-to-edge metrics and status across your whole IT infrastructure.
https://www.centreon.com
Apache License 2.0
311 stars 275 forks source link

[network::paloalto::ssh::plugin] Mode Ipsec #2178

Open gueliljko opened 4 years ago

gueliljko commented 4 years ago

Hi,

I want to know if it's possible to have a add a new feature with the mode IPSEC, infact the plugin is working but it displays only active current tunnel withnthe phase 1 and if the tunnel is not up it doesn't trig an alert.

Do you think it's possible to put a filter on the name of the tunnel and if the tunnel is not present it will trig critical alerte.

Regards

garnier-quentin commented 4 years ago

Could you provide the full output of the plugin ?

gueliljko commented 4 years ago

hi,

Please find below the output of the command:

OK: All ipsec tunnels are ok | 'tunnels.ipsec.total.count'=4;;;0; Tunnel ipsec 'IKE-PARIS' state: active [monitor status: off][ike phase1 state: up] Tunnel ipsec 'IKE-RENNES' state: active [monitor status: off][ike phase1 state: up] Tunnel ipsec 'IKE-TOULOUSE' state: active [monitor status: off][ike phase1 state: up] Tunnel ipsec 'IKE-MARSEILLE' state: active [monitor status: off][ike phase1 state: up]

But another command exist in Palo to show IKE phase1 and Phase 2 and more information like the Established and Expiration of the tunnel , this command is show vpn ike-sa gateway "name of gateway", i try to add the output but when a paste the result in the form it's trunked, so please in attachment a sample of the result. TUNNEL.txt

garnier-quentin commented 4 years ago

Could you provide following results on ssh session

set cli op-command-xml-output on
show vpn ike-sa
show vpn ipsec-sa
show vpn flow
gueliljko commented 4 years ago

Hi, Please find in attachment the result for the commands show vpn ike-sa.txt show vpn ipsec-sa.txt show vpn flow.txt

Regards

garnier-quentin commented 4 years ago

I have followed that documentation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVGCA0

From documentation, to check if phase 2 ipsec tunnel is up: show vpn ipsec-sa

If after, we check Encryption and Decryption (encap/decap) across tunnel: show vpn flow

If there is no phase 2 ipsec tunnel, you'll get 'state' = 'unknown'.

Anyway, i will add a option to filter tunnels.

garnier-quentin commented 4 years ago

Could you test it ?

gueliljko commented 4 years ago

Hi

Thanks for your return it's working. Regards

garnier-quentin commented 4 years ago

Thanks for the feedback!

mikedo01 commented 1 year ago

Hi,

for me the results are not valid. I have configured 22 VPN connections on one Palo Alto. Of this 22 VPNs are actually 9 VPNs Up and healthy. The rest is still in rollout.

So i assumed that the output will be an Alert, because only 9 out of 22 VPNs are UP. But this is the output i get: OK: All ipsec tunnels are ok | 'tunnels.ipsec.total.count'=9;;;0;

Maybe this is because the command "show vpn ike-sa" shows only VPNs with state UP. To get all VPNs you can use "show vpn flow". This shows also SAs whre "mon" is "down".

Is it possible for you to fix this?

tizianosartori commented 5 months ago

Is it possible for you to fix this?

For me is the same

show vpn flow return this response: `

dp0 6 1` but check return `OK: All ipsec tunnels are ok | 'tunnels.ipsec.total.count'=4;;;0;`
lucie-dubrunfaut commented 5 months ago

Hello :)

I've re-open this issue. Can you explain us the most most precisely your issue and if you have an idea how we can handle it? If I understand well @mikedo01 comment, a this moment we use this command: show vpn ike-sa which only show the VPN with state UP and you need to see all configured VPN which can be checked with the command show vpn flow ?

tizianosartori commented 5 months ago

Thank you @lucie-dubrunfaut, i think the correct way is that all ipsec VPNs which are listed by show vpn flow should be checked.

If show vpn ike-sa gateway GATEWAYNAME gives no output it means that the IKE negotiation has failed

If show vpn ipsec-sa tunnel TUNNELNAME as output <error>IPSec SA for tunnel TUNNELNAME not found.</error> it means the IPSEC tunnel is down

lucie-dubrunfaut commented 5 months ago

I had take a look at the current version of the mode :

First the mode checks command => 'show vpn ike-sa'and then loop on the result. If no result had been found (there is a filter in filter-name if it had been defined) then it check two new commands (and resultats) : command => 'show vpn ipsec-sa'and then command => 'show vpn flow'

In your case you wan to trigger the command => 'show vpn flow' even if command => 'show vpn ike-sa' give result am I right?

tizianosartori commented 5 months ago

The goal is to check which IPsec VPNs are down so it seems correct to me to first list them (command => 'show vpn flow'), then understand which IKE negotiations are up and which are down (command => 'show vpn ike-sa gateway GATEWAYNAME') and finally understand which IPSEC tunnels are up and which are down (command => 'show vpn ipsec-sa tunnel TUNNELNAME')

lucie-dubrunfaut commented 5 months ago

Ok I understand, thank you for the explanation :) Do you think you can provide us some data to help us troubleshooting this issue? This may help us to be in the conditions closest to yours. Something like it had been ask here previously :

set cli op-command-xml-output on
show vpn ike-sa
show vpn ipsec-sa
show vpn flow

You can anonymized what is needed to be.

tizianosartori commented 5 months ago

See the attached files show vpn flow.txt show vpn ipsec-sa.txt show vpn ike-sa.txt

tizianosartori commented 5 months ago

Just to inform you that we have changed the check method to use it on time:

/bin/sh -c '/usr/lib/centreon/plugins/centreon_paloalto_ssh.pl --mode ipsec --hostname MYIP --ssh-username=MYUSER --ssh-password=MYPWD --ssh-backend=libssh --verbose --filter-name MYTUNNELNAME --critical-ipsec-total 1:'

This match also ike-sa down