For example, when you have a firewall model with numerous interfaces, it can be slow and time consuming to execute a diag command per interface.
Take this FGT3240: we will build a script that allows us to run through all 28 ports and drop the diag commands of interest on each one.
Then I will show how you can gather the status using a unix ssh client.
1: Here's the script.
( this unit runs multi-vdom ... drop the global config lines if you're single-vdom )
#!/bin/bash
# emit the CLI lines for each of the 28 ports; the output is piped into ssh in step 2
for ((a=1; a <= 28; a++))
do
echo -e "config global"
echo -e "diagnose hardware deviceinfo nic port$a | grep _drop \n"
echo -e "diagnose hardware deviceinfo nic port$a | grep _dp_ \n"
echo -e "diagnose hardware deviceinfo nic port$a | grep err \n"
echo -e "diag hardware deviceinfo nic port$a | grep over \n"
echo -e "end\n"
done
2: Now the fun part. To execute this you could do the following:
./<scriptname.sh> | ssh <username>@firewall.address > myoutput.`date +%Z%T_%F`
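The same generator, written here as an added example rather than the post's own script, with the port count and the vdom wrapper turned into parameters so one function serves the FGT3240 above and a smaller single-vdom box. The "portN" naming and the four grep patterns come from the post; the firewall hostname and login in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not the post's script): generate the FortiGate diag commands
# for N ports from one function. Port naming and grep patterns follow the post;
# the host and user in the usage comment are constructed placeholders.

# gen_nic_diag PORTS [multi|single]
#   PORTS  - number of front-panel ports to walk (28 on the FGT3240 in the post)
#   multi  - wrap each port's commands in "config global" / "end" (multi-vdom unit)
#   single - omit the wrapper (single-vdom unit); this is the default
gen_nic_diag() {
    nports="$1"
    mode="${2:-single}"
    a=1
    while [ "$a" -le "$nports" ]; do
        if [ "$mode" = "multi" ]; then
            printf 'config global\n'
        fi
        for pat in _drop _dp_ err over; do
            printf 'diagnose hardware deviceinfo nic port%s | grep %s\n' "$a" "$pat"
        done
        if [ "$mode" = "multi" ]; then
            printf 'end\n'
        fi
        a=$((a + 1))
    done
}

# count_diag_cmds PORTS [mode]: number of diagnose lines the generator emits,
# a quick sanity check before pointing the output at a production firewall
count_diag_cmds() {
    gen_nic_diag "$@" | grep -c '^diagnose'
}

# Usage (placeholder firewall and login):
#   gen_nic_diag 28 multi | ssh admin@fw.example.net > "myoutput.$(date +%F_%T)"
```

Running the generator once without the ssh stage and eyeballing the output is worth the few seconds: a wrong port count or a missing "end" is far easier to spot on the terminal than in a 112-line CLI session on the firewall.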
3: Here's a netlink script for statistic collection plus clearing:
SOCKET01>cat looper1.sh
#!/bin/bash
# list and then clear the netlink interface counters for each of the 28 ports in vdom root
for ((a=1; a <= 28; a++))
do
echo -e "config vdom \n"
echo -e "edit root \n"
echo -e "diag netlink interface list port$a \n"
echo -e "diag netlink interface clear port$a \n"
echo -e "end \n"
done
YMMV, but you can get very creative and use this in custom "Expect" scripts or in nagios or syslog-ng for alert triggers when a condition exists,
e.g. with syslog-ng using source and destination filters:
sendmestatus.sh would be a simple bash script that runs looper1.sh and directs the output into sendmail:
./looper1.sh | ssh socfwmongrp1@192.168.192.110 | mail -s "ALERT ME `date +%F_%T`" -c kenn1.felix@socpuppets.com SOCSUPERVISION@socpuppets.com
Just ensure you have the correct syslog message for the trigger.
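Mailing the whole looper output every run gets ignored quickly; the trigger above is more useful when the mail only goes out once a drop, error or overrun counter is actually non-zero. The following is an added example, not part of the post, that makes that decision from the collected counters. The sample lines are constructed in a "port counter value" shape for this example and are not a reproduction of real "diagnose hardware deviceinfo nic" output; the mail recipient is a placeholder.

```shell
#!/bin/sh
# Added example (not from the post): decide whether the collected counters
# warrant an alert. Sample lines are constructed; the real FortiGate output
# format is not reproduced here, and the recipient address is a placeholder.

# Constructed sample in "port counter value" form, as a collector could emit
# it by printing the port name ahead of each grep result.
sample_counters() {
    printf '%s\n' \
        'port1 Rx_Packets 1048576' \
        'port1 Rx_Drop_Packets 0' \
        'port2 Rx_Drop_Packets 17' \
        'port2 Rx_CRC_Errors 0' \
        'port3 Tx_Overrun 3' \
        'port4 Rx_Errors 0'
}

# nonzero_counters: keep only stdin lines whose counter name contains drop,
# err or over (case-insensitive) and whose value is greater than zero
nonzero_counters() {
    awk 'tolower($2) ~ /drop|err|over/ && ($3 + 0) > 0'
}

# alert_count: number of such counters present on stdin
alert_count() {
    nonzero_counters | wc -l | tr -d ' '
}

# alert_if_needed SUBJECT RECIPIENT: print the offending lines and return 0
# when there is something to report, return 1 when everything is zero.
# The mail step is left as a comment so the function runs without an MTA.
alert_if_needed() {
    hits="$(nonzero_counters)"
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        # printf '%s\n' "$hits" | mail -s "$1 $(date +%F_%T)" "$2"
        return 0
    fi
    return 1
}

# Usage: sample_counters | alert_if_needed "ALERT ME" soc@example.com
```

Because the looper clears the counters right after listing them, every run reports only what accumulated since the previous run, so a non-zero value is a fresh event rather than history; that is what makes a simple "greater than zero" rule workable as a trigger.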
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \