Quist

join:2005-11-03
17449

SNMP on ZyWall5

Hello,
I'm trying to retrieve the number of sessions in the firewall through SNMP.

But when I browse the MIB tree with snmpwalk I can't find which OID I should use...

Do you know...or can you point me to the appropriate documentation?
I'm also interested in other SNMP OIDs like traffic stats
since I want to graph the info in cacti, so docs would be great!

Thanks for any help...


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
The interface stats are standard IF-MIB:: ...you don't have to do anything specific in cacti, just choose the Z5 as a standard SNMP host and it will get you a list of interfaces to choose from.

DavidJWood
Premium
join:2001-10-12
UK

reply to Quist
I'm not sure that the private MIB for the ZyWALLs is published anywhere.

As Brano says, most of the SNMP stuff is standard MIB2 stuff. On the Z35, enet0 is LAN, enet1 is WAN1 (assuming Ethernet is in use), enet2 is DMZ, enet3 is WAN2 (assuming Ethernet is in use), enet4 is WCRD. aux0 is the dial backup interface. The poe interfaces are used for PPPoE WAN connections; I don't know what the pns interfaces are used for.

However, any firewall stats that are available via SNMP are going to be under the private OID .1.3.6.1.4.1.890 (enterprises.890).

I'm not seeing anything particularly like firewall stats under that OID, though I can see what may be the maximum number of NAT sessions per host, some interface and some VPN stuff. (I'm looking at a Z35 with 4.00(WZ.2) firmware).

David


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
reply to Quist
To get the full snmpwalk listing including private space execute this:
snmpwalk -v2c -c public 192.168.1.1 .1

Allistaken7

join:2005-04-14
Norway
reply to Quist
Here is the list of the private MIBs
»www.zyxel.no/security/zyxel-zywa···7-14.mib

Other than that, check the 1213 MIB.

DavidJWood
Premium
join:2001-10-12
UK


When put together with the main ZyXEL MIB from »ftp://ftp.zyxel.com/mib in the MIB folder, that MIB doesn't work. Is there a newer version of the 'main' ZyXEL MIB anywhere - the one on the web site is dated 1996 when you get to the text file and contains numerous errors.

After a bit of hackery in the main ZyXEL MIB (most notably changing PhysAddress to import from RFC1213-MIB, and adding the lines below under the Prestige OBJECT IDENTIFIER line):
Zywall       OBJECT IDENTIFIER ::= { Products 6 }

zywallCommon OBJECT IDENTIFIER ::= { Zywall 1 }

it just about works, but there are still some syntax errors in ZYXEL-MIB and not all looks well with ZYXEL-ZYWALL-MIB either.

Further, this ZyWALL MIB is out of date for 4.00; in firewallDirIndex this version doesn't cover 13-16, which presumably are the WLAN firewall rule sets.

I feel we're 95% of the way there - so near yet so far.

Is there any chance of a proper, updated and debugged release of both MIBs? My memory of MIB syntax is poor, and I've simply replaced various seemingly illegal characters in both MIBs rather than researching proper solutions (escaping, I guess).

The attached diffs result in MIBs that at least don't throw up a bunch of errors using snmpwalk from net-snmp 5.2.1.2 and work (after a fashion) with Getif 2.3.1. Note that you may have to strip a line of text off the beginning that the forum software adds before using them.

Maybe someone who has the MIB syntax in their head can go through my changes and come up with more robust fixes. Even with these fixes, both applications complain that various objects in the ZyWALL MIB are the wrong type, but at least the objects are displayed.

David

Edit: Thought better of having complete MIBs as attachments, and changed the attachments for diffs against the ZyXEL MIBs


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
·TekSavvy Solutions..


zyxel1.zip 924 bytes
(zyxel1.mib)
Here is a newer one (already hacked to work with the ZyWall MIB posted above)

It's not that bad, I'm getting no errors using MIB Browser but some OIDs are out of order (the VPN portion is not good)

DavidJWood
Premium
join:2001-10-12
UK

Is there any reason why you have a seemingly redundant "Zywall" line under the "zywallCommon" line in that MIB, Brano? Apart from that, it's much better than the obsolete hunk of junk (full of ISDN related stuff) that I was working from - though that's the only MIB that seems to be anywhere on ZyXEL's FTP site.

Here's a challenge to ZyXEL - how about making available properly debugged MIBs for all their products? It feels so much better to have them available than trying to guess what information there is from a dump of OIDs and values. That the MIB that is publicly available is obsolete and contains so many syntax errors is rather sad, and significantly reduces the value of SNMP.

It would also be worth, in the light of recent discussions about what interface is what in various products, considering making the entries in interfaces.ifTable.ifEntry.ifDescr much more descriptive - enet0, enet1 etc. are cryptic when the interfaces are called LAN, WAN 1 etc. everywhere else.

David


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
·TekSavvy Solutions..


said by DavidJWood:

Is there any reason why you have a seemingly redundant "Zywall" line under the "zywallCommon" line in that MIB, Brano?
I'm not familiar with MIB syntax, but it was not working without the 2nd line (taken from your example)

EDIT: I take it back ...it was working but I didn't reload the MIB to my mib browser! ...and I spent 15 min wondering why?
I'm going to re-upload the MIB to the above post.

DavidJWood
Premium
join:2001-10-12
UK

Delete the Zywall line under -- ZyWall products. All you need there is the zywallCommon line, which is based on the zywall line immediately above -- ZyWall products. I presume the necessary fix is that zywallCommon wasn't defined; the ZyWALL MIB won't work without it.

Add the fix I posted above to the ZYXEL-ZYWALL-MIB (changing some underscores to dashes, otherwise you get various complaints about the syntax - in fact, a search and replace for _ to - will do), and you're as close as I think it's reasonable to get quickly.

A re-examination of the object types is needed - various things are defined in the ZyWALL MIB as INTEGER when they are not, at least with the Z35 running 4.00(WZ.1) firmware. However, that's a more major job and I'd definitely need to read the relevant RFCs to fix all those problems properly.

Certainly it's true to say that this MIB and 4.00(WZ.1) on the Z35 are out of line - but I don't know whether ZyXEL are intending changing the MIB or the firmware. As things are, returning INTEGERs for the various firewall counters, as the MIB suggests, would probably make graphing those parameters easier. My ZyWALL is apparently returning human readable DisplayStrings.

David
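
The underscore-to-dash replacement described above, as an added example that is not part of the original post: a blind search and replace also rewrites DESCRIPTION text and comments, so this version changes identifiers only and reports each rename. The MIB fragment is constructed (the underscore labels and `firewallDirEntry` are assumptions), and `--` comments are assumed to run to end of line.

```python
import re

# A quoted string, a "--" comment (assumed to run to end of line), or an
# identifier. Strings and comments come first in the alternation so that
# their contents are matched as a unit and returned unchanged.
TOKEN_RE = re.compile(r'"[^"]*"|--[^\n]*|[A-Za-z][A-Za-z0-9_-]*')


def fix_underscores(mib_text):
    """Replace '_' with '-' in identifiers only.

    Returns (new_text, [(old, new), ...]) so the renames can be reviewed.
    """
    changed = []

    def repl(match):
        tok = match.group(0)
        if tok.startswith(('"', "--")) or "_" not in tok:
            return tok
        new = tok.replace("_", "-")
        changed.append((tok, new))
        return new

    return TOKEN_RE.sub(repl, mib_text), changed


# Constructed fragment, not taken from the real ZYXEL-ZYWALL-MIB.
SAMPLE_MIB = '''\
-- direction labels such as LAN_TO_WAN (constructed example)
firewallDirIndex OBJECT-TYPE
    SYNTAX  INTEGER { LAN_TO_WAN(1), WAN_TO_LAN(2) }
    ACCESS  read-only
    STATUS  mandatory
    DESCRIPTION "Rule set index; see rule_set in the manual"
    ::= { firewallDirEntry 1 }
'''

if __name__ == "__main__":
    fixed, renames = fix_underscores(SAMPLE_MIB)
    print(fixed)
    print(renames)
```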


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
·TekSavvy Solutions..


zyxel-zywall···fix).zip 3,590 bytes
(zyxel-zywallzynos4.0(vpn fix).mib)
Attached is my attempt to fix the VPN. I believe I did it (at least it's working fine on my ZyWall5).
...enjoy

dslpartner

join:2005-02-18

reply to DavidJWood
said by DavidJWood:

Certainly it's true to say that this MIB and 4.00(WZ.1) on the Z35 are out of line - but I don't know whether ZyXEL are intending changing the MIB or the firmware.
What do you mean by out of line, Integer where it should be String etc., or that you can't walk the device correctly?

If it is the latter, try to add the -Cc flag

snmpwalk -v2c -c public -Cc 192.168.1.1 .1

--
The real downside of GIT may be that _my_ way of doing things is quite possibly very rare. But it clearly is the only right way. The fact that everybody else does it some other way only means that they are wrong. -Linus

DavidJWood
Premium
join:2001-10-12
UK

I can walk the device just fine - it's that the MIB and the firmware differ on the types returned.

The -Cc flag makes no difference.

For example
ZYXEL-ZYWALL-MIB::firewallDirForwardPktCnt.LAN-TO-WAN = Wrong Type (should be INTEGER): STRING: "83Mbytes"
ZYXEL-ZYWALL-MIB::firewallDirForwardPktCnt.WAN-TO-LAN = Wrong Type (should be INTEGER): STRING: "813Mbytes"


David


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
I've fixed the incorrect types in my last MIB posted above (at least I believe I've fixed it all)

DavidJWood
Premium
join:2001-10-12
UK

I'll try your MIB shortly. The point I was trying to make is that we don't know whether the firmware or the MIB represents ZyXEL's intentions.

If the MIB is right, the firmware is going to change at some point in the future. If the MIB is wrong (as is maybe more likely, considering the omissions that I pointed out above), we've got the correct fix.

Particularly with the firewall counters mentioned above, it's a shame that ZyXEL are returning them as strings - it makes it much harder to graph what is going on with the likes of cacti.

It is a shame that ZyXEL make it so hard to get hold of accurate and up to date MIBs.

David
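
A way to turn the string counters quoted earlier in the thread into numbers that cacti can graph, as an added example that is not part of any post here. It assumes the unit suffix is a decimal multiple; only "Mbytes" appears in the thread, and the other suffixes and the IF-MIB sample line are constructed.

```python
import re

# One line of net-snmp snmpwalk output, with or without the "Wrong Type"
# note printed when the loaded MIB and the agent disagree on the type.
LINE_RE = re.compile(
    r'^(?P<oid>\S+)\s*=\s*'
    r'(?:Wrong Type \(should be (?P<expected>[^)]*?)\s*\):\s*)?'
    r'(?P<type>[A-Za-z0-9-]+):\s*(?P<value>.*)$'
)
VALUE_RE = re.compile(r'^(\d+)\s*([A-Za-z]*)$')

# Assumption: suffixes are decimal multiples. Only "Mbytes" appears in the
# thread; the other suffixes are hypothetical.
UNITS = {"": 1, "bytes": 1, "kbytes": 10**3, "mbytes": 10**6, "gbytes": 10**9}


def parse_counter(line):
    """Return (oid, integer value, type_mismatch), or None if not numeric."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    v = VALUE_RE.match(m.group("value").strip().strip('"'))
    if not v or v.group(2).lower() not in UNITS:
        return None  # unknown unit or non-numeric value: skip, do not guess
    value = int(v.group(1)) * UNITS[v.group(2).lower()]
    return m.group("oid"), value, m.group("expected") is not None


def cacti_fields(lines):
    """Join parsed counters as space-separated name:value pairs, the form a
    Cacti data input script prints when it returns several fields."""
    out = []
    for line in lines:
        parsed = parse_counter(line)
        if parsed:
            name = re.sub(r'\W', '_', parsed[0].split("::")[-1])
            out.append(f"{name}:{parsed[1]}")
    return " ".join(out)


# The two lines quoted in the thread, plus one constructed INTEGER line.
SAMPLE = [
    'ZYXEL-ZYWALL-MIB::firewallDirForwardPktCnt.LAN-TO-WAN = Wrong Type (should be INTEGER): STRING: "83Mbytes"',
    'ZYXEL-ZYWALL-MIB::firewallDirForwardPktCnt.WAN-TO-LAN = Wrong Type (should be INTEGER): STRING: "813Mbytes"',
    'IF-MIB::ifIndex.1 = INTEGER: 1',
]

if __name__ == "__main__":
    print(cacti_fields(SAMPLE))
```

The third element of each parsed tuple flags a MIB/firmware type disagreement, so a later firmware change to real INTEGERs shows up instead of passing silently.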


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON

I agree with everything you said, but we're stuck with what we have. It's better than what we had a week ago but definitely there are tons of improvements that ZyXel could do re: snmp and mibs.
over 10 years online! © 1999-2009 dslreports.com.