Re: [nv-l] Cisco PIX / Firewall switch module in Netview

To:	nv-l@lists.us.ibm.com
Subject:	Re: [nv-l] Cisco PIX / Firewall switch module in Netview
From:	Leslie Clark <lclark@us.ibm.com>
Date:	Mon, 20 Sep 2004 18:22:14 -0400
Delivery-date:	Mon, 20 Sep 2004 23:31:06 +0100
Envelope-to:	nv-l-archive@lists.skills-1st.co.uk
In-reply-to:	<OF779262A3.02977806-ON85256F15.00738D03-85256F15.0075587E@ca.ibm.com>
Reply-to:	nv-l@lists.us.ibm.com
Sender:	owner-nv-l@lists.us.ibm.com

Francois, I have not run across this, but I wonder if it would be possible (or helpful) to discover the devices by those stateful interface by doing loadhosts (without the small p) listing also the inside address? If name resolution was associated with the address that does not change, I wonder if that might help with one part of the problem.

Cordially,

Leslie A. Clark
IBM Global Services - Systems Mgmt & Networking
Detroit

Francois Le Hir <flehir@ca.ibm.com>
Sent by: owner-nv-l@lists.us.ibm.com

09/20/2004 05:21 PM

Please respond to
nv-l

To	nv-l@lists.us.ibm.com
cc
Subject	[nv-l] Cisco PIX / Firewall switch module in Netview

I am wondering what the best practice is for managing Cisco firewalls with statefull and/or failover interfaces. Theses firewalls work in pair with a primary and a secondary. When there is a failover, all the interfaces of the primary end up in the secondary and all the interfaces of the secondary end up in the primary. Except that the statefull/failover interfaces stay in the original device. The way this is seen by Netview is that the statefull/failover interface looks like it is the one changing side as the selection name of the devices do not change in Netview. To add to the difficulty, theses statefull/failover interfaces are not reachable directly. Only the inside interface can be pinged by Netview and we configure netmon.seed to monitor the whole device with snmp so that we get the status of all the interfaces. Also the two devices in the pair share the same configuration. That means that they have the same hostname and there seams to be no other way to configure it. I tried configuring Netview with theses interfaces as HSRP in netmon.seed (%) but because the hostname of the two devices is the same I know it can not work correctly. The way it eventually end up is with both statefull/failover in both devices (like a duplicate IP). any idea on how to handle this ? more specifically: - do you configure theses interfaces as HSRP in netmon.seed ? - do you have the "S" flag configured in oid_to_type for the oids (1.3.6.1.4.1.9.1.392, 1.3.6.1.4.1.9.1.522,...)? Thanks, Salutations, / Regards, Francois Le Hir Network Projects & Consulting Services IBM Global Services Phone: (514) 964 2145

<Prev in Thread]	Current Thread	[Next in Thread>
[nv-l] Cisco PIX / Firewall switch module in Netview, Francois Le Hir Re: [nv-l] Cisco PIX / Firewall switch module in Netview, Leslie Clark <= Re: [nv-l] Cisco PIX / Firewall switch module in Netview, Francois Le Hir RE: [nv-l] Cisco PIX / Firewall switch module in Netview, Barr, Scott RE: [nv-l] Cisco PIX / Firewall switch module in Netview, James Shanks RE: [nv-l] Cisco PIX / Firewall switch module in Netview, Francois Le Hir

Previous by Date:	[nv-l] Cisco PIX / Firewall switch module in Netview, Francois Le Hir
Next by Date:	[nv-l] RE: NetView, Firewalls and netSNMP, Vidal, Chaz
Previous by Thread:	[nv-l] Cisco PIX / Firewall switch module in Netview, Francois Le Hir
Next by Thread:	Re: [nv-l] Cisco PIX / Firewall switch module in Netview, Francois Le Hir
Indexes:	[Date] [Thread] [Top] [All Lists]