#!/usr/bin/perl -w
############################## check_snmp_cpfw ##############
# Version : 0.7
# Date : Oct 02 2004
# Author : Patrick Proy (patrick at proy.org)
# Help : http://www.manubulon.com/nagios/
# Licence : GPL - http://www.fsf.org/licenses/gpl.txt
# TODO :
# - check sync method
# Help : ./check_snmp_cpfw.pl -h
use strict;
use Net::SNMP;
use Getopt::Long;
# Nagios specific
use lib "@NAGIOS_PLUGINS@";
use utils qw(%ERRORS $TIMEOUT);
#my $TIMEOUT = 15;
# Oreon specific
if (eval "require oreon" ) {
use oreon qw(get_parameters create_rrd update_rrd &is_valid_serviceid);
use vars qw($VERSION %oreon);
} else {
print "Unable to load oreon perl module\n";
my $pathtorrdbase = $oreon{GLOBAL}{DIR_RRDTOOL};
########### SNMP Datas ###########
###### FW data
my $policy_state = ""; # "Installed"
my $policy_name = ""; # Installed policy name
my $connections = ""; # number of connections
#my $connections_peak = ""; # peak number of connections
my @fw_checks = ($policy_state,$policy_name,$connections);
###### SVN data
my $svn_status = ""; # "OK" svn status
my %svn_checks = ($svn_status,"OK");
my %svn_checks_n = ($svn_status,"SVN status");
my @svn_checks_oid = ($svn_status);
###### HA data
my $ha_active = ""; # "yes"
my $ha_state = ""; # "active"
my $ha_block_state = ""; #"OK" : ha blocking state
my $ha_status = ""; # "OK" : ha status
my %ha_checks =( $ha_active,"yes",$ha_state,"active",$ha_block_state,"OK",$ha_status,"OK");
my %ha_checks_n =( $ha_active,"HA active",$ha_state,"HA state",$ha_block_state,"HA block state",$ha_status,"ha_status");
my @ha_checks_oid =( $ha_active,$ha_state,$ha_block_state,$ha_status);
my $ha_mode = ""; # "Sync only" : ha Working mode
my $ha_tables = ""; # ha status table
my $ha_tables_index = ".1";
my $ha_tables_name = ".2";
my $ha_tables_state = ".3"; # "OK"
my $ha_tables_prbdesc = ".6"; # Description if state is != "OK"
#my @ha_table_check = ("Synchronization","Filter","cphad","fwd"); # process to check
####### MGMT data
my $mgmt_status = ""; # "active" : management status
my $mgmt_alive = ""; # 1 : management is alive if 1
my $mgmt_stat_desc = ""; # Management status description
my $mgmt_stats_desc_l = ""; # Management status long description
my %mgmt_checks = ($mgmt_status,"active",$mgmt_alive,"1");
my %mgmt_checks_n = ($mgmt_status,"Mgmt status",$mgmt_alive,"Mgmt alive");
my @mgmt_checks_oid = ($mgmt_status,$mgmt_alive);
#################################### Globals ##############################""
my $Version='0.7';
my $o_host = undef; # hostname
my $o_community = undef; # community
my $o_port = 161; # port
my $o_help= undef; # wan't some help ?
my $o_verb= undef; # verbose mode
my $o_version= undef; # print version
my $o_warn= undef; # Warning for connections
my $o_crit= undef; # Crit for connections
my $o_svn= undef; # Check for SVN status
my $o_fw= undef; # Check for FW status
my $o_ha= undef; # Check for HA status
my $o_mgmt= undef; # Check for management status
my $o_policy= undef; # Check for policy name
my $o_conn= undef; # Check for connexions
my $o_perf= undef; # Performance data output
# SNMPv3 specific
my $o_login= undef; # Login for snmpv3
my $o_passwd= undef; # Pass for snmpv3
# Oreon specific
my $o_step= undef;
my $o_g= undef;
my $o_S= undef;
my $step= undef;
my $rrd= undef;
my $start= undef;
my $ServiceId= undef;
my @rrd_data= undef;
# functions
sub p_version { print "check_snmp_cpfw version : $Version\n"; }
sub print_usage {
print "Usage: $0 [-v] -H <host> -C <snmp_community> | (-l login -x passwd) [-s] [-w [-p=pol_name] [-c=warn,crit]] [-m] [-a] [-f] [-p <port>] [-t <timeout>] [-V]\n";
sub isnnum { # Return true if arg is not a number
my $num = shift;
if ( $num =~ /^(\d+\.?\d*)|(^\.\d+)$/ ) { return 0 ;}
return 1;
sub help {
print "\nSNMP Checkpoint FW-1 Monitor for Nagios version ",$Version,"\n";
print "(c)2004 - to my cat Ratoune\n\n";
print <<EOT;
-v, --verbose
print extra debugging information (including interface list on the system)
-h, --help
print this help message
-H, --hostname=HOST
name or IP address of host to check
-C, --community=COMMUNITY NAME
community name for the host's SNMP agent (implies v1 protocol)
-s, --svn
check for svn status
-w, --fw
check for fw status
-a, --ha
check for ha status
-m, --mgmt
check for management status
-p, --policy=POLICY_NAME
check if installed policy is POLICY_NAME (must have -w)
-c, --connexions=WARN,CRIT
check warn and critical number of connexions (must have -w)
-f, --perfparse
perfparse output (only works with -c)
-l, --login=LOGIN
Login for snmpv3 authentication (implies v3 protocol with MD5)
-x, --passwd=PASSWD
Password for snmpv3 authentication
-P, --port=PORT
SNMP port (Default 161)
-t, --timeout=INTEGER
timeout for SNMP (Default: Nagios default)
-V, --version
prints version number
-g (--rrdgraph) Create a rrd base if necessary and add datas into this one
--rrd_step Specifies the base interval in seconds with which data will be fed into the RRD (300 by default)
-S (--ServiceId) Oreon Service Id
# For verbose output
sub verb { my $t=shift; print $t,"\n" if defined($o_verb) ; }
sub check_options {
Getopt::Long::Configure ("bundling");
'v' => \$o_verb, 'verbose' => \$o_verb,
'h' => \$o_help, 'help' => \$o_help,
'H:s' => \$o_host, 'hostname:s' => \$o_host,
'P:i' => \$o_port, 'port:i' => \$o_port,
'C:s' => \$o_community, 'community:s' => \$o_community,
'l:s' => \$o_login, 'login:s' => \$o_login,
'x:s' => \$o_passwd, 'passwd:s' => \$o_passwd,
't:i' => \$TIMEOUT, 'timeout:i' => \$TIMEOUT,
'V' => \$o_version, 'version' => \$o_version,
's' => \$o_svn, 'svn' => \$o_svn,
'w' => \$o_fw, 'fw' => \$o_fw,
'a' => \$o_ha, 'ha' => \$o_ha,
'm' => \$o_mgmt, 'mgmt' => \$o_mgmt,
'p:s' => \$o_policy, 'policy:s' => \$o_policy,
'c:s' => \$o_conn, 'connexions:s' => \$o_conn,
'f' => \$o_perf, 'perfparse' => \$o_perf,
# For Oreon rrdtool graph
"rrd_step:s" => \$o_step,
"g" => \$o_g, "rrdgraph" => \$o_g,
"S=s" => \$o_S, "ServiceId=s" => \$o_S
if (defined ($o_help) ) { help(); exit $ERRORS{"UNKNOWN"}};
if (defined($o_version)) { p_version(); exit $ERRORS{"UNKNOWN"}};
if ( ! defined($o_host) ) # check host and filter
{ print_usage(); exit $ERRORS{"UNKNOWN"}}
# check snmp information
if ( !defined($o_community) && (!defined($o_login) || !defined($o_passwd)) )
{ print "Put snmp login info!\n"; print_usage(); exit $ERRORS{"UNKNOWN"}}
# Check firewall options
if ( defined($o_conn)) {
if ( ! defined($o_fw))
{ print "Cannot check connexions without checking fw\n"; print_usage(); exit $ERRORS{"UNKNOWN"}}
my @warncrit=split(/,/ , $o_conn);
if ( $#warncrit != 1 )
{ print "Put warn,crit levels with -c option\n";print_usage(); exit $ERRORS{"UNKNOWN"}}
if ( isnnum($o_warn) || isnnum($o_crit) )
{ print "Numeric values for warning and critical in -c options\n";print_usage(); exit $ERRORS{"UNKNOWN"}}
if ($o_warn >= $o_crit)
{ print "warning <= critical ! \n";print_usage(); exit $ERRORS{"UNKNOWN"}}
if ( defined($o_policy)) {
if (! defined($o_fw))
{ print "Cannot check policy name without checking fw\n"; print_usage(); exit $ERRORS{"UNKNOWN"}}
if ($o_policy eq "")
{ print "Put a policy name !\n"; print_usage(); exit $ERRORS{"UNKNOWN"}}
if (defined($o_perf) && ! defined ($o_conn))
{ print "Nothing selected for perfparse !\n";print_usage(); exit $ERRORS{"UNKNOWN"}}
if (!defined($o_fw) && !defined($o_ha) && !defined($o_mgmt) && !defined($o_svn))
{ print "Must select a product to check !\n";print_usage(); exit $ERRORS{"UNKNOWN"}}
###### Oreon #######
if (!defined($o_S)) { $o_S="1_1" }
$ServiceId = is_valid_serviceid($o_S);
if (!defined($o_step)) { $o_step="300" }
$step = $1 if ($o_step =~ /(\d+)/);
########## MAIN #######
$rrd = $pathtorrdbase.$ServiceId.".rrd";
# Check gobal timeout if snmp screws up
# Connect to host
my ($session,$error);
if ( defined($o_login) && defined($o_passwd)) {
# SNMPv3 login
verb("SNMPv3 login");
($session, $error) = Net::SNMP->session(
-hostname => $o_host,
-version => '3',
-username => $o_login,
-authpassword => $o_passwd,
-authprotocol => 'md5',
-privpassword => $o_passwd
} else {
# SNMPV1 login
($session, $error) = Net::SNMP->session(
-hostname => $o_host,
-community => $o_community,
-port => $o_port,
-timeout => $TIMEOUT
if (!defined($session)) {
printf("ERROR opening session: %s.\n", $error);
########### Global checks #################
my $global_status=0; # global status : 0=OK, 1=Warn, 2=Crit
my ($resultat,$key)=(undef,undef);
########## Check SVN status #############
my $svn_print="";
my $svn_state=0;
if (defined ($o_svn)) {
$resultat = $session->get_request(
Varbindlist => \@svn_checks_oid
if (defined($resultat)) {
foreach $key ( keys %svn_checks) {
verb("$svn_checks_n{$key} : $svn_checks{$key} / $$resultat{$key}");
if ( $$resultat{$key} ne $svn_checks{$key} ) {
$svn_print .= $svn_checks_n{$key} . ":" . $$resultat{$key} . " ";
} else {
$svn_print .= "cannot find oids";
#Critical state if not found because it means soft is not activated
if ($svn_state == 0) {
$svn_print="SVN : OK";
} else {
$svn_print="SVN : " . $svn_print;
########## Check mgmt status #############
my $mgmt_state=0;
my $mgmt_print="";
if (defined ($o_mgmt)) {
# Check all states
$resultat = $session->get_request(
Varbindlist => \@mgmt_checks_oid
if (defined($resultat)) {
foreach $key ( keys %mgmt_checks) {
verb("$mgmt_checks_n{$key} : $mgmt_checks{$key} / $$resultat{$key}");
if ( $$resultat{$key} ne $mgmt_checks{$key} ) {
$mgmt_print .= $mgmt_checks_n{$key} . ":" . $$resultat{$key} . " ";
} else {
$mgmt_print .= "cannot find oids";
#Critical state if not found because it means soft is not activated
if ($mgmt_state == 0) {
$mgmt_print="MGMT : OK";
} else {
$mgmt_print="MGMT : " . $mgmt_print;
########### Check fw status ##############
my $fw_state=0;
my $fw_print="";
my $perf_conn=undef;
if (defined ($o_fw)) {
# Check all states
$resultat = $session->get_request(
Varbindlist => \@fw_checks
if (defined($resultat)) {
verb("State : $$resultat{$policy_state}");
verb("Name : $$resultat{$policy_name}");
verb("connections : $$resultat{$connections}");
if ($$resultat{$policy_state} ne "Installed") {
$fw_print .= "Policy:". $$resultat{$policy_state}." ";
verb("Policy state not installed");
if (defined($o_policy)) {
if ($$resultat{$policy_name} ne $o_policy) {
$fw_print .= "Policy installed : $$resultat{$policy_name}";
if (defined($o_conn)) {
if ($$resultat{$connections} > $o_crit) {
$fw_print .= "Connexions : ".$$resultat{$connections}." > ".$o_crit." ";
} else {
if ($$resultat{$connections} > $o_warn) {
$fw_print .= "Connexions : ".$$resultat{$connections}." > ".$o_warn." ";
## RRD management
if ($o_g) {
if (! -e $rrd) {
update_rrd($rrd,$start, $perf_conn);
} else {
$fw_print .= "cannot find oids";
#Critical state if not found because it means soft is not activated
if ($fw_state==0) {
$fw_print="FW : OK";
} else {
$fw_print="FW : " . $fw_print;
########### Check ha status ##############
my $ha_state_n=0;
my $ha_print="";
if (defined ($o_ha)) {
# Check all states
$resultat = $session->get_request(
Varbindlist => \@ha_checks_oid
if (defined($resultat)) {
foreach $key ( keys %ha_checks) {
verb("$ha_checks_n{$key} : $ha_checks{$key} / $$resultat{$key}");
if ( $$resultat{$key} ne $ha_checks{$key} ) {
$ha_print .= $ha_checks_n{$key} . ":" . $$resultat{$key} . " ";
#my $ha_mode = ""; # "Sync only" : ha Working mode
} else {
$ha_print .= "cannot find oids";
#Critical state if not found because it means soft is not activated
# get ha status table
$resultat = $session->get_table(
Baseoid => $ha_tables
my %status;
my (@index,@oid) = (undef,undef);
my $nindex=0;
my $index_search= $ha_tables . $ha_tables_index;
if (defined($resultat)) {
foreach $key ( keys %$resultat) {
if ( $key =~ /$index_search/) {
@oid=split (/\./,$key);
} else {
$ha_print .= "cannot find oids" if ($ha_state_n ==0);
#Critical state if not found because it means soft is not activated
verb ("found $nindex ha softs");
if ( $nindex == 0 )
$ha_print .= " no ha soft found" if ($ha_state_n ==0);
} else {
my $ha_soft_name=undef;
for (my $i=0;$i<$nindex;$i++) {
$key=$ha_tables . $ha_tables_name . "." . $index[$i] . ".0";
$ha_soft_name= $$resultat{$key};
$key=$ha_tables . $ha_tables_state . "." . $index[$i] . ".0";
if (($status{$ha_soft_name} = $$resultat{$key}) ne "OK") {
$key=$ha_tables . $ha_tables_prbdesc . "." . $index[$i] . ".0";
$status{$ha_soft_name} = $$resultat{$key};
$ha_print .= $ha_soft_name . ":" . $status{$ha_soft_name} . " ";
verb ("$ha_soft_name : $status{$ha_soft_name}");
if ($ha_state_n == 0) {
$ha_print = "HA : OK";
} else {
$ha_print = "HA : " . $ha_print;
########## print results and exit
my $f_print=undef;
if (defined ($o_fw)) { $f_print = $fw_print }
if (defined ($o_svn)) { $f_print = (defined ($f_print)) ? $f_print . " / ". $svn_print : $svn_print }
if (defined ($o_ha)) { $f_print = (defined ($f_print)) ? $f_print . " / ". $ha_print : $ha_print }
if (defined ($o_mgmt)) { $f_print = (defined ($f_print)) ? $f_print . " / ". $mgmt_print : $mgmt_print }
my $exit_status=undef;
$f_print .= " / CPFW Status : ";
if (($ha_state_n+$svn_state+$fw_state+$mgmt_state) == 0 ) {
$f_print .= "OK";
$exit_status= $ERRORS{"OK"};
} else {
if (($fw_state==1) || ($ha_state_n==1) || ($svn_state==1) || ($mgmt_state==1)) {
$f_print .= "WARNING";
$exit_status= $ERRORS{"WARNING"};
} else {
$f_print .= "CRITICAL";
if (defined($o_perf) && defined ($perf_conn)) {
$f_print .= " | fw_connexions=" . $perf_conn;
print "$f_print\n";
exit $exit_status;