Graphing Sonicwall VPN Tunnel Usage

I have the need to track the network usage between each of our offices. We currently use IPsec-based tunnels across the Internet for connectivity between all of our offices (we use a full mesh configuration). I looked around for a way to monitor and graph the data for these tunnels off our Sonicwall firewalls, but found no good solution.

So I created the following templates and scripts for monitoring our Sonicwall firewalls via my favorite network monitoring application, Cacti. The template includes graphs for CPU Utilization, Memory Usage, Current Connections Cache, and most importantly VPN utilization on a tunnel-by-tunnel basis.

The script portion (written in Perl) queries the firewall and returns the list of currently active tunnels (keyed by the IP address of the Peer Gateway) as well as the tunnel name, the decrypted (received) bytes and the encrypted (transmitted) bytes. Because the tunnels are renegotiated (by default every 8 hours), you will see spikes in your graphs unless you follow the installation instructions.

Also, because the firewall does not always return the VPN tunnel name, you must renegotiate each tunnel before creating the graphs the first time so that the name is pulled in correctly. You may need to do this a couple of times, making sure to press the green reload button in Cacti, before they all show up.

Installation Instructions: Visit my post on the Cacti forums for installing the software.

If you are running SonicOS Enhanced then you will be able to graph everything; if you are running SonicOS Standard or the older 6.X firmware, then you will only get the VPN monitoring, as the other stats are unavailable via SNMP.

The following is the usage syntax if you would like to run the script by itself.

query_sonicwall_vpn.pl host community index
query_sonicwall_vpn.pl host community query {peergateway, vpnname, decryptbytes, encryptbytes}
query_sonicwall_vpn.pl host community get {peergateway, vpnname, decryptbytes, encryptbytes} DEVICE

DEVICE is the IP address of the Peer Gateway of the tunnel you want.

I know the script is less than optimal, but then I’m not really a programmer, so I’d appreciate any feedback. Additionally, the basis for the script came from Dan Brummer in this post.


2 Comments on “Graphing Sonicwall VPN Tunnel Usage”

  1. Bryan Dearlove Says:

    Awesome! Thanks for the script!

    Only problem I am running into is that I don’t fully understand what you mean by:

    When creating graphs you will be prompted to enter a maximum value for decrypt/encrypt bytes. You MUST enter a value equal to the fast connection of any of the tunnels being monitored from this device. Otherwise you will see huge spikes every 8 hours.

    Where do I get the maximum value for decrypt/encrypt bytes?

    Thanks!

  2. kbn Says:

    Bryan,

    What is needed is the maximum link speed in bytes/second. I would also recommend that you put some fudge factor in there, particularly if you think you might be increasing the link speed at any time. (For example, we replaced a 786K DSL with a 3M connection.)

    The following formula should work, but I have not tried it (I just guessed).

    (Link speed in bits/second / 8) * (1 + “fudge factor”)

    For example, for a T1 connection (1.5 Mb/s = 1572864 b/s) which we think will double at some point in the future, with 5% additional:

    (1572864 / 8 ) * (1 + 1.05) = 403046

    I hope this helps.

    –ken
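To make the spike problem from the post and the maximum-value arithmetic from the comment thread concrete, here is an added example (not part of the original post or of the Perl script): a small Python model of how RRDtool turns a COUNTER data source into a rate, showing why a tunnel's byte counter restarting on renegotiation looks like a huge wrap-around and how the data-source maximum discards it. All sample counters are constructed, the 300-second poll interval is assumed, and the fudge-factor arithmetic reproduces the comment's 403046 figure.

```python
# Added example: model of RRDtool COUNTER handling for a VPN tunnel byte
# counter. Not the original script; sample values are constructed.

COUNTER_WRAP_32 = 2 ** 32
COUNTER_WRAP_64 = 2 ** 64


def max_bytes_per_second(link_bits_per_second, fudge_factor=0.0):
    """Maximum value for the decrypt/encrypt data sources: link speed in
    bytes/second plus headroom (fudge_factor=1.05 reproduces the comment)."""
    return int(link_bits_per_second / 8 * (1 + fudge_factor))


def counter_rates(samples, max_rate=None):
    """samples: list of (timestamp, counter) pairs as Cacti would poll them.
    Returns one bytes/second rate per interval the way RRDtool computes a
    COUNTER: a decrease is assumed to be a 32- or 64-bit wrap (never a
    reset), and a rate above max_rate is stored as unknown (None)."""
    rates = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        delta = c1 - c0
        if delta < 0:                  # counter went backwards: assume 32-bit wrap
            delta += COUNTER_WRAP_32
        if delta < 0:                  # still negative: assume 64-bit wrap
            delta += COUNTER_WRAP_64 - COUNTER_WRAP_32
        rate = delta / (t1 - t0)
        if max_rate is not None and rate > max_rate:
            rate = None                # out of range: RRDtool records NaN
        rates.append(rate)
    return rates


# Constructed polls of one tunnel's decrypted-byte counter every 300 s:
# steady 100 KB/s, then the SA is renegotiated and the counter restarts.
SAMPLES = [(0, 1_000_000), (300, 31_000_000), (600, 61_000_000), (900, 2_000_000)]


def demo():
    """Rates without a maximum and with the comment's T1-based maximum
    (1572864 b/s, doubling expected, 5% extra -> 403046 bytes/second)."""
    limit = max_bytes_per_second(1_572_864, 1.05)
    return counter_rates(SAMPLES), counter_rates(SAMPLES, max_rate=limit)


if __name__ == "__main__":
    unclipped, clipped = demo()
    print("without max:", unclipped)   # third interval is a ~14 MB/s spike
    print("with max:   ", clipped)     # spike becomes None (unknown)
```

Without the maximum, the reset shows up as roughly 14 MB/s on a link that never exceeds 100 KB/s; with the maximum set to the link speed, that interval is dropped as unknown and the graph stays readable.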
