Using the Firewall and Memory Pool MIBs
The Cisco Firewall and Memory Pool MIBs let you poll for failover and system status. This section includes the following topics:
o ipAddrTable notes
o Viewing failover status
o Verifying memory usage
o Viewing the connection count
o Viewing system buffer usage
In the last table in each section, the meaning of each return value is displayed in parentheses.
ipAddrTable notes
Using the SNMP ip.ipAddrTable entry requires that every interface have its own unique address. If an interface has not been assigned an IP address, its address defaults to 127.0.0.1. Duplicate IP addresses cause the SNMP management station to loop indefinitely. The workaround is to assign a different address to each interface. For example, you can set one address to 127.0.0.1 and another to 127.0.0.2.
SNMP uses a sequence of GetNext operations to traverse the MIB tree. Each GetNext request is based on the result of the previous request. Therefore, if two consecutive interfaces have the same IP address 127.0.0.1 (the table index), the GetNext function returns 127.0.0.1, which is correct; however, when SNMP uses that same result (127.0.0.1) to generate the next GetNext request, the request is identical to the previous one, and the management station loops indefinitely.
For example: GetNext (ip.ipAddrTable.ipAddrEntry.ipAdEntAddr.127.0.0.1)
In the SNMP protocol, a MIB table index must be unique so that the agent can identify a row of the MIB table. The table index of ip.ipAddrTable is the PIX Firewall interface IP address, so each IP address must be unique; otherwise the SNMP agent is confused and may return information for another interface (row) that has the same IP address (index).
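The GetNext loop described above, reproduced as an added example (not code from the original document or from Cisco). The agent model, function names and sample addresses are assumptions made for illustration; the walk shows the loop, a guard a management station can apply, and a pre-check for duplicate indexes.

```python
from collections import Counter
from ipaddress import IPv4Address

# Constructed sample data: interface addresses used as ipAddrTable indexes.
# Two unconfigured interfaces both default to 127.0.0.1, as described above.
DUPLICATE = ["192.168.1.1", "127.0.0.1", "127.0.0.1"]
UNIQUE = ["192.168.1.1", "127.0.0.1", "127.0.0.2"]


def agent_getnext(rows, index):
    """Simplified agent model (an assumption): return the index of the row
    that follows the first row matching `index`; None means end of table.
    Passing index=None requests the first row."""
    table = sorted(rows, key=IPv4Address)
    if index is None:
        return table[0] if table else None
    pos = table.index(index)  # a duplicated index always resolves to its first row
    return table[pos + 1] if pos + 1 < len(table) else None


def walk(rows, guard=True, max_requests=50):
    """Walk the table as a management station would, one GetNext at a time.
    With guard=True the walk aborts when the returned index does not increase."""
    seen, current = [], None
    for _ in range(max_requests):
        nxt = agent_getnext(rows, current)
        if nxt is None:
            return seen, "end-of-table"
        if guard and current is not None and IPv4Address(nxt) <= IPv4Address(current):
            return seen, "index-not-increasing"
        seen.append(nxt)
        current = nxt
    return seen, "request-limit"  # the loop only ended because of the cap


def duplicate_indexes(rows):
    """Pre-check: addresses that would appear as more than one table index."""
    return sorted(a for a, n in Counter(rows).items() if n > 1)


if __name__ == "__main__":
    print(walk(DUPLICATE, guard=False)[1])  # unguarded walk ends only at the cap
    print(walk(DUPLICATE))
    print(walk(UNIQUE))
    print(duplicate_indexes(DUPLICATE))
```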
Viewing failover status
The cfwHardwareStatusTable of the Cisco Firewall MIB lets you determine whether failover is enabled and which unit is active. The Cisco Firewall MIB indicates the failover state through two rows in the cfwHardwareStatusTable object. From the PIX Firewall command line, you can view the failover state with the show failover command. You can access the object table from the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.cfwStatus.cfwHardwareStatusTable
Failover status objects

| Object | Object type | Row 1: returned if failover is disabled | Row 1: returned if failover is enabled | Row 2: returned if failover is enabled |
|---|---|---|---|---|
| cfwHardwareType (table index) | Hardware | 6 (primary unit) | 6 (primary unit) | 7 (secondary unit) |
| cfwHardwareInformation | SnmpAdminString | blank | blank | blank |
| cfwHardwareStatusValue | HardwareStatus | 0 (not used) | active or 9 (active unit), or standby or 10 (standby unit) | active or 9 (active unit), or standby or 10 (standby unit) |
| cfwHardwareStatusDetail | SnmpAdminString | Failover Off | blank | blank |