Zabbix: Monitoring a Cisco ASA Firewall

I recently started to trial Zabbix 3.4 as a network monitoring solution, so far I really like it. Monitoring my Cisco LAN worked out the box using the built-in template “Template Net Cisco IOS SNMPv2”, however, this template would not monitor the bandwidth on my ASA’s interfaces so I had to look elsewhere.

The template “Cisco ASA Discovery” was the answer but it took me a little while to get it working so I thought I would share the following.

Table of Contents

• Cisco ASA setup
• Zabbix Server Prerequisites 
• Pre-checks
• Template download and tweaks
• Importing and using the template
• Troubleshooting
  • Problem 1
  • Problem 2

Cisco ASA setup

On your ASA you will need to give your Zabbix server SNMP access.

The IOS for this would be;

snmp-server host inside <zabbix-ip> poll community <community-string> version 2c

Or via ASDM would need to add an SNMP host under Configuration\Device Management\Management Access\SNMP

Zabbix Server Prerequisites

• Needless to say you nee Zabbix installed and working. I am using 3.4.10
• Your Zabbix server will need the “snmp” package installed. I am using an Ubuntu server on some other distributions such as Redhat you would need to install the packages “net-snmp” and “net-snmp-utils”
• Your server will need the “snmp-mibs-downloader” package installed. Again I am using Ubuntu you may have to find the equivalent for your distro if it is not Debian based.
• Your server has had a reboot after installing the above packages.

Pre-checks

Before we get started in Zabbix we want to confirm that Zabbix server and successfully poll our ASA using SNMP-walk on your servers shell.

snmpwalk -v 2c -c <community-string> <asa-ip-address>

For example snmpwalk -v 2c -c public 172.16.100.100

You should get a long output and not an error.

Template download and tweaks

• Download the template “Cisco ASA Discovery” from one of the below locations, I am using the version from GitHub, last commit 27th Feb 2018.
  • ZShare : https://share.zabbix.com/network_devices/cisco/cisco-asa-discovery
  • GitHub : https://share.zabbix.com/network_devices/cisco/cisco-asa-discovery/visit
• Edit the file “Template Cisco ASA Discovery.xml” and find the string “@Firewalls”
• Replace the text between <value> and </value> with your ASA’s interface names.
  • If you don’t have named interface something like “TenGigabitEthenet|GigabitEthernet|Loopback|Vlan|Port-channel|FastEthernet” should work.
  • Or if you have a mixture of named and unnamed interface then you would using something like this “GigabitEthernet|inside|Management|Internet|namedinterface1|namedinterface2”
  • All of my interfaces are named, my changes look like the below

Importing and using the template

• In Zabbix navigate to Configuration => Templates and client Import in the top right
• Browse to your editing xml file and click Import.
• Under Configuration => Hosts use the “Create host” button in the top right to add your ASA.
  • Complete the “Host name” field and add it to the desired group
  • Remove the “Agent interfaces” configuration and either your ASA’s IP address or hostname in the “SNMP interfaces” selection
  • Click “Add”
• Edit the newly created hos and select the “Templates” tab.
• Select and add the “Template Cisco ASA Discovery” template

• If you don’t already have a global Macro for {$SNMP_COMMUNITY} or if your ASA uses a different community string you can add or change this unde the “Macros” tab.

Troubleshooting

Problem 1

On my first attempt to get the template working the SNMP icon for the host would not light up green or red. When viewing the host’s items was greeted by the message “snmp_parse_oid(): cannot parse OID…..” for pretty much every item.

Solution: It turned out the server did not have the package  “snmp-mibs-downloader”. After the package was installed and the server was rebooted Zabbix started collecting SNMP data.

Problem 2

One of the host’s items “cpmCPUTotal5secRev” still would not work “No Such Object available on this agent at this OID”

It turns out on newer ASA firmware this OID “cpmCPUTotal5secRev” has been depreciated.

I am hoping the creator of the template will release an update to address this. For my situation, I didn’t need this functionality so I disabled the item and its associated trigger.

If you need this functionality Robert on the ZShare comments suggests replacing “cpmCPUTotal5secRev” with “cpmCPUTotalMonIntervalValue” in the template and then re-importing it.