Advisor
Demitree
Posts: 18
Registered: ‎03-08-2011
Message 1 of 10 (373 Views)

NNMi9 Monitor Devices Behind DMZ

Hi All,

 

We have some devices behind the DMZ that require monitoring.  ICMP is disabled but SNMP is allowed through the firewall.  NNMi shows all the SNMP information populated but the IP addresses are down because the firewall prevented all ICMP traffic to that node.  Is there a way to set up NNMi9 to poll the status of the interfaces and IP addresses through SNMP and disable ICMP altogether?

 

Thanks in advance,

 

Demitree

Respected Contributor
asoloperto
Posts: 166
Registered: ‎03-10-2010
Message 2 of 10 (370 Views)

Re: NNMi9 Monitor Devices Behind DMZ

Hello Demitree,

 

You can define this in the monitoring configuration of NNMi. This monitors the SNMP agent and also the interfaces (no IP addresses as there is no MIB table with status or IP addresses).

 

HTH and kind regards

 

Allessandro
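
Added example, not part of the original posts and not NNMi code: a Python sketch of what SNMP-only status polling has to work with. It parses a constructed Net-SNMP `snmpwalk`-style capture and derives interface state from IF-MIB `ifAdminStatus`/`ifOperStatus`; the legacy IP-MIB `ipAddrTable` only maps an address to an `ifIndex`, so an address can at best inherit the state of its hosting interface. The state labels and function names are assumptions made for this illustration.

```python
import re

# Constructed sample: snmpwalk-style output for a router behind the DMZ firewall.
SAMPLE_WALK = """\
IF-MIB::ifDescr.1 = STRING: GigabitEthernet0/0
IF-MIB::ifDescr.2 = STRING: Serial0/0/0
IF-MIB::ifDescr.3 = STRING: GigabitEthernet0/1
IF-MIB::ifAdminStatus.1 = INTEGER: up(1)
IF-MIB::ifAdminStatus.2 = INTEGER: up(1)
IF-MIB::ifAdminStatus.3 = INTEGER: down(2)
IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.2 = INTEGER: down(2)
IF-MIB::ifOperStatus.3 = INTEGER: down(2)
IP-MIB::ipAdEntIfIndex.192.0.2.10 = INTEGER: 1
IP-MIB::ipAdEntIfIndex.198.51.100.1 = INTEGER: 2
"""

# MODULE::column.index = TYPE: value
LINE = re.compile(r"^[\w-]+::(\w+)\.([\d.]+) = (\w+): (.*)$")

def parse_walk(text):
    """Return {column: {index: value}} for every line that parses."""
    tables = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            column, index, _type, value = m.groups()
            tables.setdefault(column, {})[index] = value.strip()
    return tables

def interface_state(admin, oper):
    """Illustrative labels (assumption), not NNMi's own status calculation."""
    if admin is None or oper is None:
        return "no status"          # column missing: agent or filter gave nothing
    if admin.startswith("down"):
        return "disabled"           # administratively shut, not a fault
    return "up" if oper.startswith("up") else "down"

def status_report(text):
    """Return (interfaces, addresses); addresses inherit their interface's state."""
    t = parse_walk(text)
    admin, oper = t.get("ifAdminStatus", {}), t.get("ifOperStatus", {})
    ifaces = {idx: (name, interface_state(admin.get(idx), oper.get(idx)))
              for idx, name in t.get("ifDescr", {}).items()}
    addrs = {ip: ifaces.get(idx, ("unknown", "no status"))
             for ip, idx in t.get("ipAdEntIfIndex", {}).items()}
    return ifaces, addrs

if __name__ == "__main__":
    interfaces, addresses = status_report(SAMPLE_WALK)
    for idx, (name, state) in sorted(interfaces.items()):
        print(f"ifIndex {idx} {name}: {state}")
    for ip, (name, state) in sorted(addresses.items()):
        print(f"{ip} on {name}: inferred {state}")
```
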

Honored Contributor
DJ Hogeweg
Posts: 288
Registered: ‎11-22-2010
Message 3 of 10 (369 Views)

Re: NNMi9 Monitor Devices Behind DMZ

Hi,

 

That's possible for it's the primary thing NNMi today does. What you have to do is define a rule(s) for the interfaces you want to monitor at Communication Configuration (the right rule order is important here). In your rule don't check 'Enable ICMP Fault Polling' and check 'Enable Interface Fault Polling' and 'Poll Unconnected interfaces' or 'Poll Interfaces Hosting IP Addresses'.

 

To find out which monitor rule NNMi uses to monitor an interface, go to your NNMi console and select Inventory > Interfaces > mark (tickbox) for an interface in question > menu Action > Monitoring Settings. The monitoring configuration window will tell you a lot: whether monitoring is applied on the basis of interface or node settings and which group does this for you. Success,

 

DJ

Advisor
Demitree
Posts: 18
Registered: ‎03-08-2011
Message 4 of 10 (364 Views)

Re: NNMi9 Monitor Devices Behind DMZ

Hi DJ,

 

According to your guide this will disable ICMP fault polling for all nodes in NNMi.  Is there a way to only set this up for specific nodes that are behind the DMZ?  I have already disabled ICMP under the communication settings for this specific node.  I would like to turn on SNMP fault polling for that single device as well.  Can this be done?  Thanks.

 

Demitree

Respected Contributor
asoloperto
Posts: 166
Registered: ‎03-10-2010
Message 5 of 10 (359 Views)

Re: NNMi9 Monitor Devices Behind DMZ

Hello Demitree,

Sure. Go to Configuration > MONITORING CONFIGURATION and define a rule under Node Settings. You have to create a node group which contains your nodes in the DMZ (e.g. based on hostedIPAddress) and use this in the rule.

HTH

Allessandro
Advisor
Demitree
Posts: 18
Registered: ‎03-08-2011
Message 6 of 10 (358 Views)

Re: NNMi9 Monitor Devices Behind DMZ

Thanks Allessandro for the quick reply. I will try that.
Advisor
Demitree
Posts: 18
Registered: ‎03-08-2011
Message 7 of 10 (343 Views)

Re: NNMi9 Monitor Devices Behind DMZ

After implementing the suggestions above I am still unable to receive the WAN int status.  NNM shows that the IP Address is down and the interface has no status.  Any suggestion?

 

Thanks,

Demitree

Honored Contributor
DJ Hogeweg
Posts: 288
Registered: ‎11-22-2010
Message 8 of 10 (330 Views)

Re: NNMi9 Monitor Devices Behind DMZ

[ Edited ]

Hi Demitree,

 

Looks like your monitoring rule doesn't hit the situation you want. The basic setup is as follows.

 

  • Define a node group with the DMZ nodes in it.
  • Define an interface group and add the DMZ node group to this group. Also add interface filters for the interface you want to monitor (you can define at additional filters a '... like *' to speed things up for the time being and fine tune it later).
  • At monitoring configuration you can define now your rule. Create a rule with a low ordering number, the DMZ interface group you created, at fault monitoring tick mark only "Enable interface fault polling", at "extend the scope ..." tick mark only "Poll unconnected interfaces".

 

Go to Inventory > Interfaces > use the DMZ node group as list filter.
Check here the monitoring status of your interfaces. If it's not as you expected, check which monitoring rule is being used by NNMi. You can check this by selecting the interface row > menu Action > Monitoring Settings. The second table is the one you're looking for. The first two rows here tell you which rule and type (can be either node or interface) was applied to monitor the interface. Hope this will help you a little.

 

DJ

 

Advisor
Demitree
Posts: 18
Registered: ‎03-08-2011
Message 9 of 10 (317 Views)

Re: NNMi9 Monitor Devices Behind DMZ

Hi DJ,

 

Thanks for the detailed description.  I was able to get the monitoring to display correctly for the interfaces.  There is only 1 slight change I had to make following your guideline.  For step 3, instead of going into the communication configuration I went into the monitoring configuration and everything worked like a charm!

 

Thanks for the help guys!

 

Demitree

Honored Contributor
DJ Hogeweg
Posts: 288
Registered: ‎11-22-2010
Message 10 of 10 (309 Views)

Re: NNMi9 Monitor Devices Behind DMZ

Hi Demitree,

You're right, stupid of me. I corrected the text. Regards,

DJ