KBI 311839 New Feature: Monitor Generic VPN Devices
Version
Argent Advanced Technology 5.1A-2007-A and above
Date
Tuesday, 16 June 2020
Summary
Argent AT implements a set of Generic VPN Rules that target any non-CISCO VPN device
The following vendors are supported out of the box:
- Check Point
- Fortinet
- Juniper
- SonicWall
- Zyxel
The Rule gathers common performance metrics such as total tunnels and in/out bandwidth usage
More importantly, it provides unique security features that raise real-time alerts for potential hacking:
- VPN tunnel creation
- VPN tunnel termination
- VPN connections coming from locations where no employee should be working
- Multiple connections coming from the same remote IP, which is unusual unless both residents work for the same company
The feature has been implemented in Argent AT 5.1A-2007-A
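The four alert conditions listed above can all be derived by comparing successive polls of a device's VPN tunnel table. The following Python is an added example, not Argent's implementation: the poll data is constructed, and the list of expected networks is an assumed stand-in for a location check.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: two successive polls of a VPN tunnel table,
# keyed by tunnel index, each row holding (user, remote IP).
PREVIOUS_POLL = {
    "1": ("alice", "198.51.100.10"),
    "2": ("bob", "203.0.113.25"),
}
CURRENT_POLL = {
    "2": ("bob", "203.0.113.25"),
    "3": ("carol", "203.0.113.25"),
    "4": ("dave", "192.0.2.77"),
}
# Assumption: networks standing in for "locations where employees work".
EXPECTED_NETWORKS = ["198.51.100.0/24", "203.0.113.0/24"]


def evaluate_polls(previous, current, expected_networks):
    """Compare two tunnel-table snapshots and return the four alert sets."""
    networks = [ipaddress.ip_network(n) for n in expected_networks]
    created = set(current) - set(previous)
    terminated = set(previous) - set(current)

    unexpected = []
    users_by_ip = defaultdict(list)
    for index, (user, remote_ip) in sorted(current.items()):
        addr = ipaddress.ip_address(remote_ip)
        users_by_ip[remote_ip].append(user)
        # Check location only for new tunnels so an alert fires once,
        # not on every poll while the tunnel stays up.
        if index in created and not any(addr in net for net in networks):
            unexpected.append((index, user, remote_ip))

    # More than one tunnel terminating at the same remote IP.
    shared = {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) > 1}
    return {
        "created": sorted(created),
        "terminated": sorted(terminated),
        "unexpected_location": unexpected,
        "shared_remote_ip": shared,
    }


if __name__ == "__main__":
    for alert, detail in evaluate_polls(
            PREVIOUS_POLL, CURRENT_POLL, EXPECTED_NETWORKS).items():
        print(f"{alert}: {detail}")
```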
Technical Background
The Rule is built on a VPN tunnel MIB for the specific vendor
Some vendors are listed as follows:
Vendor | MIB file
--- | ---
Check Point | CHECKPOINT-MIB.mib
CISCO | CISCO-IPSEC-FLOW-MONITOR-MIB.mib
CISCO | CISCO-MEDIA-GATEWAY-MIB.mib
CISCO | CISCO-REMOTE-ACCESS-MONITOR-MIB.mib
CISCO | CISCO-SMI.mib
CISCO | CISCO-TC.mib
FORTINET | FORTINET-CORE-MIB.mib
FORTINET | FORTINET-FORTIGATE-MIB.mib
JUNIPER | JUNIPER-SMI.mib
JUNIPER | JUNIPER-VPN-MIB.mib
BARRACUDA | PHION-MIB.mib
SONICWALL | SONICWALL-FIREWALL-IP-STATISTICS-MIB.mib
SONICWALL | SONICWALL-FIREWALL-TRAP-MIB.mib
SONICWALL | SONICWALL-SMI.mib
ZYXEL | ZYXEL-MIB.mib
ZYXEL | ZYXEL-ZYWALL-MIB.mib
The vendor-specific VPN Rule is defined in Product.xml under the Argent for SNMP home directory
Once the structure of a Rule definition is understood, it is easy to add a new VPN Rule when the customer’s device vendor is not in the list of out-of-the-box Rules
Take SonicWall as an example; its VPN tunnel table is “sonicSAStatTable”
The SonicWall VPN Rule is defined in Product.xml as follows:
UUID – Rule category UUID. Use the utility “UUIDGEN.exe” to generate a UUID for a new Rule category
LINK – This must be “2c34a747-2022-4613-9215-abfed1c5ffef”
NAME – Rule name
PATH – Rule tree structure
APP-NAME – This must be “SNMP”
PREFIX – Enter an appropriate string
VENDOR – Enter an appropriate string
ROOT – This should be the OID of the table entry. For SonicWall, it is “sonicIpsecSaIndex”
USER – This should be the OID of the table column that identifies the user, with the ROOT OID removed. For SonicWall, it is “sonicSAStatUserName”
REMOTE_IP – This should be the OID of the table column that identifies the remote IP address, with the ROOT OID removed. For SonicWall, it is “sonicSAStatPeerGateway”
Resolution
Upgrade to Argent Advanced Technology 5.1A-2007-A and above