#! /usr/bin/perl -w
#
# check_netscreen_vpn - nagios plugin 
#
# Description: plugin to query a netscreen firewall and report 
# state of a VPN
#
##
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
#
#
# Report bugs to: s.barbereau@securalis.com, nagiosplug-help@lists.sf.net
#
# This plugin is based on existing work from warious users. 
# No liability

use POSIX;
use strict;
# Update the following value to reflect your install
use lib "/usr/lib/nagios/script_securalis"  ;
use lib "/usr/local/nagios/libexec"  ;
use utils qw($TIMEOUT %ERRORS &print_revision &support);

use Net::SNMP;
use Getopt::Long;
&Getopt::Long::config('bundling');

my $PROGNAME = "check_netscreen_vpn";
my $status;
my $version='1.0';
my $state = "UNKNOWN";
my $answer = "";
my $snmpkey = undef;
my $community = "public";
my $port = 161;
my $hostname=undef;
my $session;
my $error=undef;
my $response=undef;
my $snmp_version = 1 ;
my $opt_h ;
my $opt_list;
my $opt_w = 40 ;
my $opt_c = 60;
my $opt_V ;
my $opt_tunnelname = undef;
my $opt_checktunnelstate = undef;
my $opt_checkP1state = undef;
my $opt_checkP2state = undef;
my $session_used=0;

my @snmpoids;
my $snmpnsVpnMonP2State = '.1.3.6.1.4.1.3224.4.1.1.1.23';
my $snmpnsVpnMonP1State = '.1.3.6.1.4.1.3224.4.1.1.1.21';
my $snmpnsVpnMonTunnelState = '.1.3.6.1.4.1.3224.4.1.1.1.20';
my $snmpnsVpnMonMonState = '.1.3.6.1.4.1.3224.4.1.1.1.19';
my $snmpnsVpnMonVpnName = '.1.3.6.1.4.1.3224.4.1.1.1.4';

# Just in case of problems, let's not hang Nagios
$SIG{'ALRM'} = sub {
     print ("ERROR: No snmp response from $hostname (alarm)\n");
     exit $ERRORS{"UNKNOWN"};
};
alarm($TIMEOUT);


$status = GetOptions(
			"V"   => \$opt_V, "version"    => \$opt_V,
			"n=s" => \$opt_tunnelname, "tunnelname=s" => \$opt_tunnelname,
			"t"   => \$opt_checktunnelstate, "tunnelstate" => \$opt_checktunnelstate,
			"1"   => \$opt_checkP1state, "phase1state" => \$opt_checkP1state,
			"2"   => \$opt_checkP2state, "phase2state" => \$opt_checkP2state,
			"h"   => \$opt_h, "help"       => \$opt_h,
			"l"   => \$opt_list, "list"       => \$opt_list,
			"v=i" => \$snmp_version, "snmp_version=i"  => \$snmp_version,
			"C=s" =>\$community, "community=s" => \$community,
			"p=i" =>\$port,  "port=i",\$port,
			"H=s" => \$hostname, "hostname=s" => \$hostname);


				
if ($status == 0)
{
	print_help();
	exit $ERRORS{'OK'};
}
  
if ($opt_V) {
	print_revision($PROGNAME,$version);
	exit $ERRORS{'OK'};
}

if ($opt_h) {
	print_help();
	exit $ERRORS{'OK'};
}

if (! utils::is_hostname($hostname)){
	usage();
	exit $ERRORS{"UNKNOWN"};
}


if ( $snmp_version =~ /[12]/ ) {
   ($session, $error) = Net::SNMP->session(
		-hostname  => $hostname,
		-community => $community,
		-port      => $port,
		-version   => $snmp_version
	);

	if (!defined($session)) {
		$state='UNKNOWN';
		$answer=$error;
		print ("$state: $answer");
		exit $ERRORS{$state};
	}
}elsif ( $snmp_version =~ /3/ ) {
	$state='UNKNOWN';
	print ("$state: No support for SNMP v3 yet");
	exit $ERRORS{$state};
}else{
	$state='UNKNOWN';
	print ("$state: No support for SNMP v$snmp_version yet");
	exit $ERRORS{$state};
}

if (! $opt_tunnelname) {
	$session->close;
	print ("-t tunnelname : tunnel name muse be specified");
	usage();
	exit $ERRORS{$state};
} else {
    # retrieve snmpkey from tunnel name
    # get NSVPN interface table from nsvpnmon
    my $response=$session->get_table(
	    Baseoid => $snmpnsVpnMonVpnName
    );
    if(!defined($response)) {
	printf("ERROR: Interface table: %s",$session->error);
	$session->close;
	exit $ERRORS{$state};
    }
    foreach my $key ( keys %$response) {
	if($opt_list) {
	    print "Found interface: ".$$response{$key}."\n";
	}
	if($$response{$key} eq $opt_tunnelname) {
	    my @oid_list = split(/\./,$key);
	    $snmpkey = pop(@oid_list);
	}
    }
    if(!defined($snmpkey)) {
	printf("ERROR: Tunnel name not found.");
	$state='UNKNOWN';
	$session->close;
	exit $ERRORS{$state};
    }
    $snmpnsVpnMonTunnelState .= ".".$snmpkey;
    $snmpnsVpnMonMonState .= ".".$snmpkey;
    $snmpnsVpnMonP1State .= ".".$snmpkey;
    $snmpnsVpnMonP2State .= ".".$snmpkey;
    @snmpoids=($snmpnsVpnMonTunnelState,$snmpnsVpnMonMonState,$snmpnsVpnMonP1State,$snmpnsVpnMonP2State);
}

if (!defined($response = $session->get_request(@snmpoids))) {
    $answer=$session->error;
    $session->close;
    $state = 'CRITICAL';
    print ("$state: $answer");
    exit $ERRORS{$state};
}
$session->close;

if(defined($opt_checktunnelstate) && defined($opt_checktunnelstate)) {
    if(! $$response{$snmpnsVpnMonMonState}) {
	$state = 'WARNING';
	$answer .= "Monitor disabled ";
    } else {
	if($$response{$snmpnsVpnMonTunnelState}) {
	    $state = 'OK';
	    $answer .= "Tunnel UP ";
	} else {
    	    $state = 'CRITICAL';
    	    $answer .= "Tunnel DOWN ";
        }
    }
}

if(defined($opt_checkP1state)) {
    if($$response{$snmpnsVpnMonP1State}) {
	$state = 'OK';
	$answer .= "(P1 OK) ";
    } else {
        $state = 'CRITICAL';
	$answer .= "(P1 Problem) ";
    }
}

if(defined($opt_checkP2state)) {
    if($$response{$snmpnsVpnMonP2State}) {
	$state = 'OK';
	$answer .= "(P2 OK)";
    } else {
        $state = 'CRITICAL';
	$answer .= "(P2 Problem)";
    }
}


print ("$state: $answer");
exit $ERRORS{$state};


sub usage {
  printf "\nMissing arguments!\n";
  printf "\n";
  printf "usage: \n";
  printf "$PROGNAME -H <HOSTNAME> [-C <community>] [-p port] [-l] [-n tunnelname] [-t] [-1] [-2] \n";
  printf "For help, try: $PROGNAME -h \n";
  printf "Copyright (C) 2003 Sebastien Barbereau\n";
  printf "$PROGNAME comes with ABSOLUTELY NO WARRANTY\n";
  printf "This programm is licensed under the terms of the ";
  printf "GNU General Public License\n(check source code for details)\n";
  printf "\n\n";
  exit $ERRORS{"UNKNOWN"};
}

sub print_help {
	printf "$PROGNAME plugin for Nagios monitors the state of  \n";
  	printf "VPN tunnels for a Netscreen/Juniper firewall\n";
	printf "\nUsage:\n";
	printf "   -H (--hostname)     Hostname to query - (required)\n";
	printf "   -C (--community)    SNMP read community (defaults to public,\n";
	printf "                       used with SNMP v1 and v2c\n";
	printf "   -v (--snmp_version)  1 for SNMP v1 (default)\n";
	printf "                        2 for SNMP v2c\n";
	printf "                        SNMP v2c will use get_bulk for less overhead\n";
	printf "                        if monitoring with -d\n";
	printf "   -p (--port)         SNMP port (default 161)\n";
	printf "   -n (--tunnemname)   Tunnel name to monitor - (required)\n";
	printf "   -l (--list)         List possible tunnel names\n";
	printf "   -t (--tunnelstate)  Tunnel state for specified tunnel name\n";
	printf "   -1 (--phase1state)  Phase 1 state for specified tunnel name\n";
	printf "   -2 (--phase2state)  Phase 2 state for specified tunnel name\n";
	printf "   -V (--version)      Plugin version\n";
	printf "   -h (--help)         usage help \n\n";
	print_revision($PROGNAME, $version);
	
}
