Server behind firewall nat, cannot monitor a service on a single internal interface


    Hi,

    I am interested to see if anyone has any suggestions as to how I can achieve monitoring on a particular interface of a server behind a NAT firewall.

    We have one server stuck on a different network that for many stupid reasons we are not allowed to move to within the network that the Zabbix server is set up on. I am not allowed to add any more virtual machines to the remote network so cannot set up a proxy, nor am I allowed to install the proxy software on the box itself (again daft political and regulatory reasons).

    I have (after much arguing) installed the agent on the remote machine and have created two filtered port forwards (TCP:10050) on the firewalls that are between the networks to allow the agent and server to communicate. This bit is working; I am receiving data for pretty much all my items.


    The problem I have is with one particular service that only listens on one internal IP of the remote server, not on all interfaces.

    The netstat entry is: tcp 0 0 192.168.78.10:30011 0.0.0.0:* LISTEN

    If I add a standard item (net.tcp.service[tcp,,30011]) to the host it constantly returns a fail (0). This type of item works for all the other services that are listening on all IPs.

    If I add in the internal IP to the item (net.tcp.service[tcp,192.168.78.10,30011]) I get a "not supported on the agent" error, but I assume because that host does not have that IP listed in its entry on the Zabbix server.

    If I add the 192.x address to the host (not as default) I do not get the "not supported error" but then all the other items stop returning data.

    I am new to this Zabbix system so apologise if I have just done something daft, but can anyone see how I can get this service to monitor?

    Cheers




    #2
    Hi DigitalSushi, you might be able to work around the issue if you are able (allowed) to use iptables on your host.
    You can NAT a valid destination IP/port to 192.168.78.10:30011, if needed NATing the source IP to match your routing in the last hop.
    Regards M-H
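
The destination NAT suggested in reply #2, written out as iptables rules (an added example, not part of either post). The front address 10.0.0.5 in the usage comment is a constructed value and `nat_rules` is a hypothetical helper name; the script only prints the rules so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: print (do not apply) DNAT rules that map an address/port the
# monitoring check can reach onto a service bound to one internal IP only.
# Usage (10.0.0.5 is a constructed sample address):
#   sh nat_rules.sh 10.0.0.5 30011 192.168.78.10 30011

valid_ip() {    # dotted-quad IPv4, every octet numeric and 0-255
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

valid_port() {  # decimal TCP port 1-65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# nat_rules FRONT_IP FRONT_PORT BACK_IP BACK_PORT
nat_rules() {
    valid_ip "$1" && valid_port "$2" && valid_ip "$3" && valid_port "$4" || {
        echo "invalid address or port" >&2
        return 1
    }
    match="-p tcp -d $1 --dport $2"
    to="--to-destination $3:$4"
    # Connections arriving from other machines pass through PREROUTING.
    echo "iptables -t nat -A PREROUTING $match -j DNAT $to"
    # Connections opened on this host itself (such as a check run by a local
    # agent) never reach PREROUTING; they are translated in OUTPUT instead.
    echo "iptables -t nat -A OUTPUT $match -j DNAT $to"
}

if [ "$#" -eq 4 ]; then
    nat_rules "$@"
fi
```

Restricting the rules to one protocol, destination address and port keeps the translation from exposing anything beyond the single service being monitored.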
