PathSolutions has built-in support for the Palo Alto API to complete the information missing from regular SNMP interrogation on Palo Alto Networks devices.


Information Gathered by the Palo Alto API and Not Available from Regular SNMP Communications:

  • Interface IP Addresses and Subnets
  • Device Routing Table
  • Device ARP Cache Data


Prerequisites:

  • SNMP Access is enabled on the Palo Alto Firewall
    • Palo Alto Web UI:    Device -> Setup -> Operations -> Miscellaneous -> SNMP Setup
    • Define Physical Location, Contact and SNMP Community String or V3 Connection Information
    • Select "OK" and Commit Changes
  • Palo Alto Account Created (or use existing account) on Palo Alto Networks Firewall
    • Palo Alto Web UI:   Device -> Administrators
    • Role Required:  Superuser (Read-Only)
    • Select "OK" and Commit Changes
  • Allow Access From TotalView Host to Palo Alto Firewall(s)
    • SNMP (TCP:161) v2c or v3 (Read Only) 
    • SSH Access (TCP: 22) (For Device Backup and Account Validation)
    • SSL (TCP:443) Access for API Communications


Procedure to Set Up:

Make sure TotalView is correctly Connected to the Palo Alto Firewall via SNMP

   Config Tool

       Devices Tab

       Confirm the Palo Alto Firewall(s) are Configured and that Hostname and Interface Count are present

       Apply or OK to save changes and restart the service

Define Credentials to use to Connect to the Firewall(s)

    On the TotalView Host: Config Tool (Red Tool Box)

        Backup Tab

            Authorization Tab

                If not already set up, define an Authorization Password

            Credentials Tab

                Define Palo Alto Account Username and Password

            Devices Tab

                From the Dropdown list select the Palo Alto Firewall(s)

                Select the Credentials to use for the Firewall and "Test Connection"

                Accept the SSH key if prompted

                If verified correct,  Select "OK"

                (This needs to be completed for all Palo Alto Firewalls Individually) 

                Once all Firewalls have been added, select "Apply" or "OK" to restart the service

            (Optional)  Schedule Tab

                Define the schedule for Backing up the Firewall

                Select the "PaloAlto(RunningConfig).txt" script to use to Backup the Firewall

                (Optional) Set the Syslog String to use for a Syslog Triggered Backup

Apply or OK to save changes and Restart the TotalView Service


Validate Information Is Being Gathered:

Connect to TotalView Web UI

   Network -> Devices Tab

       Select Palo Alto Firewall

       Review Interface IP Information

       Scroll Down to Display Firewall Routing Table



Troubleshooting:

On TotalView Host

Open Web Browser and connect to Palo Alto Firewall

   Confirm Username and Password work for Login

   Confirm Password is not Expired and does not Require a Change
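
The login check above can also be made against the API on TCP 443 from the TotalView Host, which tests the same path the API communications use. The script below is an added example, not PathSolutions or Palo Alto code; it assumes the PAN-OS XML API `type=keygen` request, and the script name, function names and sample responses are constructed for illustration.

```python
import getpass
import ssl
import sys
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample responses (not captured from a real firewall).
SAMPLE_OK = "<response status='success'><result><key>CONSTRUCTED-NOT-A-REAL-KEY</key></result></response>"
SAMPLE_DENIED = "<response status='error' code='403'><result><msg>Invalid credentials.</msg></result></response>"


def classify_keygen_response(xml_text):
    """Return (ok, detail) for a keygen response body. The key itself is never returned."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False, "reply is not XML; check that TCP 443 reaches the firewall"
    if root.get("status") == "success" and root.findtext("result/key"):
        return True, "credentials accepted"
    node = root.find(".//msg")
    msg = " ".join("".join(node.itertext()).split()) if node is not None else ""
    return False, "code %s: %s" % (root.get("code", "?"), msg or "no message")


def request_keygen(host, user, password, cafile=None, timeout=10):
    """POST the credentials in the body (not the URL) and return the reply text."""
    ctx = ssl.create_default_context(cafile=cafile)  # certificate checks stay on
    body = urllib.parse.urlencode({"user": user, "password": password}).encode()
    req = urllib.request.Request("https://%s/api/?type=keygen" % host, data=body)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # error replies can carry a non-200 status
        return err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Usage (hypothetical file name): python check_api_login.py <firewall> <username> [ca-bundle.pem]
    host, user = sys.argv[1], sys.argv[2]
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    try:
        reply = request_keygen(host, user, getpass.getpass("Password: "), cafile)
    except (urllib.error.URLError, OSError) as err:
        sys.exit("FAILED: cannot reach https://%s/api/ (%s)" % (host, err))
    ok, detail = classify_keygen_response(reply)
    print("%s: %s" % ("OK" if ok else "FAILED", detail))
    sys.exit(0 if ok else 1)
```

If the firewall presents a certificate that the TotalView Host does not trust, pass the issuing CA bundle as the third argument so certificate verification stays enabled.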