Hi Morten,

Thank you for the details you shared. Palo Alto has a REST API and provides data as XML. For example, the "show arp all" command dumps all ARP table entries over the API as below. I hope this may help to understand how the Palo Alto API works.

Example Python project:
http://api-lab.paloaltonetworks.com/pan-python.html

(Besides, you may get a free Palo Alto firewall trial VM image for 30 days as you wish.)


<response status="success">
<result>
<max>16000</max>
<total>1625</total>
<timeout>1800</timeout>
<dp>dp0</dp>
<entries>
    <entry>
      <status>  c  </status>
      <ip>100.64.41.1</ip>
      <mac>10:e8:78:8f:4d:32</mac>
      <ttl>1694</ttl>
      <interface>ethernet1/2</interface>
      <port>ethernet1/2</port>
    </entry>
    <entry>
      <status>  c  </status>
      <ip>10.19.101.13</ip>
      <mac>00:0c:26:11:23:b9</mac>
      <ttl>537</ttl>
      <interface>ae1.101</interface>
      <port>ae1</port>
    </entry>
.....
    <entry>
      <status>  c  </status>
      <ip>10.19.101.14</ip>
      <mac>00:19:d1:b5:47:cc</mac>
      <ttl>677</ttl>
      <interface>ae1.101</interface>
      <port>ae1</port>
    </entry>
</entries>
</result>
</response>



Best Regards
Mehmet Emin Şahin


From: "Morten Brekkevold" <morten.brekkevold@sikt.no>
To: "Mehmet E. Şahin, BAŞKANLIK-BİDB" <mehmet.sahin@tubitak.gov.tr>
Cc: "nav-users-request" <nav-users-request@uninett.no>, "nav-users" <nav-users@uninett.no>
Sent: Thursday, 20 January 2022 14:39:21
Subject: Re: NAV - Palo Alto ARP table import for Machine Tracer

On Tue, 18 Jan 2022 12:20:18 +0300 (EET) Mehmet "E. Şahin (BAŞKANLIK-BİDB)" <mehmet.sahin@tubitak.gov.tr> wrote:

> Hi Everyone,
>
> We have NAV to monitor network switches and also Palo Alto
> Firewall. We can only use Palo Alto api to query its arp table as it
> does not support it over snmp.

Hi Mehmet! This sounds like the exact same problem users have described
for the Cisco ASA range of firewalls over the years.

> Could there be a way to import those ARP records from palo alto
> firewall to NAV periodically ?

I recall some users describing trying to hack their way around the Cisco
ASA limitations by writing expect scripts that fetch the data and modify
the NAV database externally.

A quick search of the archives reveals that the last time this issue was
discussed was in July of 2019:

https://sympa.uninett.no/lists/uninett.no/arc/nav-users/2019-07/msg00001.html

I did respond with some tips and ideas for making this idea work with
NAV, but the user never got back to me.

Now that NAV has better support for configuring other management protocols
than SNMP, we would stand a better chance of actually implementing an
alternative collector mechanism in NAV itself.

I lack access to firewalls to test on, so someone else would have to
write the code, but I could assist in getting it worked into NAV.

What kind of APIs does Palo Alto provide? Are they NETCONF compatible? I
do see there is a community-built PAN-OS driver for NAPALM:
https://github.com/napalm-automation-community/napalm-panos



--
Best regards
Morten Brekkevold
Senior engineer, The Data and Infrastructure Division

Sikt – Norwegian Agency for Shared Services in Education and Research
www.sikt.no
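
Added example (not part of either message, and not NAV or pan-python code): one way to turn the "show arp all" XML response quoted at the top of this thread into validated IP/MAC records before anything is written to an external database. The function name, the record layout and the last sample entry are assumptions made for illustration; the block parses an embedded sample and makes no API call.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Sample trimmed from the response quoted in the thread. The last entry is
# constructed here (not from the thread) to show how a bad record is handled.
SAMPLE = """<response status="success"><result>
<max>16000</max><total>1625</total><timeout>1800</timeout><dp>dp0</dp>
<entries>
  <entry><status>  c  </status><ip>100.64.41.1</ip><mac>10:e8:78:8f:4d:32</mac>
    <ttl>1694</ttl><interface>ethernet1/2</interface><port>ethernet1/2</port></entry>
  <entry><status>  c  </status><ip>10.19.101.13</ip><mac>00:0c:26:11:23:b9</mac>
    <ttl>537</ttl><interface>ae1.101</interface><port>ae1</port></entry>
  <entry><status>  i  </status><ip>10.19.101.99</ip><mac>not-a-mac</mac>
    <ttl>1</ttl><interface>ae1.101</interface><port>ae1</port></entry>
</entries></result></response>"""


def parse_arp_response(xml_text):
    """Return (records, rejected) from a 'show arp all' XML response."""
    # An ARP dump has no reason to carry a DTD; refuse it instead of parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected here")
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("status") != "success":
        raise ValueError("API call did not report success")
    records, rejected = [], []
    for entry in root.iterfind("./result/entries/entry"):
        # Values such as <status> arrive padded with spaces, so strip them.
        field = {child.tag: (child.text or "").strip() for child in entry}
        mac = field.get("mac", "").lower()
        try:
            ip = ipaddress.ip_address(field.get("ip", ""))
        except ValueError:
            rejected.append(field)
            continue
        if not MAC_RE.match(mac):
            rejected.append(field)
            continue
        records.append({"ip": str(ip), "mac": mac,
                        "interface": field.get("interface", "")})
    return records, rejected


if __name__ == "__main__":
    good, bad = parse_arp_response(SAMPLE)
    for rec in good:
        print(rec["ip"], rec["mac"], rec["interface"])
    print("rejected:", len(bad))
```

Rejected entries are returned rather than silently dropped, so an importer can log them instead of inserting unvalidated strings into the database.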