On Tue, 18 Jan 2022 12:20:18 +0300 (EET) "Mehmet E. Şahin (BAŞKANLIK-BİDB)" <mehmet.sahin@tubitak.gov.tr> wrote:
> Hi Everyone,
> We have NAV to monitor network switches and also Palo Alto Firewall. We can only use Palo Alto API to query its ARP table as it does not support it over SNMP.

Hi Mehmet! This sounds like the exact same problem users have described for the Cisco ASA range of firewalls over the years.

> Could there be a way to import those ARP records from Palo Alto firewall to NAV periodically?

I recall some users describing trying to hack their way around the Cisco ASA limitations by writing expect scripts that fetch the data and modify the NAV database externally.
A quick search of the archives reveals that the last time this issue was discussed was in July of 2019:
https://sympa.uninett.no/lists/uninett.no/arc/nav-users/2019-07/msg00001.htm...
I did respond with some tips and ideas for making this idea work with NAV, but the user never got back to me.
Now that NAV has better support for configuring other management protocols than SNMP, we would stand a better chance of actually implementing an alternative collector mechanism in NAV itself.
I lack access to firewalls to test on, so someone else would have to write the code, but I could assist in getting it worked into NAV.
What kind of APIs do Palo Alto provide? Are they NETCONF compatible? I do see there is a community-built PAN-OS driver for NAPALM: https://github.com/napalm-automation-community/napalm-panos