Hi Everyone,
We started using the new Palo Alto plugin with excitement. It successfully retrieves the ARP table from the Palo Alto firewall as XML every 20 minutes.
However, for some reason, while reading the ARP table from Palo Alto, the records are constantly expiring and being added again. This does not occur for the ARP records received via SNMP. Has anyone observed this situation?
In the example below, the IP address 192.168.0.250 belongs to a server. There is no disconnection, but for some reason, the MAC tracker records show that a re-connection is happening every 20 minutes. (BTW - our NAV version is the latest (5.10.2).)
Best Regards
Mehmet E. ŞAHİN
On Wed 05 Jun 2024 at 13:53, Mehmet E. Şahin (BAŞKANLIK-BİDB) mehmet.sahin@tubitak.gov.tr wrote:
We started using the new Palo Alto plugin with excitement. It successfully retrieves the ARP table from the Palo Alto firewall as XML every 20 minutes.
However, for some reason, while reading the ARP table from Palo Alto, the records are constantly expiring and being added again. This does not occur for the ARP records received via SNMP. Has anyone observed this situation?
I have not, but I don't have access to a Palo Alto firewall myself.
However, I suspect there may be some unintended entanglement with the regular SNMP ARP plugin that (by default config) runs immediately before the Palo Alto ARP plugin. It does mark records as missing if it doesn't find them using SNMP. The actual database updates do not happen until the entire job (including the PaloAlto plugin) is finished, so the Palo Alto plugin would have the opportunity to rectify any incorrect markings.
Unfortunately, I don't think Mr. Heimonen, who contributed the Palo Alto plugin, is a member of this list, so I'm Cc:ing him. This functionality was provided courtesy of the University of Tromsø, who needed it, but I don't know what their experience with this in production is thus far.
I'm looking into it
From: Morten Brekkevold morten.brekkevold@sikt.no
Sent: Thursday, June 6, 2024 9:58:42 AM
To: mehmet.sahin@tubitak.gov.tr
Cc: nav-users@lister.sikt.no; Joar Heimonen joarheimonen@live.no
Subject: Re: [Nav-users] NAV - Palo Alto Plugin: MAC Records Keep Expiring
-- Sincerely, Morten Brekkevold
Sikt – Norwegian Agency for Shared Services in Education and Research
On Wed 05 Jun 2024 at 13:53, Mehmet E. Şahin (BAŞKANLIK-BİDB) mehmet.sahin@tubitak.gov.tr wrote:
Hi Everyone,
We started using the new Palo Alto plugin with excitement. It successfully retrieves the ARP table from the Palo Alto firewall as XML every 20 minutes.
Hi Mehmet, I'm trying to dig deeper into this issue you reported, at least beyond my off-the-cuff analysis given at the time, and I posted a bug report to GitHub about it at https://github.com/Uninett/nav/issues/3252
However, it occurs to me that the pattern you're describing is eerily similar to the ARP bug that was supposedly fixed in NAV 5.10.2, which was released only a couple of days before your report (and which you said you were running at the time): https://github.com/Uninett/nav/issues/2910
Is the issue still unresolved for you? Do you see the issue for any other routers than Palo Alto firewalls?
Our network engineers have still not configured the Palo Alto plugin on the one or two customer installations where they manage Palo Alto firewalls, so I have not had the opportunity to test on field equipment quite yet, but I'll see if I can't nudge them in the right direction.
Hi Morten,
That’s correct; we are running NAV 5.10.2. Our network consists of multiple L2/L3 HP Aruba switches and Palo Alto firewalls. NAV collects ARP records using SNMP from the HP Aruba switches, and we don’t encounter any expired ARP issues with those records. However, we do experience expired ARP issues with records retrieved from the Palo Alto firewalls. For reference, our ipdevpoll.conf configuration for ip2mac is as follows:
[job_ip2mac]
interval: 20m
intensity: 0
plugins: arp paloaltoarp
description: The ip2mac job logs IP to MAC address mappings from routers and firewalls (i.e. from IPv4 ARP and IPv6 Neighbor caches)
Thank you for your support.
Best Regards
Mehmet E. ŞAHİN
From: "Morten Brekkevold" morten.brekkevold@sikt.no
To: "Mehmet E. Şahin, BAŞKANLIK-BİDB" mehmet.sahin@tubitak.gov.tr
Cc: "nav-users" nav-users@uninett.no
Sent: Friday, 6 December 2024 16:06:28
Subject: Re: [Nav-users] NAV - Palo Alto Plugin: MAC Records Keep Expiring
On Mon 09 Dec 2024 at 09:34, Mehmet E. Şahin (BAŞKANLIK-BİDB) mehmet.sahin@tubitak.gov.tr wrote:
[job_ip2mac] interval: 20m
Well, that at least explains the 20 minute intervals. We'll see if we can't find a solution where the regular SNMP-ARP plugin will stay out of the way if the Palo Alto plugin is used instead - but it might mean the order of the two plugins needs to change in the job config.
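A way to confirm the symptom discussed in this thread from the recorded data, as an added example that is not part of the original messages or of NAV's own code: it merges ARP records of the same IP/MAC pair that were closed and reopened within one job run, and flags pairs whose records restart once per job interval. The row layout (ip, mac, start, end), the 60-second gap, the 2-minute slack and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

JOB_INTERVAL = timedelta(minutes=20)  # "interval: 20m" from [job_ip2mac]
MAX_GAP = timedelta(seconds=60)       # assumed: closed and reopened in one job run
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows: (ip, mac, start, end); end=None means still open.
SAMPLE = [
    ("192.168.0.250", "00:00:5E:00:53:01", "2024-06-05 10:00:05", "2024-06-05 10:20:04"),
    ("192.168.0.250", "00:00:5e:00:53:01", "2024-06-05 10:20:05", "2024-06-05 10:40:04"),
    ("192.168.0.250", "00:00:5e:00:53:01", "2024-06-05 10:40:05", "2024-06-05 11:00:06"),
    ("192.168.0.250", "00:00:5e:00:53:01", "2024-06-05 11:00:07", None),
    ("192.168.0.17", "00:00:5e:00:53:02", "2024-06-05 08:00:00", "2024-06-05 09:10:00"),
    ("192.168.0.17", "00:00:5e:00:53:02", "2024-06-05 13:30:00", None),
]

def coalesce(rows, max_gap=MAX_GAP):
    """Merge records of one (ip, mac) pair that restart within max_gap of the
    previous record's end. Returns {(ip, mac): [{"starts": [...], "end": ...}]}."""
    grouped = defaultdict(list)
    for ip, mac, start, end in rows:
        grouped[(ip, mac.lower())].append(
            (datetime.strptime(start, FMT), datetime.strptime(end, FMT) if end else None))
    sessions = {}
    for key, recs in grouped.items():
        merged = []
        for start, end in sorted(recs, key=lambda r: r[0]):
            last = merged[-1] if merged else None
            if last and last["end"] is not None and start - last["end"] <= max_gap:
                last["starts"].append(start)  # same presence, stored as a new record
                last["end"] = end
            else:
                merged.append({"starts": [start], "end": end})
        sessions[key] = merged
    return sessions

def churning(rows, interval=JOB_INTERVAL, slack=timedelta(minutes=2), min_records=3):
    """Pairs whose continuous presence was split into one record per job run."""
    flagged = {}
    for key, merged in coalesce(rows).items():
        for s in merged:
            steps = [b - a for a, b in zip(s["starts"], s["starts"][1:])]
            if len(s["starts"]) >= min_records and all(abs(d - interval) <= slack for d in steps):
                flagged[key] = len(s["starts"])
    return flagged

if __name__ == "__main__":
    for (ip, mac), n in churning(SAMPLE).items():
        print(f"{ip} {mac}: {n} records cover one uninterrupted session")
```

The merged sessions from `coalesce` are the ones to use when an IP-to-MAC lookup has to answer who held an address over a period, since the split records would otherwise look like repeated reconnects.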