Hello NAV community,
I recently added a Palo Alto firewall to NAV to be monitored. It is the gateway for some VLANs.
NAV lists all interfaces but does not classify them as routing or switching ports. Other things are not recognized either, power supply sensors for example.
I believe this is because the NAV does not have specific MIBs configured.
Is there a way to import MIBs for this specific device, or a workaround?
Thanks in advance. Great tool ;)
On Mon, 18 May 2020 21:37:24 +0100 Edgar Matias edgar.matias@fccn.pt wrote:
I recently added a Palo Alto firewall to NAV to be monitored. It is the gateway for some VLANs.
NAV lists all interfaces but does not classify them as routing or switching ports. Other things are not recognized either, power supply sensors for example.
I believe this is because the NAV does not have specific MIBs configured.
It depends. Some firewall products seem to be pretty picky about what they want to reveal using SNMP.
IP addresses and prefixes are normally fetched from the IP-MIB (IETF RFC 4293). Reading the tech docs [1] on Palo Alto Networks' homepage indicates that their products do not explicitly support this MIB.
However, it mentions support for MIB-II, which is defined by the ancient IETF RFC 1213 (March 1991). RFC 4293 redefines and updates the IP group of the original MIB-II (and in this version, the ipAddrTable object is deprecated in favor of an IP-version-agnostic table, which Palo Alto really should support if their products work with IPv6).
NAV does, however, support IP-MIB::ipAddrTable, which should be the same as RFC1213-MIB::ipAddrTable. I'd say you should monitor ipdevpoll.log for any error messages related to your firewalls, and verify that this information can actually be collected from the firewall, with something akin to `snmpwalk -v2c -c COMMUNITY FIREWALL-IP RFC1213-MIB::ipAddrTable`.
[1] https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/snmp-mo...
Great tool ;)
Thanks :)
-- sincerely, Morten Brekkevold Uninett
Thanks for the answer Morten,
I was checking what you said. In ipdevpoll.log, fortunately, I have not a single error. Regarding standard MIBs, Palo Alto only has a few things available. In the case of MIB-II, only System and Interfaces are available.
For ipAddrTable, in fact, I tested different MIBs and nothing was returned.
I believe that for now we have to live with this.
By the way, is there any way to "acknowledge" a WatchDog warning? Because the Palo Alto firewall does not count any switch ports or router ports, I have these alerts permanently.
I take the opportunity to ask another question. Is there some possibility of generating alerts for switch ports in err-disable state on network devices?
Thanks again, sincerely,
Edgar Matias
Application Infrastructures Area
Fundação para a Ciência e a Tecnologia Unidade FCCN – Computação Científica Nacional Av. do Brasil, 101, 1700-066 Lisboa, Portugal T: [+351] 218 440 100 | [+351] 900 000 000 www.fccn.pt
On 19-05-2020 07:35, Morten Brekkevold wrote:
On Fri, 29 May 2020 00:36:10 +0100 Edgar Matias edgar.matias@fccn.pt wrote:
Regarding standard MIBs, Palo Alto only has a few things available. In the case of MIB-II, only System and Interfaces are available.
For ipAddrTable, in fact, I tested different MIBs and nothing was returned.
I believe that for now we have to live with this.
Sounds like Palo Alto's SNMP implementation is severely lacking. Do Palo Alto devices support other means of management, such as NETCONF or RESTCONF?
By the way, is there any way to "acknowledge" a WatchDog warning? Because the Palo Alto firewall does not count any switch ports or router ports, I have these alerts permanently.
Unfortunately, no. WatchDog warnings were never designed to be part of NAV's alert system, they are basically just internal "health" checks to ensure NAV is operating properly.
One of those checks is to verify that devices registered as GW/GSW have at least one router port, and that devices registered as SW/GSW have at least one switch port. Typically, such a warning might signal something is wrong with either the classification of or collection from that device.
In your case, the problem is with the device itself, and if that cannot be corrected your best option might be to reclassify the device as e.g. "OTHER".
I take the opportunity to ask another question. Is there some possibility of generating alerts for switch ports in err-disable state on network devices?
Not sure I follow you there. What is "err-disable"?
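As an added example, not code from this thread and not NAV's own code, the Python script below ties together the two points Morten raises: verifying with snmpwalk that a device actually answers for ipAddrTable (distinguishing a real table from net-snmp's "No Such Object" / "No more variables" replies and a timeout), and the WatchDog rule that a device registered as GW/GSW needs at least one router port and SW/GSW at least one switch port. Treating an ifIndex referenced by ipAdEntIfIndex as a router port and one listed in BRIDGE-MIB's dot1dBasePortIfIndex as a switch port is my simplified stand-in for NAV's real classification, not a description of it; the sample snmpwalk outputs are constructed, with the firewall case mimicking an agent that exposes only MIB-II System and Interfaces.

```python
"""Added example (not NAV's code, not from the thread): probe the SNMP
tables needed for port classification and apply the WatchDog rule."""
import re
import subprocess

# Strings net-snmp's snmpwalk prints when a subtree is absent or empty.
_EMPTY_MARKERS = (
    "No Such Object available on this agent at this OID",
    "No Such Instance currently exists at this OID",
    "No more variables left in this MIB View",
)

# 'MODULE::object.index = TYPE: value'; the 'TYPE: ' prefix is optional.
_ROW = re.compile(r"^(?P<obj>[\w\-]+::\w+)\.(?P<idx>[\d.]+) = (?:\w+: )?(?P<val>.+)$")


def snmpwalk(host, community, oid):
    """Run net-snmp's snmpwalk and return its stdout (needs a real agent)."""
    cmd = ["snmpwalk", "-v2c", "-c", community, host, oid]
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def walk_status(output):
    """Classify raw snmpwalk output as 'data', 'empty' or 'timeout'."""
    if output.lstrip().startswith("Timeout:"):
        return "timeout"
    lines = [ln for ln in output.splitlines() if ln.strip()]
    if not lines or all(any(m in ln for m in _EMPTY_MARKERS) for ln in lines):
        return "empty"
    return "data"


def parse_walk(output):
    """Yield (object, index, value) for each varbind line in snmpwalk output."""
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if m:
            # Drop the module prefix: snmpwalk may print IP-MIB:: or
            # RFC1213-MIB:: for the same object depending on loaded MIBs.
            yield m.group("obj").split("::")[-1], m.group("idx"), m.group("val")


def classify_ports(ipaddr_walk, bridge_walk):
    """Simplified stand-in (assumption) for NAV's classification: an ifIndex
    referenced by ipAdEntIfIndex is a router port, one listed in
    dot1dBasePortIfIndex is a switch port."""
    router = {val for obj, _, val in parse_walk(ipaddr_walk) if obj == "ipAdEntIfIndex"}
    switch = {val for obj, _, val in parse_walk(bridge_walk) if obj == "dot1dBasePortIfIndex"}
    return router, switch


def watchdog_check(category, router_ports, switch_ports):
    """The WatchDog rule from the thread: GW/GSW need a router port,
    SW/GSW need a switch port; other categories (e.g. OTHER) are not checked."""
    warnings = []
    if category in ("GW", "GSW") and not router_ports:
        warnings.append("registered as %s but no router ports found" % category)
    if category in ("SW", "GSW") and not switch_ports:
        warnings.append("registered as %s but no switch ports found" % category)
    return warnings


# Constructed sample snmpwalk outputs (not captured from real devices).
ROUTER_IPADDR = """\
IP-MIB::ipAdEntAddr.192.0.2.1 = IpAddress: 192.0.2.1
IP-MIB::ipAdEntIfIndex.192.0.2.1 = INTEGER: 3
IP-MIB::ipAdEntNetMask.192.0.2.1 = IpAddress: 255.255.255.0
"""
SWITCH_BRIDGE = """\
BRIDGE-MIB::dot1dBasePortIfIndex.1 = INTEGER: 1
BRIDGE-MIB::dot1dBasePortIfIndex.2 = INTEGER: 2
"""
# An agent that exposes only MIB-II System and Interfaces, as in the thread.
FIREWALL_IPADDR = "RFC1213-MIB::ipAddrTable = No Such Object available on this agent at this OID\n"
FIREWALL_BRIDGE = "BRIDGE-MIB::dot1dBasePortTable = No Such Object available on this agent at this OID\n"


def report(category, ipaddr_walk, bridge_walk):
    """Summarise what a device answered and whether WatchDog would complain."""
    router, switch = classify_ports(ipaddr_walk, bridge_walk)
    return {
        "ipAddrTable": walk_status(ipaddr_walk),
        "dot1dBasePortTable": walk_status(bridge_walk),
        "router_ports": sorted(router),
        "switch_ports": sorted(switch),
        "watchdog": watchdog_check(category, router, switch),
    }


if __name__ == "__main__":
    print("router as GW:", report("GW", ROUTER_IPADDR, FIREWALL_BRIDGE))
    print("firewall as GW:", report("GW", FIREWALL_IPADDR, FIREWALL_BRIDGE))
    print("firewall as OTHER:", report("OTHER", FIREWALL_IPADDR, FIREWALL_BRIDGE))
```

Against a live device, replace the constructed strings with `snmpwalk(host, community, "RFC1213-MIB::ipAddrTable")` and `snmpwalk(host, community, "BRIDGE-MIB::dot1dBasePortTable")`. The last sample run shows why reclassifying the firewall as OTHER silences the warning: the rule is only evaluated for the GW, GSW and SW categories, so the missing table no longer trips it.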