Hi Everyone,
We have NAV to monitor network switches and also Palo Alto Firewall. We can only use Palo Alto api to query its arp table as it does not support it over snmp.
Could there be a way to import those ARP records from the Palo Alto firewall to NAV periodically?
We are asking this because the machine tracer tool on NAV is very useful, and it would be great if those ARP records from Palo Alto could be imported into NAV.
Best Regards
Mehmet Emin Şahin
> Hi Everyone,
> We have NAV to monitor network switches and also Palo Alto Firewall. We can only use Palo Alto api to query its arp table as it does not support it over snmp.
> Could there be a way to import those ARP records from the Palo Alto firewall to NAV periodically?
> We are asking this because the machine tracer tool on NAV is very useful, and it would be great if those ARP records from Palo Alto could be imported into NAV.
+1 in favour of this feature!
Since Palo Alto seems to be The Firewall used by Universities in Norway in the future, I guess more of us would like this.
--Ingeborg
On Tue, 18 Jan 2022 12:20:18 +0300 (EET) Mehmet "E. Şahin (BAŞKANLIK-BİDB)" mehmet.sahin@tubitak.gov.tr wrote:
> Hi Everyone,
> We have NAV to monitor network switches and also Palo Alto Firewall. We can only use Palo Alto api to query its arp table as it does not support it over snmp.
Hi Mehmet! This sounds like the exact same problem users have described for the Cisco ASA range of firewalls over the years.
> Could there be a way to import those ARP records from the Palo Alto firewall to NAV periodically?
I recall some users describing trying to hack their way around the Cisco ASA limitations by writing expect scripts that fetch the data and modify the NAV database externally.
A quick search of the archives reveals that the last time this issue was discussed was in July of 2019:
https://sympa.uninett.no/lists/uninett.no/arc/nav-users/2019-07/msg00001.htm...
I did respond with some tips and ideas for making this idea work with NAV, but the user never got back to me.
Now that has better support for configuring other management protocols than SNMP, we would stand a better chance of actually implementing an alternative collector mechanism in NAV itself.
I lack access to firewalls to test on, so someone else would have to write the code, but I could assist in getting it worked into NAV.
What kind of APIs do Palo Alto provide? Are they NETCONF compatible? I do see there is a community-built PAN-OS driver for NAPALM: https://github.com/napalm-automation-community/napalm-panos
Guilty. Sorry. Our organisation depends quite heavily on NAV and it's as simple as I have not found the courage to implement this. I also do a lot of work with our remote work solutions and the last two years have been a bit intense.
But the wish for this still applies even if I haven't executed anything yet.
Best regards Martin Burman University of Gothenburg
-----Original message----- From: nav-users-request@uninett.no nav-users-request@uninett.no On behalf of Morten Brekkevold Sent: 20 January 2022 12:39 To: Mehmet E. Şahin (BAŞKANLIK-BİDB) mehmet.sahin@tubitak.gov.tr Cc: nav-users-request@uninett.no; nav-users@uninett.no Subject: Re: NAV - Palo Alto ARP table import for Machine Tracer
-- Best regards Morten Brekkevold Senior engineer, The Data and Infrastructure Division
Sikt – Norwegian Agency for Shared Services in Education and Research www.sikt.no
On Thu, 20 Jan 2022 13:19:03 +0000 Martin Burman martin.burman@gu.se wrote:
> I also do a lot of work with our remote work solutions and the last two years have been a bit intense.
Understandably so :)
> But the wish for this still applies even if I haven't executed anything yet.
I appreciate the feedback, thanks! We're gaining more experience with alternatives to SNMP, particularly with the changes that have been made to PortAdmin - hopefully we can benefit from this when looking at alternative models for polling also. Things are moving along, albeit slowly.
Hi Morten,
Thank you for the details you shared. Palo Alto has REST API and provides data as XML. For example "show arp all" command dumps all arp table entries over API as below. I hope this may help to understand how Palo Alto API works.
Example python project: http://api-lab.paloaltonetworks.com/pan-python.html
(Besides, you may get a free Palo Alto firewall trial VM image for 30 days as you wish.)
<response status="success">
  <result>
    <max>16000</max>
    <total>1625</total>
    <timeout>1800</timeout>
    <dp>dp0</dp>
    <entries>
      <entry>
        <status> c </status>
        <ip>100.64.41.1</ip>
        <mac>10:e8:78:8f:4d:32</mac>
        <ttl>1694</ttl>
        <interface>ethernet1/2</interface>
        <port>ethernet1/2</port>
      </entry>
      <entry>
        <status> c </status>
        <ip>10.19.101.13</ip>
        <mac>00:0c:26:11:23:b9</mac>
        <ttl>537</ttl>
        <interface>ae1.101</interface>
        <port>ae1</port>
      </entry>
      .....
      <entry>
        <status> c </status>
        <ip>10.19.101.14</ip>
        <mac>00:19:d1:b5:47:cc</mac>
        <ttl>677</ttl>
        <interface>ae1.101</interface>
        <port>ae1</port>
      </entry>
    </entries>
  </result>
</response>
Best Regards Mehmet Emin Şahin
From: "Morten Brekkevold" morten.brekkevold@sikt.no To: "Mehmet E. Şahin, BAŞKANLIK-BİDB" mehmet.sahin@tubitak.gov.tr Cc: "nav-users-request" nav-users-request@uninett.no, "nav-users" nav-users@uninett.no Sent: Thursday, 20 January 2022 14:39:21 Subject: Re: NAV - Palo Alto ARP table import for Machine Tracer
On Thu, 20 Jan 2022 16:28:04 +0300 (EET) Mehmet "E. Şahin (BAŞKANLIK-BİDB)" mehmet.sahin@tubitak.gov.tr wrote:
> Thank you for the details you shared.
And sorry for the slow followup this time around, Covid-19 got the better of me this past week :P
> as XML. For example "show arp all" command dumps all arp table entries over API as below. I hope this may help to understand how Palo Alto API works.
> Example python project: http://api-lab.paloaltonetworks.com/pan-python.html
In fact, the NAPALM driver I pointed to employs the pan-python library behind the scenes, so there is some potential for synergy here.
> (Besides, you may get a free Palo Alto firewall trial VM image for 30 days as you wish.)
Interesting. Do you have a direct URL?
It might be prudent to post a feature request about this to our issue tracker at https://github.com/Uninett/nav/issues/new/choose - then there is a place to post and track reference material without wading through loads of unrelated e-mail.
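Added example, not part of the thread and not NAV or pan-python code: one way a collector could turn the "show arp all" XML reply quoted above into validated IP/MAC records before anything is written to a database. The names `parse_arp_response` and `ArpRecord` and the sample reply (including its unresolved third entry) are constructed for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from typing import NamedTuple

# Constructed sample in the shape of the reply quoted in the thread; the third
# entry is deliberately unusable to show how bad rows are kept out of the import.
SAMPLE = """<response status="success"><result>
<max>16000</max><total>3</total><timeout>1800</timeout><dp>dp0</dp>
<entries>
<entry><status> c </status><ip>100.64.41.1</ip><mac>10:e8:78:8f:4d:32</mac>
<ttl>1694</ttl><interface>ethernet1/2</interface><port>ethernet1/2</port></entry>
<entry><status> c </status><ip>10.19.101.13</ip><mac>00:0C:26:11:23:B9</mac>
<ttl>537</ttl><interface>ae1.101</interface><port>ae1</port></entry>
<entry><status> i </status><ip>10.19.101.99</ip><mac>(incomplete)</mac>
<ttl>1</ttl><interface>ae1.101</interface><port>ae1</port></entry>
</entries></result></response>"""

MAC_RE = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}")


class ArpRecord(NamedTuple):
    ip: str
    mac: str
    interface: str
    status: str


def parse_arp_response(xml_text):
    """Return (records, rejected) parsed from a 'show arp all' XML reply."""
    root = ET.fromstring(xml_text)
    # Refuse anything that is not an explicit success reply, so an error page
    # or a truncated body never ends up looking like an empty ARP table.
    if root.tag != "response" or root.get("status") != "success":
        raise ValueError("firewall did not report status=success")
    records, rejected = [], []
    for entry in root.iterfind("./result/entries/entry"):
        field = {child.tag: (child.text or "").strip() for child in entry}
        mac = field.get("mac", "").lower()  # normalise case before matching
        try:
            ip = str(ipaddress.ip_address(field.get("ip", "")))
        except ValueError:
            rejected.append(field)
            continue
        if not MAC_RE.fullmatch(mac):
            rejected.append(field)  # e.g. entries with no resolved MAC
            continue
        records.append(ArpRecord(ip, mac, field.get("interface", ""),
                                 field.get("status", "")))
    return records, rejected
```

Rejected entries are returned rather than silently dropped, so a periodic import job can log them and notice when the firewall starts returning data in an unexpected shape.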