MRTG/Routers2: Template Palo Alto

Here is my MRTG/Routers2 configuration for a Palo Alto Networks PA-200 firewall. It uses all available OIDs from the PAN-MIB. With a few search-and-replace runs, this template can be used in many other scenarios.

SNMP Tests

In my testbed, I am using a PA-200 with PAN-OS 6.1.1. That is, I used the Enterprise SNMP MIB 6.1 from Palo Alto. This is relevant to know since Palo Alto changed a few OIDs from PAN-OS version 5.0.x to 6.0.x.

Note that the following template must be adjusted if it is used with other Palo Alto firewalls, e.g., when more than CPU or multiple VSYS are used.

Unfortunately, the PA firewall is very limited when it comes to monitoring it via SNMP. Is has only a single MIB with a few values. Furthermore, the interfaces cannot be monitored as known from other firewall vendors. :( For example, there are no counters for subinterfaces or for VLAN interfaces. This is really bad! Furthermore, no site-to-site VPN statistics can be read out, and so on. However, at least the speed of the fan can be requested. ;)

[UPDATE] Beginning with PAN-OS 7.0 the Palo Alto firewall supports the monitoring of logical interfaces such as subinterfaces or tunnel interfaces. Great. [/UPDATE]

The following values are accessible via SNMP:

  • CPU of the data- and management-plane
  • Disk space of all partitions
  • Fan speed
  • GlobalProtect tunnels
  • Sessions: ICMP, SSL, TCP, UDP
  • Temperature
  • Memory: real and swap
  • Interfaces: all data ports + management port

My MRTG/Routers2 Configuration

At first, I ran the cfgmaker to get the interfaces. I am also using two global options: one for the icon and one for the “mirror” graph style:

Then, as always, I deleted the Global Config Options except the two ones that were added through the global options with cfgmaker. Furthermore, the “noHC[…]: yes” lines (if present) can be deleted.

For all specific Palo Alto OIDs, use the following template and copy the contents into the just generated cfg file. Of course, the targets for the interfaces should not be copied. Read the first lines of that file to know which values must be adjusted.

 

Sample Graphs

This leads to the following graphs (here in the monthly view):

Links

4 thoughts on “MRTG/Routers2: Template Palo Alto

  1. Loaded your template up and it’s not working. I get blank graphs. I checked the PA settings to make sure they were right. I am not sure what I did wrong. I didn’t get the MIB’s as I assumed the template has them built in. That could be where my mistake is.

    1. Can you check from your server whether the PA is answering to your SNMP requests? Try something like “snmpwalk -v 2c -c PASSWORD IPADDRESS .1.3.6”. The output should show all SNMP OIDs accessible from the Palo Alto. If nothing is shown, you have an SNMP problem. If there are outputs that look like counters, etc., the template might be wrong… What PA hardware are you using?

      1. I checked and it is answering. I have ommited the password and IP. I am going to check a bit further. I am betting 10 bucks on it being a find/replace fail, as the test OID is one from the file given.
        snmpwalk -Os -c ###### -v 2c #.#.#.# ‘1.3.6.1.2.1.25.3.3.1.2.2’
        hrProcessorLoad.2 = INTEGER: 1

  2. I found the issue. It’s with the memory Target. The OID’s should not have the 10 at the end. In the file it reads:
    Target[192.168.120.2_mem]: 1.3.6.1.2.1.25.2.3.1.6.1020&1.3.6.1.2.1.25.2.3.1.6.1030:COMMUNITY@192.168.120.2:::::2 * 1024

    It should Read:
    Target[192.168.120.2_mem]: 1.3.6.1.2.1.25.2.3.1.6.20&1.3.6.1.2.1.25.2.3.1.6.30:COMMUNITY@192.168.120.2:::::2 * 1024

    After that all is working well. Thanks again for your post, your template really helped me understand the configuration well.

Leave a Reply

Your email address will not be published. Required fields are marked *