MRTG/Routers2: Template Palo Alto

Here is my MRTG/Routers2 configuration for a Palo Alto Networks PA-200 firewall. It uses all available OIDs from the PAN-MIB. With a few search-and-replace runs, this template can be used in many other scenarios.

SNMP Tests

In my testbed, I am using a PA-200 with PAN-OS 6.1.1. That is, I used the Enterprise SNMP MIB 6.1 from Palo Alto. This is relevant to know since Palo Alto changed a few OIDs from PAN-OS version 5.0.x to 6.0.x.

Note that the following template must be adjusted if it is used with other Palo Alto firewalls, e.g., when more than one CPU or multiple VSYS are used.

Unfortunately, the PA firewall is very limited when it comes to monitoring it via SNMP. It has only a single MIB with a few values. Furthermore, the interfaces cannot be monitored as known from other firewall vendors. :( For example, there are no counters for subinterfaces or for VLAN interfaces. This is really bad! Furthermore, no site-to-site VPN statistics can be read out, and so on. However, at least the speed of the fan can be requested. ;)

[UPDATE] Beginning with PAN-OS 7.0 the Palo Alto firewall supports the monitoring of logical interfaces such as subinterfaces or tunnel interfaces. Great. [/UPDATE]

The following values are accessible via SNMP:

  • CPU of the data- and management-plane
  • Disk space of all partitions
  • Fan speed
  • GlobalProtect tunnels
  • Sessions: ICMP, SSL, TCP, UDP
  • Temperature
  • Memory: real and swap
  • Interfaces: all data ports + management port

My MRTG/Routers2 Configuration

At first, I ran the cfgmaker to get the interfaces. I am also using two global options: one for the icon and one for the “mirror” graph style:

Then, as always, I deleted the Global Config Options except the two ones that were added through the global options with cfgmaker. Furthermore, the “noHC[…]: yes” lines (if present) can be deleted.

For all specific Palo Alto OIDs, use the following template and copy the contents into the just generated cfg file. Of course, the targets for the interfaces should not be copied. Read the first lines of that file to know which values must be adjusted.

 

Sample Graphs

This leads to the following graphs (here in the monthly view):

15 thoughts on “MRTG/Routers2: Template Palo Alto”

  1. Loaded your template up and it’s not working. I get blank graphs. I checked the PA settings to make sure they were right. I am not sure what I did wrong. I didn’t get the MIB’s as I assumed the template has them built in. That could be where my mistake is.

    1. Can you check from your server whether the PA is answering to your SNMP requests? Try something like “snmpwalk -v 2c -c PASSWORD IPADDRESS .1.3.6”. The output should show all SNMP OIDs accessible from the Palo Alto. If nothing is shown, you have an SNMP problem. If there are outputs that look like counters, etc., the template might be wrong… What PA hardware are you using?

      1. I checked and it is answering. I have omitted the password and IP. I am going to check a bit further. I am betting 10 bucks on it being a find/replace fail, as the test OID is one from the file given.
        snmpwalk -Os -c ###### -v 2c #.#.#.# '1.3.6.1.2.1.25.3.3.1.2.2'
        hrProcessorLoad.2 = INTEGER: 1

  2. I found the issue. It’s with the memory Target. The OID’s should not have the 10 at the end. In the file it reads:
    Target[192.168.120.2_mem]: 1.3.6.1.2.1.25.2.3.1.6.1020&1.3.6.1.2.1.25.2.3.1.6.1030:COMMUNITY@192.168.120.2:::::2 * 1024

    It should read:
    Target[192.168.120.2_mem]: 1.3.6.1.2.1.25.2.3.1.6.20&1.3.6.1.2.1.25.2.3.1.6.30:COMMUNITY@192.168.120.2:::::2 * 1024

    After that all is working well. Thanks again for your post, your template really helped me understand the configuration well.
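The find/replace failure described in this comment can be caught before MRTG draws blank graphs by comparing every OID in the Target lines with what the firewall actually answers. The following is an added example, not part of the original post or the author's template; the function names, the cfg excerpt (apart from the memory Target quoted above) and the snmpwalk output are constructed, and the walk is assumed to have been saved with numeric OIDs (snmpwalk -On).

```python
import re

# Constructed sample data: cfg excerpt with the faulty memory Target quoted in
# the comment above, plus numeric snmpwalk output from the same firewall.
SAMPLE_CFG = """\
Target[192.168.120.2_mem]: 1.3.6.1.2.1.25.2.3.1.6.1020&1.3.6.1.2.1.25.2.3.1.6.1030:COMMUNITY@192.168.120.2:::::2 * 1024
Target[192.168.120.2_cpu]: 1.3.6.1.2.1.25.3.3.1.2.1&1.3.6.1.2.1.25.3.3.1.2.2:COMMUNITY@192.168.120.2:::::2
Target[192.168.120.2_eth1]: #ethernet1/1:COMMUNITY@192.168.120.2:::::2
"""
SAMPLE_WALK = """\
.1.3.6.1.2.1.25.2.3.1.6.20 = INTEGER: 512000
.1.3.6.1.2.1.25.2.3.1.6.30 = INTEGER: 0
.1.3.6.1.2.1.25.3.3.1.2.1 = INTEGER: 3
.1.3.6.1.2.1.25.3.3.1.2.2 = INTEGER: 1
"""

TARGET_RE = re.compile(r"^Target\[([^\]]+)\]:\s*(.+)$")
# A numeric OID directly followed by "&" or ":"; interface names such as
# "#ethernet1/1" and the IP address after "@" do not match.
OID_RE = re.compile(r"(?<![\w.#@])\.?(\d+(?:\.\d+)+)(?=[&:])")


def walk_oids(walk_text):
    """Return the set of OIDs the agent answered, without the leading dot."""
    oids = set()
    for line in walk_text.splitlines():
        oid, sep, _value = line.partition(" = ")
        if sep and re.fullmatch(r"\.?\d+(\.\d+)+", oid.strip()):
            oids.add(oid.strip().lstrip("."))
    return oids


def unanswered_targets(cfg_text, walk_text):
    """Map each Target name to the OIDs in it that the walk never returned."""
    known = walk_oids(walk_text)
    problems = {}
    for line in cfg_text.splitlines():
        m = TARGET_RE.match(line.strip())
        if not m:
            continue
        missing = [o for o in OID_RE.findall(m.group(2)) if o not in known]
        if missing:
            problems[m.group(1)] = missing
    return problems


if __name__ == "__main__":
    for name, oids in unanswered_targets(SAMPLE_CFG, SAMPLE_WALK).items():
        print(f"{name}: no answer for {', '.join(oids)}")
```

Targets that reference interfaces by name are skipped, since only numeric OIDs can be compared against the walk.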

  3. Have you done this for Palo Alto with MRTG and SNMPv3?

    my config file looks like:

    /usr/bin/cfgmaker \
    --enablesnmpv3 \
    --global "Workdir: /home/mrtg/pa" \
    --global "Options[_]: bits, growright" \
    --output /home/mrtg/cfg/pa.cfg \
    --ifdesc=name \
    --ifref=name \
    --username=jsmith \
    --contextengineid=80001f888099a87c5038864b5600000000 \
    --authpassword='pass123' \
    --authprotocol=sha \
    --privpassword='pass456' \
    --privprotocol=aes128 \
    --snmp-options=:::::3 \
    192.168.1.1

    This runs ok but I get graphs with no data, for ethernet1/2, 1/2, 1/3, 1/4 and mgmt.

    1. Hi Roger,

      are you getting other data rather than the interface stats? If so, your OIDs for the interfaces are probably incorrect.

      I have worked with SNMPv3 and Palo Alto, but with a different NMS at the customer’s site. I have NOT yet worked with SNMPv3 and MRTG.

      Cheers.

  4. Hi,
    Might be a dummy question but I’m lost when you say “For all specific Palo Alto OIDs, use the following template and copy the contents into the just generated cfg file” which file and directory should this template go to, what should we name the file..?
    Much appreciated in advance!

    1. Hey cyBaba.
      Of course you need a working MRTG/Routers2 setup. Note that MRTG/Routers2 is NOT recommended nowadays anymore, because it is really old. If you are new to MRTG/Routers2, then DO NOT use my template at all but look for a more modern monitoring system such as Zabbix.

      If you have a MRTG/Routers2, then you should use the *.cfg file in the same way as all your others. ;)

      Cheers, Johannes

      1. Thanks for getting back to me, so for my curiosity back to my question, should I name the file say test.cfg and in which directory should the file be saved, is it under /etc/mrtg?

        1. ;)
          You can name the file whatever you like. I am naming them according to my firewall names such as “paloalto.cfg” or “fw01.cfg”.
          Yes, in *my* MRTG/Routers2 installation, I am storing these files under /etc/mrtg/. But this depends on *your* installation of MRTG. If you are interested in MRTG/Routers2, have a look at my tutorial: https://blog.webernetz.net/mrtg-with-rrdtool-and-routers2-installation-from-scratch/
          (But again, if you’re new to it -> search for a more modern monitoring system. ;))

  5. One more question and I rest my case, how about rdd files, do we need them to display the graph, if so and I’m sure we do how come I don’t see or can’t find them under /etc/mrtg, do we have to make them manually.. again thanks in advance and please be patient with me as this is all new to me and I will read the suggested link

  6. Hi Johannes,
    Gone through the doc and link you have provided, now it seems everything works except that the graph does not display correctly, it displays only for an hour, when I click 6 hours, and if I click daily nothing will be displayed!
