Here is my MRTG/Routers2 configuration for a Palo Alto Networks PA-200 firewall. It uses all available OIDs from the PAN-MIB. With a few search-and-replace runs, this template can be used in many other scenarios.
SNMP Tests
In my testbed, I am using a PA-200 with PAN-OS 6.1.1. That is, I used the Enterprise SNMP MIB 6.1 from Palo Alto. This is relevant to know since Palo Alto changed a few OIDs from PAN-OS version 5.0.x to 6.0.x.
Note that the following template must be adjusted if it is used with other Palo Alto firewalls, e.g., when more than one CPU or multiple VSYS are used.
Unfortunately, the PA firewall is very limited when it comes to monitoring it via SNMP. It has only a single MIB with a few values. Furthermore, the interfaces cannot be monitored as known by other firewall vendors. :( For example, there are no counters for subinterfaces or for VLAN interfaces. This is really bad! Furthermore, no site-to-site VPN statistics can be read out, and so on. However, at least the speed of the fan can be requested. ;)
[UPDATE] Beginning with PAN-OS 7.0 the Palo Alto firewall supports the monitoring of logical interfaces such as subinterfaces or tunnel interfaces. Great. [/UPDATE]The following values are accessible via SNMP:
- CPU of the data- and management-plane
- Disk space of all partitions
- Fan speed
- GlobalProtect tunnels
- Sessions: ICMP, SSL, TCP, UDP
- Temperature
- Memory: real and swap
- Interfaces: all data ports + management port
My MRTG/Routers2 Configuration
At first, I ran the cfgmaker to get the interfaces. I am also using two global options: one for the icon and one for the “mirror” graph style:
1 |
cfgmaker --snmp-options=:::::2 --show-op-down --zero-speed=1000000000 --global "routers.cgi*Icon: firewall3-sm.gif" --global "routers.cgi*GraphStyle[_]: mirror" --output=NAMEOFTHEFIREWALL.cfg COMMUNITY@192.168.120.2 |
Then, as always, I deleted the Global Config Options except for the two ones that were added through the global options with cfgmaker. Furthermore, the “noHC[…]: yes” lines (if present) can be deleted.
For all specific Palo Alto OIDs, use the following template and copy the contents into the just generated cfg file. Of course, the targets for the interfaces should not be copied. Read the first lines of that file to know which values must be adjusted.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 |
################################################################################################################ #Palo Alto NGFW MRTG/Routers2 Template #Author: Johannes Weber (johannes@webernetz.net) #Homepage: https://weberblog.net #Last Modified: 2015-01-06 ################################################################################################################ ### TO DO: #Specify the MaxBytes for: #-Memory #-Storage Partitions #-Sessions #-GlobalProtect # #If there are multiple VSYS or CPU cores used, the appropriate settings must be adjusted, too. # #Search and Replace: #COMMUNITY : for the SNMP read string #192.168.120.2 : for the IP address of the Palo Alto #NAMEOFTHEFIREWALL : for the name of the firewall ### routers.cgi*Icon: firewall3-sm.gif routers.cgi*GraphStyle[_]: mirror ################################################################################################################ ########################################## CPU Management Plane ################################################ ################################################################################################################ Target[192.168.120.2_CPUMgmt]: 1.3.6.1.2.1.25.3.3.1.2.1&PseudoZero:COMMUNITY@192.168.120.2:::::2 Title[192.168.120.2_CPUMgmt]: CPU Management Plane -- NAMEOFTHEFIREWALL MaxBytes[192.168.120.2_CPUMgmt]: 100 Options[192.168.120.2_CPUMgmt]: gauge Colours[192.168.120.2_CPUMgmt]: LIGHTYELLOW#FEED01, LIGHTYELLOW#FEED01, ORANGE#FF6307, ORANGE#FF6307 UnScaled[192.168.120.2_CPUMgmt]: dwmy YLegend[192.168.120.2_CPUMgmt]: Percentage use Legend1[192.168.120.2_CPUMgmt]: CPU Management Plane Legend2[192.168.120.2_CPUMgmt]: CPU Unit 2 usage Legend3[192.168.120.2_CPUMgmt]: Peak CPU Management Plane Legend4[192.168.120.2_CPUMgmt]: Peak CPU Unit 2 LegendI[192.168.120.2_CPUMgmt]: CPU Mgmt: LegendO[192.168.120.2_CPUMgmt]: CPU 2: ShortLegend[192.168.120.2_CPUMgmt]: % routers.cgi*Options[192.168.120.2_CPUMgmt]: noo nopercent nototal routers.cgi*Mode[192.168.120.2_CPUMgmt]: cpu routers.cgi*ShortDesc[192.168.120.2_CPUMgmt]: CPU Mgmt routers.cgi*InSummary[192.168.120.2_CPUMgmt]: yes ################################################################################################################ ############################################## CPU Data Plane ################################################## ################################################################################################################ Target[192.168.120.2_CPUData]: 1.3.6.1.2.1.25.3.3.1.2.2&PseudoZero:COMMUNITY@192.168.120.2:::::2 #If the Palo Alto provides two different OIDs for the Data Plane CPU, the following Target line can be used, while the Target line above must be deleted. #Reference: https://live.paloaltonetworks.com/docs/DOC-1744 #Target[192.168.120.2_CPUData]: 1.3.6.1.2.1.25.3.3.1.2.2&1.3.6.1.2.1.25.3.3.1.2.3:COMMUNITY@192.168.120.2:::::2 Title[192.168.120.2_CPUData]: CPU Data Plane -- NAMEOFTHEFIREWALL MaxBytes[192.168.120.2_CPUData]: 100 Options[192.168.120.2_CPUData]: gauge Colours[192.168.120.2_CPUData]: LIGHTYELLOW#FEED01, RED#FF0000, ORANGE#FF6307, BLACK#000000 UnScaled[192.168.120.2_CPUData]: dwmy YLegend[192.168.120.2_CPUData]: Percentage use Legend1[192.168.120.2_CPUData]: CPU System Functions Legend2[192.168.120.2_CPUData]: CPU Packet Processing Legend3[192.168.120.2_CPUData]: Peak CPU System Functions Legend4[192.168.120.2_CPUData]: Peak Packet Processing LegendI[192.168.120.2_CPUData]: CPU System: LegendO[192.168.120.2_CPUData]: CPU Packet: ShortLegend[192.168.120.2_CPUData]: % ###### routers.cgi*Options[192.168.120.2_CPUData]: noo nopercent nototal #Same as above: If the PA provides both CPU values, use the Options line below while deleting the one above. #routers.cgi*Options[192.168.120.2_CPUData]: nopercent nototal ###### routers.cgi*Mode[192.168.120.2_CPUData]: cpu routers.cgi*ShortDesc[192.168.120.2_CPUData]: CPU Data routers.cgi*InSummary[192.168.120.2_CPUData]: yes ################################################################################################################ ################################################### Memory ##################################################### ################################################################################################################ #Management Memory and Management Swap Target[192.168.120.2_mem]: 1.3.6.1.2.1.25.2.3.1.6.1020&1.3.6.1.2.1.25.2.3.1.6.1030:COMMUNITY@192.168.120.2:::::2 * 1024 Title[192.168.120.2_mem]: Management Memory Usage -- NAMEOFTHEFIREWALL #In this example (PA-200): 2 GB #Values of SNMP * 1024 MaxBytes1[192.168.120.2_mem]: 2637434880 MaxBytes2[192.168.120.2_mem]: 8183808 Options[192.168.120.2_mem]: gauge Colours[192.168.120.2_mem]: Orange#FC7C01, Green#00CC00, Darkred#660000, Darkgreen#006600 UnScaled[192.168.120.2_mem]: dwmy LegendI[192.168.120.2_mem]: Memory: LegendO[192.168.120.2_mem]: Swap: Legend1[192.168.120.2_mem]: Memory Legend2[192.168.120.2_mem]: Swap Legend3[192.168.120.2_mem]: Peak Memory Legend4[192.168.120.2_mem]: Peak Swap routers.cgi*Options[192.168.120.2_mem]: nototal routers.cgi*Mode[192.168.120.2_mem]: memory routers.cgi*ShortDesc[192.168.120.2_mem]: Management Memory routers.cgi*InSummary[192.168.120.2_mem]: yes ################################################################################################################ ############################################ Storage Partitions ################################################ ################################################################################################################ Target[192.168.120.2_config-partition]: 1.3.6.1.2.1.25.2.3.1.6.1040&PseudoZero:COMMUNITY@192.168.120.2:::::2 * 1024 Title[192.168.120.2_config-partition]: Management Config Partition -- NAMEOFTHEFIREWALL MaxBytes[192.168.120.2_config-partition]: 7059755008 Options[192.168.120.2_config-partition]: gauge YLegend[192.168.120.2_config-partition]: Bytes ShortLegend[192.168.120.2_config-partition]: b LegendI[192.168.120.2_config-partition]: used: Legend1[192.168.120.2_config-partition]: Space used Legend3[192.168.120.2_config-partition]: Peak used Unscaled[192.168.120.2_config-partition]: dwmy routers.cgi*Options[192.168.120.2_config-partition]: nototal, noo routers.cgi*Mode[192.168.120.2_config-partition]: general routers.cgi*ShortDesc[192.168.120.2_config-partition]: Config Partition routers.cgi*Icon[192.168.120.2_config-partition]: dir-sm.gif routers.cgi*InSummary[192.168.120.2_config-partition]: yes Target[192.168.120.2_log-partition]: 1.3.6.1.2.1.25.2.3.1.6.1041&PseudoZero:COMMUNITY@192.168.120.2:::::2 * 1024 Title[192.168.120.2_log-partition]: Management Log Partition -- NAMEOFTHEFIREWALL MaxBytes[192.168.120.2_log-partition]: 2533961728 Options[192.168.120.2_log-partition]: gauge YLegend[192.168.120.2_log-partition]: Bytes ShortLegend[192.168.120.2_log-partition]: b LegendI[192.168.120.2_log-partition]: used: Legend1[192.168.120.2_log-partition]: Space used Legend3[192.168.120.2_log-partition]: Peak used Unscaled[192.168.120.2_log-partition]: dwmy routers.cgi*Options[192.168.120.2_log-partition]: nototal, noo routers.cgi*Mode[192.168.120.2_log-partition]: general routers.cgi*ShortDesc[192.168.120.2_log-partition]: Log Partition routers.cgi*Icon[192.168.120.2_log-partition]: dir-sm.gif routers.cgi*InSummary[192.168.120.2_log-partition]: yes Target[192.168.120.2_root-partition]: 1.3.6.1.2.1.25.2.3.1.6.1041&PseudoZero:COMMUNITY@192.168.120.2:::::2 * 1024 Title[192.168.120.2_root-partition]: Management Root Partition -- NAMEOFTHEFIREWALL MaxBytes[192.168.120.2_root-partition]: 2023960576 Options[192.168.120.2_root-partition]: gauge YLegend[192.168.120.2_root-partition]: Bytes ShortLegend[192.168.120.2_root-partition]: b LegendI[192.168.120.2_root-partition]: used: Legend1[192.168.120.2_root-partition]: Space used Legend3[192.168.120.2_root-partition]: Peak used Unscaled[192.168.120.2_root-partition]: dwmy routers.cgi*Options[192.168.120.2_root-partition]: nototal, noo routers.cgi*Mode[192.168.120.2_root-partition]: general routers.cgi*ShortDesc[192.168.120.2_root-partition]: Root Partition routers.cgi*Icon[192.168.120.2_root-partition]: dir-sm.gif routers.cgi*InSummary[192.168.120.2_root-partition]: yes ################################################################################################################ ################################################## Sessions #################################################### ################################################################################################################ Target[192.168.120.2_SessionsActive]: 1.3.6.1.4.1.25461.2.1.2.3.3.0&PseudoZero:COMMUNITY@192.168.120.2:::::2 Title[192.168.120.2_SessionsActive]: Sessions -- NAMEOFTHEFIREWALL #This is the REAL maximum of the Palo Alto Hardware for the PA-200. It MUST be adjusted for other hardware! MaxBytes[192.168.120.2_SessionsActive]: 65532 Options[192.168.120.2_SessionsActive]: gauge Colours[192.168.120.2_SessionsActive]: PURPLE#FF00AA, YELLOW#FFD600, DARK PURPLE#7608AA, ORANGE#FC7C01 YLegend[192.168.120.2_SessionsActive]: Number of Sessions Legend1[192.168.120.2_SessionsActive]: Sessions Legend3[192.168.120.2_SessionsActive]: Peak Sessions LegendI[192.168.120.2_SessionsActive]: Sessions: ShortLegend[192.168.120.2_SessionsActive]: routers.cgi*Options[192.168.120.2_SessionsActive]: fixunit integer noo nototal routers.cgi*Icon[192.168.120.2_SessionsActive]: firewall-sm.gif routers.cgi*ShortDesc[192.168.120.2_SessionsActive]: Sessions All routers.cgi*InSummary[192.168.120.2_SessionsActive]: yes ################################################################################################################ ############################################# Sessions TCP UDP ################################################# ################################################################################################################ Target[192.168.120.2_SessionsTCPUDP]: 1.3.6.1.4.1.25461.2.1.2.3.4.0&1.3.6.1.4.1.25461.2.1.2.3.5.0:COMMUNITY@192.168.120.2:::::2 Title[192.168.120.2_SessionsTCPUDP]: Sessions TCP UDP -- NAMEOFTHEFIREWALL MaxBytes[192.168.120.2_SessionsTCPUDP]: 10000 Options[192.168.120.2_SessionsTCPUDP]: gauge Colours[192.168.120.2_SessionsTCPUDP]: PURPLE#FF00AA, YELLOW#FFD600, DARK PURPLE#7608AA, ORANGE#FC7C01 YLegend[192.168.120.2_SessionsTCPUDP]: Number of Sessions Legend1[192.168.120.2_SessionsTCPUDP]: TCP Sessions Legend2[192.168.120.2_SessionsTCPUDP]: UDP Sessions Legend3[192.168.120.2_SessionsTCPUDP]: Peak TCP Sessions Legend4[192.168.120.2_SessionsTCPUDP]: Peak UDP Sessions LegendI[192.168.120.2_SessionsTCPUDP]: TCP: LegendO[192.168.120.2_SessionsTCPUDP]: UDP: ShortLegend[192.168.120.2_SessionsTCPUDP]: routers.cgi*GraphStyle[192.168.120.2_SessionsTCPUDP]: lines routers.cgi*Options[192.168.120.2_SessionsTCPUDP]: fixunit integer nomax nototal routers.cgi*Icon[192.168.120.2_SessionsTCPUDP]: firewall-sm.gif routers.cgi*ShortDesc[192.168.120.2_SessionsTCPUDP]: Sessions TCP UDP #routers.cgi*InSummary[192.168.120.2_SessionsTCPUDP]: no ################################################################################################################ ############################################# Sessions ICMP SSL ################################################ ################################################################################################################ Target[192.168.120.2_SessionsICMPSSL]: 1.3.6.1.4.1.25461.2.1.2.3.6.0&1.3.6.1.4.1.25461.2.1.2.3.7.0:COMMUNITY@192.168.120.2:::::2 Title[192.168.120.2_SessionsICMPSSL]: Sessions ICMP SSL-Proxy -- NAMEOFTHEFIREWALL MaxBytes[192.168.120.2_SessionsICMPSSL]: 10000 Options[192.168.120.2_SessionsICMPSSL]: gauge Colours[192.168.120.2_SessionsICMPSSL]: PURPLE#FF00AA, YELLOW#FFD600, DARK PURPLE#7608AA, ORANGE#FC7C01 YLegend[192.168.120.2_SessionsICMPSSL]: Number of Sessions Legend1[192.168.120.2_SessionsICMPSSL]: ICMP Sessions Legend2[192.168.120.2_SessionsICMPSSL]: SSL-Proxy Sessions Legend3[192.168.120.2_SessionsICMPSSL]: Peak ICMP Sessions Legend4[192.168.120.2_SessionsICMPSSL]: Peak SSL-Proxy Sessions LegendI[192.168.120.2_SessionsICMPSSL]: ICMP: LegendO[192.168.120.2_SessionsICMPSSL]: SSL: ShortLegend[192.168.120.2_SessionsICMPSSL]: routers.cgi*GraphStyle[192.168.120.2_SessionsICMPSSL]: lines routers.cgi*Options[192.168.120.2_SessionsICMPSSL]: fixunit integer nomax nototal routers.cgi*Icon[192.168.120.2_SessionsICMPSSL]: firewall-sm.gif routers.cgi*ShortDesc[192.168.120.2_SessionsICMPSSL]: Sessions ICMP SSL-Proxy #routers.cgi*InSummary[192.168.120.2_SessionsICMPSSL]: no ################################################################################################################ ############################################## GlobalProtect ################################################### ################################################################################################################ Target[192.168.120.2_GPGW]: 1.3.6.1.4.1.25461.2.1.2.5.1.3.0&PseudoZero:COMMUNITY@192.168.120.2:::::2 Title[192.168.120.2_GPGW]: Maximum GlobalProtect Tunnels -- NAMEOFTHEFIREWALL #Adjust the MaxBytes number according to the capability of the PA firewall #panGPGWUtilizationMaxTunnels = .1.3.6.1.4.1.25461.2.1.2.5.1.2 MaxBytes[192.168.120.2_GPGW]: 25 Options[192.168.120.2_GPGW]: gauge Colours[192.168.120.2_GPGW]: DARK YELLOW#CCCC00, TURQUOISE#00CCCC, ORANGE#E97F02, DARK TURQUOISE#377D77 YLegend[192.168.120.2_GPGW]: Number of Tunnels Legend1[192.168.120.2_GPGW]: GlobalProtect Tunnels Legend3[192.168.120.2_GPGW]: Peak GlobalProtect Tunnels LegendI[192.168.120.2_GPGW]: Tunnels: ShortLegend[192.168.120.2_GPGW]: #This graph shows the MAXIMUM value and not the average! routers.cgi*Options[192.168.120.2_GPGW]: fixunit integer maximum noo nototal routers.cgi*Icon[192.168.120.2_GPGW]: padlock-sm.gif routers.cgi*ShortDesc[192.168.120.2_GPGW]: GlobalProtect routers.cgi*InSummary[192.168.120.2_GPGW]: yes ################################################################################################################ ################################################## Temperature ################################################# ################################################################################################################ Target[192.168.120.2_temperature]: 1.3.6.1.2.1.99.1.1.1.4.3&1.3.6.1.2.1.99.1.1.1.4.4:COMMUNITY@192.168.120.2:::::2 Title[192.168.120.2_temperature]: Temperature -- NAMEOFTHEFIREWALL MaxBytes[192.168.120.2_temperature]: 100 Options[192.168.120.2_temperature]: gauge Colours[192.168.120.2_temperature]: RED#FF0000, DARK RED#800000, BLACK#000000, BLACK#000000 YLegend[192.168.120.2_temperature]: Degree Celsius °C Legend1[192.168.120.2_temperature]: Core Temperature Legend2[192.168.120.2_temperature]: System Temperature LegendI[192.168.120.2_temperature]: Core Temperature: LegendO[192.168.120.2_temperature]: System Temperature: ShortLegend[192.168.120.2_temperature]: °C routers.cgi*Options[192.168.120.2_temperature]: integer maximum nomax nopercent nopercentile nototal routers.cgi*GraphStyle[192.168.120.2_temperature]: lines routers.cgi*ShortDesc[192.168.120.2_temperature]: Temperature routers.cgi*Icon[192.168.120.2_temperature]: temp-sm.gif ################################################################################################################ ################################################## Fan Speed ################################################### ################################################################################################################ Target[192.168.120.2_FanSpeed]: 1.3.6.1.2.1.99.1.1.1.4.2&PseudoZero:COMMUNITY@192.168.120.2:::::2 Title[192.168.120.2_FanSpeed]: Fan Speed -- NAMEOFTHEFIREWALL MaxBytes[192.168.120.2_FanSpeed]: 10000 Options[192.168.120.2_FanSpeed]: gauge Colours[192.168.120.2_FanSpeed]: BROWN#660000, YELLOW#FFD600, BLACK#000000, ORANGE#FC7C01 YLegend[192.168.120.2_FanSpeed]: Fan Speed Legend1[192.168.120.2_FanSpeed]: Fan Speed Legend3[192.168.120.2_FanSpeed]: Peak Fan Speed LegendI[192.168.120.2_FanSpeed]: Fan Speed: ShortLegend[192.168.120.2_FanSpeed]: routers.cgi*Options[192.168.120.2_FanSpeed]: fixunit integer nomax noo nototal routers.cgi*Icon[192.168.120.2_FanSpeed]: cog-sm.gif routers.cgi*ShortDesc[192.168.120.2_FanSpeed]: Fan Speed routers.cgi*InSummary[192.168.120.2_FanSpeed]: yes ### Interface 1 >> Descr: 'mgmt' | Name: 'mgmt' | Ip: 'No Ip' | Eth: 'b4-0c-25-05-8e-00' ### Target[192.168.120.2_mgmt]: #mgmt:COMMUNITY@192.168.120.2:::::2 MaxBytes[192.168.120.2_mgmt]: 12500000 Title[192.168.120.2_mgmt]: Traffic Analysis for mgmt -- NAMEOFTHEFIREWALL ### Interface 3 >> Descr: 'ethernet1/1' | Name: 'ethernet1/1' | Ip: 'No Ip' | Eth: 'b4-0c-25-05-8e-10' ### Target[192.168.120.2_ethernet1_1]: #ethernet1/1:COMMUNITY@192.168.120.2:::::2 MaxBytes[192.168.120.2_ethernet1_1]: 125000000 Title[192.168.120.2_ethernet1_1]: Traffic Analysis for ethernet1/1 -- NAMEOFTHEFIREWALL ### Interface 4 >> Descr: 'ethernet1/2' | Name: 'ethernet1/2' | Ip: 'No Ip' | Eth: 'No Ethernet Id' ### Target[192.168.120.2_ethernet1_2]: #ethernet1/2:COMMUNITY@192.168.120.2:::::2 MaxBytes[192.168.120.2_ethernet1_2]: 125000000 Title[192.168.120.2_ethernet1_2]: Traffic Analysis for ethernet1/2 -- NAMEOFTHEFIREWALL ### Interface 5 >> Descr: 'ethernet1/3' | Name: 'ethernet1/3' | Ip: 'No Ip' | Eth: 'b4-0c-25-05-8e-12' ### Target[192.168.120.2_ethernet1_3]: #ethernet1/3:COMMUNITY@192.168.120.2:::::2 MaxBytes[192.168.120.2_ethernet1_3]: 125000000 Title[192.168.120.2_ethernet1_3]: Traffic Analysis for ethernet1/3 -- NAMEOFTHEFIREWALL ### Interface 6 >> Descr: 'ethernet1/4' | Name: 'ethernet1/4' | Ip: 'No Ip' | Eth: 'b4-0c-25-05-8e-13' ### Target[192.168.120.2_ethernet1_4]: #ethernet1/4:COMMUNITY@192.168.120.2:::::2 MaxBytes[192.168.120.2_ethernet1_4]: 125000000 Title[192.168.120.2_ethernet1_4]: Traffic Analysis for ethernet1/4 -- NAMEOFTHEFIREWALL |
Sample Graphs
This leads to the following graphs (here in the monthly view):
Loaded your template up and it’s not working. I get blank graphs. I checked the PA settings to make sure they were right. I am not sure what I did wrong. I didn’t get the MIB’s as I assumed the template has them built in. That could be where my mistake is.
Can you check from your server whether the PA is answering to your SNMP requests? Try something like “snmpwalk -v 2c -c PASSWORD IPADDRESS .1.3.6”. The output should show all SNMP OIDs accessible from the Palo Alto. If nothing is shown, you have an SNMP problem. If there are outputs that look like counters, etc., the template might be wrong… What PA hardware are you using?
I checked and it is answering. I have ommited the password and IP. I am going to check a bit further. I am betting 10 bucks on it being a find/replace fail, as the test OID is one from the file given.
snmpwalk -Os -c ###### -v 2c #.#.#.# ‘1.3.6.1.2.1.25.3.3.1.2.2’
hrProcessorLoad.2 = INTEGER: 1
I found the issue. It’s with the memory Target. The OID’s should not have the 10 at the end. In the file it reads:
Target[192.168.120.2_mem]: 1.3.6.1.2.1.25.2.3.1.6.1020&1.3.6.1.2.1.25.2.3.1.6.1030:COMMUNITY@192.168.120.2:::::2 * 1024
It should Read:
Target[192.168.120.2_mem]: 1.3.6.1.2.1.25.2.3.1.6.20&1.3.6.1.2.1.25.2.3.1.6.30:COMMUNITY@192.168.120.2:::::2 * 1024
After that all is working well. Thanks again for your post, your template really helped me understand the configuration well.
Have you done this for Palo Alto with MRTG and SNMPv3?
my config file looks like:
/usr/bin/cfgmaker \
–enablesnmpv3 \
–global “Workdir: /home/mrtg/pa” \
–global “Options[_]: bits, growright” \
–output /home/mrtg/cfg/pa.cfg \
–ifdesc=name \
–ifref=name \
–username=jsmith \
–contextengineid=80001f888099a87c5038864b5600000000 \
–authpassword=’pass123′ \
–authprotocol=sha \
–privpassword=’pass456′ \
–privprotocol=aes128 \
–snmp-options=:::::3 \
192.168.1.1
This runs ok but I get graphs with no data, for ethernet1/2, 1/2, 1/3, 1/4 and mgmt.
Hi Roger,
are you getting other data rather than the interface stats? If so, your OIDs for the interfaces are probably incorrect.
I have worked with SNMPv3 and Palo Alto, but with a different NMS at the customers site. I have NOT yet worked with SNMPv3 and MRTG.
Cheers.
Hi,
Might be a dummy question but I’m lost when you say “For all specific Palo Alto OIDs, use the following template and copy the contents into the just generated cfg file” which file and directory should this template go to, what should we name the file..?
Much appreciated in advance!
Hey cyBaba.
Of course you need a working MRTG/Routers2 setup. Note that MTRG/Routers2 is NOT recommended nowadays anymore, because it is really old. If you are new to MRTG/Routers2, then DO NOT use my template at all but look for a more modern monitoring system such as Zabbix.
If you have a MRTG/Routers2, then you should use the *.cfg file in the same way as all your others. ;)
Cheers, Johannes
Thanks foe getting back to me, so for my curiosity back to my question, should name the file say test.cfg and which directory should the file be saved, is it under /etc/mrtg?
;)
You can name the file whatever you like. I am naming them according to my firewall names such as “paloalto.cfg” or “fw01.cfg”.
Yes, in *my* MRTG/Routers2 installation, I am storing these files under /etc/mrtg/. But this depends on *your* installation of MRTG. If you are interested in MRTG/Routers2, have a look at my tutorial: https://weberblog.net/mrtg-with-rrdtool-and-routers2-installation-from-scratch/
(But again, if you’re new to it -> search for a more modern monitoring system. ;))
Thanks again greatly appreciated it..
One more question and I rest my case, how about rdd files, do we need them to displays the graph, if so and I’m sure we do how come I don’t see or can find them under /etc/mrtg, do we have to make them manually.. again thanks in advance and please be patient with me as this are all new to me and I will do read the suggested link
Hey Cy. Please read the blogpost first before asking simple questions: https://weberblog.net/mrtg-with-rrdtool-and-routers2-installation-from-scratch/
“I decided to store the configs under the /etc folder while the rrd files under the /var folder: […]”
So basically: The rrd files are stored somewhere else while they are created automatically by MRTG. The graphs itself are rendered in real-time while visiting the HTTP server of Routers2.
Thank you, much appreciated it and I will
Hi Johannes,
Gone through the doc and link you have provided, now it seems everything works except that the graph does not display correctly , it display only for an hour, when click 6 hours, and if click daily nothing will be displayed!