Monitoring

Palo Alto Firewalls

Palo Alto firewalls expose a small amount of data by SNMP, but in order to get comprehensive monitoring it is necessary to also use the Palo Alto API. Therefore, you should ensure that SNMP is enabled and configured correctly on your device, and additionally follow the instructions below to set your Palo Alto API key as a device property in LogicMonitor.

To use the API requires that you set up an API key.  Instructions for doing so are availble in Palo Alto XML API manual, but the short version is:

  • Use the URL below, replacing hostname, username, and password with the appropriate values. Any special characters in the password must be URL encoded (your browser will most likely do this for you.)

http(s)://hostname/api/?type=keygen&user=username&password=password 

  • The result will be an XML block that contains the key. It should look like the following: 

gJlQWE56987nBxIqyfa62s23RtYuIo2BgzEA9UOnlZBhU

Copy the value from the Key field, and use it as the value for a property paloalto.apikey.pass

Ensure this property is set on all Palo Alto devices, including the Panorama management server.  (It is easiest to set this property at the root level of your LogicMonitor account.) This allows the datasources to connect via the API.

 

Troubleshooting Note

In some cases, Palo Alto Firewalls allow SNMP requests from a Collector to a device, but block the response from the device back to the Collector.  This is evidenced by a discard session on the firewall for the response packet (that is, discard UDP from device:snmp port -> collector:highport). This discard session would then block ALL subsequent snmp responses from the device back to the Collector that are using the same port on the Collector, until a Collector restart or other event allows the discard session to expire (after no traffic for 30-60 seconds).  This could potentially result in SNMP data collection issues where traffic from a Collector to its monitored devices flows across a Palo Alto Firewall.

Possible workarounds:

  1. Increase the Palo Alto UDP session timeout from 10 seconds to 30 seconds.
  2. Open bidirectional firewall policies, such as: 1. allow collector:highports -> device:snmp AND 2. allow device:snmp -> collector:highports