MRTG/Routers2: Template Palo Alto

Here is my MRTG/Routers2 configuration for a Palo Alto Networks PA-200 firewall. It uses all available OIDs from the PAN-MIB. With a few search-and-replace runs, this template can be used in many other scenarios.

SNMP Tests

In my testbed, I am using a PA-200 with PAN-OS 6.1.1. That is, I used the Enterprise SNMP MIB 6.1 from Palo Alto. This is relevant to know since Palo Alto changed a few OIDs from PAN-OS version 5.0.x to 6.0.x.

Note that the following template must be adjusted if it is used with other Palo Alto firewalls, e.g., when more than CPU or multiple VSYS are used.

Unfortunately, the PA firewall is very limited when it comes to monitoring it via SNMP. Is has only a single MIB with a few values. Furthermore, the interfaces cannot be monitored as known from other firewall vendors. For example, there are no counters for subinterfaces or for VLAN interfaces. This is really bad! Furthermore, no site-to-site VPN statistics can be read out, and so on. However, at least the speed of the fan can be requested.

The following values are accessible via SNMP:

CPU of the data- and management-plane
Disk space of all partitions
Fan speed
GlobalProtect tunnels
Sessions: ICMP, SSL, TCP, UDP
Temperature
Memory: real and swap
Interfaces: all data ports + management port

My MRTG/Routers2 Configuration

At first, I ran the cfgmaker to get the interfaces. I am also using two global options: one for the icon and one for the “mirror” graph style:

cfgmaker --snmp-options=:::::2 --show-op-down --zero-speed=1000000000 --global "routers.cgi*Icon: firewall3-sm.gif" --global "routers.cgi*GraphStyle[_]: mirror" --output=NAMEOFTHEFIREWALL.cfg COMMUNITY@192.168.120.2

Then, as always, I deleted the Global Config Options except the two ones that were added through the global options with cfgmaker. Furthermore, the “noHC[…]: yes” lines (if present) can be deleted.

For all specific Palo Alto OIDs, use the following template and copy the contents into the just generated cfg file. Of course, the targets for the interfaces should not be copied. Read the first lines of that file to know which values must be adjusted.