The following sections describe resolutions to some issues you might encounter when monitoring Palo Alto firewalls:
Troubleshooting Palo Alto API Requests
If you are experiencing an issue in SL1, you can verify whether it is an issue with SL1 or Palo Alto's API.
ScienceLogic suggests using an API tool, like Postman or cURL, to try to reproduce the issue in your Palo Alto system. When running the API testing tool, if you receive a message that the tool is not able to send a request or if the tool does not receive a response from the API, an issue is occurring in your Palo Alto system. For the examples below, ScienceLogic uses Postman.
Common Palo Alto API Issues and Resolutions
-
If the API testing tool cannot send a request, you might be experiencing network connectivity issues. Check your connection by attempting to open a page in your web browser.
-
Some firewalls might be configured to block non-browser connections. If this is the case, you will need to contact your Palo Alto administrator before running the API testing tool.
-
Your API server might require client certificates. You can try adding a client certificate in the API testing tool settings.
-
If you are including variables or path parameters with your API request, check that the final address is structured correctly. Unresolved request variables can result in an invalid server address.
-
Check that the URL is correct and uses http:// or https://.
-
For a full list of Palo Alto API code errors, see Palo Alto's documentation on PAN-OS XML API Error Codes.
Troubleshooting Commands
If your Dynamic Applications are failing, you can use SSH to access each Data Collector and then run the following commands. These commands verify the API endpoints that are used by the Dynamic Applications in the Palo Alto Base Pack PowerPack. If the command fails, you have identified which Dynamic Application is failing.
-
To test the Discovery Snippet Code that is used for Dynamic Applications that use the API, run the following command:
curl -u USERNAME:PASSWORD -k "https://DEVICE_IP/api/?type=report&async=yes&reporttype=predefined&reportname=top-application-categories"
-
To test the "Palo Alto: Traffic to Country Destination" Dynamic Application, run the following command:
curl -u USERNAME:PASSWORD -k "https://DEVICE_IP/api/?type=report&async=nos&reporttype=predefined&reportname=top-destination-countries"
-
To test the "Palo Alto: Environmental Performance" Dynamic Application, run the following command:
curl -u USERNAME:PASSWORD -k "https://DEVICE_IP/api/?type=op&cmd=<show><system><environmentals></environmentals></system></show>"
-
To test the "Palo Alto: License Configuration" Dynamic Application, run the following command:
curl -u USERNAME:PASSWORD -k "https://DEVICE_IP/api/?type=op&cmd=<request><license><info></info></license></request>"
-
To test the "Palo Alto: GlobalProtect Configuration" Dynamic Application, run the following command:
curl -u USERNAME:PASSWORD -k "https://DEVICE_IP/api/?type=op&cmd=<show><system><info/></system></show>"
-
To get the Palo Alto version, run the following command:
curl -u USERNAME:PASSWORD -k "https://DEVICE_IP/api/?type=version"
Troubleshooting Dynamic Applications
There are additional common issues when using the Dynamic Applications included in the Palo Alto Base Pack PowerPack. Use the following steps to identify and troubleshoot issues.
SNMP Devices and Dynamic Applications
If your Dynamic Applications are not collecting data from an SNMP device, review your SNMP device credential to ensure the Data Collector can communicate with your SNMP device. If your credential is correct, perform a SNMP request to verify that the object IDs (OIDs) that are used by the Dynamic Applications are available in the SNMP device.
NOTE: The SNMP Walker will only return information from SNMP v2 devices.
To verify that the OIDs are available to a Dynamic Application, perform an SNMP walk:
- Go to the Device Manager page (Devices > Device Manager, or Registry > Devices > Device Manager in the classic SL1user interface).
- In the Device Manager page, select the wrench icon (
) for a device on which you want to perform an SNMP walk. - In the Device Properties page, select the tab. Select the SNMP Walker icon in the Device Toolbox pane.
- The SNMP Walker modal appears. In the drop-down menu in the upper left, select the OID for the Dynamic Application you would like to verify.
- Click the button.
- Verify that the OID returns a response. If an OID does not return a response, there may be an issue with your device.
Automatically Aligned Dynamic Applications
If your Dynamic Application is not collecting data, it is possible that the Dynamic Application is not automatically aligned to a component. To manually verify that a Dynamic Application is aligned, you can perform an SNMP walk.
To identify the Discovery OID available on a Dynamic Application and perform an SNMP walk:
- Go to the Dynamic Applications Manager page (System > Manage > Dynamic Applications, or System > Manage > Applications in the classic SL1 user interface).
- Find the Dynamic Application that you would like to verify and select the wrench icon ().
- In the Dynamic Applications Properties Editor page, select the tab.
- In the Collection Object Registry pane (at the bottom of the page), find the Object Name 'Discovery' and make note of the SNMP OID. You will need it to perform an SNMP walk.
- Go to the Device Manager page (Devices > Device Manager, or Registry > Devices > Device Manager in the classic SL1 user interface).
- In the Device Manager page, select the wrench icon () for a device on which you want to perform an SNMP walk.
- In the Device Properties page, select the tab. Select the SNMP Walker icon in the Device Toolbox pane.
- The SNMP Walker modal appears. Next to the drop-down menu in the upper left, select the plus icon to manually enter an OID.
- Enter the SNMP OID value from the 'Discovery' Object Name. Click the button.
- Verify that the OID returns a response. If the OID does not return a response, the Dynamic Application may not be automatically aligned.