Configuration and Discovery

The following sections describe how to configure and discover Palo Alto firewalls for monitoring by SL1 using the Palo Alto Base Pack PowerPack:

Prerequisites for Monitoring Palo Alto Firewalls

Before you can monitor Palo Alto firewalls in SL1 using the Palo Alto Base Pack PowerPack, you must have the following information:

  • SNMP community strings for the devices you want to monitor
  • IP addresses for each device you want to monitor
  • Username and password for a user with access to the devices you want to monitor

The monitored firewalls must be running PAN-OS version 8.0 or later to ensure the proper collection of tunnel performance data.
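
The prerequisites above can be checked from a host that reaches the firewall's management interface before any credential is created. The script below is an added example, not part of SL1 or the PowerPack; it assumes SNMP v2c, that net-snmp's snmpget and curl are installed, and that the community string is supplied in a hypothetical SNMP_COMMUNITY environment variable.

```sh
#!/bin/sh
# Added example: pre-discovery check of one firewall (not SL1 or PowerPack code).
# Assumes net-snmp's snmpget and curl; SNMP_COMMUNITY is a hypothetical variable name.

PAN_ENTERPRISE="1.3.6.1.4.1.25461"   # Palo Alto Networks IANA enterprise number
SYS_OBJECT_ID="1.3.6.1.2.1.1.2.0"    # SNMPv2-MIB::sysObjectID.0

# Return 0 when an snmpget reply line carries a sysObjectID in the Palo Alto subtree.
is_paloalto_sysobjectid() {
    oid=$(printf '%s\n' "$1" | sed -n 's/.*OID: *//p')
    case "$oid" in
        ".${PAN_ENTERPRISE}."*|"${PAN_ENTERPRISE}."*) return 0 ;;  # numeric (-On)
        *enterprises.25461.*) return 0 ;;                          # MIB-translated
        *) return 1 ;;                                             # timeout, other vendor
    esac
}

# Map curl's HTTP status ($1) and exit code ($2) to a state for port 443.
https_state() {
    case "$2:$1" in
        60:*)        echo "tls-untrusted" ;;   # certificate not trusted by this host
        0:401|0:403) echo "auth-required" ;;
        0:2??|0:3??) echo "listening" ;;
        *:000)       echo "unreachable" ;;     # no HTTP response at all
        *)           echo "unexpected" ;;
    esac
}

preflight() {
    host=$1
    : "${SNMP_COMMUNITY:?export SNMP_COMMUNITY before running}"
    reply=$(snmpget -v2c -c "$SNMP_COMMUNITY" -On -t 5 -r 1 "$host" "$SYS_OBJECT_ID" 2>&1)
    if is_paloalto_sysobjectid "$reply"; then
        echo "snmp: ok       $reply"
    else
        echo "snmp: FAILED   $reply"
    fi
    # 30 s mirrors the 30000 ms timeout of the Basic/Snippet credential.
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 30 "https://$host:443/")
    rc=$?
    echo "https/443: $(https_state "$code" "$rc") (HTTP $code, curl exit $rc)"
}

# Run only when a firewall address is given: sh preflight.sh 192.0.2.10
if [ "$#" -ge 1 ]; then
    preflight "$1"
fi
```

A "tls-untrusted" result means the port answered but the management certificate is not trusted by the checking host, which is a separate finding from "unreachable".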

Creating Credentials for Palo Alto

To configure SL1 to monitor Palo Alto firewalls, you must create the SNMP and Basic/Snippet credentials that enable SL1 to connect with those firewalls.

The Palo Alto Base Pack PowerPack currently supports only basic authentication for discovery; it does not support the use of an API key.

Creating an SNMP Credential

Some of the Dynamic Applications in the Palo Alto Base Pack PowerPack use SNMP to collect information about Palo Alto firewalls. To use these Dynamic Applications, you must first define an SNMP credential that enables SL1 to communicate with the firewalls.

To configure an SNMP credential:

  1. Go to the Credentials page (Manage > Credentials).
  2. Click Create New and then click Create SNMP Credential.
  3. Supply values in the following fields:
     • Name. Name of the credential. Can be any combination of alphanumeric characters, up to 64 characters.
     • All Organizations. Toggle on (blue) to align the credential to all organizations, or toggle off (gray) and then select one or more specific organizations from the What organization manages this service? drop-down field to align the credential with those specific organizations.
     • Timeout (ms). Time, in milliseconds, after which SL1 will stop trying to communicate with the device from which you want to retrieve data.
     • SNMP Version.
       • Select SNMP V2 (default)
       • Select SNMP V3 for enhanced security
     • SNMP Community (Read Only). Type the community string for the Palo Alto firewalls you want to monitor.
     • Port. Use the default setting.
  4. Click Save & Close.

Creating a Basic/Snippet Credential

To configure SL1 to monitor Palo Alto devices, you must also create a Basic/Snippet credential. This credential enables some of the Dynamic Applications in the Palo Alto Base Pack PowerPack to connect with those devices.

To create a Basic/Snippet credential for Palo Alto devices:

  1. Go to the Credentials page (Manage > Credentials).
  2. Click Create New and then click Create Basic/Snippet Credential.
  3. Supply values in the following fields:
     • Name. Type a name for the credential.
     • All Organizations. Toggle on (blue) to align the credential to all organizations, or toggle off (gray) and then select one or more specific organizations from the What organization manages this service? drop-down field to align the credential with those specific organizations.
     • Timeout (ms). Type "30000".
     • Hostname/IP. Type "https://%D".
     • Port. Type "443".
     • Username. Type the username for a user account with access to the Palo Alto firewalls.
     • Password. Type the password for the Palo Alto user account.
  4. Click Save & Close.

Creating an SNMP Credential in the SL1 Classic User Interface

Some of the Dynamic Applications in the Palo Alto Base Pack PowerPack use SNMP to collect information about Palo Alto firewalls. To use these Dynamic Applications, you must first define an SNMP credential that enables SL1 to communicate with the firewalls.

To configure an SNMP credential:

  1. Go to the Credential Management page (System > Manage > Credentials).
  2. Click the Actions button and then select Create SNMP Credential. The Credential Editor page appears.
  3. Complete the following fields:
     • Profile Name. Type a name for the credential.
     • SNMP Version. Select the version of SNMP you wish to use.
     • SNMP Community (Read Only). Type the community string for the Palo Alto firewalls you want to monitor.
  4. Supply values in the other fields on this page as needed. In most cases, you can accept the default values for the other fields.
  5. Click the Save button.

Creating a Basic/Snippet Credential in the SL1 Classic User Interface

To configure SL1 to monitor Palo Alto devices, you must also create a Basic/Snippet credential. This credential enables some of the Dynamic Applications in the Palo Alto Base Pack PowerPack to connect with those devices.

To create a Basic/Snippet credential for Palo Alto devices:

  1. Go to the Credential Management page (System > Manage > Credentials).
  2. Click the Actions button and then select Create Basic/Snippet Credential. The Credential Editor page appears.
  3. Complete the following fields:
     • Credential Name. Type a name for the credential.
     • Hostname/IP. Type "https://%D".
     • Port. Type "443".
     • Timeout. Type "30000".
     • Username. Type the username for a user account with access to the Palo Alto firewalls.
     • Password. Type the password for the Palo Alto user account.
  4. Click the Save button.
  5. When the confirmation message appears, click OK.

Discovering Palo Alto Devices

After you have created the necessary credentials, you can discover the Palo Alto devices that you want to monitor. Several minutes after the discovery session has completed, the Dynamic Applications in the Palo Alto Base Pack PowerPack will automatically align to the devices, enabling you to view configuration and performance data about the devices.

This PowerPack discovers virtual Palo Alto devices that respond to SNMP. However, if they are provisioned, SL1 will not model them. SL1 will model the devices if they exist when the next discovery session is run.

To discover the Palo Alto devices that you want to monitor:

  1. On the Devices page or the Discovery Sessions page (Devices > Discovery Sessions), click the Add Devices button. The Select page appears:

     Image of the Add Devices wizard, page 1

  2. Click the Unguided Network Discovery button. Additional information about the requirements for discovery appears in the General Information pane to the right.
  3. Click Select. The Add Devices page appears.
  4. Complete the following fields:
     • Name. Type a unique name for this discovery session. This name is displayed in the list of discovery sessions on the Discovery Sessions tab.
     • Description. Optional. Type a short description of the discovery session. You can use the text in this description to search for the discovery session on the Discovery Sessions tab.
     • Select the organization to add discovered devices to. Select the name of the organization to which you want to add the discovered devices.
  5. Click Next. The Credentials page of the Add Devices wizard appears:

     Image of the Add Devices wizard, page 2

  6. On the Credentials page, locate and select the SNMP credential and the Basic/Snippet credential you created.
  7. Click Next. The Discovery Session Details page of the Add Devices wizard appears:

     Image of the Add Devices wizard, page 2

  8. Complete the following fields:
     • List of IPs/Hostnames. Type the IP address for the Palo Alto device.
     • Which collector will monitor these devices?. Select an existing collector to monitor the discovered devices. Required.
     • Run after save. Select this option to run this discovery session as soon as you click Save and Close.

     In the Advanced options section, click the down arrow icon to complete the following fields:

     • Model Devices. Enable this setting.
  9. Click Save and Close to save the discovery session. The Discovery Sessions page (Devices > Discovery Sessions) displays the new discovery session.
  10. If you selected the Run after save option on this page, the discovery session runs, and the Discovery Logs page displays any relevant log messages. If the discovery session locates and adds any devices, the Discovery Logs page includes a link to the Device Investigator page for the discovered device.

Discovering Palo Alto Devices in the SL1 Classic User Interface

After you have created the necessary credentials, you can discover the Palo Alto devices that you want to monitor. Several minutes after the discovery session has completed, the Dynamic Applications in the Palo Alto Base Pack PowerPack will automatically align to the devices, enabling you to view configuration and performance data about the devices.

This PowerPack discovers virtual Palo Alto devices that respond to SNMP. However, if they are provisioned, SL1 will not model them. SL1 will model the devices if they exist when the next discovery session is run.

To discover the Palo Alto devices that you want to monitor:

  1. Go to the Discovery Control Panel page (System > Manage > Classic Discovery).
  2. In the Discovery Control Panel, click the Create button.
  3. The Discovery Session Editor page appears. In the Discovery Session Editor page, complete the following fields:
     • IP Address/Hostname Discovery List. Type the IP address or addresses for the Palo Alto devices that you want to discover.
     • SNMP Credentials. Select the SNMP credential you created for the Palo Alto devices.
     • Other Credentials. Select the Basic/Snippet credentials you created for the Palo Alto devices.
     • Model Devices. Select this checkbox.
  4. Optionally, you can enter values in the other fields on this page. For more information about the other fields on this page, see the Discovery & Credentials section.
  5. Click the Save button to save the discovery session, and then close the Discovery Session Editor window.
  6. The discovery session you created appears at the top of the Discovery Control Panel page. Click its lightning-bolt icon to run the discovery session.
  7. The Discovery Session window appears. When the device(s) are discovered, click the device icon to view the Device Properties page for each device.