Configuration and Discovery

Overview Configuration and Discovery

Download this manual as a PDF file

The following sections describe how to configure and discover Palo Alto firewalls for monitoring by SL1 using the Palo Alto Base Pack PowerPack:

Prerequisites for Monitoring Palo Alto Firewalls

Before you can monitor Palo Alto firewalls in SL1 using the Palo Alto Base Pack PowerPack, you must have the following information:

  • SNMP community strings for the devices you want to monitor
  • IP addresses for each device you want to monitor
  • Username and password for a user with access to the devices you want to monitor

The monitored firewalls must be running PAN-OS version 8.0 or later to ensure the proper collection of tunnel performance data.

Creating Credentials for Palo Alto

To configure SL1 to monitor Palo Alto firewalls, you must create the SNMP and Basic/Snippet (or SOAP/XML) credentials that enable SL1 to connect with those firewalls.

The Palo Alto Base Pack PowerPack currently supports only basic authentication for discovery; it does not support the use of an API key.

Creating an SNMP Credential

Some of the Dynamic Applications in the Palo Alto Base Pack PowerPack use SNMP to collect information about Palo Alto firewalls. To use these Dynamic Applications, you must first define an SNMP credential that enables SL1 to communicate with the firewalls.

To configure an SNMP credential:

  1. Go to the Credentials page (Manage > Credentials).
  2. Click Create Newand then click Create SNMP Credential.

  1. Supply values in the following fields:
  • Name. Name of the credential. Can be any combination of alphanumeric characters, up to 64 characters.

  • All Organizations. Toggle on (blue) to align the credential to all organizations, or toggle off (gray) and then select one or more specific organizations from the What organization manages this service? drop-down field to align the credential with those specific organizations.

  • Timeout (ms). Time, in milliseconds, after which SL1 will stop trying to communicate with the device from which you want to retrieve data.
  • SNMP Version.
    • Select SNMP V2 (default)
    • Select SNMP V3 for enhanced security
  • SNMP Community (Read Only). Type the community string for the Palo Alto firewalls you want to monitor.
  • Port. Use the default setting.
  1. Click Save & Close.

Creating a Basic/Snippet Credential

To configure SL1 to monitor Palo Alto devices, you must also create a Basic/Snippet credential. This credential enables some of the Dynamic Applications in the Palo Alto Base Pack PowerPack to connect with those devices.

To create a Basic/Snippet credential for Palo Alto devices:

  1. Go to the Credentials page (Manage > Credentials).
  2. Locate the "Palo Alto REST API Example" sample credential and click its Action icon (). Then, select Duplicate and a copy of the credential called "Palo Alto REST API Example copy" appears.

  1. Supply values in the following fields:
  • Name. Type a name for the credential.
  • All Organizations. Toggle on (blue) to align the credential to all organizations, or toggle off (gray) and then select one or more specific organizations from the What organization manages this service? drop-down field to align the credential with those specific organizations.
  • Timeout (ms). Time, in milliseconds, after which the platform will stop trying to communicate with the authenticating server.
  • Hostname/IP. Hostname or IP address of the device from which you want to retrieve data. Leave the default "https://%D".
  • Port. Type the port number associated with the data you want to retrieve.
  • Username. Type the username for a user account with access to the Palo Alto firewalls.
  • Password. Type the password for the Palo Alto user account.
  1. Click Save & Close.

Creating a SOAP/XML Credential

To configure SL1 to monitor Palo Altodevices, you can create a SOAP/XML credential instead of a Basic/Snippet credential. This credential enables some of the Dynamic Applications in the Palo Alto Base Pack PowerPack to connect with those devices. This credential allows you to disable the SSL configuration.

To create a SOAP/XML credential:

  1. Go to the Credentials page (Manage > Credentials).
  2. Locate the "Palo Alto SSL Off REST API Example" credential and click its Action icon (). Then, select Duplicate and a copy of the credential called "Palo Alto SSL Off REST API Example copy" appears.
  3. Click the Action icon () for the "Palo Alto SSL Off REST API Example copy" credential and select Edit. The Edit Credential modal appears.

An image of the SOAP/XML SSL OFF Create Credential page.

  1. Supply values in the following fields:
  • Name. Type a new name for the credential.
  • All Organizations. Toggle on (blue) to align the credential to all organizations, or toggle off (gray) and then select one or more specific organizations from the What organization manages this service? drop-down field to align the credential with those specific organizations.
  • URL. Leave the default http://%D.
  • HTTP Auth User. Type the username of the user account with access to the Palo Alto firewalls.
  • HTTP Auth Password. Type the password of the Palo Alto user account.
  • Proxy Port. (Required) Type the port number associated with the data you want to retrieve.
  • CURL Options. Leave the default value of SSLVERIFYPEER=0 so that the SSL configuration is disabled.
  1. Click Save.

Creating a SOAP/XML Credential for an SSL Certificate

To configure SL1 to monitor Palo Alto devices, you can create a SOAP/XML credential instead of Basic/Snippet credential. This credential enables some of the Dynamic Applications in the Palo Alto Base Pack PowerPack to connect with those devices. This credential also allows enables the SSL configuration.

To create a SOAP/XML credential:

  1. Go to the Credentials page (Manage > Credentials).
  2. Locate the "Palo Alto SSL On REST API Example" credential and click its Action icon (). Then, select Duplicate and a copy of the credential called "Palo Alto SSL On REST API Example copy" appears.
  3. Click the Action icon () for the "Palo Alto SSL On REST API Example copy" credential and select Edit. The Edit Credential modal appears.
  4. An image of the SOAP/XML Create Credential page.

  1. Update the values in the following fields:
  • Name. Type a new name for the credential.
  • All Organizations. Toggle on (blue) to align the credential to all organizations, or toggle off (gray) and then select one or more specific organizations from the What organization manages this service? drop-down field to align the credential with those specific organizations.
  • URL. Leave the default http://%D.
  • HTTP Auth User. Type the username of the user account with access to the Palo Alto firewalls.
  • HTTP Auth Password. Type the password of the Palo Alto user account.
  • Proxy Port. (Required) Type the port number associated with the data you want to retrieve.
  • CURL Options. Edit the following fields in this section:
    • SSLCERT. Type the certificate path for your SSL certificate.
    • SSLVERIFYPEER=1. Enables the SSL configuration.
  1. Click Save.

If you would like to test your credential using the Credential Tester panel, click Save & Test. For detailed instructions on using the Credential Tester panel, see the Using the Credential Tester Panel section.

Creating an SNMP Credential in the SL1 Classic User Interface

Some of the Dynamic Applications in the Palo Alto Base Pack PowerPack use SNMP to collect information about Palo Alto firewalls. To use these Dynamic Applications, you must first define an SNMP credential that enables SL1 to communicate with the firewalls.

To configure an SNMP credential:

  1. Go to the Credential Management page (System > Manage > Credentials).

  1. Click the Actions button and then select Create SNMP Credential. The Credential Editor page appears.

  1. Complete the following fields:
  • Profile Name. Type a name for the credential.

  • SNMP Version. Select the version of the SNMP you wish to use.
  • SNMP Community (Read Only). Type the community string for the Palo Alto firewalls you want to monitor.
  1. Supply values in the other fields on this page as needed. In most cases, you can accept the default values for the other fields.
  2. Click the Save button.

Creating a Basic/Snippet Credential in the SL1 Classic User Interface

To configure SL1 to monitor Palo Alto devices, you must also create a Basic/Snippet credential. This credential enables some of the Dynamic Applications in the Palo Alto Base Pack PowerPack to connect with those devices.

To create a Basic/Snippet credential for Palo Alto devices:

  1. Go to the Credential Management page (System > Manage > Credentials).
  2. Locate the “Palo Alto REST API Example” credential and click its wrench icon ( ). The Credential Editor modal page appears.

  1. Supply the values in the following fields:
  • Credential Name. Type a name for the credential.
  • Timeout (ms). Time, in milliseconds, after which the platform will stop trying to communicate with the authenticating server.
  • Hostname/IP. Hostname or IP address of the device from which you want to retrieve data. Leave the default "http://%D".
  • Port. Type the port number associated with the data you want to retrieve.
  • Username. Type the username for a user account with access to the Palo Alto firewalls.
  • Password. Type the password for the Palo Alto user account.
  1. Click Save As button and then click OK.

Creating a SOAP/XML Credential in the SL1 Classic User Interface

To configure SL1 to monitor Palo Alto devices, you can also create a SOAP/XML credential. This credential enables some of the Dynamic Applications in the Palo Alto Base Pack PowerPack to connect with those devices. This credential disables the SSL configuration.

To create a SOAP/XML credential for Palo Alto devices:

  1. Go to the Credential Management page (System > Manage > Credentials).
  2. Locate the "Palo Alto SSL Off REST API Example" credential and click its wrench icon ( ). The Credential Editor modal page appears.

  1. Supply the values in the following fields:

  • Profile Name. Type a name for the credential.
  • URL. Leave the default value of http://%D.
  • HTTP Auth User. Type the username for a user account with access to the Palo Alto firewalls.
  • HTTP Auth Password. Type the password for the Palo Alto user account.
  • Timeout (seconds). Time, in seconds, after which the platform will stop trying to communicate with the authenticating server.
  • Proxy Settings
    • Port. Type the port number associated with the data you want to retrieve.
  • CURL Options.
    • SSLVERIFYPEER. Leave the default value “0” so that the SSL configuration is disabled.
  1. Click Save As button and then click OK.

Creating a SOAP/XML Credential for an SSL Certificate in the SL1 Classic User Interface

To configure SL1 to monitor Palo Alto devices, you can also create a SOAP/XML credential. This credential enables some of the Dynamic Applications in the Palo Alto Base Pack PowerPack to connect with those devices. This credential allows you to enable the SSL configuration.

To create a SOAP/XML credential for Palo Alto devices:

  1. Go to the Credential Management page (System > Manage > Credentials).
  2. Locate the "Palo Alto SSL On REST API Example" credential and click its wrench icon ( ). The Credential Editor modal page appears.

  1. Supply the values in the following fields:
  • Profile Name. Type a name for the credential.
  • URL. Leave the default value of https://%D.
  • HTTP Auth User. Type the username for a user account with access to the Palo Alto firewalls.
  • HTTP Password. Type the password for the Palo Alto user account.
  • Timeout (seconds). Time, in seconds, after which the platform will stop trying to communicate with the authenticating server.
  • Proxy Settings.
    • Port. Type the port number associated with the data you want to retrieve.
  • CURL Options.
    • SSLCERT. Type the certificate path for your SSL certificate.
    • SSLVERIFYPEER. Leave the default value “1” so that the SSL configuration is enabled.

  1. Click Save As button and then click OK.

Discovering Palo Alto Devices

After you have created the necessary credentials, you can discover the Palo Alto devices that you want to monitor. Several minutes after the discovery session has completed, the Dynamic Applications in the Palo Alto Base Pack PowerPack will automatically align to the devices, enabling you to view configuration and performance data about the devices.

This PowerPack discovers virtual Palo Alto devices that respond to SNMP. However, if they are provisioned, SL1 will not model them. SL1 will model the devices if they exist when the next discovery session is run.

To discover the Palo Alto devices that you want to monitor:

  1. On the Devices page () or the Discovery Sessions page (Devices > Discovery Sessions), click the Add Devices button. The Select page appears:

Image of the Add Devices wizard, page 1

  1. Click the Unguided Network discovery workflow button. Additional information about the requirements for discovery appears in the General Information pane to the right.
  1. Click Select. The Add Devices page appears:
  2. Complete the following fields:
  • Name. Type a unique name for this discovery session. This name is displayed in the list of discovery sessions on the Discovery Sessions tab.
  • Description. Optional. Type a short description of the discovery session. You can use the text in this description to search for the discovery session on the Discovery Sessions tab.
  • Select the organization to add discovered devices to. Select the name of the organization to which you want to add the discovered devices.

  1. Click Next. The Credentials page of the Add Devices wizard appears:

Image of the Add Devices wizard, page 2

  1. On the Credentials page, locate and select the SNMP credential and the Basic/Snippet credential or the SOAP/XML credential you created.
  1. Click Next. The Discovery Session Details page of the Add Devices wizard appears:

Image of the Add Devices wizard, page 2

  1. Complete the following fields:
  • List of IPs/Hostnames. Type the IP address for the Palo Alto device.

  • Which collector will monitor these devices?. Select an existing collector to monitor the discovered devices. Required.
  • Run after save. Select this option to run this discovery session as soon as you click Save and Close.

In the Advanced options section, click the down arrow icon () to complete the following fields:

  • Model Devices. Enable this setting.

  1. Click Save and Close to save the discovery session. The Discovery Sessions page (Devices > Discovery Sessions) displays the new discovery session.
  2. If you selected the Run after save option on this page, the discovery session runs, and the Discovery Logs page displays any relevant log messages. If the discovery session locates and adds any devices, the Discovery Logs page includes a link to the Device Investigator page for the discovered device.

Discovering Palo Alto Devices in the SL1 Classic User Interface

After you have created the necessary credentials, you can discover the Palo Alto devices that you want to monitor. Several minutes after the discovery session has completed, the Dynamic Applications in the Palo Alto Base Pack PowerPack will automatically align to the devices, enabling you to view configuration and performance data about the devices.

This PowerPack discovers virtual Palo Alto devices that respond to SNMP. However, if they are provisioned, SL1 will not model them. SL1 will model the devices if they exist when the next discovery session is run.

To discover the Palo Alto devices that you want to monitor:

  1. Go to the Discovery Control Panel page (System > Manage > Classic Discovery).

  1. In the Discovery Control Panel, click the Create button.

  1. The Discovery Session Editor page appears. In the Discovery Session Editor page, complete the following fields:
  • IP Address/Hostname Discovery List. Type the IP address or addresses for the Palo Alto devices that you want to discover.

  • SNMP Credentials. Select the SNMP credential you created for the Palo Alto devices.
  • Other Credentials. Select the Basic/Snippet or SOAP/XML credentials you created for the Palo Alto devices.
  • Model Devices. Select this checkbox.
  1. Optionally, you can enter values in the other fields on this page. For more information about the other fields on this page, see the Discovery & Credentials section.
  2. Click the Save button to save the discovery session, and then close the Discovery Session Editor window.
  3. The discovery session you created appears at the top of the Discovery Control Panel page. Click its lightning-bolt icon () to run the discovery session.
  4. The Discovery Session window appears. When the device(s) are discovered, click the device icon () to view the Device Properties page for each device.