2.1.8 Palo Alto Networks
We always recommend that a system administrator defer to the vendor’s official documentation on credential creation. Please follow the vendor’s instructions for configuring the device for access with an SSH key, and then use the Indeni WebGUI to store the private key in the relevant Credential Profile.
Indeni connects to Palo Alto Networks devices (Log Collector excepted) via PAN-OS XML API/HTTPS, SSH and SNMP. We recommend assigning the Dynamic role of Superuser or Device Administrator to the Indeni user, with standard session timeouts configured. This leverages Palo Alto Networks’ fixed privileges and is a scalable option for future automation scripts to be successfully utilized by the Indeni system.
In the event that a Custom role needs to be defined, it is preferred to include privileges that allow for flexibility and growth when Indeni’s Knowledge scripts expand to include more enhanced functionality. However, the following are minimum access requirements and must be enabled within the profile.
If you need assistance creating a user on your Palo Alto Networks device, please refer to Palo Alto’s website.
Indeni recommends that credentials set for Palo Alto Networks devices are left with the default privilege of Superuser, and dynamic-based control. Indeni is read-only and does not make any changes to the device’s configurations or policies. However, it does need administrator access to run commands like debug device-server show or debug log-receiver statistics.
We recommend the above role configuration because, as the product continues to expand its knowledge base, the Indeni credentials will need enough flexibility to support new scripts that may require access to API and SSH commands, which are otherwise strictly defined with custom roles.
Configuring Custom Roles
Should internal policies require that Indeni use the minimum privileges needed to collect and analyze data from the devices, we recommend following the guidance below when creating custom credentials:
The enabled/disabled options should be set as follows:
- Web UI – Disable All
- XML API – Operational Requests
- Command Line – “deviceadmin”
Enable SNMP Monitoring
Palo Alto Networks Configuration (Panorama | Firewall)
Using the Graphical User Interface:
- Step 1: Select Device > Setup > Interfaces > Management.
  - Ensure SNMP is enabled on the Management interface.
  - Also be sure the IP address of the Indeni server is in the Permitted IP Addresses list.
- Step 2: If you are using an interface other than “Management” for management of the firewall, you will need to enable the SNMP service on the interface management profile.
  - If so, select Network > Interfaces.
  - Select the interface you use for management.
  - Select Advanced > Other Info.
  - Select a management profile with SNMP enabled or create a new profile.
- Step 3: Select Device > Setup > Operations
- Step 4: It is recommended to enable SNMPv3 instead of v2c. If your Indeni Server is running 7.0 or higher, SNMPv3 is supported.
- Step 5: Click SNMP Setup
- Step 6: Optional: Specify the physical location of the firewall
- Step 7: Optional: Enter the name of the person or group responsible for maintaining the firewall
- Step 8: Version: If SNMP v2c is already enabled, we recommend you change to SNMPv3 if your Indeni Server is running 7.0 or newer
- Step 9: Click Add, and enter a name for the view group
- Step 10: Click Add, and specify a name for the view
- Step 11: OID: Specify the OID of the MIB.
- Step 12: Option: Select the matching logic
- Step 13: Mask: Specify the Mask in hexadecimal format
  - If you want to provide access to all management information, you can use OID 1.3.6.1 and set the Mask to 0xf0.
  - For more information see Palo Alto Networks documentation.
- Step 14: In the Users section, click Add to create a new user
- Step 15: Users: Specify a username to identify the SNMP user account.
- Step 16: View: Assign the group of views (Step #9) to the user.
- Step 17: Auth Password: Specify the authentication password of the user. The firewall uses Secure Hash Algorithm (SHA-1 160) to encrypt the password.
- Step 18: Priv Password: Specify the privacy password of the user. The firewall uses the password and Advanced Encryption Standard (AES-128) to encrypt SNMP traps and responses to statistics requests.
- Step 19: Click OK
- Step 20: Click OK and then Commit your changes
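How the OID, Mask and Option fields from Steps 11 to 13 combine to decide what the SNMP user can read, as an added Python example (not Indeni or Palo Alto Networks code). It implements standard SNMP view matching from RFC 3415 and assumes PAN-OS follows those semantics; the view groups are constructed samples.

```python
# Added example: SNMP view matching as defined by VACM (RFC 3415).
# Assumption: PAN-OS evaluates OID / Mask / Option with these standard semantics.

def parse_oid(text):
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1)"""
    return tuple(int(part) for part in text.strip(".").split("."))

def mask_bits(mask_hex, length):
    """One bit per sub-identifier, most significant bit first.
    1 = must match exactly, 0 = wildcard; short masks are padded with 1s."""
    digits = mask_hex[2:] if mask_hex.lower().startswith("0x") else mask_hex
    bits = [(byte >> shift) & 1 for byte in bytes.fromhex(digits)
            for shift in range(7, -1, -1)]
    bits += [1] * (length - len(bits))
    return bits[:length]

def entry_matches(oid, subtree, mask_hex):
    """True if oid falls under a single view entry (subtree + mask)."""
    if len(oid) < len(subtree):
        return False
    bits = mask_bits(mask_hex, len(subtree))
    return all(bit == 0 or a == b for bit, a, b in zip(bits, oid, subtree))

def in_view(oid_text, view_group):
    """view_group is a list of (oid, mask, option) entries, option being
    'include' or 'exclude'. The matching entry with the longest subtree
    decides; an OID that matches no entry is not readable."""
    oid = parse_oid(oid_text)
    hits = [(parse_oid(sub), option) for sub, mask, option in view_group
            if entry_matches(oid, parse_oid(sub), mask)]
    if not hits:
        return False
    _, option = max(hits, key=lambda hit: (len(hit[0]), hit[0]))
    return option == "include"

# Constructed sample view groups (illustrative, not from the vendor documentation).
ALL_MGMT = [("1.3.6.1", "0xf0", "include")]          # four sub-identifiers must match
MIB2_NO_IP = [("1.3.6.1.2.1", "0xfc", "include"),    # MIB-2 only (six bits set)
              ("1.3.6.1.2.1.4", "0xfe", "exclude")]  # minus the ip group
IF_ROW_3 = [("1.3.6.1.2.1.2.2.1.0.3", "0xffa0", "include")]  # any column, ifIndex 3

if __name__ == "__main__":
    for name, group in [("ALL_MGMT", ALL_MGMT), ("MIB2_NO_IP", MIB2_NO_IP),
                        ("IF_ROW_3", IF_ROW_3)]:
        for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.4.20.1.1",
                    "1.3.6.1.4.1.25461.2.1.2.1.1.0", "1.3.6.1.2.1.2.2.1.10.3"):
            print(f"{name:11} {oid:32} {'readable' if in_view(oid, group) else 'denied'}")
```

The catch-all view exposes every OID under 1.3.6.1, including the enterprise subtree, while the narrower groups show how a longer OID, more mask bits and an exclude entry restrict the monitoring user to what it needs.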
Using the Command Line Interface:
- Step 21: Run the following commands:
configure
set deviceconfig system service disable-snmp no
set deviceconfig system snmp-setting access-setting version v3 views $VIEW_GROUP_NAME view $view_name oid 1.3.6.1
set deviceconfig system snmp-setting access-setting version v3 views $VIEW_GROUP_NAME view $view_name option include
set deviceconfig system snmp-setting access-setting version v3 views $VIEW_GROUP_NAME view $view_name mask 0xf0
set deviceconfig system snmp-setting access-setting version v3 users $USER_NAME authpwd $AUTH_PASSWORD
set deviceconfig system snmp-setting access-setting version v3 users $USER_NAME privpwd $PRIV_PASSWORD
set deviceconfig system snmp-setting access-setting version v3 users $USER_NAME view $VIEW_GROUP_NAME
set deviceconfig system snmp-setting snmp-system location $LOCATION
set deviceconfig system snmp-setting snmp-system contact $CONTACT_NAME
commit
Indeni Server Configuration:
- Step 22: Click the Devices icon on the side panel on the left-hand side of the screen
- Step 23: Select Credential Sets, and create a new credential set or modify an existing one
- Step 24: Select SNMPv3
- Step 25: Security Name: Enter the username from the “Users” step of the PAN-OS SNMP setup.
- Step 26: Select Authentication and privacy
- Step 27: Select SHA
- Step 28: Select AES128
- Step 29: Enter the Privacy Passphrase from the “Priv Password” step of the PAN-OS SNMP setup.
- Step 30: Enter the Authentication Passphrase from the “Auth Password” step of the PAN-OS SNMP setup.
- Step 31: Click Add
- Step 32: Click the Analysis icon on the side panel on the left-hand side of the screen
- Step 33: Select Query > Add New Graph
- Step 34: Select one of the managed Palo Alto Networks devices
  - Domain: OS
  - Metric: CPU
- Step 35: Verify that Management-Plane CPU utilization is received from the Palo Alto Networks device