Palo Alto application data missing from Netflow
We havebeen able to get Netflow data working for a Palo Alto PA-820 firewall, but we are not seeing the application data show up. Does anyone have any suggestions on next steps we could take? Here is what has been done so far: Netflow profile has been configured on the Palo Alto side and assigned to the interface, including selecting the PAN-OS Field Types to get the App-ID and User-ID (https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/netflow-monitoring/configure-netflow-exports) nbarhas been enabled on the collector: # enable netflow support for NBAR, IPV6 and Multicast fields netflow.nbar.enabled=true # enable netflow support for IPV6 fields netflow.ipv6.enabled=true Collector version is 34.003 We’re seeing everything we expect except the app & systemsdata on the Traffic tab for the device: Any thoughts on what we might be missing? Thank you. :-)88Views6likes1CommentNeed help on PaloAlto_FW_RunningConfigXML API configsource
Currently, the sole option is to collect/view the configuration xml when a change occurs. So,IsthereawayinLMtogenerateareportusingthePaloAlto_FW_RunningConfigXMLAPIconfigsource? or Is it possible to collect the configuration backup at any specific time interval? Thanks in advance :)71Views16likes2CommentsPalo Alto Prisma SD-WAN (formerly CloudGenix)
We have developed new Prisma SD-WAN modules that use the Unified SASE SD-WAN API to monitor ION performance, health, tunnels… We’re looking for customers who already monitor their ION devices via SNMP that would be interested/willing to work with us to verify that that data we’re collecting via Palo Alto’s API matches what we get with SNMP. Two requirements: You are currently monitoring discrete ION devices via SNMP Your CloudGenix portal has been migrated to Prisma Cloud. If you meet these requirements and would like to be considered for pre-release environment verification, please DM me. This pre-release testing would involve LM running some Palo Alto Prisma Unified SASE SD-WAN API calls to compare the results against what we get from SNMP. This does not involve/required adding modules to your portal. However, after this environment verification, we’d be happy to work with you as an early adopter of the new modules.285Views38likes4CommentsGenerally Availability Announcement: Palo Alto Prisma SD-WAN modules
Today, new Palo Alto Prisma SD-WAN (formerly CloudGenix) modules are generally available via LM Exchange. The link to the product documentation is →https://www.logicmonitor.com/support/palo-alto-prisma-sd-wan-monitoring#h-compatibility62Views18likes0CommentsPalo Alto XML Response Help
I am interested in improving some of the Palo Alto monitoring and would like to create a datasource that looks at the chassis led’s for a particular alarm status. Using the XML APIexplorer the command is this: <show><system><state><filter>chassis.leds</filter></state></system></show> The response is below and without using the filter parameter the result body is a giant mess of information. I’ve taken an existing ds, cloned it but my scripting knowledge of xmlslurper, parsetext and such is failing to discover anything. Also the response below is not in the typical format the output of the other PA datasources have with regards to slots etc..so I’m stuck on the output part of my script and it doesn’t discover anything. What I want is an instance named chassis.leds and then data from a couple of the values below. Once I get this working I would likely create another DS that checks the status of the disk RAID configuration. How would you write the output? <responsestatus="success"> <result> <![CDATA[ chassis.leds: { 'alarm': Off, 'fans': Off, 'ha': Off, 'log': Off, 'service': Off, 'status': Green, 'temp': Green, } ]]> </result> </response>Solved221Views3likes13CommentsCan LM Config Monitor and Alert on Palo Firewall Rules Changes ?
Hi ! My customer wants to be able to generatea weekly report on any changes made in the rules of their Palo Alto firewalls (hundreds) whether this is done as part of a template push or a one-off. Is this something that LM Config can provide ? Cheers, Scott H86Views2likes1CommentPalo Alto Improvements
Here are some datasources we added to get better information on Palo Alto firewalls: Certificate Status:KFWLJ9 High Availability Detail:EMXWRR(this one includes a bunch of HA info, including HA link status, compat status and so forth. Many auto properties for reference on the local and peer units. All datapoints currently use the default alert templates, but I am hoping to extend that and leverage the auto properties for those messages) Support Status:3YJJCZ License Status:DXEAP4 All use the XML API, so will require security review (no idea how long that takes).173Views9likes18CommentsPaloAlto 'apikey' PropertySource
Hello! I've created a property source (PS script) that will retrieve/populate automatically the 'paloalto.apikey.pass' property withinPalo Alto firewalls (since a bunch of datasources require that key). This will be easier than retrieving the api key manually & then createthe custom propertyfor each firewall. this will makeuse of the ssh credentials & also requires aLM apikey in order to actually PATCH the device in question. Sharing this with everyone in case it is useful for you guys as well. I've tried to publish it in LM Exchange but I'm retrieving theerror below: I'm new to LM so, excuse me if I'm being noob &missing an obvious thing? Shared the PS script within GitHub ->https://github.com/vitor7santos/LogicMonitor.git Feel free to use it & let me know your comments/suggestions/etc... Regards,98Views0likes4CommentsCollector could not verify/register if using Palo Alto SSL decryption feature
Just in case this helps other customers... SYMPTOMS: The Windows collector installed ok and the two Collector services were running but the collector could not finish the verification/registration step and showing the 'flame alert' on Settings > Collectors screen. After some troubleshooting, we looked in the wrapper.log file on the collector and saw this error message: [MSG] [CRITICAL] [main::controller:main] [AgentHttpService.checkCertificateOrWait2Valid:1029] The santaba server is not trusted, and "EnforceLogicMonitorSSL" is enabled. Wait 1 minute to retry. Please check the network settings, or disable "EnforceLogicMonitorSSL" in agent.conf and restart collector The customer set up a whitelist on their Palo Alto firewall for *.logicmonitor.com and it started working (or list of ~15 IP address ranges). Alternatively you can lowersecurity and changethe agent.conf (config file) fromEnforceLogicMonitorSSL=true to false.17Views0likes1Comment