Does anyone know how to set up a Palo Alto firewall to use SNMP V3 with NPM? V2 was easy to set up. I can't figure out V3.
If you go to page 35 and 36, the guide below should aid you in configuring your firewall.
http://digitalscepter.com/wp-content/uploads/PAN-Guides/Palo-Alto-4.1_Administrators_Guide.pdf
We have seen it... It doesn't help us. We configured an SNMP user and name, but in the name section we don't understand how to write the mask. We are also unsure what MIB to enter. I put in 1.3.6.1 and left the mask blank. That MIB was readable when we were using V2. I also tried putting in a mask of 0xf0 and 0xffffffff... I have also tried changing the option from include to exclude. None of it has helped. We have not been able to figure out from the Palo Alto side where the problem is because we see nothing in the logs. We also don't see a way to troubleshoot it from the Solarwinds side. I know it isn't working, but we have no indication why... May try a network capture, but since it should be encrypted, I will only be able to see if the session connects.
You can decipher it using WireShark. You can go into the settings and into the SNMP area and enter the user, authentication, privacy, and the passwords to see the packets. As far as what MIB to unlock, I'd recommend mib-2. It opens things up a bit, but will make sure Orion can see the RFC MIBs it needs. There shouldn't be a mask needed as Orion NPM doesn't require one. It should all depend on the view that's set up, the user, the authentication, and privacy that's set up.
So I have opened a case with PaloAlto and Solarwinds. Neither was helpful. PaloAlto doesn't seem to know anything about SNMPv3 and Solarwinds didn't have any more information on it. We have established that the problem is a PaloAlto issue, but you can't really troubleshoot the issue with WireShark since most of the communication is encrypted (PaloAlto does not do unencrypted SNMPv3). We are pretty sure we authenticate OK, but we can't make the OIDs accessible. The way PaloAlto does the filters for the MIBs is unlike anything anyone else does. Since they can't explain what they want, we remain stuck on SNMPv2 (which works flawlessly, but makes my security people unhappy).
Just thought I would update the post in case anyone had new ideas.
I'm having the same problems with Solarwinds not being able to accept SNMP v3 traps for my Cisco devices. They claim the issue will be fixed in the next release, which they also told me before the current release, so I'll believe it when I see it.
Here is how it is done:
For the 2050, here is what I had to do:
Under Device->Setup-Operations, click on SNMP setup
Enter the physical location field, contact, change from v2 to v3
Add a new View; name=Solarwinds View=EnginID OID=1.3.6.1.6, option=Include mask=0x80 (per PAN tech support)
Add new user; use the SNMP v3 username, passphrase and Priv, view should be the one created in the previous step
Run the following from a Linux box to get the firewall's engine ID; snmpget -v 3 -u [username] -l authPriv -a SHA -A [auth password] -x AES -X [priv password] [IP address] 1.3.6.1.6.3.10.2.1.1.0
Copy the engine ID
On the firewall, add a new snmp trap
Name=SolarwindsV3
Server=coftpmon1
Manager=10.210.32.53
User= snmpv3 username
Engine ID = 0x80 (hex string with no spaces from the snmpget output)
Auth= snmpv3 auth
Priv= snmpv3 priv
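What an OID plus mask in a view means under RFC 3415 (the SNMPv3 view-based access control model), worked through for the OID and mask combinations tried in this thread. This is an added example, not part of the original posts; that the firewall's View/OID/Mask/Option fields follow the RFC rules is an assumption.

```python
# Added example: view-family matching as defined in RFC 3415.
# Assumption: the firewall's View/OID/Mask/Option fields follow these rules.

def parse_oid(text):
    return tuple(int(part) for part in text.strip(".").split("."))

def mask_bits(mask_hex, length):
    """One bit per sub-identifier, most significant bit first.
    Missing bits (short or blank mask) are filled with 1 = exact match."""
    digits = mask_hex[2:] if mask_hex.lower().startswith("0x") else mask_hex
    bits = [(byte >> (7 - i)) & 1 for byte in bytes.fromhex(digits) for i in range(8)]
    return (bits + [1] * length)[:length]

def in_family(oid, subtree, mask_hex=""):
    """True if oid falls in the family described by subtree + mask."""
    oid, subtree = parse_oid(oid), parse_oid(subtree)
    if len(oid) < len(subtree):
        return False
    bits = mask_bits(mask_hex, len(subtree))
    return all(bit == 0 or a == b for bit, a, b in zip(bits, oid, subtree))

def is_readable(oid, view):
    """view is a list of (subtree, mask, option) rows. Among the rows that
    match, the one with the longest subtree decides; no match means no access."""
    hits = [(len(parse_oid(s)), parse_oid(s), opt) for s, m, opt in view if in_family(oid, s, m)]
    return bool(hits) and max(hits)[2] == "include"

SYS_DESCR = "1.3.6.1.2.1.1.1.0"          # mib-2 object a poller reads
ENGINE_ID = "1.3.6.1.6.3.10.2.1.1.0"     # OID from the snmpget in the post
PAN_MIB = "1.3.6.1.4.1.25461.2.3.6"      # PA-500 OID quoted in the thread

def demo():
    rows = []
    for subtree, mask in [("1.3.6.1", ""), ("1.3.6.1", "0xf0"), ("1.3.6.1", "0xffffffff"),
                          ("1.3.6.1.6", ""), ("1.3.6.1.6", "0x80")]:
        view = [(subtree, mask, "include")]
        rows.append((subtree, mask or "blank",
                     [is_readable(o, view) for o in (SYS_DESCR, ENGINE_ID, PAN_MIB)]))
    return rows

if __name__ == "__main__":
    for subtree, mask, readable in demo():
        print(f"{subtree:<10} mask={mask:<10} sysDescr/engineID/PAN = {readable}")
```

Under these rules a blank mask, 0xf0 and 0xffffffff on 1.3.6.1 are equivalent, while 0x80 on 1.3.6.1.6 wildcards every sub-identifier after the first, so that view is far wider than its OID suggests.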
I see this is several years ago if dates are correct. Was this ever resolved? I am having issues with Solarwinds and PA-500, PAN-OS 6.1.4, SNMPv3. I believe the mask should be 0x80.
Unsure what Palo Alto means by "View".
I have been successful with establishing:
A) SSH2 session between Solarwinds and PA-500;
B) ICMP between Solarwinds and PA-500.
Will try your suggestions for PA-500. Unfortunately we are in an environment where one cannot connect other devices such as a Linux/Unix laptop.
For PA-500, changed OID to 1.3.6.1.4.1.25461.2.3.6, per Palo Alto Networks latest MIBs.
It doesn't appear to have been answered, and I'd like someone to explain how to set up v3, period.
We've been using v2c and now we have devices that won't do anything but v3 and I have yet to find any documentation that explains what you need to do and why.
There are plenty of pages of paragraphs and diagrams and flow charts on authentication that I really don't care about. I just want to know what to put where and why and if that comes from somewhere else. For instance, the checklist below is extremely helpful (I stole it from linevty.com Cisco IOS, SNMPv3 and SolarWinds NPM - The correct way!), but it doesn't explain WHERE these usernames and passwords come from. Are they ones you just make up for SolarWinds Orion and consistently use? Or is there some configuration that has to happen on the SolarWinds Orion server to set this up? I've posted quite a few things to the community and have yet to get any response on them. I don't know if I'm being considered a noob and therefore my questions are stupid, or if no one really knows how to help. If it's the noob thing, suck it up and give me some information that's not condescending. If it's because you genuinely don't know how to explain it... I'm not even going to complete that sentence.
So tell me where I get the bold items from:
When configuring Solarwinds NPM to add your SNMPv3 credential, follow these steps;
And now you can press 'Test', and this should come up with 'Test Successful'
We were recently able to get SNMPv3 working on a Palo firewall. Ran into a lot of issues, most of which being me not knowing about SNMP.
Step 1 absolutely has to be getting SNMPv3 working with SNMPWalk. It is a waste of time to configure it in Solarwinds without it actually working in SNMPWalk. Everything I was doing on the server side looked right, and probably was, but without the SNMP connection, it kept failing. I worked with my network engineer to get SNMPWalk working.
SnmpWalk is located in C:\Program Files (x86)\SolarWinds\Orion\SnmpWalk.exe
1. Open SnmpWalk and fill in the following information:
Agent Address or DNS name: 10.0.0.123 (Your Palo IP)
Port: 161 (default setting)
SNMP Timeout [ms]: 2500 (I started changing this to 500 so I didn't have to wait so long)
Select 'Version 3' from the dropdown
Root OID: 1.3.6.1.4.1.25461.2.3.XX (replace the XX with the correct OID of whatever model you have)
Username: create a user on the Palo and use the username here (case sensitive).
Context: (leave this blank)
Select Authentication and Privacy
Authentication Algorithm: SHA
Authentication Password: from the account created on your Palo
Privacy Algorithm: AES128
Privacy Password: from the account created on your Palo. I used the same password to make things easier during setup. You can always change this after you get it working. Keep things simple.
Do NOT check Password is a key box on either.
Hit the Scan button
Mine found 11 OIDs at this level and deleting the numbers back to the Palo identifier (25461) raised the found OIDs to 2-300 and going to 1.3.6.1 produced about 3000 OIDs. If you can't find anything or it says it is timing out, your Palo settings are off. Leave SnmpWalk as is so you can hit Scan when you want to test.
As for the Palo configuration, I am not the NA so I will try to do what I can to explain what I can remember. It started by printing off the pages mentioned above from the admin guide. I gave that to my NA and had him put that information in there. The important takeaway from that was the different locations that have to be changed for SNMP. Follow along with the tab selections and values.
What we had done prior to this:
What we saw that had us scratching our heads:
After SnmpWalk is successful, add a node in SolarWinds with the same settings as used by SnmpWalk.
I'm still not 100% on my installation/configuration. I will try to add some more information and details on the Palo side when I get some free time.
Good luck, this kicked my butt and I still don't have everything configured. Hope this helps someone at least a little bit.
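Why the trap entry earlier in the thread needs the firewall's engine ID, and what a "password is a key" option refers to, shown with the RFC 3414 key derivation for SHA authentication. This is an added example, not part of the original posts; the engine ID values in `demo()` are constructed, and reading the SnmpWalk checkbox as "the field already holds a derived key" is an assumption.

```python
# Added example: SNMPv3 USM passphrase-to-key derivation (RFC 3414, HMAC-SHA-96).
import hashlib

def password_to_key_sha1(passphrase: str) -> bytes:
    """Stretch a passphrase: SHA-1 over the passphrase repeated to 1,048,576 bytes."""
    pw = passphrase.encode()
    if not pw:
        raise ValueError("empty passphrase")
    total = 1024 * 1024
    stream = (pw * (total // len(pw) + 1))[:total]
    return hashlib.sha1(stream).digest()

def localize_key(master_key: bytes, engine_id: bytes) -> bytes:
    """Bind the stretched key to one SNMP engine (one device)."""
    return hashlib.sha1(master_key + engine_id + master_key).digest()

def parse_engine_id(text: str) -> bytes:
    """Accept '0x8000...' or spaced/colon-separated hex as printed by snmpget."""
    cleaned = text.strip().replace(" ", "").replace(":", "")
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    return bytes.fromhex(cleaned)

def device_key(passphrase: str, engine_id_text: str) -> str:
    """Hex of the key actually used to authenticate messages for one device."""
    master = password_to_key_sha1(passphrase)
    return localize_key(master, parse_engine_id(engine_id_text)).hex()

def demo():
    # Constructed engine IDs for two hypothetical devices sharing one passphrase.
    fw1 = device_key("ExamplePassphrase1", "0x80 00 1F 88 80 AA BB CC 01")
    fw2 = device_key("ExamplePassphrase1", "0x80 00 1F 88 80 AA BB CC 02")
    return fw1, fw2

if __name__ == "__main__":
    fw1, fw2 = demo()
    print("device 1 key:", fw1)
    print("device 2 key:", fw2)
    print("same passphrase, same key?", fw1 == fw2)
```

The passphrase typed into the poller is never used directly: it is stretched and then tied to the device's engine ID, which is why a trap receiver needs the sender's engine ID and why entering a passphrase in a field that expects a derived key fails authentication.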
I had to go through the same steps to get snmp polling for Checkpoint Firewalls. I also had to create a custom poller to get the OS Version and Vendor and Machine Type. If you're interested, here are my notes on it: How to monitor check point firewall using NPM
Just to answer dsp's question (bit late I know) the username and password you make up yourself. Create it on the routers/switches similar to how you would a local user account, and then put those same credentials into Orion's web interface when adding the node.
This is the command for an IOS router to create the user on the device;
snmp-server user SolarWinds SNMP-AUTH v3 auth sha 4uthPassw0rd priv aes 256 Pr1vPass0rd
You could use a different combination on every router, but it's much easier to use the same throughout, and then use NCM or other config manager to change the password every few weeks/months based on your security requirements.