Level 9

NCM Real Time Change Notice on Palos seems to be one update behind.


So I've used and supported SolarWinds in a Cisco environment for years.

I just recently added some Palo Alto Firewalls to NCM.

I created two new Syslog viewer alerts for Palo; one sends login notice e-mails and works fine.

The other alert looks only at messages from my Palo IPs with the message pattern " *Config*,*commit* ", and executes: "C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.NCM.RTNForwarder.exe ${IP_Address},RealtimeNotification,${DateTime},${Message}"
It downloads the config before the Palo has truly completed the update process (commit not completed yet).

The issue is the change notice e-mail is literally a comparison of the prior version to the version before that, not the current running config.

For example, if I create a new object Test1 on the firewall and commit the change at 1200, RTN does its stuff.

At 1230 I create a new object Test2 and commit the change. When I get the change e-mail from SolarWinds, it shows the Test1 object was created, not the Test2 object.

I update the firewall the next day and do a commit, and the e-mail shows the Test2 object was created (which was done the day prior).

Is there any way to slow down the processing of the real time change actions for my Palos?
I'm assuming someone has seen this, but didn't see any posts about it.


Level 9

So found the fix.

So Palo has 4 sections under logging (System, Configuration, User-ID, HIP Match).

On the Palo Alto, instead of sending the configuration messages to Syslog, and setting the alert to look for messages with Commit, I had to create a new System log filter to look for (description contains 'Commit job succeeded') and send those to the Syslog server.

On the SolarWinds server, I changed the Alerts / Filter Rules; I changed the message to *"Commit job succeeded. Completion time*, and it is now working properly.
See the screenshot for additional info if you run into this problem.


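The behaviour described in the question and the accepted fix can be replayed in a few lines. This is an added example, not code from the thread, SolarWinds or Palo Alto; the log lines are constructed and simplified, the 90-second commit duration is made up, and case-insensitive wildcard matching of the alert pattern is an assumption.

```python
from fnmatch import fnmatchcase

# Constructed syslog stream (not real PAN-OS output): each commit yields a
# Configuration-log line when it is submitted and a System-log line when the
# job finishes. The third field names the object that becomes part of the
# running config at that moment (None while the commit job is still running).
EVENTS = [
    ("12:00:00", "CONFIG,commit,admin,Web,Submitted", None),
    ("12:01:30", "SYSTEM,general,Commit job succeeded. Completion time=12:01:30", "Test1"),
    ("12:30:00", "CONFIG,commit,admin,Web,Submitted", None),
    ("12:31:30", "SYSTEM,general,Commit job succeeded. Completion time=12:31:30", "Test2"),
]

OLD_PATTERN = "*Config*,*commit*"  # original alert rule from the question
# Rule from the fix (the stray leading quote in the post is omitted here).
NEW_PATTERN = "*Commit job succeeded. Completion time*"


def matches(pattern, message):
    # Assumption: the alert pattern is a case-insensitive wildcard match.
    return fnmatchcase(message.lower(), pattern.lower())


def change_notices(pattern, events=EVENTS):
    """Replay the stream. Each matching message triggers a config download;
    the notice lists objects added since the previously downloaded config."""
    running = set()   # objects in the firewall's running config
    archived = set()  # last config the collector downloaded
    notices = []
    for timestamp, message, applies in events:
        if applies:                    # commit job finished: change is live
            running.add(applies)
        if matches(pattern, message):  # alert fires: download and diff
            notices.append((timestamp, sorted(running - archived)))
            archived = set(running)
    return notices


if __name__ == "__main__":
    print("old rule:", change_notices(OLD_PATTERN))
    print("new rule:", change_notices(NEW_PATTERN))
```

With the old rule the 12:30 notice reports Test1, which is the one-update lag from the question; with the new rule each notice reports the object that was just committed.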
Level 7

What NCM version are you using? I believe I had the same problem and upgrading to 8.0 addressed it, but it now puts the HTML version of notifications into XML tag format.

Level 9

Thanks jhosee.
I found the fix. I could not rely on the Palo Alto Configuration messages; I had to create a System level filter, and update the alert.
