15 Replies Latest reply on Oct 5, 2016 4:41 PM by justinakajuice

    Palo Alto with SNMP V3

    oldguard

      Does anyone know how to set up a Palo Alto firewall to use SNMP V3 with NPM. V2 was easy to set up. I can't figure out V3.

        • Re: Palo Alto with SNMP V3
          mharvey

If you go to page 35 and 36, the guide below should aid you in configuring your firewall.


          http://digitalscepter.com/wp-content/uploads/PAN-Guides/Palo-Alto-4.1_Administrators_Guide.pdf

            • Re: Palo Alto with SNMP V3
              oldguard

We have seen it... It doesn't help us. We configured an SNMP user and name, but in the name section we don't understand how to write the mask. We are also unsure what MIB to enter. I put in 1.3.6.1 and left the mask blank. That MIB was readable when we were using V2. I also tried putting in a mask of 0xf0 and 0xffffffff... I have also tried changing the option from include to exclude. None of it has helped. We have not been able to figure out from the Palo Alto side where the problem is because we see nothing in the logs. We also don't see a way to troubleshoot it from the Solarwinds side. I know it isn't working, but we have no indication why... May try a network capture, but since it should be encrypted, I will only be able to see if the session connects.

                • Re: Palo Alto with SNMP V3
                  mharvey

                  You can decipher it using WireShark.  You can go into the settings and into the SNMP area and enter the user, authentication, privacy, and the passwords to see the packets.  As far as what MIB to unlock, I'd recommend mib-2.  It opens things up a bit, but will make sure Orion can see the RFC MIBs it needs.  There shouldn't be a mask needed as Orion NPM doesn't require one.  It should all depend on the view that's setup, the user, the authentication, and privacy that's setup.

                  • Re: Palo Alto with SNMP V3
                    oldguard

                    So I have opened a case with PaloAlto and Solarwinds. Neither was helpful. PaloAlto doesn't seem to know anything about SNMPv3 and Solarwinds didn't have any more information on it. We have established that the problem is a PaloAlto issue, but you can't really troubleshoot the issue with WireShark since most of the communication is encrypted (PaloAlto does not do unencrypted SNMPv3). We are pretty sure we authenticate OK, but we can't make the OIDs accessible. The way PaloAlto does the filters for the MIBs is unlike anything anyone else does. Since they can't explain what they want, we remain stuck on SNMPv2 (which works flawlessly, but makes my security people unhappy).


                    Just thought I would update the post in case anyone had new ideas.

                • Re: Palo Alto with SNMP V3
                  oklier@urban-ls.com

                  For the 2050, here is what I had to do:


                  Under Device->Setup-Operations, click on SNMP setup

                  Enter the physical location field, contact, change from v2 to v3

                  Add a new View; name=Solarwinds View=EnginID OID=1.3.6.1.6, option=Include mask=0x80 (per PAN tech support)

                  Add new user; use the SNMP v3 username, passphrase and Priv, view should be the one created in the previous step

Run the following from a linux box to get the firewall's engine ID; snmpget -v 3 -u [username] -l authPriv -a SHA -A [auth password] -x AES -X [priv password] [IP address] 1.3.6.1.6.3.10.2.1.1.0

                  Copy the engine ID

                  On the firewall, add a new snmp trap

                  Name=SolarwindsV3

                  Server=coftpmon1

                  Manager=10.210.32.53

                  User= snmpv3 username

                  Engine ID = 0x80 (hex string with no spaces from the snmpget output)

                  Auth= snmpv3 auth

                  Priv= snmpv3 priv
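Added example (not from any poster, and not Palo Alto's or SolarWinds' code): the "mask" that the thread keeps tripping over is the RFC 3415 vacmViewTreeFamilyMask. Each bit, most significant bit first, corresponds to one sub-identifier of the view's OID; a 1 means that sub-identifier must match exactly, a 0 is a wildcard, and any bits the mask does not supply count as 1. The script implements that test so you can see which OIDs a view such as 1.3.6.1.6 with mask 0x80 actually admits, and it also collapses the Hex-STRING that snmpget prints for snmpEngineID into the no-spaces 0x... form the trap-receiver dialog asks for. It assumes PAN-OS applies the standard RFC 3415 semantics; the sample snmpget line and its engine ID are constructed, not captured from a real device.

```python
"""RFC 3415 view-family matching for SNMPv3 views (subtree + hex mask),
plus a parser for the snmpEngineID line that snmpget prints.
Added example; assumes PAN-OS follows the RFC 3415 mask semantics."""
import re


def parse_oid(oid: str) -> list:
    """'1.3.6.1.6' -> [1, 3, 6, 1, 6]; a leading dot is tolerated."""
    return [int(p) for p in oid.strip().strip(".").split(".")]


def mask_bytes(mask_hex: str) -> bytes:
    """'0x80' -> b'\\x80'; a blank mask (as in the thread) -> b''."""
    h = mask_hex.strip().lower()
    if h.startswith("0x"):
        h = h[2:]
    return bytes.fromhex(h)


def mask_bits(mask_hex: str, n_subids: int) -> list:
    """One flag per subtree sub-identifier, MSB of the first octet first.
    A mask shorter than the subtree is extended with 1s (exact match)."""
    bits = [bool((b >> i) & 1) for b in mask_bytes(mask_hex) for i in range(7, -1, -1)]
    bits = bits[:n_subids]
    return bits + [True] * (n_subids - len(bits))


def oid_in_family(oid: str, subtree: str, mask_hex: str = "") -> bool:
    """True if oid falls under subtree/mask: it must have at least as many
    sub-identifiers as the subtree and agree on every one whose mask bit is 1."""
    x, sub = parse_oid(oid), parse_oid(subtree)
    if len(x) < len(sub):
        return False
    return all((not must) or xi == si
               for must, xi, si in zip(mask_bits(mask_hex, len(sub)), x, sub))


def oid_in_view(oid: str, view) -> bool:
    """view: iterable of (subtree, mask_hex, 'include' | 'exclude').
    When several entries match, RFC 3415 picks the longest subtree and then the
    lexicographically greatest mask; the OID is visible only if that entry is an include."""
    best = None
    for subtree, mask_hex, kind in view:
        if oid_in_family(oid, subtree, mask_hex):
            rank = (len(parse_oid(subtree)), mask_bytes(mask_hex))
            if best is None or rank > best[0]:
                best = (rank, kind)
    return best is not None and best[1] == "include"


def engine_id_from_snmpget(output: str) -> str:
    """Collapse net-snmp's 'Hex-STRING: 80 00 ...' into the 0x... form with no
    spaces that the PAN-OS trap-receiver dialog expects."""
    m = re.search(r"Hex-STRING:\s*((?:[0-9a-fA-F]{2}\s*)+)", output)
    if not m:
        raise ValueError("no Hex-STRING value in snmpget output")
    return "0x" + "".join(m.group(1).split()).lower()


# Constructed sample in net-snmp's output format; the engine ID itself is made up.
SAMPLE_SNMPGET = "SNMP-FRAMEWORK-MIB::snmpEngineID.0 = Hex-STRING: 80 00 63 75 03 00 11 22 33 44 55 \n"

if __name__ == "__main__":
    view = [("1.3.6.1.6", "0x80", "include")]  # the recipe PAN support gave in the post
    for probe in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.4.1.25461.2.3.1", "1.3.6.1.6.3.10.2.1.1.0"):
        print(probe, "visible" if oid_in_view(probe, view) else "hidden")
    print(engine_id_from_snmpget(SAMPLE_SNMPGET))
```

Running it shows why the 1.3.6.1.6 / 0x80 recipe "works": only the first sub-identifier has to match, so the view covers everything under 1.*, mib-2 and the 25461 enterprise tree included. Under the same rules 1.3.6.1 with a blank mask, with 0xf0, or with 0xffffffff all select the whole internet subtree, so a view built that way that still returns nothing is worth checking at the user-to-view binding rather than at the mask.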

                  • Re: Palo Alto with SNMP V3
                    solarwindsnwsupport

                    I see this is several years ago if dates are correct.  Was this ever resolved?  I am having issues with Solarwinds and PA-500, PAN-OS 6.1.4, SNMPv3.  I believe the mask should be 0x80.

                    Unsure what Palo Alto means by "View".

                    I have been successful with establishing:

                    A) SSH2 session between Solarwinds and PA-500;

                    B) ICMP between Solarwinds and PA-500.

                      • Re: Palo Alto with SNMP V3
                        dsp

                        It doesn't appear to have been answered, and I'd like someone to explain how to set up v3 period.

                        We've been using v2c and now we have devices that won't do anything but v3 and I have yet to find any documentation that explains what you need to do and why.

                        There are plenty of pages of paragraphs and diagrams and flow charts on authentication that I really don't care about.  I just want to know what to put where and why and if that comes from somewhere else.  For instance, the checklist below is extremely helpful (I stole it from linevty.com Cisco IOS, SNMPv3 and SolarWinds NPM - The correct way!), but it doesn't explain WHERE these usernames and passwords come from.  Are they ones you just make up for SolarWinds Orion and consistently use?  Or is there some configuration that has to happen on the SolarWinds Orion server to set this up?  I've posted quite a few things to the community and have yet to get any response on them.  I don't know if I'm being considered a noob and therefore my questions are stupid, or if no one really knows how to help.  If it's the noob thing, **** it up and give me some information that's not condescending.  If it's because you genuinely don't know how to explain it... I'm not even going to complete that sentence.

                        So tell me where I get the bold items from:


                        When configuring Solarwinds NPM to add your SNMPv3 credential, follow these steps;

                        1. Add your node’s IP address
                        2. Select SNMP and ICMP Monitoring
                        3. Choose SNMPv3 from the ‘SNMP Version’ drop down menu
                        4. Enter your SNMPv3 Username in the ‘SNMPv3 Credentials’ section
                        5. Select ‘SHA1’ as the ‘Method’ from the ‘SNMPv3 Authentication’ section
                        6. Select ‘AES256’ as the ‘Method’ from the ‘SNMPv3 Privacy / Encryption’ section
                        7. Enter your ‘auth’ password in the ‘SNMPv3 Authentication’ section
                        8. Enter your SNMPv3 Username again in the ‘Read / Write SNMPv3 Credentials’ section
                        9. Again, Select ‘SHA1’ as the ‘Method’ from the ‘SNMPv3 Authentication’ section
                        10. Again, Select ‘AES256’ as the ‘Method’ from the ‘SNMPv3 Privacy / Encryption’ section

And now you can press ‘Test’, and this should come up with ‘Test Successful’

                          • Re: Palo Alto with SNMP V3
                            justinakajuice

We were recently able to get SNMPv3 working on a Palo firewall. Ran into a lot of issues, most of which were due to me not knowing about SNMP.


                            Step 1 absolutely has to be getting SNMPv3 working with SNMPWalk. It is a waste of time to configure it in Solarwinds without it actually working in SNMPWalk. Everything I was doing on the server side looked right, and probably was, but without the SNMP connection, it kept failing. I worked with my network engineer to get SNMPWalk working.


                            SnmpWalk is located in C:\Program Files (x86)\SolarWinds\Orion\SnmpWalk.exe


                            1. Open SnmpWalk and fill in the following information:

                            Agent Address or DNS name: 10.0.0.123 (Your Palo IP)

                            Port: 161 (default setting)

                            SNMP Timeout [ms]: 2500 (I started changing this to 500 so I didn't have to wait so long)

                            Select 'Version 3' from the dropdown

                            Root OID: 1.3.6.1.4.1.25461.2.3.XX (replace the XX with the correct OID of whatever model you have)

                            Username: create a user on the Palo and use the username here (case sensitive).

                            Context:    (leave this blank)

                            Select Authentication and Privacy

                            Authentication Algorithm: SHA

                            Authentication Password: from the account created on your Palo

                            Privacy Algorithm: AES128

                            Privacy Password: from the account created on your Palo. I used the same password to make things easier during setup. You can always change this after you get it working. Keep things simple.

                            Do NOT check Password is a key box on either.

                            Hit the Scan button


Mine found 11 OIDs at this level and deleting the numbers back to the Palo identifier (25461) raised the found OIDs to 2-300 and going to 1.3.6.1 produced about 3000 OIDs. If you can't find anything or it says it is timing out, your Palo settings are off. Leave SnmpWalk as is so you can hit Scan when you want to test.


                            As for the Palo configuration, I am not the NA so I will try to do what I can to explain what I can remember. It started by printing off the pages mentioned above from the admin guide. I gave that to my NA and had him put that information in there. The important take away from that was the different locations that have to be changed for SNMP. Follow along with the tab selections and values.


                            What we had done prior to this:

                            • installed WireShark on the SolarWinds server
                            • created an allow Any/Any to the entire network device subnet (unnecessary)
                            • monitored traffic between the Palo and SW server, added rules for everything being blocked and the list of ports that are listed in the SolarWinds Administrator manual


                            What we saw that had us scratching our heads:

• 161 was hitting the Palo, with a good sized payload. Sent traffic back on 162, but it never made it to the server. This must have been a setting on the Palo because the NA resolved it after some time.
                            • 162 finally started hitting the server, but was not delivering traps. This was resolved when SnmpWalk was successful. Spent lots of time on troubleshooting it. No clue why that happened.
• DB would blow up. Logging on the Palo. It was set to send traps of the network traffic, including informational and lows. I think it blew up my SQL instance within three hours. Kept having to truncate the trapsvarbinds table. To get it back to normal levels, I had to open the Orion DB Manager and execute a query: truncate table TrapVarbinds. This would allow me to shrink my SolarWinds db instance, which I did from SQL Server Manager (Right-click SolarWinds db instance, Tasks, Shrink, Database).


                            After SnmpWalk is successful, add a node in SolarWinds with the same settings as used by SnmpWalk.


                            I'm still not 100% on my installation/configuration. I will try to add some more information and details on the Palo side when I get some free time.


                            Good luck, this kicked my **** and I still don't have everything configured. Hope this helps someone at least a little bit.
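Added example, not part of the thread and not SolarWinds' or Palo Alto's code, to show where the engine ID from oklier's post and the "Password is a key" checkbox in the SnmpWalk steps above fit together. Under RFC 3414 the manager never sends the password: it hashes the password into a master key Ku, then localizes it with the agent's snmpEngineID (Kul = H(Ku || engineID || Ku)), so the same password produces a different key for every firewall, and the manager has to learn the engine ID first. For AES128 privacy (RFC 3826) the cipher key is the first 16 bytes of the localized privacy key. The checkbox is modelled as "use the entered hex string as the finished localized key and skip the derivation", which is an assumption about Orion's behaviour, not something the page states; the code shows what happens when a plain password is entered with that box ticked. The reference values used in the test are the RFC 3414 Appendix A.3.2 vector, and the second engine ID is constructed.

```python
"""RFC 3414 USM key derivation: password -> Ku -> Kul (engine-localized key).
Added example; the mapping of the 'Password is a key' checkbox onto this
model is an assumption, not SolarWinds documentation."""
import hashlib


def password_to_key(password: str, hash_name: str = "sha1") -> bytes:
    """Ku (RFC 3414 A.2): hash of the password repeated cyclically to 1,048,576 bytes.
    hash_name is 'sha1' for the SHA option in the thread, 'md5' for MD5."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    total = 1_048_576
    stream = (pw * (total // len(pw) + 1))[:total]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key actually used with this one agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def aes128_priv_key(kul: bytes) -> bytes:
    """RFC 3826: AES-128 uses only the first 128 bits of the localized privacy key."""
    return kul[:16]


def usm_keys(auth_secret: str, priv_secret: str, engine_id: bytes,
             hash_name: str = "sha1", password_is_key: bool = False):
    """Return (auth key, AES128 priv key) as a manager would derive them.
    password_is_key=True models the SnmpWalk checkbox (assumption): the entered
    value is taken as the finished localized key, written in hex, so a plain
    password in that mode fails with ValueError instead of producing a key."""
    if password_is_key:
        return bytes.fromhex(auth_secret), aes128_priv_key(bytes.fromhex(priv_secret))
    auth = localize_key(password_to_key(auth_secret, hash_name), engine_id, hash_name)
    priv = localize_key(password_to_key(priv_secret, hash_name), engine_id, hash_name)
    return auth, aes128_priv_key(priv)


if __name__ == "__main__":
    # Constructed engine ID in the RFC 3411 format (first byte 0x80 + enterprise number).
    eid = bytes.fromhex("8000637503001122334455")
    auth, priv = usm_keys("maplesyrup", "maplesyrup", eid)
    print("auth key:", auth.hex())
    print("AES128 priv key:", priv.hex())
    # Same passwords against a different engine ID give different keys.
    print("other engine:", usm_keys("maplesyrup", "maplesyrup", b"\x02" * 12)[0].hex())
```

Two things fall out of this. Using the same password for auth and priv, as the poster did, gives the same Kul for both; the privacy key is just its first 16 bytes, so it is harmless for getting started but worth splitting afterwards. And a password typed with "Password is a key" ticked is not a hex key at all, which is why that box has to stay clear when you are entering the passphrases configured on the firewall.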
