https://live.paloaltonetworks.com/t5/general-topics/certificates-not-appearing-in-xml-running-configuration/m-p/544123#M111377 <P>Dear colleagues,</P> <P>&nbsp;</P> <P data-unlink="true">I am having trouble with the custom Nagios plugin <A href="https://nagios-check-paloalto.readthedocs.io/en/latest/readme.html" target="_self">check_paloalto</A>, specifically with the "certificates" check.</P> <P data-unlink="true">The rest of the checks are working fine.</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">Basically, the "certificates" check leverages the API calls and parse the XML running configuration file to find the certificates. The issue is that my firewalls (which are managed by Panorama, which in turn pushes the certificates from a template) do not present the certificate part in the XML configuration file. I verified it by calling the same API in the browser.</P> <P data-unlink="true">My goal is having a Nagios check that is triggered when a certificate is near the expiration date, since we are using them for SSL Inspection and other reasons.</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">Panorama and firewalls are running PAN-OS 10.1.10, and Nagios is running version 5.9.3.</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">Is there any reason why this happens?</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">Many thanks!</P> Wed, 31 May 2023 08:30:08 GMT GGarolla 2023-05-31T08:30:08Z https://live.paloaltonetworks.com/t5/general-topics/certificates-not-appearing-in-xml-running-configuration/m-p/544123#M111377 <P>Dear colleagues,</P> <P>&nbsp;</P> <P data-unlink="true">I am having trouble with the custom Nagios plugin <A href="https://nagios-check-paloalto.readthedocs.io/en/latest/readme.html" target="_self">check_paloalto</A>, specifically with the "certificates" check.</P> <P data-unlink="true">The rest of the checks are working fine.</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">Basically, the "certificates" check leverages the API calls and parse the XML running configuration file to find the certificates. The issue is that my firewalls (which are managed by Panorama, which in turn pushes the certificates from a template) do not present the certificate part in the XML configuration file. I verified it by calling the same API in the browser.</P> <P data-unlink="true">My goal is having a Nagios check that is triggered when a certificate is near the expiration date, since we are using them for SSL Inspection and other reasons.</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">Panorama and firewalls are running PAN-OS 10.1.10, and Nagios is running version 5.9.3.</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">Is there any reason why this happens?</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">Many thanks!</P> Wed, 31 May 2023 08:30:08 GMT https://live.paloaltonetworks.com/t5/general-topics/certificates-not-appearing-in-xml-running-configuration/m-p/544123#M111377 GGarolla 2023-05-31T08:30:08Z https://live.paloaltonetworks.com/t5/general-topics/certificates-not-appearing-in-xml-running-configuration/m-p/544158#M111384 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/215584">@GGarolla</a> ,</P> <P>What you are experiance is by design. Configuration pushed by Panorama is not stored in firewall local configuration, but it is stored separately as "panorama pushed" config. </P> <P>&nbsp;</P> <P>I don't have access to FW right now, but there are CLI operation commands that allow you to list/view the panorama pushed config, I am sure there should be XML API call for those as well.</P> <P>&nbsp;</P> <P>However in the link you shared is mentioned that&nbsp; Nagios is using the Rest API (note that PAN FWs supprot XML and REST, but they are different). REST was introduced fairly recently and it has its limitations, some commands/actions are available only under XML API.</P> Wed, 31 May 2023 12:38:35 GMT https://live.paloaltonetworks.com/t5/general-topics/certificates-not-appearing-in-xml-running-configuration/m-p/544158#M111384 aleksandar.astardzhiev 2023-05-31T12:38:35Z https://live.paloaltonetworks.com/t5/general-topics/certificates-not-appearing-in-xml-running-configuration/m-p/544749#M111461 <P>Thanks for your response, Aleksandar.</P> <P>I will investigate the REST API and maybe I will try to customize the check in order to check if I can use the XML API to review the Panorama pushed configuration</P> Mon, 05 Jun 2023 07:22:50 GMT https://live.paloaltonetworks.com/t5/general-topics/certificates-not-appearing-in-xml-running-configuration/m-p/544749#M111461 GGarolla 2023-06-05T07:22:50Z