SNMP Counter Monitoring

Posted 06-06-2016 05:42 AM, edited 10-04-2016 07:15 PM (17,444 Views)

We rely on global counters to troubleshoot many of the problems we see, and customers have come to rely on them to debug issues they run into. Several customers have asked whether these counters can be monitored, so that they know when something is going on and can act on it right away.

Before PAN-OS 7.0, this was only possible from the CLI, typically with scripts that run the 'show counter global' command, parse the output and look for a certain value.

Since PAN-OS 7.0, a limited set of these counters can be monitored via SNMP. Not every global counter is exposed this way (there are far too many for that), but as of PAN-OS 7.0, 56 global counters can be monitored via SNMP.

These 56 counters are divided into 4 categories:

  • DoS-related counters
  • IP fragmentation counters
  • TCP state-related counters
  • All relevant packet-drop counters

 

All of these counters live under the panGlobalCounters MIB subtree (.1.3.6.1.4.1.25461.2.1.2.1.19). Notice the 4 sub-branches, one for each of the categories above:

[Image: panGlobalCounters MIB]

Details of the 4 subcategories:

  • panGlobalCountersDOSCounters - DoS-related counters (.1.3.6.1.4.1.25461.2.1.2.1.19.8)

[Image: panGlobalCountersDOSCounters MIB]

Using snmpwalk, you can find all the OIDs related to this category:

 

AMSMACG7EVG8WN:~ kwens$ snmpwalk -v 2c -c public 10.192.16.170 .1.3.6.1.4.1.25461.2.1.2.1.19.8
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.1.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.2.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.3.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.4.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.5.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.6.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.7.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.8.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.9.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.10.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.11.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.12.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.13.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.14.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.15.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.16.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.17.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.18.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.19.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.20.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.21.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.22.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.23.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.24.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.25.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.26.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.27.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.28.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.29.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.30.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.31.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.32.0 = Counter64: 0

 

  • panGlobalCountersDropCounters - All relevant packet-drop counters (.1.3.6.1.4.1.25461.2.1.2.1.19.9)

[Image: panGlobalCountersDropCounters MIB]

Using snmpwalk, you can find all the OIDs related to this category:

 

AMSMACG7EVG8WN:~ kwens$ snmpwalk -v 2c -c public 10.192.16.170 .1.3.6.1.4.1.25461.2.1.2.1.19.9
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.1.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.2.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.3.0 = Counter64: 2328
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.4.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.5.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.6.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.7.0 = Counter64: 0

 

  • panGlobalCountersIPFragmentationCounters - IP fragmentation counters (.1.3.6.1.4.1.25461.2.1.2.1.19.10)

[Image: panGlobalCountersIPFragmentationCounters MIB]

Using snmpwalk, you can find all the OIDs related to this category:

 

AMSMACG7EVG8WN:~ kwens$ snmpwalk -v 2c -c public 10.192.16.170 .1.3.6.1.4.1.25461.2.1.2.1.19.10
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.10.1.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.10.2.0 = Counter64: 0

 

  • panGlobalCountersTCPState - TCP state-related counters (.1.3.6.1.4.1.25461.2.1.2.1.19.11)

[Image: panGlobalCountersTCPState MIB]

Using snmpwalk, you can find all the OIDs related to this category:

 

AMSMACG7EVG8WN:~ kwens$ snmpwalk -v 2c -c public 10.192.16.170 .1.3.6.1.4.1.25461.2.1.2.1.19.11
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.1.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.2.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.3.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.4.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.5.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.6.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.7.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.8.0 = Counter64: 0

 

Note that the counters reset every time you restart the dataplane or reboot the device!
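As an added example (not part of the original article), the following Python script parses the snmpwalk output format shown above, maps each OID to one of the four category branches, and computes the increase between two polls while treating a value that went down as a counter reset after a dataplane restart or reboot. The two sample polls are constructed; in practice you would feed it the output of two successive snmpwalk runs against the panGlobalCounters subtree.

```python
import re

# panGlobalCounters subtree and its four category branches, as listed in the article
PAN_GLOBAL_COUNTERS = "1.3.6.1.4.1.25461.2.1.2.1.19"
CATEGORIES = {"8": "panGlobalCountersDOSCounters",
              "9": "panGlobalCountersDropCounters",
              "10": "panGlobalCountersIPFragmentationCounters",
              "11": "panGlobalCountersTCPState"}
# One snmpwalk output line in the form shown in the article
LINE_RE = re.compile(r"^SNMPv2-SMI::enterprises\.(\S+) = Counter64: (\d+)$")

def parse_walk(text):
    """Return {oid: value} for every Counter64 line of snmpwalk output."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result["1.3.6.1.4.1." + m.group(1)] = int(m.group(2))
    return result

def category_of(oid):
    """Map a counter OID to its category branch (None if outside the subtree)."""
    prefix = PAN_GLOBAL_COUNTERS + "."
    if not oid.startswith(prefix):
        return None
    return CATEGORIES.get(oid[len(prefix):].split(".")[0])

def counter_deltas(previous, current):
    """Per-OID increase between two polls. A value lower than the previous sample
    means the counters were reset (dataplane restart or reboot): the delta is then
    the current value itself and the entry is flagged reset=True."""
    deltas = {}
    for oid, value in current.items():
        if oid not in previous:
            continue
        reset = value < previous[oid]
        deltas[oid] = {"delta": value if reset else value - previous[oid],
                       "reset": reset, "category": category_of(oid)}
    return deltas

def alerts(deltas, threshold=1):
    """OIDs whose counter grew by at least `threshold` since the last poll."""
    return sorted(oid for oid, d in deltas.items() if d["delta"] >= threshold)

# Constructed sample: two polls of the drop-counter branch, the second taken after a restart
POLL_1 = """SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.2.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.3.0 = Counter64: 2328"""
POLL_2 = """SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.2.0 = Counter64: 5
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.3.0 = Counter64: 40"""
```

Because the counters are cumulative, alerting on the per-poll delta rather than the raw value avoids both the false silence after a reset and the false alarm from a counter that has been non-zero for months.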

 

The SNMP configuration is the same as for any other MIB. The following articles describe how to set up SNMP:

 

How to Verify SNMP Functionality

How to Configure SNMPv2 on the Palo Alto Networks Firewall

How to Configure Sending SNMPv3 Traps on PAN-OS 5.0.x and above

 

Troubleshooting is also done the same way as before:

 

  • Via snmpd.log

> less mp-log snmpd.log

 

  • Via tcpdump if SNMP is managed through the management interface

> tcpdump snaplen 1500 filter "udp port 161"
Press Ctrl-C to stop capturing

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
^C468 packets captured
936 packets received by filter
0 packets dropped by kernel

> view-pcap no-dns-lookup yes hex-ascii yes mgmt-pcap mgmt.pcap
21:50:08.148539 IP 10.192.7.40.61459 > 10.192.16.170.snmp:  GetNextRequest(34)  .1.3.6.1.4.1.25461.2.1.2.1.19.11
        0x0000:  4560 004d 0ffa 0000 3f11 3df5 0ac0 0728  E`.M....?.=....(
        0x0010:  0ac0 10aa f013 00a1 0039 4897 302f 0201  .........9H.0/..
        0x0020:  0104 0670 7562 6c69 63a1 2202 042a 9727  ...public."..*.'
        0x0030:  1702 0100 0201 0030 1430 1206 0e2b 0601  .......0.0...+..
        0x0040:  0401 81c6 7502 0102 0113 0b05 00         ....u........
21:50:08.153053 IP 10.192.16.170.snmp > 10.192.7.40.61459:  GetResponse(37)  .1.3.6.1.4.1.25461.2.1.2.1.19.11.1.0=0
        0x0000:  4500 0050 0000 4000 4011 0d4c 0ac0 10aa  E..P..@.@..L....
        0x0010:  0ac0 0728 00a1 f013 003c 2d9f 3032 0201  ...(.....<-.02..
        0x0020:  0104 0670 7562 6c69 63a2 2502 042a 9727  ...public.%..*.'
        0x0030:  1702 0100 0201 0030 1730 1506 102b 0601  .......0.0...+..
        0x0040:  0401 81c6 7502 0102 0113 0b01 0046 0100  ....u........F..

 

  • Via packet-diag capture of SNMP through a dataplane port

Getting Started - Packet Capture

 

You can download the Enterprise SNMP MIB files here:

 

SNMP MIBS

 

I hope this article has helped you understand this feature.

 

As always, we welcome all feedback, comments and questions in the comment section below.

 

Kim

(KiWi)

Comments
by AkosD
on 06-23-2016 06:01 AM

This is good, but what is the purpose if the counters are nowhere officially documented? Some can be understood from their name and from the description that you can reach with 'show counter global name ?', but this is weak...

I have already set up monitoring for that, see link:

https://itsecworks.com/2014/08/30/custom-monitoring-of-palo-alto-with-perl-and-cacti/

Since there are about 1200 counters, I tried to create a summary table where I tried to group them by specific features and services of the firewall:

https://itsecworks.files.wordpress.com/2014/08/pa_counter_table.xlsx

but I had no luck. This is something that Palo Alto should do. Without usable documentation on the unique counters it is useless to analyse them or monitor them... Palo Alto support definitely has an internal knowledge article for that, internal...

And the fact that from about 1200 counters you can monitor only 56 with SNMP is another shortcoming.

by
on 07-01-2016 05:23 AM

Note that a lot of the 1200+ global counters are meant for development only and wouldn't be useful to users. Adding all of them would not be feasible. The set of 56 is a selection based on interest and customer demand to add the ability to monitor a specific set of global counters.

Aside from having been given a somewhat meaningful name, they are categorized into 1 of 4 categories, and the description does clarify its usage, as you mentioned. If you are still not certain about the meaning of a specific counter, you can always ask in the forum or TAC.

by ms.jzam
on 04-12-2018 03:59 PM

@kiwi, what are those 4 categories, and where can the documentation explaining the counters, and details like that, be found?

by
on 04-13-2018 12:45 AM

Hi @ms.jzam,

 

The 4 categories are listed in the article above ... they are:

  • DoS-related counters
  • IP fragmentation counters
  • TCP state-related counters
  • All relevant packet-drop counters

As for explaining all the different counters in detail, there is no such list as far as I know. In most cases the counters have a meaningful name that kinda reveals/clarifies its use. If a specific counter is still not clear, then I'd recommend reaching out to TAC or asking the Live Community for more information about the specific counter.

 

Cheers!

-Kiwi
