Get reachable (not management) IP address of devices from Panorama API

L2 Linker


Firstly, apologies if this has been asked before. I couldn't find it with a search, but if it has been asked I'll review that answer.

 

I'm writing a 'Health Check' script in Python, that connects to managed firewalls for all of our customers (we're an MSSP) and scrapes important data, then submits it to a central server for generating reports. Given an IP address with an appropriate management profile for any firewall, I can extract the data easily.

 

Most of our larger customers use Panorama, and I was hoping that I could write the script in such a way that it would only need to be given an IP address for Panorama, and could pull the list of (connected) devices from Panorama, and then connect to them one-by-one automatically using the IP address they are communicating to Panorama from.

 

Unfortunately I cannot find a command in Panorama (either via API or CLI), to give me a list of devices that includes the IP Address they are CONNECTING TO PANORAMA from. I can easily get a list of devices with 'show devices connected', but that shows only the Management IP (along with hostname, serial, etc). In many cases, due to the nature of the customer's deployment they do not use the Management interface (especially for lots of small branches with 200's or 220's). In this case the call to 'show devices connected' returns 192.168.1.1 for these devices, but I know they are connecting to Panorama using dataplane interfaces with RFC1918 addressing.

 

Does anyone know of a command, or a way using API calls, to extract the IP address that devices are using to communicate to Panorama? 


Accepted Solutions
L3 Networker

Hello @sam_miller 

 

You could connect (send an API call) to a node using an API call with Panorama (target=<serial number>).

This is not exactly what you asked. Calling the remote nodes via Panorama is much faster compared with calling the nodes directly.
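The approach suggested in this answer, sketched as an added example (not code from either poster): list the connected devices from Panorama, then build one relayed op request per serial using `target=`, so only a Panorama API key is needed. The hostname `panorama.example.com`, the key value, the function names and the XML element layout of the sample reply are assumptions, and sending the key in the `X-PAN-KEY` header assumes PAN-OS 9.0 or later.

```python
import urllib.parse
import xml.etree.ElementTree as ET

# Constructed sample of a Panorama device-list reply (not real data; layout assumed).
SAMPLE = """<response status="success"><result><devices>
  <entry name="001234567890"><serial>001234567890</serial><connected>yes</connected>
    <hostname>branch-fw-01</hostname><ip-address>192.168.1.1</ip-address></entry>
  <entry name="001234567891"><serial>001234567891</serial><connected>no</connected>
    <hostname>branch-fw-02</hostname><ip-address>192.168.1.1</ip-address></entry>
</devices></result></response>"""

LIST_CMD = "<show><devices><connected></connected></devices></show>"


def connected_serials(xml_text):
    """Return {serial: hostname} for devices Panorama reports as connected."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("Panorama API call failed")
    found = {}
    for entry in root.iterfind("./result/devices/entry"):
        if (entry.findtext("connected") or "").strip().lower() == "yes":
            serial = entry.findtext("serial") or entry.get("name")
            found[serial] = entry.findtext("hostname", default="")
    return found


def op_request(panorama, cmd, api_key, target=None):
    """Build (url, headers) for an op command; target= makes Panorama relay it."""
    params = {"type": "op", "cmd": cmd}
    if target:
        if not target.isalnum():  # serials come from a remote reply; validate them
            raise ValueError("unexpected serial format")
        params["target"] = target
    url = f"https://{panorama}/api/?{urllib.parse.urlencode(params)}"
    # Key goes in a header, not the query string, so it stays out of URL logs.
    return url, {"X-PAN-KEY": api_key}


def plan_health_checks(panorama, api_key, device_list_xml, cmd):
    """One relayed request per connected firewall, keyed by serial."""
    return {s: op_request(panorama, cmd, api_key, target=s)
            for s in connected_serials(device_list_xml)}
```

Each `(url, headers)` pair can be sent with any HTTPS client that verifies Panorama's certificate; the firewalls' own addresses and credentials are never used.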

L2 Linker

Hi @JoergSchuetter 

 

That sounds like a good idea, as then the script wouldn't be reliant on the same username/password or API key being present on each firewall.

 

I'll investigate this option, thanks.

 
