GlobalProtect monitoring

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect monitoring

L1 Bithead

I need to graph GlobalProtect current users + traffic via SNMP. I cannot find anything in SNMPwalk or in the available MIBs.


I looked through some older discussions but it seems there is no immediate answer. Any update?


Thanks

1 accepted solution

Accepted Solutions

L1 Bithead

I finally managed to start monitoring with the API, very simple CLI commands and rrdtool on a linux box.

Simply put:


Polling every 5 mins through cronjob

- wget to poll the API which is fed to grep -c to count the active connections

- output of the above is used to update the RRD

Graphs generated every 5 mins through cronjob representing both our gateways and the total and display of the maximum amount of connections.

Graph looks like this now, will make it sexier as I get the chance

gp-8hours.png

If anyone is interested I'd be glad to share the scripts and commands. RRDtool is not user-friendly for first-timers... at all! 😐

KR

View solution in original post

9 REPLIES 9

Retired Member
Not applicable

Currently there is no OID for tracking GP users via SNMP. However, I would advise to contact your PANW Sales Rep to inquire about roadmap for such a feature.

-Richard

L1 Bithead

Seems PANOS 6 has required SNMP monitoring capabilities but we're waiting on confirmed stability before upgrading production clusters. Anyone inhere that has used it to graph current GP connections and traffic? Not sure if it's possible to monitor status and traffic of individual ipsec tunnels.

L1 Bithead

I finally managed to start monitoring with the API, very simple CLI commands and rrdtool on a linux box.

Simply put:


Polling every 5 mins through cronjob

- wget to poll the API which is fed to grep -c to count the active connections

- output of the above is used to update the RRD

Graphs generated every 5 mins through cronjob representing both our gateways and the total and display of the maximum amount of connections.

Graph looks like this now, will make it sexier as I get the chance

gp-8hours.png

If anyone is interested I'd be glad to share the scripts and commands. RRDtool is not user-friendly for first-timers... at all! 😐

KR

Hi 

I do have the same requirement. I shall validate the max concurrent connected GlobalProtect users in order to plan for additional mobile licenses. I do have a about 50 gateways spread worldwide. It would be of great help for me if you could provide more details about your approach and solution. 

Roland 

Hi there,

can you please share the commands to get the GP user stats using API.

This is great if possible can you please share your scripts.

 

Thank You

 

This is exactly what I am needing. If possible can you please share your scripts.

 

Thank You

 

L1 Bithead

I believe there are now SNMP OIDs for GlobalProtect, as our librenms (linux based) is able to graph the number of GlobalProtect sessions

 

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/globa...

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaSCAS

 

says:

Item Name OID Source MIB Description

System uptimehrSystemUptime.01.3.6.1.2.1.25.1.1.0RFC1514-MIB 
GlobalProtect gateway utilizationpanGPGatewayUtilization1.3.6.1.4.1.25461.2.1.2.5.1PAN-COMMON-MIB 
GlobalProtect gateway % utilizationpanGPGWUtilizationPct.01.3.6.1.4.1.25461.2.1.2.5.1.1PAN-COMMON-MIB 
GlobalProtect gateway max tunnelspanGPGWUtilizationMaxTunnels.01.3.6.1.4.1.25461.2.1.2.5.1.2PAN-COMMON-MIB 
GlobalProtect gateway active tunnelspanGPGWUtilizationActiveTunnels.01.3.6.1.4.1.25461.2.1.2.5.1.3PAN-COMMON-MIB

Could you please share your script. We have the same problem. We have several gateways and would like to count users logged into a specific gateway.

  • 1 accepted solution
  • 12758 Views
  • 9 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!