GlobalProtect monitoring

Reply
Highlighted
L1 Bithead

GlobalProtect monitoring

I need to graph GlobalProtect current users + traffic via SNMP. I cannot find anything in SNMPwalk or in the available MIBs.


I looked through some older discussions but it seems there is no immediate answer. Any update?


Thanks


Accepted Solutions
Highlighted
L1 Bithead

I finally managed to start monitoring with the API, very simple CLI commands and rrdtool on a linux box.

Simply put:


Polling every 5 mins through cronjob

- wget to poll the API which is fed to grep -c to count the active connections

- output of the above is used to update the RRD

Graphs generated every 5 mins through cronjob representing both our gateways and the total and display of the maximum amount of connections.

Graph looks like this now, will make it sexier as I get the chance

gp-8hours.png

If anyone is interested I'd be glad to share the scripts and commands. RRDtool is not user-friendly for first-timers... at all! :-|

KR

View solution in original post


All Replies
Highlighted
L5 Sessionator

Currently there is no OID for tracking GP users via SNMP. However, I would advise to contact your PANW Sales Rep to inquire about roadmap for such a feature.

-Richard

Highlighted
L1 Bithead

Seems PANOS 6 has required SNMP monitoring capabilities but we're waiting on confirmed stability before upgrading production clusters. Anyone inhere that has used it to graph current GP connections and traffic? Not sure if it's possible to monitor status and traffic of individual ipsec tunnels.

Highlighted
L1 Bithead

I finally managed to start monitoring with the API, very simple CLI commands and rrdtool on a linux box.

Simply put:


Polling every 5 mins through cronjob

- wget to poll the API which is fed to grep -c to count the active connections

- output of the above is used to update the RRD

Graphs generated every 5 mins through cronjob representing both our gateways and the total and display of the maximum amount of connections.

Graph looks like this now, will make it sexier as I get the chance

gp-8hours.png

If anyone is interested I'd be glad to share the scripts and commands. RRDtool is not user-friendly for first-timers... at all! :-|

KR

View solution in original post

Highlighted
L0 Member

Hi 

I do have the same requirement. I shall validate the max concurrent connected GlobalProtect users in order to plan for additional mobile licenses. I do have a about 50 gateways spread worldwide. It would be of great help for me if you could provide more details about your approach and solution. 

Roland 

Highlighted
L0 Member

Hi there,

can you please share the commands to get the GP user stats using API.

Highlighted
L0 Member

This is great if possible can you please share your scripts.

 

Thank You

 

Highlighted
L0 Member

This is exactly what I am needing. If possible can you please share your scripts.

 

Thank You

 

Highlighted
L1 Bithead

I believe there are now SNMP OIDs for GlobalProtect, as our librenms (linux based) is able to graph the number of GlobalProtect sessions

 

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/globa...

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaSCAS

 

says:

Item Name OID Source MIB Description

System uptimehrSystemUptime.01.3.6.1.2.1.25.1.1.0RFC1514-MIB 
GlobalProtect gateway utilizationpanGPGatewayUtilization1.3.6.1.4.1.25461.2.1.2.5.1PAN-COMMON-MIB 
GlobalProtect gateway % utilizationpanGPGWUtilizationPct.01.3.6.1.4.1.25461.2.1.2.5.1.1PAN-COMMON-MIB 
GlobalProtect gateway max tunnelspanGPGWUtilizationMaxTunnels.01.3.6.1.4.1.25461.2.1.2.5.1.2PAN-COMMON-MIB 
GlobalProtect gateway active tunnelspanGPGWUtilizationActiveTunnels.01.3.6.1.4.1.25461.2.1.2.5.1.3PAN-COMMON-MIB
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!