11-01-2018 08:31 AM
I'm taking on the task of setting up SNMPv3 on a firewall but will be starting from scratch with no tools, programs, scripts, etc. in place so I have a lot of flexibility (and also a lot of work ahead). I won't be doing traps but mostly looking at CPU and interface traffic. I would like to know what programs, etc. others are using so I can get an idea of what works well with Palo and where to begin. Thanks!
11-01-2018 11:36 AM
Hello,
I would say anything that can use SNMPv3 would be compatible. That said, I have used PRTG and Solarwinds with SNMPv3.
Regards,
11-01-2018 12:18 PM
Question heading in this direction: What are reasons to use SNMPv3 instead of v2 to monitor a Palo Alto firewall (read-only access, strictly controlled sources that are allowed to send queries, a controlled network that makes spoofing attacks almost impossible, ...)?
Especially PRTG consumes a lot more resources with v3 instead of v2 when there are thousands of sensors...
11-01-2018 07:06 PM
11-01-2018 07:25 PM - edited 11-01-2018 07:31 PM
Ok, that's a reason.
Back to what you were asking: as other software will also need more resources with v3, I think you should give PRTG a try. This software is able to do really a lot more than simple SNMP queries (in case you need it sometime): nice design, easy overview over all your sensors, good reporting features, a Map feature that allows you to create custom views for an even better overview (for example with your existing network layouts as an interactive map that shows you status values of your devices), and it's cheap compared to others.
Of course there is also good open-source software out there that you can get for free, but here others can maybe tell you more ... there's just one piece of software that I remember that really does a great job in this category but does not look as ugly as most of the others ... and I hope I can remember the name again ... --> https://github.com/netdata/netdata
11-02-2018 06:22 AM
Solarwinds Orion monitors with SNMPv3 just fine. Depending on the PANOS version, the current versions use SHA-1 for Auth, and AES-128 for Privilege authentication.
root@Expedition:~# apt-get install snmp
After this operation, 4,792 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
root@Expedition:~# which snmpwalk
/usr/bin/snmpwalk
root@Expedition:~# exit
logout
expedition@Expedition:~$ snmpwalk -v 3 -u snmpuser -l authPriv -a SHA -A AuthPassword -x AES -X PrivPassword 10.10.10.100
I haven't restricted much with OID/Mask views. If anyone has good resources on what constitutes a good SNMPv3 View on a PA...I'd sure be interested in your recipe.
11-06-2018 03:54 AM
Thank you both (I tried to accept them both as solutions). This has been very helpful!
11-06-2018 11:32 AM
Hi @JW6224
I'm trying to fix SNMPv3 between a PA3020 on PANOS 8.1.1 and Solarwinds Orion without success.
Once I change the netflow default route it works for 10 minutes and stops; when I change back to default it does the same, works for 10 minutes and stops.
Also, on the Orion side I see limited information and can't drill into more details by clicking on the IP address.
Which PANOS are you using? And can you share the configuration or articles you were using?
Thank you.
11-06-2018 02:21 PM
Hello,
Sounds like you might have two issues going on maybe.
SNMP v3: To provide access to all management information, use the top-level OID 1.3.6.1, set the Mask to 0xf0, and set the matching Option to include.
Then in Solarwinds, you need to 'List Resources' for the PAN node and do a 'Force Refresh'. This should list everything for the PAN.
NETFLOW: Make sure you have the correct destination IP and port. Then in the 'service route configuration' make sure it's going out the correct interface (management port by default) along with any security policies to allow the traffic.
Hope that helps.
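How the OID/mask/option triple in the reply above selects objects, as an added example that is not part of the original post and not PAN-OS code: it implements view matching per RFC 3415 and assumes the firewall applies the mask with those standard semantics. The `NARROW` view and the sample OIDs are constructed for illustration and untested on PAN-OS.

```python
# Added example: VACM view matching as specified in RFC 3415 (not PAN-OS code).

def parse_oid(text):
    return tuple(int(p) for p in text.strip(".").split("."))

def mask_bits(mask_hex, length):
    """One bool per sub-identifier; True means that position must match exactly.
    Positions past the end of the mask are treated as 1 bits (RFC 3415)."""
    digits = mask_hex[2:] if mask_hex.lower().startswith("0x") else mask_hex
    raw = bytes.fromhex(digits)
    return [i // 8 >= len(raw) or bool(raw[i // 8] & (0x80 >> (i % 8)))
            for i in range(length)]

def in_family(oid, subtree, mask_hex):
    if len(oid) < len(subtree):
        return False
    bits = mask_bits(mask_hex, len(subtree))
    return all(a == b or not must for a, b, must in zip(oid, subtree, bits))

def view_allows(oid_text, view):
    """view is a list of (subtree, mask, 'include' | 'exclude') entries."""
    oid = parse_oid(oid_text)
    hits = [(parse_oid(s), kind) for s, m, kind in view
            if in_family(oid, parse_oid(s), m)]
    if not hits:
        return False  # no matching family: the object is outside the view
    # The family with the longest subtree decides; ties go to the greater OID.
    return max(hits, key=lambda h: (len(h[0]), h[0]))[1] == "include"

# The view from the post: top-level OID 1.3.6.1, mask 0xf0, include.
BROAD = [("1.3.6.1", "0xf0", "include")]

# Constructed narrower view for CPU and interface polling (assumption).
NARROW = [
    ("1.3.6.1.2.1.1", "0xfe", "include"),         # system group
    ("1.3.6.1.2.1.2", "0xfe", "include"),         # interfaces group
    ("1.3.6.1.2.1.31", "0xfe", "include"),        # ifMIB (64-bit counters)
    ("1.3.6.1.2.1.25.3.3", "0xff80", "include"),  # hrProcessorTable
]

SAMPLES = {  # constructed sample OIDs
    "ifHCInOctets.1": "1.3.6.1.2.1.31.1.1.1.6.1",
    "hrProcessorLoad.1": "1.3.6.1.2.1.25.3.3.1.2.1",
    "usmUserTable": "1.3.6.1.6.3.15.1.2.2",
    "PAN enterprise subtree": "1.3.6.1.4.1.25461.2.1",
}

def compare():
    """Map each sample name to (allowed by BROAD, allowed by NARROW)."""
    return {name: (view_allows(oid, BROAD), view_allows(oid, NARROW))
            for name, oid in SAMPLES.items()}
```

The 0xf0 view exposes every sample, including the SNMP user table and the vendor subtree; the narrower view answers only the interface and CPU objects, so a monitoring tool that needs vendor-specific objects would need that subtree added.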
11-07-2018 03:52 PM
Hi @OtakarKlier
I changed according to your reply and there was a little change.
There are still time gaps in the netflow data and it’s still not showing me end node talker data.
Are you familiar with it?
Thank you.
12-21-2018 11:03 AM
I still have a problem using Solarwinds Orion with Palo Alto; I can see limited information.
I can't drill down to top conversations, which shows me: Data is not available.
I also use this article and added all the choices:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaSCAS
thank you for the help.
12-21-2018 11:35 AM
Hello,
Are you sending your netflow data from the PAN to SolarWinds? Is it getting sourced from your management interface? Are there any drops or denies listed in the logs?
Regards,
12-21-2018 11:45 AM
Yes I'm trying to send netflow data to solarwinds orion.
I'm using the Default service route configuration; when I change the default route or revert back to the default setting it suddenly works for a few minutes and stops again.
In the logs I don't see traffic from Palo Alto to the Solarwinds IP, I guess because it's using the mgmt interface.
thank you.
12-21-2018 11:50 AM
Hmm, sounds like it could be on the SW side of this. If you open a case with them they will want to see pcaps from the server verifying you are getting the flow from the PAN.
What protocol and port is the PAN using to send the netflow? By default, SW uses udp port 2055.
Check out the link and see if the flow is making it to the SW server.
12-21-2018 12:27 PM
SW is receiving the traffic from palo alto but is limited, I can’t drill down in the information.
I see 1-2 levels of information; when I want to get more details on the traffic and endpoints it shows me the error.