By Greg Ross • Jul 23, 2018

Monitor Your Palo Alto Firewall with PRTG


You are probably familiar with Palo Alto Networks, based in Santa Clara, California, which provides its 45,000+ customers in over 150 countries with a "Next-Generation Security Platform" through its firewalls and security management tools. But did you know that PRTG can monitor the critical aspects of a Palo Alto device quickly and easily?

It's great to have an industry-leading security appliance in place, but what if the device or network connected to it has an issue? How do you maintain visibility of your Palo Alto devices along with the rest of your network simultaneously? How can you monitor your Palo Alto devices to ensure they are performing adequately and providing the level of protection you expect?

Data Transfer via SNMP

SNMP stands for Simple Network Management Protocol. It is useful in network administration because it allows information about network-connected devices to be collected in a standardized way across a large variety of hardware and software types. SNMP is a protocol for transferring management information in networks, especially in LANs, depending on the chosen version.

 

Palo Alto devices are Linux-based and support SNMP v2c and v3. Palo Alto also supports forwarding syslog messages and SNMP traps to a syslog receiver or an SNMP management station. Along with these monitoring components, the ability to capture NetFlow v9 packets for an aggregate view of bandwidth consumption by device, connection and protocol is also included.

SNMP support allows you, as the PRTG administrator, to capture metrics about the following aspects of your device:

  • CPU Usage
  • Disk Usage
  • Memory Usage
  • Temperature
  • Fan Status
  • Node HA Mode
  • Peer HA Mode
  • Gateway Statistics
  • Session Statistics
  • SSL Proxy Statistics

How Do I Configure SNMP on My Palo Alto?

For details on how to configure SNMPv2 on the Palo Alto Networks firewall, please see this article.

snmp-setup-palo-alto.jpg

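SNMP v2c is the industry standard for SNMP communication; it does not require encryption or authentication, so the community string and the polled values cross the network in clear text. SNMP v3, which the device also supports, adds both.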


snmp-trap-server-profile.jpg

PRTG always uses SNMP Read-Only. We do not make any attempts to modify your devices’ configuration.

I Don’t Have Time to Play with MIBs!

We understand, and we’ve done the heavy lifting to make monitoring your Palo Alto painless. Thanks to our wonderful developers and tech support team, we have a growing collection of device templates with all the settings needed for you to monitor your Palo Alto. You can find the detailed instructions for implementing this device template here.

The device template creates available and compatible sensors based on the data available. The sensors implement default alerts whenever possible, but you can still fine-tune most channels by defining additional limits in the sensor channel settings or by modifying the lookups that are included by default. There is no MIB importer, no library sensors, and no trial and error. Along with out-of-the-box sensors for Ping, System Uptime, and Interface Traffic, you can now have a comprehensive view of your Palo Alto device within minutes.

Palo Alto Sensors

In the image below you can find a monitoring overview of Palo Alto sensors.

palo-alto-sensors

How Do I See Bandwidth Consumption?

When you identify spikes and upward trends on your interfaces (SNMP Traffic), you will need NetFlow for aggregate bandwidth monitoring. This can be set up quickly and easily on your device and forwarded to PRTG for analysis within a NetFlow sensor.

sensor-netflow-v9-palo-alto.jpg

PRTG supports IPFIX, NetFlow v9 and v5

REST API Anyone?

One of our PRTG users wrote a PowerShell script for monitoring an IPsec VPN tunnel via the REST API on a Palo Alto.

This is just another example of the customization and flexibility of PRTG to capture and monitor devices and services in countless ways. IT professionals need to collect as much data from their environment as possible to ensure everything is working properly.

Are you using PRTG to monitor your Palo Alto devices? What other ways have you found to monitor and track security-related issues in your environment? Tell us in the comments section below!