Monitor Your Palo Alto Firewall with PRTG

You are probably familiar with Palo Alto Networks based in Santa Clara, California, who provide their 45,000+ customers in over 150 countries a "Next-Generation Security Platform" through their firewalls and security management tools. But did you know that Paessler PRTG can monitor the critical aspects of a Palo Alto device quickly and easily?

It's great to have an industry-leading security appliance in place, but what if the device or network connected to it has an issue? How do you maintain visibility of your Palo Alto devices along with the rest of your network simultaneously? How can you monitor your Palo Alto devices to ensure they are performing adequately and providing the level of protection you expect?

Data Transfer via SNMP

Palo Alto devices are Linux based and support SNMP v2c and v3 (find out more about SNMP monitoring with PRTG here). Palo Alto also supports syslog messages and SNMP trap forwarding to an SNMP management station or syslog receiver. Along with these monitoring components, the ability to capture Netflow V9 packets for an aggregate view of bandwidth consumption by device, connection and protocol is also included.

SNMP support allows you as the PRTG administrator to capture metrics about the following aspects of your device.

• CPU Usage
• Disk Usage
• Memory Usage
• Temperature
• Fan Status
• Node HA Mode
• Peer HA Mode
• Gateway Statistics
• Session Statistics
• SSL Proxy Statistics

How Do I Configure SNMP on My Palo Alto?

For details on how to configure SNMPv2 on the Palo Alto Networks firewall, please see this article.

I Don’t Have Time to Play with MIBs!

We understand, and we’ve done the heavy lifting to make monitoring your Palo Alto painless. Thanks to our wonderful developers and tech support team, we have a growing collection of device templates with all the settings needed for you to monitor your Palo Alto. You can find the detailed instructions for implementing this device template here.

The device template creates available and compatible sensors based on the data available. The sensors implement default alerts whenever possible, but you can still fine-tune most channels by defining additional limits in the sensor channel settings or by modifying the lookups that are included by default. There is no MIB importer, no library sensors, and no trial and error. Along with out-of-the-box sensors for Ping, System Uptime, and Interface Traffic, you can now have a comprehensive view of your Palo Alto device within minutes.

Palo Alto Sensors

In the image below you can find a monitoring overview of Palo Alto sensors.

How Do I See Bandwidth Consumption?

When you identify spikes and upward trends on your interfaces (SNMP Traffic) you will need Netflow for aggregate bandwidth monitoring. This can be setup quickly and easily on your device and forwarded to PRTG for analysis within a Netflow sensor.

REST API Anyone?

One of our PRTG users wrote a PowerShell script for monitoring an IPSec VPN Tunnel via the rest API on a Palo Alto. 

This is just another example of the customization and flexibility of PRTG to capture and monitor devices and services in countless ways. IT professionals need to collect as much data from their environment as possible to ensure everything is working properly.

Helpful Links and Resources

For all those who want more information, here is a list of further resources:

• How to Configure SNMPv2 on the Palo Alto Networks Firewall
• PRTG Device Templates on GitLab
• Palo Alto Device Templates on GitLab
• Paessler Knowledge Base - How can I monitor Palo Alto firewalls with PRTG?
• How to setup NetFlow on Palo Alto firewalls
• Hospitable IT - Monitoring an IPSec Tunnel on a Palo Alto Firewall Using PRTG

Are you using PRTG to monitor your Palo Alto devices? What other ways have you found to monitor and track security-related issues in your environment? Tell us in the comments section below!