Configure next-generation firewalls to send SNMP queries to switches and learn about
the devices connected to them.
| Where Can I Use This? | What Do I Need? |
| --- | --- |
| | One of the following subscriptions: Device Security subscription for an advanced Device Security product (Enterprise, OT, or Medical); Device Security X subscription |
To identify devices, assess risk, and help next-generation firewalls enforce Security
policy rules based on Device-ID, Device Security requires network traffic metadata for
analysis. Palo Alto Networks Next-Generation Firewalls (NGFW) extract and log this
metadata when they apply Security policy rules that have logging enabled. When the
rules also have log forwarding enabled, the firewalls send the logs to the logging
service, which then streams the metadata to Device Security.
Depending on the firewalls' locations, they might not have visibility
into all network traffic. Limited visibility can cause device discovery gaps and lower
efficacy in device identification, behavior monitoring, and Device-ID rule
enforcement. To extend visibility further into the network, Device Security supports
several options:
Mirror traffic on network switches and use Encapsulated Remote Switched Port
Analyzer (ERSPAN) to send mirrored traffic through GRE tunnels to a firewall.
The firewall inspects the traffic, logs it, and then forwards the logs to the
logging service for Device Security to access.
Configure a DHCP server to send its server logs as syslog messages to a firewall.
The firewall then forwards the messages as Enhanced Application logs (EALs) with
a subtype of dhcp-syslog through the logging service to Device Security.
Integrate Device Security with third-party products that provide services such as
asset management and network management. Device Security connects to these systems
through Cortex XSOAR and retrieves additional device data from them to enhance the
metadata learned from next-generation firewalls and optionally from network
switches and DHCP servers.
In environments using DHCP to assign devices with network settings, IP addresses are
leased dynamically for limited periods of time. An essential part of monitoring
network behaviors to identify devices, assess risk, and enforce Device-ID Security
policy rules is the ability to link the dynamically assigned IP address of each
device to its unique, unchanging MAC address. NGFWs can do this
when they receive traffic containing both IP and MAC addresses. When firewalls don’t
receive traffic from all devices or when they do but it contains only IP
addresses—possibly because the traffic crossed Layer 2 domains and the device MAC
address was changed to that of the forwarding device—they can still gather IP
address-to-MAC address bindings by using SNMP to query switches throughout the
network.
When using SNMP to query network switches and other forwarding devices, firewalls
first develop a network topology by requesting the Link Layer Discovery Protocol
(LLDP) neighbors and Cisco Discovery Protocol (CDP) neighbors of one switch (the
entry point switch) and then repeating the request with neighboring switches and
child switches one by one throughout the network. After obtaining a list of switches
and forwarding devices throughout the network, or within a limited area of the
network, the firewall next queries each one for its ARP table as well as other
information. The ARP table contains the IP address-to-MAC address binding
information for the devices connected through the switch to the network. Other
device details for which firewalls query include the physical interfaces or ports on
the switch to which devices connect, their VLANs and subnets, and DHCP and DNS
server IP addresses. After the firewall receives this information, it creates logs
and sends them through the logging service to Device Security.
For the firewall to collect per-VLAN endpoint data from switches, VLAN context
(also called VLAN-aware SNMP) must be enabled on each switch. For SNMPv2c,
configure VLAN context on the switch and use the
community-string@VLAN-ID
format when specifying credentials (for example, public@10).
For SNMPv3, enable VLAN context on the switch and use the VLAN context name when
querying (for example, vlan-10). Refer to your switch vendor
documentation for instructions on enabling VLAN context for SNMP.
The SNMP network discovery process can’t traverse switches that don’t support
CDP or LLDP.
The following are sample object identifiers (OIDs) that SNMP queries on UDP port 161
for information about LLDP neighbors and CDP neighbors, device IP address-to-MAC
address bindings, and interface or port information:
OID: 1.0.8802.1.1.2.1.4 lldpRemoteSystemsData (LLDP neighbors)
OID: 1.3.6.1.4.1.9.9.23 ciscoCdpMIB (CDP neighbors)
OID: 1.3.6.1.2.1.4.22.1.2 ipNetToMediaPhysAddress (IP-to-MAC address bindings from ARP)
OID: 1.3.6.1.2.1.4.22.1.1 ipNetToMediaIfIndex (interface or port information)
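The crawl described above, worked through as an added example (this is not the plugin's code): a breadth-first walk from the entry point switch over the LLDP and CDP neighbor subtrees, bounded by the maximum hop count and an optional CIDR scope, followed by a refresh pass that decodes ipNetToMediaPhysAddress rows into IP-to-MAC bindings. The switches, their neighbor rows and their ARP rows are constructed sample data standing in for live SNMP agents. The real LLDP-MIB and CDP-MIB neighbor tables encode the neighbor's management address in the row index and value; the sample simplifies each neighbor row to a plain IP string so the crawl logic stays readable. The ipNetToMediaPhysAddress index (ifIndex followed by the four IPv4 octets) is decoded as the MIB defines it.

```python
import ipaddress
from collections import deque

# OIDs named on the page
OID_LLDP_REM = "1.0.8802.1.1.2.1.4"    # lldpRemoteSystemsData (LLDP neighbors)
OID_CDP_MIB = "1.3.6.1.4.1.9.9.23"     # ciscoCdpMIB (CDP neighbors)
OID_ARP_PHYS = "1.3.6.1.2.1.4.22.1.2"  # ipNetToMediaPhysAddress (ARP: IP -> MAC)

# Constructed sample network standing in for live SNMP agents (assumption).
# Neighbor rows are simplified to "<subtree>.<row>": "<neighbor IP>"; ARP rows use
# the real ipNetToMediaPhysAddress index "<ifIndex>.<a>.<b>.<c>.<d>" -> MAC bytes.
SAMPLE_AGENTS = {
    "10.0.0.1": {  # core switch, used as the entry point
        OID_LLDP_REM + ".1": "10.0.0.2",
        OID_LLDP_REM + ".2": "10.0.0.3",
        OID_ARP_PHYS + ".1.10.0.0.2": bytes.fromhex("00005e000201"),
    },
    "10.0.0.2": {  # distribution switch running LLDP only
        OID_LLDP_REM + ".1": "10.0.0.1",
        OID_LLDP_REM + ".2": "10.0.1.10",
        OID_ARP_PHYS + ".3.10.0.1.50": bytes.fromhex("3c5a37aa0050"),
    },
    "10.0.0.3": {  # switch running CDP but not LLDP
        OID_CDP_MIB + ".1": "10.0.0.1",
        OID_CDP_MIB + ".2": "10.0.0.4",
        OID_ARP_PHYS + ".5.10.0.3.7": bytes.fromhex("3c5a37aa0307"),
    },
    "10.0.0.4": {  # neither CDP nor LLDP: found as a neighbor, but the crawl stops here
        OID_ARP_PHYS + ".2.10.0.4.9": bytes.fromhex("3c5a37aa0409"),
    },
    "10.0.0.5": {  # only reachable behind 10.0.0.4, so it is never discovered
        OID_LLDP_REM + ".1": "10.0.0.4",
        OID_ARP_PHYS + ".2.10.0.5.1": bytes.fromhex("3c5a37aa0501"),
    },
    "10.0.1.10": {  # access switch in another subnet
        OID_LLDP_REM + ".1": "10.0.0.2",
        OID_LLDP_REM + ".2": "10.0.1.11",
        OID_ARP_PHYS + ".7.10.0.1.60": bytes.fromhex("3c5a37aa0160"),
    },
    "10.0.1.11": {
        OID_LLDP_REM + ".1": "10.0.1.10",
        OID_ARP_PHYS + ".2.10.0.1.70": bytes.fromhex("3c5a37aa0170"),
    },
}


def snmp_walk(agent_ip, prefix):
    """Stand-in for an SNMP walk (GETNEXT/GETBULK) of one subtree on UDP/161.
    Returns [] for a switch that does not answer or does not carry the MIB."""
    agent = SAMPLE_AGENTS.get(agent_ip)
    if agent is None:
        return []
    return sorted((oid, val) for oid, val in agent.items()
                  if oid == prefix or oid.startswith(prefix + "."))


def in_scope(ip, scope):
    """Scope None means 'collect the entire network', as the dialog default does."""
    return scope is None or ipaddress.ip_address(ip) in ipaddress.ip_network(scope)


def neighbors(switch_ip):
    """LLDP neighbors followed by CDP neighbors of one switch."""
    found = []
    for prefix in (OID_LLDP_REM, OID_CDP_MIB):
        found += [val for _, val in snmp_walk(switch_ip, prefix)]
    return found


def network_discovery(entry_point, max_hops=10, scope=None):
    """Breadth-first crawl from the entry point switch; returns {switch_ip: hops}.
    A switch at the hop limit is recorded but not asked for its own neighbors."""
    hops = {entry_point: 0}
    queue = deque([entry_point])
    while queue:
        switch = queue.popleft()
        if hops[switch] >= max_hops:
            continue
        for nbr in neighbors(switch):
            if nbr in hops or not in_scope(nbr, scope):
                continue
            hops[nbr] = hops[switch] + 1
            queue.append(nbr)
    return hops


def parse_arp_rows(rows):
    """Decode ipNetToMediaPhysAddress rows: index = <ifIndex>.<IPv4>, value = MAC."""
    bindings = {}
    for oid, mac in rows:
        index = oid[len(OID_ARP_PHYS) + 1:].split(".")
        if_index, ip = int(index[0]), ".".join(index[1:5])
        bindings[ip] = (mac.hex(":"), if_index)
    return bindings


def network_data_refresh(switches, scope=None):
    """Query each discovered switch's ARP table and merge the IP-to-MAC bindings,
    keeping the first switch (and its ifIndex) that reported each IP."""
    bindings = {}
    for switch in switches:
        for ip, (mac, if_index) in parse_arp_rows(snmp_walk(switch, OID_ARP_PHYS)).items():
            if in_scope(ip, scope):
                bindings.setdefault(ip, {"mac": mac, "switch": switch, "ifIndex": if_index})
    return bindings


if __name__ == "__main__":
    switches = network_discovery("10.0.0.1", max_hops=10, scope=None)
    print("switches by hop count:", switches)
    for ip, binding in network_data_refresh(switches).items():
        print(ip, "->", binding)
```

Running the block shows the two limits the page describes: 10.0.0.4 is discovered as a CDP neighbor of 10.0.0.3 and its ARP table is still read, but because it answers neither LLDP nor CDP queries the crawl cannot pass through it, so 10.0.0.5 never appears; lowering max_hops or setting a scope such as 10.0.0.0/24 prunes the walk further.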
SNMP network discovery is available to NGFWs as part of the free Network Discovery
plugin and does not require Cortex XSOAR. Review the Network Discovery
compatibility matrix to find the PAN-OS versions supported for each plugin
release version. Alternatively, Device Security provides SNMP Network Discovery
as part of the Device Security third-party integrations.
Both the version using the integration framework and the version with the plugin
support multiple sets of jobs for different networks and network segments per
Device Security tenant.
Strata Cloud Manager does not support plugin management. If you use
Strata Cloud Manager to access Device Security, you still need to use
Panorama or PAN-OS to manage the
Network Discovery plugin.
The following devices don't support the Network Discovery plugin:
PA-410
PA-410R
PA-410R-5G
PA-415
PA-415-5G
2.1.x and Later
Configure SNMP crawling using the Network Discovery plugin version 2.1.x and later.
To configure SNMP Network Discovery with the plugin, you need to have a
next-generation firewall with an associated Device Security license.
Review the Network Discovery Plugin Release Notes to find the PAN-OS versions
supported for each plugin release version.
From Panorama or PAN-OS, download the Network Discovery plugin following the steps
at Install Panorama Plugins. Plugin management isn't supported in Strata Cloud
Manager.
The following instructions are for the Network Discovery plugin configuration
using the PAN-OS web interface on an individual next-generation firewall. To
configure the plugin on Panorama, use templates and template stacks and template
stack variables for the IP addresses of the address groups, discovery scope, and
ports and interfaces as needed.
Enable VLAN context on each switch you plan to query to discover endpoints
connected to VLANs.
For SNMPv2c, configure VLAN context on the switch and use the
community-string@VLAN-ID
format when specifying credentials in the plugin (for example,
public@10). For SNMPv3, enable VLAN context
on the switch and use the VLAN context name when querying (for
example, vlan-10). Refer to your switch
vendor documentation for instructions on enabling VLAN context
for SNMP.
Open the SNMP settings for the
Network Discovery plugin.
Select . In the SNMP Network Discovery section,
click Edit (gear icon).
The SNMP Network Discovery Settings dialog appears
with the Schedule Settings tab active. Select
Enable SNMP Network Discovery Settings
to configure SNMP Network Discovery.
Schedule how often the firewall runs an SNMP crawl job.
In the Network Discovery Job section, schedule how often
the firewall runs a job to learn all the switches and other network
forwarding devices that run LLDP and CDP on the network or within a
defined scope of the network. The default is once a day, which usually
is often enough.
In addition to when and how often you want to run the SNMP crawl
job, you can specify a max duration for how long each job can take,
up to 24 hours.
Schedule how often the firewall queries for information about the network
and connected devices.
In the Network Data Refreshment Job section, schedule how often the
firewall runs a job to query switches and other forwarding devices for
information about the network and devices connected to them. Consider
how often DHCP lease times renew and schedule the job to run at half the
lease time, which is when DHCP clients start requesting lease renewals
and could receive different IP addresses. In environments without DHCP,
consider running the network data refreshment job once every hour, which
is the default setting.
In addition to when and how often you want to run the device discovery
job, you can specify a max duration for how long each job can take,
up to 24 hours. The polling schedule uses the firewall's time zone for
the start and end dates and times.
If you select Site Overwrite, the network data
refreshment job will create a site in Device Security from sites
it learns from SNMP crawling. If the subnet is already assigned to a
site in Device Security, then the subnet's site mapping will be
overwritten based on the site assigned to the entry point in the
Network Discovery job. Network Discovery won't overwrite any manually
configured sites.
Click the Discovery Scope Settings tab and configure the scope of the SNMP crawl.
Set the Maximum Number of Hops.
Enter the number of switches away from the entry point switch
that you want the SNMP crawling job to reach. The default
number of hops is 10.
Add up to 10 entry point switches
in the Entry Point Switch section.
You must configure at least one entry point switch. When you
click Add, the Entry Point Switch pop-up
appears. In the pop-up, enter the following information:
Name: Enter a name to use to identify the entry
point switch.
Entry Point Switch: Enter the IP address of the
entry point switch with which to begin the SNMP
discovery process.
A good choice for the entry point switch is a core
switch because it would commonly have the broadest
access to various distribution-layer and
access-layer switches throughout the network.
Scope: Enter the prefix for the IP CIDR block to
define the scope of the switches and endpoint devices to
learn. By default, the scope is set to
None, so SNMP will collect
network topology for the entire network.
Site: Add the name of the site where the SNMP job
queries switches for network data.
When you're done, click OK to save
the entry point switch.
Optional: Add service routes in the Service Route section.
If your firewall uses a data interface rather than a management
interface to do SNMP network discovery, set a service route
specifying that interface and the network segment to query.
Service routes configured on are not applied. SNMP network discovery only
uses service routes configured here.
When you click Add, the Service Route
pop-up appears. In the pop-up, enter the following information:
Destination: Enter the Destination IP address. An
incoming packet with a destination address that matches
this address will use as its source the Source Address
you specify for this service route.
Source Interface: To limit the options for the
Source Address, select a Source Interface. By default,
the Source Interface is set to
Any, which means all IP addresses
on all interfaces are available in the Source Address
drop-down. Selecting MGT causes
the firewall to use the MGT interface for the service
route.
Source Address: Select the Source Address for the
service route. This address will be used for packets
returning from the destination. You don't need to enter
the subnet for the destination address.
When you're done, click OK to save
the service route.
Click the SNMP Settings tab and configure the SNMP credentials for the job to use.
Set the Retries for the SNMP crawl job. Enter the number of times the job should
try an SNMP query. If the job has reached the maximum number of retries, then it
skips that SNMP query. The number of retries does not include the initial query.
The default number of retries is 2.
Set the Timeout (ms) for the SNMP crawl job. Enter the amount of time that the job
should wait for a response to an SNMP query. The default timeout is 2000 ms.
Add SNMP credentials for the job to use when
querying the entry point switches.
You can add multiple sets of credentials and change their
ordering on the list. SNMP crawling tries the credentials in
the order they appear in the list. The last successful
credential used will be used first when authenticating with the
next switch in the crawl.
When you click Add, the SNMP Credentials pop-up appears. The options presented in
the pop-up change depending on which SNMP Version you select. In the pop-up,
enter the following information:
Name: Enter a name to use to identify the
credentials.
SNMP Version: Choose the SNMP version that the
credentials can be used for, either V2 (SNMPv2c)
or V3. If you choose
V2, configure the
Community String. If you choose
V3, configure the
Username and select a
Security Level. Depending on the
Security Level that you select,
you might need to configure authentication and privacy
protocols.
SNMP V2 Community String: Enter the SNMP
community string configured on the switches to permit
read-only access. To query per-VLAN data, append
@VLAN-ID to the
community string (for example,
public@10). VLAN context must be
enabled on the switch for per-VLAN queries to return data.
SNMP V3 Username: Enter a username for
an SNMP user account with read-only access. This is the
account for the firewall to use when accessing an SNMP
server running on a switch.
SNMP V3 Security Level: Choose the
security level for accessing an SNMP server on a switch.
noAuthNoPriv: Choose this to neither authenticate nor encrypt
communications between the SNMP agent on the firewall and an
SNMP server on a switch.
authNoPriv: Choose this
to require authentication based on either MD5 or
SHA hashes but not encrypt communications
between the firewall and the switches.
authPriv: Choose this to
require both authentication and encryption.
Authentication Protocol (SNMP V3, authNoPriv or authPriv): Choose the algorithm
for authenticating communications between the firewall and the switches: MD5
(Message Digest Algorithm 5) or SHA for SHA-1 (Secure Hash Algorithm 1).
Authentication Password (SNMP V3, authNoPriv or authPriv): Enter the password
used during the authentication process.
Confirm Authentication Password (SNMP V3, authNoPriv or authPriv): Confirm the
password.
Privacy Protocol (SNMP V3, authPriv): Choose the algorithm for encrypting
communications between the firewall and the switches: DES (Data Encryption
Standard) or AES (Advanced Encryption Standard).
Privacy Password (SNMP V3, authPriv): Enter the password used during the
encryption process.
Confirm Privacy Password (SNMP V3, authPriv): Confirm the password.
When you're done, click OK to save
your SNMP credentials.
Click OK to save your SNMP Network Discovery settings.
After enabling this feature, the settings are sent to the plugin, which
checks the source interface IP address that will send and receive SNMP
traffic and schedules the following tasks:
Send SNMP queries for Network Discovery using CDP and LLDP OIDs.
Send SNMP queries for Network Data Refresh using various OIDs
for VLANs, subnets, switch interface or port information, device
IP-to-MAC address bindings, and other attributes on a per-device
level.
After the SNMP jobs run, the resulting SNMP data is stored in files
and converted to Enhanced Application logs. The firewall then sends the
logs to the logging service. The logging service then streams the data
to Device Security, which updates its database and displays the SNMP
discovery network topology data in the Device Security portal.
Optional (2.2.3): Using the command line, enable including IP phones during
neighbor discovery.
By default, Network Discovery excludes all IP phones from neighbor discovery
but includes them as endpoints. You can include IP phones during
neighbor discovery using the following CLI command in root mode:
sdb cfg.platform.iot-neighbor-discovery.skip-ip-phones=False
2.0.x and Earlier
Configure SNMP crawling when using the Network Discovery plugin version 2.0.x and earlier.
To configure SNMP Network Discovery with the plugin, you need to have a
next-generation firewall with an associated Device Security license.
Review the Network Discovery Plugin Release Notes to find the PAN-OS versions
supported for each plugin release version.
From Panorama or PAN-OS, download the Network Discovery plugin following the steps
at Install Panorama Plugins. Plugin management isn't supported in Strata Cloud
Manager.
The following instructions are for the Network Discovery plugin configuration
using the PAN-OS web interface on an individual next-generation firewall. To
configure the plugin on Panorama, use templates and template stacks and template
stack variables for the IP addresses of the address groups, discovery scope, and
ports and interfaces as needed.
Enable VLAN context on each switch you plan to query to discover endpoints
connected to VLANs.
For SNMPv2c, configure VLAN context on the switch and use the
community-string@VLAN-ID
format when specifying credentials in the plugin (for example,
public@10). For SNMPv3, enable VLAN context
on the switch and use the VLAN context name when querying (for
example, vlan-10). Refer to your switch
vendor documentation for instructions on enabling VLAN context
for SNMP.
Open the SNMP settings for the
Network Discovery plugin.
Select . In the SNMP Network Discovery section,
click Edit (gear icon).
The SNMP Network Discovery Settings dialog appears
with the Schedule Settings tab active. Select
Enable SNMP Network Discovery Settings
to configure SNMP Network Discovery.
Schedule how often the firewall runs an SNMP crawl job.
In the Network Discovery Job section, schedule how often
the firewall runs a job to learn all the switches and other network
forwarding devices that run LLDP and CDP on the network or within a
defined scope of the network. The default is once a day, which usually
is often enough.
In addition to when and how often you want to run the SNMP crawl
job, you can specify a max duration for how long each job can take,
up to 24 hours.
Schedule how often the firewall queries for information about the network
and connected devices.
In the Network Data Refreshment Job section, schedule how often the
firewall runs a job to query switches and other forwarding devices for
information about the network and devices connected to them. Consider
how often DHCP lease times renew and schedule the job to run at half the
lease time, which is when DHCP clients start requesting lease renewals
and could receive different IP addresses. In environments without DHCP,
consider running the network data refreshment job once every hour, which
is the default setting.
In addition to when and how often you want to run the device discovery
job, you can specify a max duration for how long each job can take,
up to 24 hours. The polling schedule uses the firewall's time zone for
the start and end dates and times.
Click the Discovery Scope Settings tab and configure the scope of the SNMP crawl.
Entry Point switch: Enter the IP address of the
entry point switch with which to begin the SNMP discovery process.
A good choice for the entry point switch is a core switch because it
would commonly have the broadest access to various
distribution-layer and access-layer switches throughout the network.
Device IP Address Scope: Enter the prefix for the
IP CIDR block to define the scope of the switches and endpoint devices
to learn. Optionally, don’t set a scope by entering
None and SNMP will collect network topology for
the entire network.
Maximum Number of Hops: Enter the number of
switches away from the entry point switch that you want the SNMP network
discovery job to reach. The default number of hops is 10.
Site: Add the name of the site where the SNMP
job queries switches for network data.
Service Route: If your firewall uses a data
interface rather than the management interface to do SNMP network
discovery, set a service route specifying that interface and the
network segment to query.
Service routes configured on are not applied. SNMP network discovery only uses
service routes configured here.
Click the SNMP Settings tab and configure the SNMP credentials for the job to use.
Set the SNMP version and configure the required settings for the version
and options you use.
SNMP Version: Choose the SNMP version that your
switches support, either V2 (SNMPv2c) or
V3. If you choose V2,
configure the Community String. If you choose
V3, configure the
Username, Security Level,
Authentication Protocol and
Password, and
Privacy Protocol and
Password settings.
Community String (for SNMP V2): Enter the SNMP
community string configured on the switches to permit read-only access.
To query per-VLAN data, append
@VLAN-ID to the community
string (for example, public@10). VLAN context
must be enabled on the switch for per-VLAN queries to return data.
Username (for SNMP V3): Enter a username for an
SNMP user account with read-only access. This is the account the
firewall uses when accessing an SNMP server running on a switch.
Security Level (for SNMP V3): Choose the security
level for accessing an SNMP server on a switch.
noAuthNoPriv: Choose this to neither authenticate nor encrypt communications
between the SNMP agent on the firewall and an SNMP server on a switch.
authNoPriv: Choose this to require
authentication based on either MD5 or SHA hashes but not encrypt
communications between the firewall and the switches.
authPriv: Choose this to require both
authentication and encryption.
Authentication Protocol (for SNMP V3): Choose the
algorithm for authenticating communications between the firewall and the
switches: MD5 (Message Digest Algorithm 5) or
SHA for SHA-1 (Secure Hash Algorithm 1).
Authentication Password (for SNMP V3): Enter the
password used during the authentication process.
Privacy Protocol (for SNMP V3): Choose the
algorithm for encrypting communications between the firewall and the
switches: DES (Data Encryption Standard) or
AES (Advanced Encryption Standard).
Privacy Password (for SNMP V3): Enter the
password used during the encryption process.
Retries: Enter the number of times the job
should try an SNMP query. If the job has reached the maximum number of
retries, then it skips that SNMP query. The number of retries does
not include the initial query. The default number of retries is 2.
Timeout (ms): Enter the time that the job
should wait for a response to an SNMP query. The default timeout is
2000 ms.
Click OK to save your SNMP Network Discovery settings.
After enabling this feature, the settings are sent to the plugin, which
checks the source interface IP address that will send and receive SNMP
traffic and schedules the following tasks:
Send SNMP queries for Network Discovery using CDP and LLDP OIDs.
Send SNMP queries for Network Data Refresh using various OIDs
for VLANs, subnets, switch interface or port information, device
IP-to-MAC address bindings, and other attributes on a per-device
level.
After the SNMP jobs are run, the resulting SNMP data is stored in files
and converted to Enhanced Application logs. The firewall then sends the
logs to the logging service. The logging service then streams the data
to Device Security, which updates its database and displays the SNMP
discovery network topology data in the Device Security portal.