OpenConfig Telemetry on PAN-OS

Basics of Telemetry using the OpenConfig plugin on PAN-OS.
The PAN-OS OpenConfig plugin supports telemetry streaming with the gNMI Subscribe request. The Subscribe request support the following modes:
  • Once.
  • Poll.
  • Stream.
The streaming mode supports 3 different subtypes.
  • On-Change
  • Target Defined
  • Sample
The time difference in the examples displays how you can expect each of the subscription types to react to your requests.

Once

Similar to a Get request, a Once subscription returns a singular response. The request creates a single channel to submit and receive the relevant updates then closes the RPC channel.
PAN-OS OpenConfig Model Support shows which models currently support telemetry streaming.
gnmic -u username -p password --tls-ca $CA-CERT --tls-cert $CIENT_CERT --tls-key $ CIENT_KEY -a 10.1.1.1:9339 sub --path "/interfaces/interface[name=*]"/state/oper-status --mode once -e JSON_IETF
An example response shows a one-time snapshot of the interface using the Once type of subscribe request:
{ "source": "10.1.1.1:9339", "subscription-name": "default", "time": "1969-12-31T16:00:01.614649807-08:00", "timestamp": 1614649807, "updates": [ { "Path": "interfaces/interface[name=ethernet1/1]/state/oper-status", "values": { "interfaces/interface/state/oper-status": "UP" } }, { "Path": "interfaces/interface[name=ethernet1/2]/state/oper-status", "values": { "interfaces/interface/state/oper-status": "DOWN" } }, { "Path": "interfaces/interface[name=ethernet1/3]/state/oper-status", "values": { "interfaces/interface/state/oper-status": "DOWN" } } ] }

Poll

Poll methods create a long-lived RPC connection that can subscribe to a number of paths. Once you send a poll message. The response returns the data requested. While the connection is still alive, the client can send periodic poll requests to retrieve relevant data.
gnmic -u username -p password --tls-ca $CA-CERT --tls-cert $CIENT_CERT --tls-key $ CIENT_KEY -a 10.1.1.1:9339 sub --path "/interfaces/interface[name=*]"/state/oper-status --mode poll -e JSON_IETF
The response shows two responses in a non-standard interval time setting based on when the empty poll message is sent.
{ "time": "1969-12-31T16:00:01.614648989-08:00", "timestamp": 1614648989, "updates": [ { "Path": "interfaces/interface[name=ethernet1/1]/state/oper-status", "values": { "interfaces/interface/state/oper-status": "UP" } }, { "Path": "interfaces/interface[name=ethernet1/2]/state/oper-status", "values": { "interfaces/interface/state/oper-status": "DOWN" } }, { "Path": "interfaces/interface[name=ethernet1/3]/state/oper-status", "values": { "interfaces/interface/state/oper-status": "DOWN" } } ] }
Both of these responses above and below happen using the same request. The response also includes a
received sync response 'true' from '10.1.1.1:9339'
to acknowledge the subscription is still alive.
{ "time": "1969-12-31T16:00:01.614649617-08:00", "timestamp": 1614649617, "updates": [ { "Path": "interfaces/interface[name=ethernet1/3]/state/oper-status", "values": { "interfaces/interface/state/oper-status": "DOWN" } }, { "Path": "interfaces/interface[name=ethernet1/1]/state/oper-status", "values": { "interfaces/interface/state/oper-status": "DOWN" } }, { "Path": "interfaces/interface[name=ethernet1/2]/state/oper-status", "values": { "interfaces/interface/state/oper-status": "DOWN" } } ] }

Stream

The streaming subtypes provide a continuous flow of telemetry data based on the specified subtype. Review each of the sections for the subtypes to familiarize yourself with the various streaming types.

Sample and Target Defined

The Sample method must include the
--sample-interval
along with the interval in seconds. Alternatively, you can use
--target_defined
. The lowest accepted interval is 5 seconds.
gnmic -u username -p password --tls-ca $CA-CERT --tls-cert $CIENT_CERT --tls-key $ CIENT_KEY -a 10.1.1.1:9339 sub --path "/interfaces/interface[name=*]"/state/oper-status --mode stream --stream-mode sample --sample-interval 10s -e JSON_IETF
The responses:
{ "source": "10.1.1.1:9339", "subscription-name": "default", "time": "1969-12-31T16:00:01.6146501-08:00", "timestamp": 1614650100, "updates": [ { "Path": "interfaces/interface[name=ethernet1/1]/state/oper-status", "values": { "interfaces/interface/state/oper-status": "DOWN" } } ] } { "source": "10.1.1.1:9339", "subscription-name": "default", "time": "1969-12-31T16:00:01.61465011-08:00", "timestamp": 1614650110, "updates": [ { "Path": "interfaces/interface[name=ethernet1/1]/state/oper-status", "values": { "interfaces/interface/state/oper-status": "DOWN" } } ] } { "source": "10.1.1.1:9339", "subscription-name": "default", "time": "1969-12-31T16:00:01.61465012-08:00", "timestamp": 1614650120, "updates": [ { "Path": "interfaces/interface[name=ethernet1/1]/state/oper-status", "values": { "interfaces/interface/state/oper-status": "UP" } } ] }

On Change

On change updates are only sent upon the update of data for a specified path.
gnmic -u username -p password --tls-ca $CA-CERT --tls-cert $CIENT_CERT --tls-key $ CIENT_KEY -a 10.1.1.1:9339 sub --path "/interfaces/interface[name=*]"/state/description --mode stream --stream-mode on_change -e JSON_IETF
The firewall responds when the oper-status changes to down:
{ "source": "10.1.1.1:9339", "subscription-name": "default", "timestamp": 1614650238, "time": "1969-12-31T16:00:01.614650238-08:00", "updates": [ { "Path": "interfaces/interface[name=ethernet1/1]/state/oper-status", "values": { "interfaces/interface/state/oper-status": "UP" } } ] } { "source": "10.1.1.1:9339", "subscription-name": "default", "timestamp": 1614650294, "time": "1969-12-31T16:00:01.614650294-08:00", "updates": [ { "Path": "interfaces/interface[name=ethernet1/1]/state/oper-status", "values": { "interfaces/interface/state/oper-status": "DOWN" } } ] }

Recommended For You