Monitor Statistics Using SNMP
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
End-of-Life (EoL)
Monitor Statistics Using SNMP
The statistics that a Simple Network Management
Protocol (SNMP) manager collects from Palo Alto Networks firewalls
can help you gauge the health of your network (systems and connections),
identify resource limitations, and monitor traffic or processing
loads. The statistics include information such as interface states
(up or down), active user sessions, concurrent sessions, session
utilization, temperature, and system uptime.
You can’t
configure an SNMP manager to control Palo Alto Networks firewalls
(using SET messages), only to collect statistics from them (using GET
messages). For details on how SNMP is implemented for Palo Alto
Networks firewalls, see SNMP
Support.
- Configure the SNMP Manager to get statistics from firewalls.The following steps provide an overview of the tasks you perform on the SNMP manager. For the specific steps, refer to the documentation of your SNMP manager.
- To enable the SNMP manager to interpret firewall statistics, load the Supported MIBs for Palo Alto Networks firewalls and, if necessary, compile them.For each firewall that the SNMP manager will monitor, define the connection settings (IP address and port) and authentication settings (SNMPv2c community string or SNMPv3 EngineID/username/password) for the firewall.All Palo Alto Networks firewalls use port 161.The SNMP manager can use the same or different connection and authentication settings for multiple firewalls. The settings must match those you define when you configure SNMP on the firewall (see Step 3). For example, if you use SNMPv2c, the community string you define when configuring the firewall must match the community string you define in the SNMP manager for that firewall.Determine the object identifiers (OIDs) of the statistics you want to monitor. For example, to monitor the session utilization percentage of a firewall, a MIB browser shows that this statistic corresponds to OID 1.3.6.1.4.1.25461.2.1.2.3.1.0 in PAN-COMMON-MIB.my. For details, see Use an SNMP Manager to Explore MIBs and Objects.Configure the SNMP manager to monitor the desired OIDs.Enable SNMP traffic on a firewall interface.This is the interface that will receive statistics requests from the SNMP manager.PAN-OS doesn’t synchronize management (MGT) interface settings for firewalls in a high availability (HA) configuration. You must configure the interface for each HA peer.Perform this step in the firewall web interface.
- To enable SNMP traffic on the MGT interface, select DeviceSetupInterfaces, edit the Management interface, select SNMP, and then click OK and Commit.
- To enable SNMP traffic on any other interface, create an interface management profile for SNMP services and assign the profile to the interface that will receive the SNMP requests. The interface type must be Layer 3 Ethernet.
Configure the firewall to respond to statistics requests from an SNMP manager.PAN-OS doesn’t synchronize SNMP response settings for firewalls in a high availability (HA) configuration. You must configure these settings for each HA peer.- Select DeviceSetupOperations and, in the Miscellaneous section, click SNMP Setup.Select the SNMP Version and configure the authentication values as follows. For version details, see SNMP Support.
- V2c—Enter the SNMP Community String, which identifies a community of SNMP managers and monitored devices, and serves as a password to authenticate the community members to each other.As a best practice, don’t use the default community string public; it’s well known and therefore not secure.
- V3—Create at least one SNMP view group and one user. User accounts and views provide authentication, privacy, and access control when firewalls forward traps and SNMP managers get firewall statistics.
- Views—Each view is a paired OID and bitwise mask: the OID specifies a MIB and the mask (in hexadecimal format) specifies which objects are accessible within (include matching) or outside (exclude matching) that MIB. Click Add in the first list and enter a Name for the group of views. For each view in the group, click Add and configure the view Name, OID, matching Option (include or exclude), and Mask.
- Users—Click Add in the second list, enter a username under Users, select the View group from the drop-down, enter the authentication password (Auth Password) used to authenticate to the SNMP manager, and enter the privacy password (Priv Password) used to encrypt SNMP messages to the SNMP manager.
Click OK and Commit.Monitor the firewall statistics in an SNMP manager.Refer to the documentation of your SNMP manager for details.When monitoring statistics related to firewall interfaces, you must match the interface indexes in the SNMP manager with interface names in the firewall web interface. For details, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.