The statistics that a Simple Network Management
Protocol (SNMP) manager collects from Palo Alto Networks firewalls
can help you gauge the health of your network (systems and connections),
identify resource limitations, and monitor traffic or processing
loads. The statistics include information such as interface states
(up or down), active user sessions, concurrent sessions, session
utilization, temperature, and system uptime.
configure an SNMP manager to control Palo Alto Networks firewalls
(using SET messages), only to collect statistics from them (using GET
messages). For details on how SNMP is implemented for Palo Alto
Networks firewalls, see SNMP
Configure the SNMP Manager to get statistics from
The following steps provide an overview of the tasks you
perform on the SNMP manager. For the specific steps, refer to the
documentation of your SNMP manager.
To enable the SNMP manager to interpret
firewall statistics, load the Supported
MIBs for Palo Alto Networks firewalls and, if necessary,
For each firewall that the SNMP manager will monitor,
define the connection settings (IP address and port) and authentication
settings (SNMPv2c community string or SNMPv3 EngineID/username/password)
for the firewall.
All Palo Alto Networks firewalls use port 161.
SNMP manager can use the same or different connection and authentication
settings for multiple firewalls. The settings must match those you
define when you configure SNMP on the firewall (see Step 3). For example, if you
use SNMPv2c, the community string you define when configuring the
firewall must match the community string you define in the SNMP manager
for that firewall.
Determine the object identifiers (OIDs) of the statistics
you want to monitor. For example, to monitor the session utilization
percentage of a firewall, a MIB browser shows that this statistic
corresponds to OID 126.96.36.199.4.1.254188.8.131.52.3.1.0 in PAN-COMMON-MIB.my.
For details, see Use
an SNMP Manager to Explore MIBs and Objects.
Configure the SNMP manager to monitor the desired OIDs.
Enable SNMP traffic on a firewall interface.
This is the interface that will receive statistics requests
from the SNMP manager.
synchronize management (MGT) interface settings for firewalls in
a high availability (HA) configuration. You must configure the interface
for each HA peer.
Perform this step in the firewall
To enable SNMP traffic on the MGT interface,
, edit the
, and then click
To enable SNMP traffic on any other
interface, create an interface management profile for SNMP
services and assign the profile to the interface that will receive
the SNMP requests. The interface type must be Layer 3 Ethernet.
the firewall to respond to statistics requests from an SNMP manager.
PAN-OS doesn’t synchronize SNMP
response settings for firewalls in a high availability (HA) configuration.
You must configure these settings for each HA peer.
in the Miscellaneous section, click
Select the SNMP
configure the authentication values as follows. For version details,
, which identifies a community of SNMP
managers and monitored devices, and serves as a password to authenticate
the community members to each other.
a best practice, don’t use the default community string
it’s well known and therefore not secure.
—Create at least one SNMP view group and
one user. User accounts and views provide authentication, privacy,
and access control when firewalls forward traps and SNMP managers
get firewall statistics.
—Each view is
a paired OID and bitwise mask: the OID specifies a MIB and the mask
(in hexadecimal format) specifies which objects are accessible within
(include matching) or outside (exclude matching) that MIB. Click
the first list and enter a
for the group
of views. For each view in the group, click
configure the view
in the second list,
enter a username under
, select the
from the drop-down, enter the authentication password (
) used to authenticate to the SNMP manager,
and enter the privacy password (
used to encrypt SNMP messages to the SNMP manager.
Monitor the firewall statistics in an SNMP manager.
Refer to the documentation of your SNMP manager for details.