PaloAlto Monitor IPSEC S2S tunnels

Hi Guys,

I was wondering whether in LibreNMS we can have the option of checking which IPsec tunnels are up/down, the same way as we have for BGP sessions?

How can I add a page in the Overview tab for IPsec tunnels?

This needs some research because PAN-OS has limited SNMP support. I'm interested in the question too.

This is old but interesting:

The Palo Alto Networks firewall currently doesn't have SNMP OIDs to monitor IPSec tunnel status, so network management systems cannot rely on the SNMP protocol to receive notifications when the IPSec tunnel on the Palo Alto Networks firewall changes its status.

By the way, it's not only this: BGP also isn't showing in the BGP sessions tab.

Do they provide their own BGP MIB?

Yep, I found their MIB Tables on their site

Let me check on Monday, but I didn't find it in my Friday search.

Specifically for BGP data?

Please advise if we can monitor BGP sessions and IPsec tunnels.
For IPsec tunnels it would be nice to have a separate tab, as we have for BGP sessions.

Is the mib specifically for BGP?

Actually, I didn't try to set it up; I just saw the MIB on the Palo Alto side and was wondering whether anyone has set it up.

I checked this morning: BGP is only available via SNMP traps. So at this time it's not possible to use it with LibreNMS.

IPsec is available in the MIB under panGlobalCountersTunnelInspect; not sure, but it should appear like other interfaces?

Is there a possibility to add a tunnel tab, as we have a BGP tab on the upper panel?

Hey guys, any chance to have BGP monitored on Palo, or still no MIB for that? :(

Hi Guys,

I've asked Palo Alto Engineering for this feature request; still waiting on an ETA.
In the meantime the PAN-TRAPS MIB has a number of BGP peer traps that can be sent to LibreNMS, and you can use these to build alert rules in LibreNMS. The traps are:

  • panROUTINGRoutedBGPPeerEnterEstablishedTrap
  • panROUTINGRoutedBGPPeerLeftEstablishedTrap
  • panROUTINGRoutedBGPPeerFailedTrap
  • panROUTINGRoutedBGPPeerRestartedTrap
  • panROUTINGRoutedBGPPeerRestartFailedTrap

To generate these traps from the firewall, you have to set up Device / Log Settings / System Logs to filter for the BGP logs and specify the SNMP trap receiver (LibreNMS). To filter the logs, specify Type equal to Routing and Event equal to one of the types below. You can check your system logs for BGP events to validate that these are correct.

Event Types:

  • routed-BGP-peer-enter-established
  • routed-BGP-peer-left-established
  • routed-BGP-peer-mp-extension-negotiate
  • routed-BGP-peer-failed
  • routed-BGP-peer-restarted
  • routed-BGP-peer-restart-failed
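To show how the trap-based approach above turns into alerting logic, here is an added example (my own code, not from the thread, LibreNMS or Palo Alto) that consumes snmptrapd log lines, maps the five PAN-TRAPS BGP peer traps listed in the post to a per-peer state, and emits down/up/flapping alerts. The trap names are the ones from the post; everything else is assumed: the log lines are constructed in the shape snmptrapd's default formatter produces when the MIB is loaded, the module prefix `PAN-TRAPS::` is assumed, and the varbind name `panROUTINGRoutedBGPPeerAddr` used to pick the peer address out of the trap is a placeholder you must replace with the real object name from the PAN-TRAPS MIB.

```python
"""Added example: build BGP peer state and alerts from PAN-TRAPS traps logged
by snmptrapd. Not code from the thread, LibreNMS or Palo Alto."""
import re
from collections import Counter
from dataclasses import dataclass, field

# The five BGP peer traps named in the post, mapped to the peer state each
# implies. The state labels ("established", "down", "restarting") are mine.
TRAP_STATE = {
    "panROUTINGRoutedBGPPeerEnterEstablishedTrap": "established",
    "panROUTINGRoutedBGPPeerLeftEstablishedTrap": "down",
    "panROUTINGRoutedBGPPeerFailedTrap": "down",
    "panROUTINGRoutedBGPPeerRestartedTrap": "restarting",
    "panROUTINGRoutedBGPPeerRestartFailedTrap": "down",
}

# snmptrapd with the MIB loaded prints the trap as "snmpTrapOID.0 = OID: MODULE::name".
TRAP_RE = re.compile(r"snmpTrapOID\.0 = OID: (?:[\w-]+::)?(?P<trap>\w+)")
# ASSUMPTION: the varbind carrying the peer address is called
# panROUTINGRoutedBGPPeerAddr here; use the real object name from PAN-TRAPS.
PEER_RE = re.compile(r'panROUTINGRoutedBGPPeerAddr = STRING: "?(?P<peer>[0-9A-Fa-f.:]+)"?')


@dataclass
class PeerTracker:
    flap_threshold: int = 4                        # state changes before we call a peer flapping
    state: dict = field(default_factory=dict)      # peer -> last known state
    changes: Counter = field(default_factory=Counter)
    alerts: list = field(default_factory=list)     # (peer, kind, trap) in arrival order
    flagged: set = field(default_factory=set)      # peers already reported as flapping

    def feed(self, line: str) -> bool:
        """Consume one snmptrapd log line; return True if it was a BGP peer trap."""
        m = TRAP_RE.search(line)
        if not m or m.group("trap") not in TRAP_STATE:
            return False                           # not one of the BGP peer traps
        p = PEER_RE.search(line)
        if not p:
            return False                           # no peer varbind: nothing to key an alert on
        trap, peer = m.group("trap"), p.group("peer")
        old, new = self.state.get(peer, "unknown"), TRAP_STATE[trap]
        self.state[peer] = new
        if old == new:
            return True                            # repeated trap, no transition
        self.changes[peer] += 1
        if new == "down" and old == "established":
            self.alerts.append((peer, "down", trap))
        elif new == "established" and old in ("down", "restarting"):
            self.alerts.append((peer, "up", trap))
        if self.changes[peer] >= self.flap_threshold and peer not in self.flagged:
            self.flagged.add(peer)
            self.alerts.append((peer, "flapping", trap))
        return True


def trap_line(host: str, trap: str, peer: str) -> str:
    """Constructed log line in the shape of snmptrapd's default formatter (assumption)."""
    return (f"2024-05-06 10:00:00 {host} [UDP: [192.0.2.1]:161->[198.51.100.5]:162]: "
            f"DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (0) 0:00:00:00.00\t"
            f"SNMPv2-MIB::snmpTrapOID.0 = OID: PAN-TRAPS::{trap}\t"
            f'PAN-TRAPS::panROUTINGRoutedBGPPeerAddr = STRING: "{peer}"')


# Constructed sample: peer .9 establishes, drops, recovers and fails again
# (a flap); a linkDown trap is noise; peer .10 fails a graceful restart.
SAMPLE_LINES = [
    trap_line("fw1", "panROUTINGRoutedBGPPeerEnterEstablishedTrap", "203.0.113.9"),
    trap_line("fw1", "panROUTINGRoutedBGPPeerEnterEstablishedTrap", "203.0.113.10"),
    trap_line("fw1", "panROUTINGRoutedBGPPeerLeftEstablishedTrap", "203.0.113.9"),
    trap_line("fw1", "panROUTINGRoutedBGPPeerEnterEstablishedTrap", "203.0.113.9"),
    trap_line("fw1", "panROUTINGRoutedBGPPeerFailedTrap", "203.0.113.9"),
    "2024-05-06 10:00:05 fw1 [UDP: [192.0.2.1]:161->[198.51.100.5]:162]: "
    "SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown\tIF-MIB::ifIndex.5 = INTEGER: 5",
    trap_line("fw1", "panROUTINGRoutedBGPPeerRestartFailedTrap", "203.0.113.10"),
    trap_line("fw1", "panROUTINGRoutedBGPPeerFailedTrap", "203.0.113.9"),   # repeat, no transition
]


def run_sample() -> PeerTracker:
    """Feed the constructed sample through a tracker and return it."""
    tracker = PeerTracker()
    for line in SAMPLE_LINES:
        tracker.feed(line)
    return tracker


if __name__ == "__main__":
    t = run_sample()
    for peer, kind, trap in t.alerts:
        print(f"{kind:8} {peer:15} ({trap})")
    print("final state:", t.state)
```

The tracker alerts only on transitions, so a firewall that re-sends the same trap does not generate duplicate tickets, and the flap alert fires once per peer rather than on every subsequent change. Whatever you wire this into (LibreNMS alert rules keyed on the trap name, or a small handler like this one), verify the varbind names against the real MIB and against a trap captured from your own firewall before trusting the peer extraction.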

Hello all, any movement on this? Or is the ability to get VPN counts not possible via SNMP?