Skip to main content

Palo Alto firewall API

Connector dependencies​

The following monitoring connectors will be installed when you install the Palo Alto firewall API connector through the Configuration > Connectors > Monitoring Connectors menu:

Pack assets​

Templates​

The Monitoring Connector Palo Alto firewall API brings a host template:

  • Net-PaloAlto-Standard-Api-custom

The connector brings the following service templates (sorted by the host template they are attached to):

Service AliasService TemplateService Description
EnvironmentNet-PaloAlto-Standard-Environment-Api-customCheck components
HaNet-PaloAlto-Standard-Ha-Api-customCheck high-availability
IpsecNet-PaloAlto-Standard-Ipsec-Api-customCheck the status of IPSec VPN tunnels
LicensesNet-PaloAlto-Standard-Licenses-Api-customCheck features licensing
SystemNet-PaloAlto-Standard-System-Api-customCheck system

The services listed above are created automatically when the Net-PaloAlto-Standard-Api-custom host template is used.

Collected metrics & status​

Here is the list of services for this connector, detailing all metrics and statuses linked to each service.

NameUnit
hardware.temperature.countcount
temperature statusN/A
hardware.fan.countcount
fan statusN/A
hardware.voltage.countcount
voltage statusN/A
hardware.psu.countcount
psu statusN/A

Prerequisites​

This connector allows you to monitor Palo Alto Networks devices via the XML API. Please refer to the official documentation for more information on accessing this API.

Installing the monitoring connector​

Pack​

The installation procedures for monitoring connectors are slightly different depending on whether your license is offline or online.

  1. If the platform uses an online license, you can skip the package installation instruction below as it is not required to have the connector displayed within the Configuration > Connectors > Monitoring Connectors menu. If the platform uses an offline license, install the package on the central server with the command corresponding to the operating system's package manager:
dnf install centreon-pack-network-firewalls-paloalto-standard-api
  1. Whatever the license type (online or offline), install the Palo Alto firewall API connector through the Configuration > Connectors > Monitoring Connectors menu.

Plugin​

Since Centreon 22.04, you can benefit from the 'Automatic plugin installation' feature. When this feature is enabled, you can skip the installation part below.

You still have to manually install the plugin on the poller(s) when:

  • Automatic plugin installation is turned off
  • You want to run a discovery job from a poller that doesn't monitor any resource of this kind yet

More information in the Installing the plugin section.

Use the commands below according to your operating system's package manager:

dnf install centreon-plugin-Network-Firewalls-Paloalto-Standard-Api

Using the monitoring connector​

Using a host template provided by the connector​

  1. Log into Centreon and add a new host through Configuration > Hosts.
  2. Fill in the Name, Alias & IP Address/DNS fields according to your resource's settings.
  3. Apply the Net-PaloAlto-Standard-Api-custom template to the host. A list of macros appears. Macros allow you to define how the connector will connect to the resource, and to customize the connector's behavior.
  4. Fill in the macros you want. Some macros are mandatory.
MacroDescriptionDefault valueMandatory
USERNAMEUsername. Required with --auth-type=basic. Also used with --auth-type=api-key to auto-generate or regenerate the API key
PASSWORDPassword
PROTOProtocol to use: http or httpshttps
PORTPort used443
API_KEYPAN-OS API key (sent as X-PAN-KEY header). Used with --auth-type=api-key. If omitted, the key is auto-generated from --username/--password via the keygen API and cached locally. A 401 or 403 response also triggers automatic key regeneration
AUTH_TYPEAuthentication type: api-key (default) or basicapi-key
TIMEOUTHTTP request timeout in seconds30
EXTRA_OPTIONSAny extra option you may want to add to every command (a --verbose flag for example). All options are listed here.
  1. Deploy the configuration. The host appears in the list of hosts, and on the Resources Status page. The command that is sent by the connector is displayed in the details panel of the host: it shows the values of the macros.

Using a service template provided by the connector​

  1. If you have used a host template and checked Create Services linked to the Template too, the services linked to the template have been created automatically, using the corresponding service templates. Otherwise, create manually the services you want and apply a service template to them.
  2. Fill in the macros you want (e.g. to change the thresholds for the alerts). Some macros are mandatory (see the table below).
MacroDescriptionDefault valueMandatory
COMPONENTWhich component to check. Can be: 'psu', 'temperature', 'fan', 'voltage'.*
WARNINGSet warning threshold for 'temperature', 'fan', 'voltage' (syntax: type,regexp,threshold) Example: --warning='temperature,.,50' --warning='fan,.,2500'
CRITICALSet critical threshold for 'temperature', 'fan', 'voltage' (syntax: type,regexp,threshold) Example: --critical='temperature,.,70' --critical='fan,.,1000'
EXTRA_OPTIONSAny extra option you may want to add to the command (a --verbose flag for example). All options are listed here.--verbose
  1. Deploy the configuration. The service appears in the list of services, and on the Resources Status page. The command that is sent by the connector is displayed in the details panel of the service: it shows the values of the macros.

How to check in the CLI that the configuration is OK and what are the main options for?​

Once the plugin is installed, log into your Centreon poller's CLI using the centreon-engine user account (su - centreon-engine). Test that the connector is able to monitor a resource using a command like this one (replace the sample values by yours):

/usr/lib/centreon/plugins/centreon_paloalto_api.pl \
	--plugin=network::paloalto::api::plugin \
	--mode=system \
	--hostname='10.0.0.1' \
	--port='443' \
	--proto='https' \
	--timeout='30' \
	--auth-type='api-key' \
	--api-key='' \
	--username='username' \
	--password='password'  \
	--warning-uptime='' \
	--critical-uptime='' \
	--warning-certificate-status='' \
	--critical-certificate-status='%\{cert\_status\} !~ /Valid/i' \
	--warning-operational-mode='' \
	--critical-operational-mode='' \
	--warning-software-version='' \
	--critical-software-version='' \
	--warning-wildfire-mode='' \
	--critical-wildfire-mode=''

The expected command output is shown below:

OK: uptime: 90973 seconds | 'system.uptime.seconds'=90973s;;;0;

Troubleshooting​

Please find the troubleshooting documentation for the API-based plugins in this chapter.

Available modes​

In most cases, a mode corresponds to a service template. The mode appears in the execution command for the connector. In the Centreon interface, you don't need to specify a mode explicitly: its use is implied when you apply a service template. However, you will need to specify the correct mode for the template if you want to test the execution command for the connector in your terminal.

All available modes can be displayed by adding the --list-mode parameter to the command:

/usr/lib/centreon/plugins/centreon_paloalto_api.pl \
	--plugin=network::paloalto::api::plugin \
	--list-mode

The plugin brings the following modes:

ModeLinked service template
environment [code]Net-PaloAlto-Standard-Environment-Api-custom
ha [code]Net-PaloAlto-Standard-Ha-Api-custom
ipsec [code]Net-PaloAlto-Standard-Ipsec-Api-custom
licenses [code]Net-PaloAlto-Standard-Licenses-Api-custom
system [code]Net-PaloAlto-Standard-System-Api-custom

Available options​

Generic options​

All generic options are listed here:

OptionDescription
--modeDefine the mode in which you want the plugin to be executed (see --list-mode).
--dyn-modeSpecify a mode with the module's path (advanced).
--list-modeList all available modes.
--mode-versionCheck minimal version of mode. If not, unknown error.
--versionReturn the version of the plugin.
--custommodeWhen a plugin offers several ways (CLI, library, etc.) to get information the desired one must be defined with this option.
--list-custommodeList all available custom modes.
--multipleMultiple custom mode objects. This may be required by some specific modes (advanced).
--pass-managerDefine the password manager you want to use. Supported managers are: environment, file, keepass, hashicorpvault and teampass.
--verboseDisplay extended status information (long output).
--debugDisplay debug messages.
--filter-perfdataFilter perfdata that match the regexp. Example: adding --filter-perfdata='avg' will remove all metrics that do not contain 'avg' from performance data.
--filter-perfdata-advFilter perfdata based on a "if" condition using the following variables: label, value, unit, warning, critical, min, max. Variables must be written either %{variable} or %(variable). Example: adding --filter-perfdata-adv='not (%(value) == 0 and %(max) eq "")' will remove all metrics whose value equals 0 and that don't have a maximum value.
--explode-perfdata-maxCreate a new metric for each metric that comes with a maximum limit. The new metric will be named identically with a '_max' suffix. Example: it will split 'used_prct'=26.93%;0:80;0:90;0;100 into 'used_prct'=26.93%;0:80;0:90;0;100 'used_prct_max'=100%;;;;
--change-perfdata --extend-perfdataChange or extend perfdata. Syntax: --extend-perfdata=searchlabel,newlabel,target[,[<new-unit-of-mesure>],[min],[max]] Common examples: onvert storage free perfdata into used: --change-perfdata='free,used,invert()' Convert storage free perfdata into used: --change-perfdata='used,free,invert()' Scale traffic values automatically: --change-perfdata='traffic,,scale(auto)' Scale traffic values in Mbps: --change-perfdata='traffic_in,,scale(Mbps),mbps' Change traffic values in percent: --change-perfdata='traffic_in,,percent()'
--change-perfdataChange or extend perfdata. Syntax: --extend-perfdata=searchlabel,newlabel,target[,[<new-unit-of-mesure>],[min],[max]] Common examples: onvert storage free perfdata into used: --change-perfdata='free,used,invert()' Convert storage free perfdata into used: --change-perfdata='used,free,invert()' Scale traffic values automatically: --change-perfdata='traffic,,scale(auto)' Scale traffic values in Mbps: --change-perfdata='traffic_in,,scale(Mbps),mbps' Change traffic values in percent: --change-perfdata='traffic_in,,percent()'
--extend-perfdataChange or extend perfdata. Syntax: --extend-perfdata=searchlabel,newlabel,target[,[<new-unit-of-mesure>],[min],[max]] Common examples: onvert storage free perfdata into used: --change-perfdata='free,used,invert()' Convert storage free perfdata into used: --change-perfdata='used,free,invert()' Scale traffic values automatically: --change-perfdata='traffic,,scale(auto)' Scale traffic values in Mbps: --change-perfdata='traffic_in,,scale(Mbps),mbps' Change traffic values in percent: --change-perfdata='traffic_in,,percent()'
--extend-perfdata-groupAdd new aggregated metrics (min, max, average or sum) for groups of metrics defined by a regex match on the metrics' names. Syntax: --extend-perfdata-group=regex,<names-of-new-metrics>,calculation[,[<new-unit-of-mesure>],[min],[max]] regex: regular expression <names-of-new-metrics>: how the new metrics' names are composed (can use $1, $2... for groups defined by () in regex). calculation: how the values of the new metrics should be calculated <new-unit-of-mesure> (optional): unit of measure for the new metrics min (optional): lowest value the metrics can reach max (optional): highest value the metrics can reach Common examples: um wrong packets from all interfaces (with interface need --units-errors=absolute): --extend-perfdata-group=',packets_wrong,sum(packets_(discard|error)_(in|out))' Sum traffic by interface: --extend-perfdata-group='traffic_in_(.*),traffic_$1,sum(traffic_(in|out)_$1)'
--change-short-output --change-long-outputModify the short/long output that is returned by the plugin. Syntax: --change-short-output=patternreplacementmodifier Most commonly used modifiers are i (case insensitive) and g (replace all occurrences). Example: adding --change-short-output='OKUpgi' will replace all occurrences of 'OK', 'ok', 'Ok' or 'oK' with 'Up'
--change-short-outputModify the short/long output that is returned by the plugin. Syntax: --change-short-output=patternreplacementmodifier Most commonly used modifiers are i (case insensitive) and g (replace all occurrences). Example: adding --change-short-output='OKUpgi' will replace all occurrences of 'OK', 'ok', 'Ok' or 'oK' with 'Up'
--change-long-outputModify the short/long output that is returned by the plugin. Syntax: --change-short-output=patternreplacementmodifier Most commonly used modifiers are i (case insensitive) and g (replace all occurrences). Example: adding --change-short-output='OKUpgi' will replace all occurrences of 'OK', 'ok', 'Ok' or 'oK' with 'Up'
--change-exitReplace an exit code with one of your choice. Example: adding --change-exit=unknown=critical will result in a CRITICAL state instead of an UNKNOWN state.
--change-output-advReplace short output and exit code based on a "if" condition using the following variables: short_output, exit_code. Variables must be written either %{variable} or %(variable). Example: adding --change-output-adv='%(short_ouput) =~ /UNKNOWN: No daemon/,OK: No daemon,OK' will change the following specific UNKNOWN result to an OK result.
--range-perfdataRewrite the ranges displayed in the perfdata. Accepted values: 0: nothing is changed. 1: if the lower value of the range is equal to 0, it is removed. 2: remove the thresholds from the perfdata.
--filter-uomMask the units when they don't match the given regular expression.
--opt-exitReplace the exit code in case of an execution error (i.e. wrong option provided, SSH connection refused, timeout, etc). Default: unknown.
--output-ignore-perfdataRemove all the metrics from the service. The service will still have a status and an output.
--output-ignore-labelRemove the status label ("OK:", "WARNING:", "UNKNOWN:", CRITICAL:") from the beginning of the output. Example: 'OK: Ram Total:...' will become 'Ram Total:...'
--output-xmlReturn the output in XML format (to send to an XML API).
--output-jsonReturn the output in JSON format (to send to a JSON API).
--output-openmetricsReturn the output in OpenMetrics format (to send to a tool expecting this format).
--output-fileWrite output in file (can be combined with JSON, XML and OpenMetrics options). Example: --output-file=/tmp/output.txt will write the output in /tmp/output.txt.
--disco-formatApplies only to modes beginning with 'list-'. Returns the list of available macros to configure a service discovery rule (formatted in XML).
--disco-showApplies only to modes beginning with 'list-'. Returns the list of discovered objects (formatted in XML) for service discovery.
--float-precisionDefine the float precision for thresholds (default: 8).
--source-encodingDefine the character encoding of the response sent by the monitored resource Default: 'UTF-8'. <output>.
--http-peer-addrSet the address you want to connect to. Useful if hostname is only a vhost, to avoid IP resolution.
--proxyurlProxy URL. Example: http://my.proxy:3128
--proxypacProxy PAC file (can be a URL or a local file).
--insecureAccept insecure SSL connections.
--http-backendPerl library to use for HTTP transactions. Possible values are: lwp (default) and curl.
--memcachedMemcached server to use (only one server).
--redis-serverRedis server to use (only one server). Syntax: address[:port]
--redis-attributeSet Redis Options (--redis-attribute="cnx_timeout=5").
--redis-dbSet Redis database index.
--failback-fileFall back on a local file if Redis connection fails.
--memexpirationTime to keep data in seconds (default: 86400).
--statefile-dirDefine the cache directory (default: '/var/lib/centreon/centplugins').
--statefile-suffixDefine a suffix to customize the statefile name (default: '').
--statefile-concat-cwdIf used with the '--statefile-dir' option, the latter's value will be used as a sub-directory of the current working directory. Useful on Windows when the plugin is compiled, as the file system and permissions are different from Linux.
--statefile-formatDefine the format used to store the cache. Available formats: 'dumper', 'storable', 'json' (default).
--statefile-keyDefine the key to encrypt/decrypt the cache.
--statefile-cipherDefine the cipher algorithm to encrypt the cache (default: 'AES').
--hostnameHostname or IP address of the Palo Alto device.
--portPort used (default: 443).
--protoProtocol to use: http or https (default: https).
--auth-typeAuthentication type: api-key (default) or basic.
--api-keyPAN-OS API key (sent as X-PAN-KEY header). Used with --auth-type=api-key. If omitted, the key is auto-generated from --username/--password via the keygen API and cached locally. A 401 or 403 response also triggers automatic key regeneration.
--usernameUsername. Required with --auth-type=basic. Also used with --auth-type=api-key to auto-generate or regenerate the API key.
--passwordPassword.
--timeoutHTTP request timeout in seconds (default: 30).
--unknown-http-statusThreshold for unknown HTTP status (default: '%{http_code} < 200 or %{http_code} >= 300').
--warning-http-statusThreshold for warning HTTP status.
--critical-http-statusThreshold for critical HTTP status.

Modes options​

All available options for each service template are listed below:

OptionDescription
--componentWhich component to check (default: '.*'). Can be: 'psu', 'temperature', 'fan', 'voltage'.
--filterExclude the items given as a comma-separated list (example: --filter=temperature). You can also exclude items from specific instances: --filter=temperature,Temperature CPLD
--absent-problemReturn an error if a component is not 'present' (default is skipping). It can be set globally or for a specific instance: --absent-problem='component_name' or --absent-problem='component_name,instance_value'.
--no-componentDefine the expected status if no components are found (default: critical).
--threshold-overloadUse this option to override the status returned by the plugin when the status label matches a regular expression (syntax: section,[instance,]status,regexp). Example: --threshold-overload='psu,ok,true'
--warningSet warning threshold for 'temperature', 'fan', 'voltage' (syntax: type,regexp,threshold) Example: --warning='temperature,.,50' --warning='fan,.,2500'
--criticalSet critical threshold for 'temperature', 'fan', 'voltage' (syntax: type,regexp,threshold) Example: --critical='temperature,.,70' --critical='fan,.,1000'
--warning-count-*Define the warning threshold for the number of components of one type (replace '*' with the component type).
--critical-count-*Define the critical threshold for the number of components of one type (replace '*' with the component type).

All available options for a given mode can be displayed by adding the --help parameter to the command:

/usr/lib/centreon/plugins/centreon_paloalto_api.pl \
	--plugin=network::paloalto::api::plugin \
	--mode=system \
	--help