Palo Alto Firewall (Version 10)
The purpose of this document is to detail the installation and configuration of a Lantronix Local Manager (LM) to manage and facilitate remote connectivity, back up configurations, and monitor system resources of a Palo Alto firewall.
Features
Supports Palo Alto firewalls running PAN-OS version 10.0.1 with Lantronix Local Managers and enables:
- Remote access to the Palo Alto’s web interface
- Backup and restoration of the Palo Alto’s configuration
- Monitoring the Palo Alto for
  - High Availability status errors
  - Active sessions
  - Interface errors
  - Disk, CPU and memory utilization
- Automatic collection of the Palo Alto’s
  - Hostname
  - Model
  - OS version
  - Serial number
  - Management IP
Further automation can be achieved using the Lantronix Rules and Rulesets. Contact your FAE or Level Support for assistance.
Physical Connection
Connect a free serial port on the Local Manager to the Palo Alto's RS-232 console management port with a standard Cat-5 cable.
If no serial port is available, such as with a virtual Palo Alto, the Local Manager’s Virtual Port feature can be used to connect to the Palo Alto via SSH.
Recommended Configuration
For proactive monitoring of the Palo Alto's status, and to ensure the availability of backup configurations, it is recommended that:
- the Local Manager serial port connected to the Palo Alto is configured via the config init command.
- automatic backup of the configuration is scheduled.
- the below listed rules are scheduled in a chassis monitor.
Preparing the Palo Alto
To set the Palo Alto’s CLI parameters, terminal into the Palo Alto and run the following commands:
- set cli terminal height 500
- set cli terminal width 500
- set cli scripting-mode on
Configuring the Port
To configure the Local Manager for connection to a Palo Alto firewall, navigate to the port that the Palo Alto is connected to, run the command config init, and follow the prompts as below (substituting your Palo Alto's IP address for 203.0.113.16, and entering user credentials with console access to the Palo Alto):
[admin@LantronixLM (port1/4)]# config init
--- Enter New Values ---
description: Palo Alto firewall
make [native]: enhanced
management IP: 203.0.113.16
Configure dedicated ethernet port? (y/n) [n]:
command prompt [[#>]]:
login prompt [(?<![lL]ast\s)(?<![sS]uccessful\s)(?:[lL]ogin|[uU]sername):\s]:
password prompt [ssword:\s]: Password:\s
logout command [exit\r]:
wakeup command [\r]:
console username []: admin
console password []: ********
confirm password []: ********
Serial Bit Rate [9600]:
Serial Data Bit [8]:
Serial Parity [none]:
Serial Stop Bit [1]:
Serial Flow Control [none]:
Do you want to commit these changes? (y/n): y
Testing login will take a few moments...
Login successful; credentials are valid.
Scheduling default jobs
Testing job rulesMonitor
Job rulesMonitor was successful
Job rulesMonitor was scheduled
Troubleshooting - If the login test fails, use the show buffer command to examine the record of the interactions on the console port, or use terminal shadow in another SSH session to watch the interactions as they happen. Verify that the credentials work by using terminal to connect to the console and entering them manually.
The default console settings for the Palo Alto firewall are 9600 bit rate, 8 serial data bit, no serial parity, serial stop bit 1, and no flow control.
Connecting to the Palo Alto's Web Interface
Protocol Forwarding
The Lantronix Local Manager can facilitate connections to the Palo Alto’s web interface using the Protocol Forwarding feature.
First, make sure the port’s Management IP is set using show info and config info.
Then run config protocol forward on the port the Palo Alto is connected to and add an entry as below:
[admin@LantronixLM (port1/4)]# config protocol forward
[forward]# management 443 https
[forward]# exit
Users may now connect to the web interface through an SSH tunnel using the port forwarding feature. In the Lantronix Terminal App, click Terminal and then Forward.
Clicking the button with the Palo Alto’s IP address will now open the default web browser and connect to the tunnel.
The Apply button allows a user to specify which local TCP port to use. Otherwise a random available local TCP port will be selected.
Managing Configurations
Back up Configuration
The Lantronix Local Manager can save up to twenty backup images on its file system for use in restoring a configuration or pushing a configuration to a new Palo Alto. The file can be transferred to the LM via TFTP or SCP.
To save the Palo Alto's configuration to the LM, navigate to the port that the Palo Alto is connected to and run either of the following commands:
pull sftp -file running-config.xml "scp export configuration from running-config.xml to ${user}@${ip}:${path}" running-config current
pull tftp "tftp export configuration to ${ip} from running-config.xml" running-config.xml running-config current
Example:
[admin@LantronixLM]# port 1/4
Palo Alto firewall
[admin@LantronixLM (port1/4)]# pull tftp "tftp export configuration to ${ip} from running-config.xml" running-config.xml running-config current
These files can also be transferred manually during a terminal session by pressing ~f, ~g, or ~t to activate the Local Manager’s file servers.
Automatic Configuration Backup
To configure the Local Manager to back up the running-config of a Palo Alto firewall every three hours, use one of the following commands:
config schedule pullSftp "scp export configuration from running-config.xml to ${user}@${ip}:${path}" running-config current -d 10800
config schedule pullTftp "tftp export configuration to ${ip} from running-config.xml" running-config.xml running-config current -d 10800
Restore Configuration
There are multiple steps to restore a backup configuration to a Palo Alto firewall. The file may be transferred via SCP or TFTP.
First, navigate to the port the Palo Alto is connected to and stage the file to be restored as a candidate configuration:
Next, run one of the following commands:
push sftp -file running-config.xml "scp import configuration ${user}@${ip}:${path} \r configure \r load config from running-config.xml \r commit \r exit" running-config candidate
push tftp "tftp import configuration ${ip}/running-config.xml \r configure \r load config from running-config.xml \r commit \r exit" running-config.xml running-config candidate
Upon entering one of those commands, the LM will connect to the Palo Alto's CLI, transfer the candidate configuration, and apply the configuration.
These files can also be transferred manually during a terminal session by pressing ~f, ~g, or ~t to activate the Local Manager’s file servers.
Monitoring Palo Alto Status
Palo Alto Device Info Ruleset
The Lantronix LM can be configured to collect the following information from the Palo Alto’s console CLI using the PaloAltoDeviceInfo Rule Set:
- Hostname
- Model
- OS Version
- Serial Number
- Management IP
The information gathered is searchable in the Control Center and is displayed on the device detail page, and is also available on the LM CLI at the port level with the show info command.
To load the PaloAltoDeviceInfo Rules and Ruleset into an LM, copy and paste the below rules into the LM at the system level. Once loaded into one LM, the Rules and Rulesets can be Promoted to the rest of the LMs in the Control Center.
Note
Rules may need to be copied into a text editor to remove line breaks from the longer actions.
config rule no PaloAltoHostname
config rule PaloAltoHostname
action execute -pattern "hostname:\s(.+)" -command "set cli scripting-mode on\r show system info | match hostname\r " -raw -multiline -setValue monitor PaloAltoHostname $1
action setDevice monitor PaloAltoHostname hostname
conditions
true
exit
exit
config rule no PaloAltoSerialNumber
config rule PaloAltoSerialNumber
action execute -pattern "serial:\s(.+)" -command "set cli scripting-mode on\r show system info | match serial\r" -raw -multiline -setValue monitor PaloAltoSerialNumber $1
action setDevice monitor PaloAltoSerialNumber serialNumber
conditions
true
exit
exit
config rule no PaloAltoVersion
config rule PaloAltoVersion
action execute -pattern "sw-version:\s(.+)" -command "set cli scripting-mode on\r show system info | match version\r" -raw -multiline -setValue monitor PaloAltoVersion $1
action setDevice monitor PaloAltoVersion osVersion
conditions
true
exit
exit
config rule no PaloAltoManagementIP
config rule PaloAltoManagementIP
action execute -pattern "ip-address:\s(.+)" -command "show system info | match ip-address\r" -multiline -raw -setValue monitor PaloAltoManagementIP $1
action setDevice monitor PaloAltoManagementIP managementIp
conditions
true
exit
exit
To create a ruleset to contain the above rules, paste the following into the LM CLI at the system level:
config no ruleset PaloAltoDeviceInfo
config ruleset PaloAltoDeviceInfo
rules
PaloAltoHostname | PaloAltoSerialNumber | PaloAltoModel | PaloAltoVersion | PaloAltoManagementIP
exit
exit
To schedule the PaloAltoDeviceInfo Rules on a local manager, run the below command:
The Rulesets can be combined using another ruleset, or by using the | (pipe) character between Rulesets. For example, this command combines all the Rulesets in this document:
config monitor chassis PaloAltoHACheck | PaloAltoChassisRules | PaloAltoActiveSessions | PaloAltoDeviceInfo | PaloAltoInterfaceMonitors
This command creates a Ruleset that includes all the Rulesets in this document:
config ruleset no PaloAltoRules
config ruleset PaloAltoRules
rules
PaloAltoHACheck | PaloAltoChassisRules | PaloAltoActiveSessions | PaloAltoDeviceInfo | PaloAltoInterfaceMonitors
exit
exit
To schedule that Ruleset of Rulesets on a port with a Palo Alto, run:
Palo Alto High Availability Check Ruleset
The Lantronix LM can be configured to monitor a managed Palo Alto’s High Availability (HA) status using the PaloAltoHACheck Ruleset. The LM checks the HA state reported by the Palo Alto and triggers an alarm in the LM when that state is anything other than active or passive. The Ruleset also logs when a Palo Alto changes from active to passive or from passive to active.
To load the PaloAltoHACheck Ruleset on the LM, copy and paste the following into the LM at the system level:
config rule no PaloAltoHACheck001
config rule PaloAltoHACheck001
action setValue monitor haStage active
conditions
NOT has-value monitor haStage AND
compare-value monitor haState = active
exit
exit
config rule no PaloAltoHACheck002
config rule PaloAltoHACheck002
action setValue monitor haStage passive
conditions
NOT has-value monitor haStage AND
compare-value monitor haState = passive
exit
exit
config rule no PaloAltoHACheck0
config rule PaloAltoHACheck0
action execute -pattern "(active|passive|suspended|non-functional|not)" -command "set cli scripting-mode on\r show high-availability state\r" -raw -setValue monitor haState $1
conditions
true
exit
exit
config rule no PaloAltoHACheck1
config rule PaloAltoHACheck1
action writeStatus HA-ACTIVE
conditions
compare-value monitor haState = active
exit
exit
config rule no PaloAltoHACheck2
config rule PaloAltoHACheck2
action writeStatus HA-PASSIVE
conditions
compare-value monitor haState = passive
exit
exit
config rule no PaloAltoHACheck3
config rule PaloAltoHACheck3
action alarm GENERIC -a "HA suspended"
action writeStatus HA-SUSPENDED
conditions
compare-value monitor haState = suspended
exit
exit
config rule no PaloAltoHACheck4
config rule PaloAltoHACheck4
action alarm GENERIC -a "Palo Alto shows NON-FUNCTIONAL status"
action writeStatus NON-FUNCTIONAL
conditions
compare-value monitor haState = non-functional
exit
exit
config rule no PaloAltoHACheck5
config rule PaloAltoHACheck5
action alarm GENERIC -a "Palo Alto HA not enabled"
action writeStatus HA NOT ENABLED
conditions
compare-value monitor haState = not
exit
exit
config rule no PaloAltoHACheck6
config rule PaloAltoHACheck6
action setValue monitor haStage passive
action alarm GENERIC -a "HA changed to passive"
conditions
compare-value monitor haState = passive AND
compare-value monitor haStage = active
exit
exit
config rule no PaloAltoHACheck7
config rule PaloAltoHACheck7
action setValue monitor haStage active
action alarm GENERIC -a "HA changed to active"
action event GENERIC -a "HA changed to active"
conditions
compare-value monitor haState = active AND
compare-value monitor haStage = passive
exit
exit
To create a Ruleset with the above rules, use the following commands:
config no ruleset PaloAltoHACheck
config ruleset PaloAltoHACheck
rules
PaloAltoHACheck001 | PaloAltoHACheck002 | PaloAltoHACheck0 | PaloAltoHACheck1 | PaloAltoHACheck2 | PaloAltoHACheck3 | PaloAltoHACheck4 | PaloAltoHACheck5 | PaloAltoHACheck6 | PaloAltoHACheck7
exit
exit
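To check how the HA rules behave across successive scheduled runs, here is an added Python reimplementation of the rule logic (not Lantronix code; Python's re stands in for the LM's pattern engine, and the rules are assumed to run sequentially in ruleset order, sharing monitor values within one pass), replayed over constructed poll results:

```python
import re

# Word list from the PaloAltoHACheck0 -pattern on the page.
HA_PATTERN = re.compile(r"(active|passive|suspended|non-functional|not)")


def run_ha_ruleset(monitor: dict, ha_output: str) -> list:
    """One scheduled pass over the PaloAltoHACheck rules, in ruleset order.

    `monitor` stands in for the LM's per-port monitor values (haState,
    haStage) and persists between passes. Returns the alarm texts raised.
    Assumption: rules see each other's setValue results within a pass.
    """
    alarms = []
    # PaloAltoHACheck001/002: seed haStage from the previously captured
    # haState, only while haStage is still unset.
    if "haStage" not in monitor and monitor.get("haState") in ("active", "passive"):
        monitor["haStage"] = monitor["haState"]
    # PaloAltoHACheck0: capture the state word from 'show high-availability state'.
    m = HA_PATTERN.search(ha_output)
    if m:
        monitor["haState"] = m.group(1)
    state = monitor.get("haState")
    # PaloAltoHACheck3/4/5: anything other than active or passive is an alarm.
    if state == "suspended":
        alarms.append("HA suspended")
    elif state == "non-functional":
        alarms.append("Palo Alto shows NON-FUNCTIONAL status")
    elif state == "not":
        alarms.append("Palo Alto HA not enabled")
    # PaloAltoHACheck6/7: a role change relative to the remembered haStage.
    if state == "passive" and monitor.get("haStage") == "active":
        monitor["haStage"] = "passive"
        alarms.append("HA changed to passive")
    elif state == "active" and monitor.get("haStage") == "passive":
        monitor["haStage"] = "active"
        alarms.append("HA changed to active")
    return alarms


def replay(outputs) -> list:
    """Feed a sequence of constructed command outputs through the rules."""
    monitor = {}
    return [run_ha_ruleset(monitor, out) for out in outputs]


if __name__ == "__main__":
    # Constructed outputs: two active polls, a failover, a failback, a suspend.
    polls = ["State: active"] * 2 + ["State: passive", "State: active", "State: suspended"]
    for out, raised in zip(polls, replay(polls)):
        print(f"{out!r:22} -> {raised}")
```

Note that haStage is only seeded on the second pass (the seeding rules run before the capture rule), so a role change seen on the very first poll after the ruleset is scheduled does not raise a change alarm.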
Palo Alto Active Sessions Ruleset
The Lantronix LM can be configured to monitor a managed Palo Alto’s active sessions using the PaloAltoActiveSessions Ruleset. Active sessions below a user-defined threshold will trigger an alarm in the LM.
The below rules create an alarm when the Palo Alto reports no active sessions (as the sample condition in PaloAltoActiveSessions1 is written, 10 or fewer). Modify the conditions and alarms in the below rules to appropriate values as needed.
To load the PaloAltoActiveSessions Ruleset on the LM, copy and paste the following into the LM at the system level:
config rule no PaloAltoActiveSessions0
config rule PaloAltoActiveSessions0
description a rule to check for active sessions on a Palo Alto FW
action execute -pattern "(\d+)" -multiline -command "show session info | match allocated" -setValue monitor PASessionResponse $1
conditions
true
exit
exit
config rule no PaloAltoActiveSessions1
config rule PaloAltoActiveSessions1
action alarm GENERIC -a "No Active Sessions"
action writeStatus NO SESSIONS
conditions
compare-value monitor PASessionResponse <= 10
exit
exit
To configure a ruleset with the above rules, paste the following into the LM CLI:
config ruleset no PaloAltoActiveSessions
config ruleset PaloAltoActiveSessions
description A ruleset to check a Palo Alto for active sessions and alarm if they are below a user-defined threshold
rules
PaloAltoActiveSessions0 | PaloAltoActiveSessions1
exit
exit
Palo Alto Chassis Status Ruleset
The Lantronix LM can be configured to monitor the status of a managed Palo Alto using the PaloAltoChassisRules rule set. The LM will check the Palo Alto for high CPU, memory, and disk usage. High system resource usage will trigger an alarm in the LM.
Modify the conditions and alarms in the below rules to appropriate values as needed.
To load the PaloAltoChassisRules Ruleset on the LM, copy and paste the following into the LM at the system level:
config rule no PaloAltoCPUCheck0
config rule PaloAltoCPUCheck0
action execute -pattern "(\d?\d\.\d?)%id" -command "set cli scripting-mode on\rshow system resources\r" -raw -multiline -setValue monitor CPUidle $1
conditions
true
exit
exit
config rule no PaloAltoCPUCheck1
config rule PaloAltoCPUCheck1
description a rule to send an alarm when CPU idle is below a certain number - adjust target as appropriate
action alarm GENERIC -a "CPU usage above 80%"
conditions
compare-value monitor CPUidle <= 20
exit
exit
config rule no PaloAltoMemoryCheck0
config rule PaloAltoMemoryCheck0
action execute -pattern "(\d*)k free" -command "set cli scripting-mode on\rshow system resources\r" -raw -multiline -setValue monitor MemoryFree $1
conditions
true
exit
exit
config rule no PaloAltoMemoryCheck1
config rule PaloAltoMemoryCheck1
description a rule to send an alarm when free memory is below a certain number - adjust target as appropriate
action alarm GENERIC -a "free memory below 100000"
conditions
compare-value monitor MemoryFree <= 100000
exit
exit
config rule no PaloAltoDiskCheck0
config rule PaloAltoDiskCheck0
action execute -pattern "(\d?\d?\d)%" -command "show system disk-space" -setValue monitor disk1usage $1 -setValue monitor disk2usage $2 -setValue monitor disk3usage $3 -setValue monitor disk4usage $4 -setValue monitor disk5usage $5
conditions
true
exit
exit
config rule no PaloAltoDiskCheck1
config rule PaloAltoDiskCheck1
description a rule to send an alarm when disk usage is above a certain number - adjust target percentage as appropriate
action alarm GENERIC -a "disk usage over 80%"
action writeStatus DISK USAGE HIGH
conditions
compare-value monitor disk1usage >= 80 OR
compare-value monitor disk2usage >= 80 OR
compare-value monitor disk3usage >= 80 OR
compare-value monitor disk4usage >= 80 OR
compare-value monitor disk5usage >= 80
exit
exit
config ruleset no PaloAltoChassisRules
config ruleset PaloAltoChassisRules
rules
PaloAltoCPUCheck0 | PaloAltoCPUCheck1 | PaloAltoMemoryCheck0 | PaloAltoMemoryCheck1 | PaloAltoDiskCheck0 | PaloAltoDiskCheck1
exit
exit
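The monitors above (and the device-info rules earlier) only work if their regular expressions capture what the thresholds expect. The following added Python script (not part of the page or of Lantronix's software; Python's re stands in for the LM's pattern engine) applies the page's hostname, CPU-idle and free-memory patterns to constructed PAN-OS output, shows that the CPU pattern mis-captures a fully idle CPU as 00.0 and so raises a false "CPU usage above 80%" alarm, and checks a hardened alternative pattern beside it:

```python
import re
from typing import Optional

# Constructed sample output shaped like the PAN-OS commands the rules run
# (illustrative values, not captured from a real firewall).
SYSTEM_INFO = "hostname: fw-edge-01\nip-address: 203.0.113.16\nsw-version: 10.0.1\n"
IDLE_RESOURCES = (
    "Cpu(s):  0.0%us,  0.0%sy,  0.0%ni,100.0%id,  0.0%wa,  0.0%hi,  0.0%si\n"
    "Mem:   4038236k total,  3120480k used,   917756k free,   120344k buffers\n"
)
BUSY_RESOURCES = (
    "Cpu(s): 88.4%us,  3.7%sy,  0.0%ni,  7.9%id,  0.0%wa,  0.0%hi,  0.0%si\n"
    "Mem:   4038236k total,  3955120k used,    83116k free,    10344k buffers\n"
)

# Patterns exactly as the page's rules write them.
PAGE_HOSTNAME = r"hostname:\s(.+)"
PAGE_CPU_IDLE = r"(\d?\d\.\d?)%id"
PAGE_MEM_FREE = r"(\d*)k free"
# Hardened CPU pattern (an assumption, not from the page): allow 1-3 integer
# digits so a fully idle CPU (100.0%id) is captured as 100.0, not 00.0.
FIXED_CPU_IDLE = r"(\d{1,3}\.\d+)%id"


def extract(pattern: str, text: str) -> Optional[str]:
    """Stand-in for the rule's -pattern capture: group 1 of the first match."""
    m = re.search(pattern, text)
    return m.group(1) if m else None


def cpu_alarm(pattern: str, text: str) -> bool:
    """PaloAltoCPUCheck1 as written: alarm when the captured idle value is <= 20."""
    value = extract(pattern, text)
    return value is not None and float(value) <= 20


def memory_alarm(text: str) -> bool:
    """PaloAltoMemoryCheck1 as written: alarm when free memory (kB) is <= 100000."""
    value = extract(PAGE_MEM_FREE, text)
    return value is not None and int(value) <= 100000


if __name__ == "__main__":
    print("hostname:", extract(PAGE_HOSTNAME, SYSTEM_INFO))
    for label, text in (("idle", IDLE_RESOURCES), ("busy", BUSY_RESOURCES)):
        print(label, "page capture:", extract(PAGE_CPU_IDLE, text),
              "alarm:", cpu_alarm(PAGE_CPU_IDLE, text))
        print(label, "fixed capture:", extract(FIXED_CPU_IDLE, text),
              "alarm:", cpu_alarm(FIXED_CPU_IDLE, text))
        print(label, "memory alarm:", memory_alarm(text))
```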
To configure the Lantronix LM to use the PaloAltoChassisRules rule set to monitor a Palo Alto firewall, navigate to the port that the Palo Alto is connected to and run the following command: