Configuring SNMPv3 on Palo Alto
SNMP is very useful for network engineers who run Network Management Systems such as PRTG and SolarWinds, and it is practically a must-have once we manage hundreds or thousands of devices. SNMP v3 adds authentication and encryption, so it is more secure than v2. SNMP v2 and v3 also have views, which narrow what a poller can reach instead of exposing every OID. With views, we specify which OIDs are reachable by using include or exclude entries.
Let's say we have an inventory system that needs to poll our devices but should be able to read only a few OIDs. This is exactly what an SNMP view is for. Note that on Palo Alto firewalls we must use SNMP v3 in order to use views.
For Palo Alto firewalls, here are some OIDs with their usage:
1.3.6.1.2.1.31.1.1.1.1 # interface names
1.3.6.1.2.1.31.1.1.1.18 # interface aliases
1.3.6.1.2.1.2.2.1.8 # interface statuses
1.3.6.1.2.1.1 # device brand and model info
1.3.6.1.2.1.47.1.1.1 # hardware info and serial numbers
On the Palo Alto SNMP Views page, we enter the OIDs above in the appropriate columns and, in this case, choose the include option. There is also a mask column. Here is a page about the SNMP v3 mask. As explained there, we write one binary "1" for every number in the dotted OID and convert the resulting binary value to hexadecimal (for example, the 11-number OID 1.3.6.1.2.1.31.1.1.1.1 gives 11 ones, which is 0x7FF).
After defining the SNMP view, we create a user associated with the view. The user definition also needs encryption and authentication parameters. We have two users for our environment, as you see below.
The SNMP v3 definitions are ready, but there is one more setting under the Interface settings.
As you see above, we reach the device through the management IP address, so we need to permit our IP address to access the SNMP service.
The complete CLI set configuration is as follows:
set deviceconfig system snmp-setting access-setting version v3 views OUR_VIEW view interface_name oid 1.3.6.1.2.1.31.1.1.1.1
set deviceconfig system snmp-setting access-setting version v3 views OUR_VIEW view interface_name option include
set deviceconfig system snmp-setting access-setting version v3 views OUR_VIEW view interface_name mask 0x7FF
set deviceconfig system snmp-setting access-setting version v3 views OUR_VIEW view interface_alias oid 1.3.6.1.2.1.31.1.1.1.18
set deviceconfig system snmp-setting access-setting version v3 views OUR_VIEW view interface_alias option include
set deviceconfig system snmp-setting access-setting version v3 views OUR_VIEW view interface_alias mask 0x7FF
set deviceconfig system snmp-setting access-setting version v3 views OUR_VIEW view interface_status oid 1.3.6.1.2.1.2.2.1.8
set deviceconfig system snmp-setting access-setting version v3 views OUR_VIEW view interface_status option include
set deviceconfig system snmp-setting access-setting version v3 views OUR_VIEW view interface_status mask 0x3FF
set deviceconfig system snmp-setting access-setting version v3 views OUR_VIEW view device_info oid 1.3.6.1.2.1.1
set deviceconfig system snmp-setting access-setting version v3 views OUR_VIEW view device_info option include
set deviceconfig system snmp-setting access-setting version v3 views OUR_VIEW view device_info mask 0x7F
set deviceconfig system snmp-setting access-setting version v3 views OUR_VIEW view hardware_info oid 1.3.6.1.2.1.47.1.1.1
set deviceconfig system snmp-setting access-setting version v3 views OUR_VIEW view hardware_info option include
set deviceconfig system snmp-setting access-setting version v3 views OUR_VIEW view hardware_info mask 0x3FF
set deviceconfig system snmp-setting access-setting version v3 users OUR_USER authpwd -AQ==iY+S6Wf/1234567890wOZueB9+w==
set deviceconfig system snmp-setting access-setting version v3 users OUR_USER privpwd -AQ==iY+S6Wf/1234567890wOZueB9+w==
set deviceconfig system snmp-setting access-setting version v3 users OUR_USER view OUR_VIEW
set deviceconfig system snmp-setting access-setting version v3 users OUR_USER authproto SHA
set deviceconfig system snmp-setting access-setting version v3 users OUR_USER privproto AES
set deviceconfig system permitted-ip 10.14.14.10/32 description OUR_IP
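The following Python example is added here and is not part of the original post or of PAN-OS. It does two things with the view entries above: it derives the mask value with the rule described earlier (one binary 1 per number in the dotted OID, rendered as hexadecimal), and it evaluates whether a polled OID falls inside the view, so you can check what a restricted poller like the inventory system will actually be allowed to read. The subtree-matching model is an assumption: it follows the standard RFC 3415 VACM rule (a set mask bit means that sub-identifier must match; the longest matching entry wins; exclude entries deny). The view entries are copied from the CLI configuration above; the test OIDs (sysName, ifOperStatus, ifInOctets) are constructed inputs.

```python
# Added example (not from the original post or PAN-OS): SNMPv3 view mask derivation
# and view evaluation for the OUR_VIEW entries shown in the CLI configuration.
from typing import Iterable, List, Optional, Tuple

def oid_to_ints(oid: str) -> List[int]:
    """Parse a dotted OID such as '1.3.6.1.2.1.1' into its sub-identifiers."""
    parts = oid.strip().strip(".").split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"not a valid dotted OID: {oid!r}")
    return [int(p) for p in parts]

def view_mask(oid: str) -> str:
    """Mask rule from the post: one '1' bit per sub-identifier, then hexadecimal.
    Eleven sub-identifiers -> 0b11111111111 -> '0x7FF'."""
    n = len(oid_to_ints(oid))
    return f"0x{(1 << n) - 1:X}"

def in_subtree(queried: str, subtree: str, mask: str) -> bool:
    """VACM-style family match (assumption: PAN-OS follows the RFC 3415 model).
    The leftmost sub-identifier of the subtree corresponds to the highest mask bit;
    a set bit means the queried OID must equal the subtree at that position."""
    q = oid_to_ints(queried)
    s = oid_to_ints(subtree)
    if len(q) < len(s):            # a shorter OID can never be under the subtree
        return False
    m = int(mask, 16)
    for i, sub in enumerate(s):
        bit = 1 << (len(s) - 1 - i)
        if m & bit and q[i] != sub:
            return False
    return True

def allowed_by_view(queried: str, view: Iterable[Tuple[str, str, str]]) -> bool:
    """Evaluate a view built from (oid, option, mask) entries as on the Views page.
    The most specific (deepest) matching entry decides; only 'include' permits."""
    best: Optional[Tuple[int, str]] = None
    for oid, option, mask in view:
        if in_subtree(queried, oid, mask):
            depth = len(oid_to_ints(oid))
            if best is None or depth > best[0]:
                best = (depth, option)
    return best is not None and best[1] == "include"

# The view from the CLI configuration above (oid, option, mask).
OUR_VIEW = [
    ("1.3.6.1.2.1.31.1.1.1.1",  "include", "0x7FF"),  # interface names
    ("1.3.6.1.2.1.31.1.1.1.18", "include", "0x7FF"),  # interface aliases
    ("1.3.6.1.2.1.2.2.1.8",     "include", "0x3FF"),  # interface statuses
    ("1.3.6.1.2.1.1",           "include", "0x7F"),   # device brand and model info
    ("1.3.6.1.2.1.47.1.1.1",    "include", "0x3FF"),  # hardware info and serials
]

def masks_match_config(view: Iterable[Tuple[str, str, str]]) -> bool:
    """Confirm every configured mask equals the value the rule derives."""
    return all(view_mask(oid) == mask for oid, _, mask in view)

if __name__ == "__main__":
    for oid, _, mask in OUR_VIEW:
        print(f"{oid:<26} configured {mask:<6} derived {view_mask(oid)}")
    # Constructed polling targets: sysName.0, ifOperStatus.1, ifInOctets.1
    for probe in ("1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.2.2.1.8.1", "1.3.6.1.2.1.2.2.1.10.1"):
        print(f"{probe:<26} allowed={allowed_by_view(probe, OUR_VIEW)}")
```

Run it as-is to see that the five masks in the configuration agree with the derivation rule, that sysName and ifOperStatus are readable through OUR_VIEW, and that an interface counter such as ifInOctets is refused; adding an exclude entry deeper than an include entry lets you carve a sub-branch back out of an included subtree.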
How to create an SNMP V3 mask for Palo Alto Networks OID
How to configure SNMPv3 on the Palo Alto Networks firewall
List of some useful SNMP OIDs to monitor Palo Alto Networks firewalls