Update PaloaltoArp documentation
jorund1 authored and lunkwill42 committed Dec 6, 2024
1 parent 15e09d0 commit c5ab32e
Showing 4 changed files with 66 additions and 30 deletions.
31 changes: 31 additions & 0 deletions NOTES.rst
Expand Up @@ -20,6 +20,37 @@ to be able to upgrade to Python 3.11:
* :mod:`django-crispy-forms`
* :mod:`crispy-forms-foundation`


NAV 5.12
========
Deprecation warnings
--------------------
.. warning:: The ``[paloaltoarp]`` section of :file:`ipdevpoll.conf`, used for
configuring HTTP-based ARP fetching from Palo Alto firewalls, is
deprecated and will be ignored in NAV 5.12 and future versions.
HTTP-based ARP fetching from Palo Alto
firewalls *must* now be configured using management profiles,
analogous to configuration of SNMP-based fetching. :ref:`See below
for more details<5.12-new-http-rest-api-management-profile-type>`.

.. _5.12-new-http-rest-api-management-profile-type:
New way to configure fetching of Palo Alto firewall ARP cache data
------------------------------------------------------------------
.. NOTE:: See
:ref:`management profile reference documentation<http-rest-api-management-profile>`
for instructions on how to reconfigure your Palo Alto firewall
devices in NAV 5.12 to enable support for fetching of their
ARP information.

Starting with NAV 5.12, a new ``HTTP API`` management profile type has been
added to NAV for configuring HTTP API specific parameters used in fetching of
ARP information from Palo Alto firewalls running PAN-OS. Currently, this
management profile type is only used to configure Palo Alto firewall devices. If
support for other devices that similarly can be managed using a HTTP API is
added to NAV in future releases, you can expect to be able to configure API
parameters for these devices by using management profiles as well.


NAV 5.11
========

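Review bot: The deprecation warning under "NAV 5.12" says the ``[paloaltoarp]`` section "will be ignored" but never tells operators to delete it, so API tokens that were configured there stay in :file:`ipdevpoll.conf` in plain text after the upgrade even though nothing reads them. Suggest adding a sentence asking operators to move each token into an ``HTTP API`` management profile and then remove the section from the file. "Deprecated" and "will be ignored in NAV 5.12" also read as two different states; if the section stops working in 5.12, say it is no longer supported. Separately, ``.. _5.12-new-http-rest-api-management-profile-type:`` is followed directly by the section title with no blank line, which docutils reports as explicit markup ending without a blank line.
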
3 changes: 3 additions & 0 deletions changelog.d/3147.changed.md
@@ -0,0 +1,3 @@
The ipdevpoll plugin to fetch ARP cache data from a netbox's Palo Alto firewall
API is now configured through a new management profile type assigned to that
netbox.
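
Review bot: The changelog entry does not say that the old ``[paloaltoarp]`` section of ``ipdevpoll.conf`` stops being read, which is the part of this change that requires operator action on upgrade. Suggest a second sentence stating that existing entries there are ignored and must be recreated as management profiles, so that someone reading only the changelog does not silently lose ARP collection from their Palo Alto firewalls.
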
29 changes: 0 additions & 29 deletions doc/reference/ipdevpoll.rst
Expand Up @@ -106,35 +106,6 @@ Section [linkstate]
The value ``any`` will generate alerts for all link state changes, but
**this is not recommended** for performance reasons.

Section [paloaltoarp]
---------------------

This section configures the Palo Alto ARP plugin. Palo Alto firewalls do
support SNMP. They do not, however, support fetching ARP cache data using
SNMP. This plugin enables fetching ARP records from Palo Alto firewalls using
their built-in REST API.

Currently, there is no management profile type for this type of REST APIs, so
credentials to access a Palo Alto firewall's API must be configured in this
section.

If you have a Palo Alto firewall named ``example-fw.example.org``, with an IP
address of ``10.0.42.42`` and a secret API token of
``762e87e0ec051a1c5211a08dd48e7a93720eee63``, you can configure this in this
section by adding::

example-fw.example.org = 762e87e0ec051a1c5211a08dd48e7a93720eee63

Or, alternatively::

10.0.42.42 = 762e87e0ec051a1c5211a08dd48e7a93720eee63


.. warning:: The Palo Alto ARP plugin does not currently verify TLS
certificates when accessing a Palo Alto API. This will be changed
at a later date, but if it worries you, you should not use the
plugin yet.


Job sections
------------
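
Review bot: Removing "Section [paloaltoarp]" outright leaves no trace in the ipdevpoll reference for an operator who still has that section in their config and looks it up here. Suggest keeping a short stub under the same heading that says the section is ignored as of NAV 5.12 and links to ``http-rest-api-management-profile``, where the TLS verification warning that is dropped here now lives.
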
33 changes: 32 additions & 1 deletion doc/reference/management-profiles.rst
Expand Up @@ -86,7 +86,38 @@ Use keys
Alternate port
If access to the switch is not on the default port (22, in the case of the
JunOS driver), put the alternate port here.


.. _`NAPALM`: https://napalm.readthedocs.io/en/latest/
.. _`NETCONF`: https://en.wikipedia.org/wiki/NETCONF

.. _http-rest-api-management-profile:
HTTP APIs
--------------
As of NAV 5.12, HTTP API profiles are used to configure access to
services of the following devices.

`Palo Alto PAN-OS firewalls`_
A HTTP API profile is needed for NAV to access the firewall's ARP information.

.. warning:: The Palo Alto ARP implementation in NAV does not currently verify TLS
certificates when accessing a Palo Alto API. This will be changed
at a later date, but if it worries you, you should not configure
any netboxes to use the Palo Alto Arp service yet.

.. image:: http-rest-api-profile-example.png

If you have a Palo Alto firewall running on a netbox managed by NAV,
with a secret API key of ``762e87e0ec051a1c5211a08dd48e7a93720eee63``,
you can configure NAV to fetch ARP information from this firewall by
creating a new management profile with

* protocol set to ``HTTP API``,

* API key set to ``762e87e0ec051a1c5211a08dd48e7a93720eee63``,

* service set to ``Palo Alto ARP``,

and then add this management profile to the netbox.

.. _`Palo Alto PAN-OS firewalls`: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-panorama-api/pan-os-xml-api-request-types/configuration-api/get-active-configuration/use-xpath-to-get-arp-information
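
Review bot: The TLS warning in the new "HTTP APIs" section says only "if it worries you", without stating the consequence: the API key is sent to a peer whose identity NAV has not checked, so anyone able to intercept the connection between NAV and the firewall can obtain the key. Suggest spelling that out and, if possible, naming the issue that tracks adding verification. The example repeats a realistic-looking 40-character hex key in two places; an obvious placeholder such as ``<your-api-key>`` avoids readers pasting it or scanners flagging it. Minor: "Palo Alto Arp service" should match "Palo Alto ARP" as used in the bullet list, and the ``.. _http-rest-api-management-profile:`` label needs a blank line before the "HTTP APIs" title.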
