Since PAN-OS 7.0, a limited set of the global counters can be monitored via SNMP. Not all of the global counters are available with this feature, as that would be too many, but as of PAN-OS 7.0, 56 global counters can be monitored via SNMP.
These 56 counters are divided into 4 different categories:
DoS-related counters
IP fragmentation counters
TCP state-related counters
All relevant packet-drop counters
All these counters are covered under the MIB called panGlobalCounters (.1.3.6.1.4.1.25461.2.1.2.1.19). Also notice the 4 subfolders for each of the categories mentioned above:
panGlobalCounters MIB
Details of the 4 subcategories:
panGlobalCountersDOSCounters - DoS-related counters (.1.3.6.1.4.1.25461.2.1.2.1.19.8)
panGlobalCountersDOSCounters MIB
Using snmpwalk, you can find all the OIDs related to this category:
AMSMACG7EVG8WN:~ kwens$ snmpwalk -v 2c -c public 10.192.16.170 .1.3.6.1.4.1.25461.2.1.2.1.19.8
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.1.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.2.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.3.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.4.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.5.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.6.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.7.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.8.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.9.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.10.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.11.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.12.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.13.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.14.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.15.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.16.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.17.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.18.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.19.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.20.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.21.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.22.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.23.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.24.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.25.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.26.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.27.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.28.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.29.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.30.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.31.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.32.0 = Counter64: 0
panGlobalCountersDropCounters - All relevant packet-drop counters (1.3.6.1.4.1.25461.2.1.2.1.19.9)
panGlobalCountersDropCounters MIB
Using snmpwalk, you can find all the OIDs related to this category:
AMSMACG7EVG8WN:~ kwens$ snmpwalk -v 2c -c public 10.192.16.170 .1.3.6.1.4.1.25461.2.1.2.1.19.9
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.1.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.2.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.3.0 = Counter64: 2328
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.4.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.5.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.6.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.7.0 = Counter64: 0
panGlobalCountersIPFragmentationCounters - IP fragmentation counters (1.3.6.1.4.1.25461.2.1.2.1.19.10)
panGlobalCountersIPFragmentationCounters MIB
Using snmpwalk, you can find all the OIDs related to this category:
AMSMACG7EVG8WN:~ kwens$ snmpwalk -v 2c -c public 10.192.16.170 .1.3.6.1.4.1.25461.2.1.2.1.19.10
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.10.1.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.10.2.0 = Counter64: 0
panGlobalCountersTCPState - TCP state-related counters (1.3.6.1.4.1.25461.2.1.2.1.19.11)
panGlobalCountersTCPState MIB
Using snmpwalk, you can find all the OIDs related to this category:
AMSMACG7EVG8WN:~ kwens$ snmpwalk -v 2c -c public 10.192.16.170 .1.3.6.1.4.1.25461.2.1.2.1.19.11
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.1.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.2.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.3.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.4.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.5.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.6.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.7.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.8.0 = Counter64: 0
Note that the counters reset every time you restart the dataplane or reboot the device!
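Because the counters restart from zero after a dataplane restart or reboot, a poller has to compare consecutive walks rather than alert on absolute values. The following added example (not part of the original article) parses snmpwalk output for the four subtrees and computes per-counter increases while flagging a suspected reset; the function names and the sample polls are constructed for illustration.

```python
import re

# Subtree numbers under panGlobalCounters (.1.3.6.1.4.1.25461.2.1.2.1.19), from the article.
CATEGORIES = {8: "DoS", 9: "Drop", 10: "IPFragmentation", 11: "TCPState"}
LINE = re.compile(
    r"SNMPv2-SMI::enterprises\.25461\.2\.1\.2\.1\.19\.(\d+)\.(\d+)\.0 = Counter64: (\d+)$"
)

def parse_walk(text):
    """Return {(category, index): value} from snmpwalk output; other lines are skipped."""
    counters = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and int(m.group(1)) in CATEGORIES:
            counters[(CATEGORIES[int(m.group(1))], int(m.group(2)))] = int(m.group(3))
    return counters

def deltas(prev, curr):
    """Return ({key: increase}, reset_suspected) for two consecutive polls."""
    # A Counter64 does not wrap in practice, so a value below the previous poll
    # is read as a dataplane restart or reboot, not as a rollover.
    reset = any(k in curr and curr[k] < v for k, v in prev.items())
    out = {}
    for key, value in curr.items():
        # After a reset the old baseline is meaningless: report the value itself.
        increase = value if reset else value - prev.get(key, 0)
        if increase:
            out[key] = increase
    return out, reset

# Constructed sample polls; only the 2328 reading appears in the article's output.
PREFIX = "SNMPv2-SMI::enterprises.25461.2.1.2.1.19"
POLL_1 = f"{PREFIX}.8.1.0 = Counter64: 0\n{PREFIX}.9.3.0 = Counter64: 2328\n"
POLL_2 = f"{PREFIX}.8.1.0 = Counter64: 15\n{PREFIX}.9.3.0 = Counter64: 2400\n"
POLL_3 = f"{PREFIX}.8.1.0 = Counter64: 0\n{PREFIX}.9.3.0 = Counter64: 12\n"  # after a reboot

if __name__ == "__main__":
    p1, p2, p3 = (parse_walk(p) for p in (POLL_1, POLL_2, POLL_3))
    print(deltas(p1, p2))
    print(deltas(p2, p3))
```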
The same SNMP configuration applies, as always. The following articles describe how to set up SNMP:
How-to-Verify-SNMP-Functionality
How-to-Configure-SNMPv2-on-the-Palo-Alto-Networks-Firewall
How-to-Configure-Sending-SNMPv3-Traps-on-PAN-OS-5-0-x-and-above
Troubleshooting is also done the way it was done before:
> less mp-log snmpd.log
Via tcpdump if SNMP is managed through the management interface
> tcpdump snaplen 1500 filter "udp port 161"
Press Ctrl-C to stop capturing
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
^C468 packets captured
936 packets received by filter
0 packets dropped by kernel
> view-pcap no-dns-lookup yes hex-ascii yes mgmt-pcap mgmt.pcap
21:50:08.148539 IP 10.192.7.40.61459 > 10.192.16.170.snmp: GetNextRequest(34) .1.3.6.1.4.1.25461.2.1.2.1.19.11
0x0000: 4560 004d 0ffa 0000 3f11 3df5 0ac0 0728 E`.M....?.=....(
0x0010: 0ac0 10aa f013 00a1 0039 4897 302f 0201 .........9H.0/..
0x0020: 0104 0670 7562 6c69 63a1 2202 042a 9727 ...public."..*.'
0x0030: 1702 0100 0201 0030 1430 1206 0e2b 0601 .......0.0...+..
0x0040: 0401 81c6 7502 0102 0113 0b05 00 ....u........
21:50:08.153053 IP 10.192.16.170.snmp > 10.192.7.40.61459: GetResponse(37) .1.3.6.1.4.1.25461.2.1.2.1.19.11.1.0=0
0x0000: 4500 0050 0000 4000 4011 0d4c 0ac0 10aa E..P..@.@..L....
0x0010: 0ac0 0728 00a1 f013 003c 2d9f 3032 0201 ...(.....<-.02..
0x0020: 0104 0670 7562 6c69 63a2 2502 042a 9727 ...public.%..*.'
0x0030: 1702 0100 0201 0030 1730 1506 102b 0601 .......0.0...+..
0x0040: 0401 81c6 7502 0102 0113 0b01 0046 0100 ....u........F..
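The request captured above can be decoded by hand to confirm exactly what the poller sent. This added example (not part of the original article) parses the BER encoding of the GetNextRequest bytes from the dump and shows that the SNMPv2c community string travels unencrypted, just as it appears in the hex-ascii column; the function names are illustrative.

```python
PACKET = bytes.fromhex(  # request packet copied from the article's view-pcap output
    "4560 004d 0ffa 0000 3f11 3df5 0ac0 0728 0ac0 10aa f013 00a1 0039 4897 302f 0201 "
    "0104 0670 7562 6c69 63a1 2202 042a 9727 1702 0100 0201 0030 1430 1206 0e2b 0601 "
    "0401 81c6 7502 0102 0113 0b05 00"
)
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse"}

def read_tlv(buf, pos):
    """Read one BER TLV at pos and return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(data):
    """Decode OBJECT IDENTIFIER contents into dotted notation (first arc 0 or 1)."""
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for byte in data[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return "." + ".".join(map(str, arcs))

def decode_snmp(packet):
    """Decode the header and first varbind name of an SNMPv1/v2c message."""
    payload = packet[(packet[0] & 0x0F) * 4 + 8:]  # skip IPv4 (IHL) and UDP headers
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, request_id, pos = read_tlv(pdu, 0)
    pos = read_tlv(pdu, read_tlv(pdu, pos)[2])[2]  # skip error-status, error-index
    _, varbinds, _ = read_tlv(pdu, pos)
    _, oid, _ = read_tlv(read_tlv(varbinds, 0)[1], 0)  # first varbind, then its name
    return {
        "version": {0: "1", 1: "2c"}.get(int.from_bytes(version, "big"), "unknown"),
        "community": community.decode("ascii", "replace"),  # sent unencrypted
        "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
        "request_id": int.from_bytes(request_id, "big"),
        "oid": decode_oid(oid),
    }

print(decode_snmp(PACKET))
```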
Via packet-diag capture of SNMP through a dataplane port
Getting-Started-Packet-Capture
You can download the Enterprise SNMP MIB files here:
SNMP MIBS
I hope this article has helped you understand this feature.
As always, we welcome all feedback, comments and questions in the comment section below.
Kim
(KiWi)