SNMP Counter Monitoring

SNMP Counter Monitoring

23369
Created On 09/26/18 13:44 PM - Last Updated 08/14/20 21:04 PM


Symptom
We rely on global counters to solve many of the problems we see. Customers also have come to rely on global counters to debug some of the issues they might encounter.  In fact, some of our customers have asked us if it is possible to monitor these counters so they know something is going on and they can act on it right away!

Environment
Pre PAN-OS 7.0, this was only possible using the CLI and via scripts that run the 'show counter global' command, then parse the output and look for a certain value.

Resolution

 

 

Since PAN-OS 7.0, we are able to monitor a limited set of these counters via SNMP.  Note that not all of the global counters are available with this feature, that would be too many, but as of PAN-OS 7.0, 56 global counters can be monitored via SNMP.

 

These 56 counters are divided into 4 different categories:

 

  • DoS-related counters
  • IP fragmentation counters
  • TCP state-related counters
  • All relevant packet-drop counters

 

All these counters are covered under the MIB called panGlobalCounters (.1.3.6.1.4.1.25461.2.1.2.1.19).  Also notice the 4 subfolders for each of the categories mentioned above:

2016-06-06_13-43-46.png

panGlobalCounters MIB
Details of the 4 subcategories:

  • panGlobalCountersDOSCounters - DoS-related counters (.1.3.6.1.4.1.25461.2.1.2.1.19.8)

2016-06-06_13-48-23.png
panGlobalCountersDOSCounters MIB

 

Using snmpwalk, you can find all the OIDs related to this category:

 

AMSMACG7EVG8WN:~ kwens$ snmpwalk -v 2c -c public 10.192.16.170 .1.3.6.1.4.1.25461.2.1.2.1.19.8
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.1.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.2.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.3.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.4.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.5.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.6.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.7.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.8.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.9.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.10.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.11.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.12.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.13.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.14.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.15.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.16.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.17.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.18.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.19.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.20.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.21.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.22.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.23.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.24.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.25.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.26.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.27.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.28.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.29.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.30.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.31.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.8.32.0 = Counter64: 0

 

  • panGlobalCountersDropCounters - All relevant packet-drop counters (1.3.6.1.4.1.25461.2.1.2.1.19.9)

2016-06-06_13-49-13.png
panGlobalCountersDropCounters MIB

 

Using snmpwalk, you can find all the OIDs related to this category:

 

AMSMACG7EVG8WN:~ kwens$ snmpwalk -v 2c -c public 10.192.16.170 .1.3.6.1.4.1.25461.2.1.2.1.19.9
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.1.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.2.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.3.0 = Counter64: 2328
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.4.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.5.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.6.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.9.7.0 = Counter64: 0

 

  • panGlobalCountersIPFragmentationCounters - IP fragmentation counters (1.3.6.1.4.1.25461.2.1.2.1.19.10)

2016-06-06_13-49-39.png
panGlobalCountersIPFragmentationCounters MIB

 

Using snmpwalk, you can find all the OIDs related to this category:

 

AMSMACG7EVG8WN:~ kwens$ snmpwalk -v 2c -c public 10.192.16.170 .1.3.6.1.4.1.25461.2.1.2.1.19.10
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.10.1.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.10.2.0 = Counter64: 0

 

  • panGlobalCountersTCPState - TCP state-related counters (1.3.6.1.4.1.25461.2.1.2.1.19.11)

2016-06-06_13-50-14.png
panGlobalCountersTCPState MIB

 

Using snmpwalk, you can find all the OIDs related to this category:

 

AMSMACG7EVG8WN:~ kwens$ snmpwalk -v 2c -c public 10.192.16.170 .1.3.6.1.4.1.25461.2.1.2.1.19.11
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.1.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.2.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.3.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.4.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.5.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.6.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.7.0 = Counter64: 0
SNMPv2-SMI::enterprises.25461.2.1.2.1.19.11.8.0 = Counter64: 0

 

Note that the counters reset every time you restart the dataplane or reboot the device!

 

The same SNMP configuration applies, as always.  The following articles describe how to set up SNMP:

How-to-Verify-SNMP-Functionality

How-to-Configure-SNMPv2-on-the-Palo-Alto-Networks-Firewall

How-to-Configure-Sending-SNMPv3-Traps-on-PAN-OS-5-0-x-and-above

 

Troubleshooting is also done the way it was done before:

 

  • Via snmpd.log
>less mp-log snmpd.log

 

  • Via tcpdump if SNMP is managed through the management interface
> tcpdump snaplen 1500 filter "udp port 161"
Press Ctrl-C to stop capturing
 
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
^C468 packets captured
936 packets received by filter
0 packets dropped by kernel
> view-pcap no-dns-lookup yes hex-ascii yes mgmt-pcap mgmt.pcap 
21:50:08.148539 IP 10.192.7.40.61459 > 10.192.16.170.snmp:  GetNextRequest(34)  .1.3.6.1.4.1.25461.2.1.2.1.19.11
        0x0000:  4560 004d 0ffa 0000 3f11 3df5 0ac0 0728  E`.M....?.=....(
        0x0010:  0ac0 10aa f013 00a1 0039 4897 302f 0201  .........9H.0/..
        0x0020:  0104 0670 7562 6c69 63a1 2202 042a 9727  ...public."..*.'
        0x0030:  1702 0100 0201 0030 1430 1206 0e2b 0601  .......0.0...+..
        0x0040:  0401 81c6 7502 0102 0113 0b05 00         ....u........
21:50:08.153053 IP 10.192.16.170.snmp > 10.192.7.40.61459:  GetResponse(37)  .1.3.6.1.4.1.25461.2.1.2.1.19.11.1.0=0
        0x0000:  4500 0050 0000 4000 4011 0d4c 0ac0 10aa  E..P..@.@..L....
        0x0010:  0ac0 0728 00a1 f013 003c 2d9f 3032 0201  ...(.....<-.02..
        0x0020:  0104 0670 7562 6c69 63a2 2502 042a 9727  ...public.%..*.'
        0x0030:  1702 0100 0201 0030 1730 1506 102b 0601  .......0.0...+..
        0x0040:  0401 81c6 7502 0102 0113 0b01 0046 0100  ....u........F..

 

  • Via packet-diag capture of SNMP through a dataplane port

Getting-Started-Packet-Capture

 

You can download the Enterprise SNMP MIB files here:

 

SNMP MIBS

 

I hope this article has helped you understand this feature.

 

As always, we welcome all feedback, comments and questions in the comment section below.

 

Kim

(KiWi)



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CllvCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language