Palo Alto
Introduction
InfraSonar monitors Palo Alto firewalls using the REST API.
Also available as probe
We also offer a probe to monitor Palo Alto firewalls; this allows you to monitor firewalls using your own InfraSonar appliance.
Features
Configuration
When the GlobalProtect Portal or Gateway is enabled, the probe needs to use TCP port 4443 instead of 443. You can toggle this behavior when configuring the service.
IPv4 addresses
Ensure you authorize the IPv4 addresses we use for our services.
Credentials
The Palo Alto REST API uses a key, which can be generated for a user.
Don't use an admin account
We strongly recommend creating a read-only account specifically for monitoring.
Get your API key
To generate an API key, make a GET or POST request to the firewall’s hostname or IP address using the administrative credentials and type=keygen:
curl -k -X GET 'https://<firewall>/api/?type=keygen&user=<username>&password=<password>'
Ensure to change:
- <firewall> with your firewall IP or FQDN
- <username> with the username of your read-only monitoring user
- <password> with the password of your read-only monitoring user
A successful API call returns status="success" along with the API key within the key element:
<response status="success">
<result>
<key>Your_secret_key_is_here</key>
</result>
</response>
You can test your API key using the following command:
curl -k 'https://<firewall>/api/?type=op&cmd=<show><system><info></info></system></show>&key=<apikey>'
Ensure to change:
- <firewall> with your firewall IP or FQDN
- <apikey> with the previously generated API key
Revoke API keys
You can revoke all currently valid API keys in the event one or more keys are compromised. To change an API key associated with an administrator account, change the password associated with that account. API keys that were generated before you expired all keys, or a key that was created using the previous credentials, will no longer be valid.
Configure API Key Lifetime
An optional step is to configure the API Key Lifetime.
Be aware though that monitoring fails when the API key is expired!
Service configuration
- Add the paloaltosvc service on your asset
- Open the paloaltosvc configuration tab
- Enter the address and API key
- The API key is encrypted before it is sent to the InfraSonar backend
- Click save
Known issues
XML API Issue With Passwords Containing Special Characters
Passwords containing special characters can cause problems retrieving the API key.
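The following is an added example, not InfraSonar or Palo Alto code. It illustrates both the "Get your API key" steps and the special-character issue above: it uses the POST form of the keygen call with percent-encoded credentials in the request body, so characters such as & or # cannot split the password parameter, and it checks status before reading the key element. The function names, the host and user placeholders, and the shape of the error reply are assumptions.

```python
"""Added example: build a keygen POST and parse the reply (standard library only)."""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_keygen_request(firewall: str, username: str, password: str) -> urllib.request.Request:
    """Return a POST request for type=keygen with the credentials in the form body.

    urlencode() percent-encodes characters such as & # + % that would otherwise
    split or alter the password parameter; the body also keeps the password
    out of the request URL.
    """
    body = urllib.parse.urlencode({"user": username, "password": password}).encode("ascii")
    return urllib.request.Request(
        f"https://{firewall}/api/?type=keygen", data=body, method="POST"
    )


def parse_keygen_response(xml_text: str) -> str:
    """Return the API key, or raise ValueError when status is not "success"."""
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("status") != "success":
        msg = root.findtext("./result/msg") or root.findtext(".//msg") or "no message"
        raise ValueError(f"keygen failed: status={root.get('status')!r}, msg={msg.strip()!r}")
    key = (root.findtext("./result/key") or "").strip()
    if not key:
        raise ValueError("keygen reported success but returned no <key> element")
    return key


# Constructed sample replies; the success shape follows the response shown on this page.
SAMPLE_OK = (
    '<response status="success"><result>'
    "<key>Your_secret_key_is_here</key></result></response>"
)
# Assumed error shape, for illustration only.
SAMPLE_ERR = '<response status="error"><result><msg>Invalid credentials.</msg></result></response>'

if __name__ == "__main__":
    # Placeholder host, user and password (constructed values).
    req = build_keygen_request("fw.example.net", "svc-monitor", "p&ss#w0rd+%")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    print(parse_keygen_response(SAMPLE_OK))
    # To send for real: urllib.request.urlopen(req, timeout=10).read().decode()
```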