Palo Alto 5250 / NCPA Agent / SSH Commands

[rkane]

I'm looking to monitor how many users are connected via VPN (Global Protect) to our Palo. I can SSH into the device and issue a command to get the result I'm after....how can I set Nagios up to do the same? On all of our Windows boxes I use NCPA...anyone ever install the NCPA client on a Palo Alto? I've tried an SNMP walk and get no results despite having the community string / IP / port correct. Any help appreciated.

[ar0431]

You can use check_by_ssh plugin. So nagios will ssh to remote machine by using user name and password and run your script and get the output.
No need to install any plugin.
That is one way to solve the problem.

[scottwilkerson]

You can use check_by_ssh plugin. So nagios will ssh to remote machine by using user name and password and run your script and get the output.
No need to install any plugin.
That is one way to solve the problem.

This was going to be my suggestion as well

Here is a doc we have that outlines how to set this up
https://assets.nagios.com/downloads/nag ... ng_SSH.pdf

[rkane]

Appreciate the suggestions. Reading through the documentation I need to install plugins and such on the PaloAlto. Here in this thread though there's mention that I don't need to do any plugin install. Which is correct? Thx...

[scottwilkerson]

Appreciate the suggestions. Reading through the documentation I need to install plugins and such on the PaloAlto. Here in this thread though there's mention that I don't need to do any plugin install. Which is correct? Thx...

Well, you mentioned this

I can SSH into the device and issue a command to get the result I'm after....

So in this case you don't need to install plugins.

The PDF just outlines a case where you wanted to use the standard Linux plugins

[rkane]

Perfect, that's what I suspected, appreciate the confirmation. Is there a way to configure a (read only of course) username / pw in the check command or do I need to follow the part of the documentation where I configure keys and such?

Appreciate the suggestions. Reading through the documentation I need to install plugins and such on the PaloAlto. Here in this thread though there's mention that I don't need to do any plugin install. Which is correct? Thx...

Well, you mentioned this

I can SSH into the device and issue a command to get the result I'm after....

So in this case you don't need to install plugins.

The PDF just outlines a case where you wanted to use the standard Linux plugins

[KPoulsen]

What version of PAN-OS are you running ?
I use the following OID with check_snmp and that gives me the GP tunnels:

$USER1$/check_snmp -H $HOSTADDRESS$ -C ReadCommunityHere -o .1.3.6.1.4.1.25461.2.1.2.5.1.3.0 -P 2c -l "Sessions"

We are running PAN-OS 8.1.13 btw.

Hope this helps

[scottwilkerson]

What version of PAN-OS are you running ?
I use the following OID with check_snmp and that gives me the GP tunnels:

$USER1$/check_snmp -H $HOSTADDRESS$ -C ReadCommunityHere -o .1.3.6.1.4.1.25461.2.1.2.5.1.3.0 -P 2c -l "Sessions"

We are running PAN-OS 8.1.13 btw.

Hope this helps

Thanks for the help @KPoulsen

[rkane]

What version of PAN-OS are you running ?
I use the following OID with check_snmp and that gives me the GP tunnels:

$USER1$/check_snmp -H $HOSTADDRESS$ -C ReadCommunityHere -o .1.3.6.1.4.1.25461.2.1.2.5.1.3.0 -P 2c -l "Sessions"

We are running PAN-OS 8.1.13 btw.

Hope this helps

Thank you, will give it a try!
Software Version 9.0.3
GlobalProtect Agent 5.0.1

[scottwilkerson]

What version of PAN-OS are you running ?
I use the following OID with check_snmp and that gives me the GP tunnels:

$USER1$/check_snmp -H $HOSTADDRESS$ -C ReadCommunityHere -o .1.3.6.1.4.1.25461.2.1.2.5.1.3.0 -P 2c -l "Sessions"

We are running PAN-OS 8.1.13 btw.

Hope this helps

Thank you, will give it a try!
Software Version 9.0.3
GlobalProtect Agent 5.0.1

Good luck!