Palo alto firewall Aggregated Ports

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
tbs-infrastructure
Posts: 26
Joined: Mon Apr 08, 2019 3:47 pm

Palo alto firewall Aggregated Ports

Post by tbs-infrastructure »

A couple of days ago, we upgraded our Palo Alto firewalls to PAN-OS 9. Now I am noticing that Nagios XI is unable to report the bandwidth of the interfaces that are aggregated. While it reports the single interfaces that are part of the group, it is not able to report the aggregate interface.
Any idea what I can do?
tgriep
Madmin
Posts: 9190
Joined: Thu Oct 30, 2014 9:02 am

Re: Palo alto firewall Aggregated Ports

Post by tgriep »

We would need to see what sort of errors are generated when the MRTG process gathers the data from the device.

Can you run the following commands as root and post the /tmp/mrtg.txt file to the ticket?

Code:

LANG=C LC_ALL=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg -debug=cfg,base,log &> /tmp/mrtg.txt
LANG=C LC_ALL=C /usr/bin/mrtg &>> /tmp/mrtg.txt
LANG=C LC_ALL=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg --lock-file /var/lib/mrtg/mrtg.lock --confcache-file /var/lib/mrtg/mrtg.ok &>> /tmp/mrtg.txt
{ time LANG=C LC_ALL=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg 2>&1 ; } 2>> /tmp/mrtg.txt

Then, post the name and IP address of the device and the ports that are not reporting the bandwidth so we can check the file for any errors.
Be sure to check out our Knowledgebase for helpful articles and solutions!
tbs-infrastructure
Posts: 26
Joined: Mon Apr 08, 2019 3:47 pm

Re: Palo alto firewall Aggregated Ports

Post by tbs-infrastructure »

Hi,
find attached the file you requested, this is happening with the following firewalls (Paloalto):
HOST: pdfirewall
Interfaces:
ae2
ae3
ae5
ae6

HOST: drfirewall
ae2
ae3

Once again, these aggregated interfaces, we can still "see" the bandwidth for the single interfaces that are part of that aggregation (group).
Thanks,
tgriep
Madmin
Posts: 9190
Joined: Thu Oct 30, 2014 9:02 am

Re: Palo alto firewall Aggregated Ports

Post by tgriep »

Thanks for the file. I do not see any errors, but when the device is polling for the data from those ports, it is returning 0 as the bandwidth.
What I think happened is that when the devices were updated, the index numbers for the ports were changed, and that is why they could be returning 0 bandwidth data.
Try re-running the Network Switch / Router wizard against those devices to see if the ports are re-added to the checks.

You can run the following commands on the XI server and post the /tmp/walk.txt file so I can confirm what I think happened.

Code:

snmpwalk pdfirewall -v 2c -c tbs_snmp >/tmp/walk.txt
snmpwalk drfirewall -v 2c -c tbs_snmp >>/tmp/walk.txt
tbs-infrastructure
Posts: 26
Joined: Mon Apr 08, 2019 3:47 pm

Re: Palo alto firewall Aggregated Ports

Post by tbs-infrastructure »

I don't think it is the case, because I've tried to add one of the firewalls to another instance of Nagios and I see the same behavior, even that one cannot "see" the bandwidth, it is always at 0.
Attached the files you requested.
tgriep
Madmin
Posts: 9190
Joined: Thu Oct 30, 2014 9:02 am

Re: Palo alto firewall Aggregated Ports

Post by tgriep »

Thanks for the file. It looks like the upgrade could have changed the counters from the 32 bit counters to the 64 bit counters.
All of the 32 bit counters are showing 0, and if the MRTG config file is set to not look at the High Speed counters, then it will show zero bandwidth.

Go to the /etc/mrtg/conf.d folder and look at the config files for those devices. Look for lines with noHC in them, and if they are in the config section for these interfaces, remove them so the MRTG application will switch to the High Speed counters.

After 15 to 20 minutes, check to see if they start to report bandwidth data.
tbs-infrastructure
Posts: 26
Joined: Mon Apr 08, 2019 3:47 pm

Re: Palo alto firewall Aggregated Ports

Post by tbs-infrastructure »

I found this:

### Interface 500020000 >> Descr: 'ae2' | Name: 'ae2' | Ip: 'No Ip' | Eth: 'No Ethernet Id' ###

Target[pdfirewall_500020000]: 500020000:tbs_snmp@pdfirewall:161::::2
noHC[pdfirewall_500020000]: yes
SetEnv[pdfirewall_500020000]: MRTG_INT_IP="No Ip" MRTG_INT_DESCR="ae2"
MaxBytes[pdfirewall_500020000]: 12500000
Title[pdfirewall_500020000]: Traffic Analysis for 500020000 -- pd-firewall
PageTop[pdfirewall_500020000]: <h1>Traffic Analysis for 500020000 -- pd-firewall</h1>
 <div id="sysdetails">
 <table>
 <tr>
 <td>System:</td>
 <td>pd-firewall in Edison, NJ</td>
 </tr>
 <tr>
 <td>Maintainer:</td>
 <td>Infrastructure Team</td>
 </tr>
 <tr>
 <td>Description:</td>
 <td>ae2 </td>
 </tr>
 <tr>
 <td>ifType:</td>
 <td>Uknown Interface Type (161)</td>
 </tr>
 <tr>
 <td>ifName:</td>
 <td>ae2</td>
 </tr>
 <tr>
 <td>Max Speed:</td>
 <td>12.5 MBytes/s</td>
 </tr>
 <tr>
 <td>Ip:</td>
 <td>No Ip (No DNS name)</td>
 </tr>
 </table>
 </div>


Should I replace: noHC[pdfirewall_500020000]: yes - with - noHC[pdfirewall_500020000]: no ?
Thanks
tbs-infrastructure
Posts: 26
Joined: Mon Apr 08, 2019 3:47 pm

Re: Palo alto firewall Aggregated Ports

Post by tbs-infrastructure »

I have tried in one interface replacing noHC[pdfirewall_500020000]: yes - with - noHC[pdfirewall_500020000]: no and it worked.
Do I need to do this for all the interfaces not showing the bandwidth?
tgriep
Madmin
Posts: 9190
Joined: Thu Oct 30, 2014 9:02 am

Re: Palo alto firewall Aggregated Ports

Post by tgriep »

Yes, you will have to do that for all of the interfaces that are not showing bandwidth information. Especially the aggregated interfaces as they seem to be using the 64 bit counters.
tbs-infrastructure
Posts: 26
Joined: Mon Apr 08, 2019 3:47 pm

Re: Palo alto firewall Aggregated Ports

Post by tbs-infrastructure »

Thanks, it worked perfectly.
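
The check this thread converges on, as an added example that is not part of the original posts and is not Nagios or MRTG code: it reads MRTG config text and snmpwalk output, lists the targets pinned to 32-bit counters by `noHC: yes` whose `ifInOctets` reads 0 while `ifHCInOctets` is counting, and flips only those to `no`. The sample config and walk lines are constructed, the function names are hypothetical, and it assumes numeric-ifIndex targets and symbolic `IF-MIB::` names in the walk output.

```python
import re

# Numeric-ifIndex targets only; other MRTG target forms are not handled here.
TARGET = re.compile(r"^Target\[([^\]]+)\]:\s*(\d+):", re.M | re.I)
NOHC = re.compile(r"^(noHC\[([^\]]+)\]:\s*)yes[ \t]*$", re.M | re.I)
WALK = re.compile(
    r"^IF-MIB::(ifInOctets|ifHCInOctets)\.(\d+) = Counter(?:32|64): (\d+)", re.M)

# Constructed sample data (not taken from the thread's attachments).
SAMPLE_CFG = """\
Target[pdfirewall_500020000]: 500020000:COMMUNITY@pdfirewall:161::::2
noHC[pdfirewall_500020000]: yes
Target[pdfirewall_16]: 16:COMMUNITY@pdfirewall:161::::2
noHC[pdfirewall_16]: yes
Target[pdfirewall_17]: 17:COMMUNITY@pdfirewall:161::::2
"""
SAMPLE_WALK = """\
IF-MIB::ifInOctets.16 = Counter32: 91822334
IF-MIB::ifInOctets.500020000 = Counter32: 0
IF-MIB::ifHCInOctets.16 = Counter64: 91822334
IF-MIB::ifHCInOctets.500020000 = Counter64: 7731902211
"""

def parse_walk(text):
    """Map ifIndex -> {'ifInOctets': n, 'ifHCInOctets': n} from snmpwalk text."""
    counters = {}
    for name, idx, val in WALK.findall(text):
        counters.setdefault(int(idx), {})[name] = int(val)
    return counters

def stuck_targets(cfg, walk):
    """Targets with noHC: yes whose 32-bit counter reads 0 while the 64-bit one counts."""
    index_of = {name: int(idx) for name, idx in TARGET.findall(cfg)}
    counters = parse_walk(walk)
    hits = []
    for _prefix, name in NOHC.findall(cfg):
        c = counters.get(index_of.get(name), {})
        if c.get("ifInOctets") == 0 and c.get("ifHCInOctets", 0) > 0:
            hits.append(name)
    return sorted(hits)

def set_nohc_no(cfg, names):
    """Rewrite 'noHC[name]: yes' to 'no' for the named targets, leaving others alone."""
    flip = lambda m: m.group(1) + "no" if m.group(2) in names else m.group(0)
    return NOHC.sub(flip, cfg)

if __name__ == "__main__":
    stuck = stuck_targets(SAMPLE_CFG, SAMPLE_WALK)
    print(stuck)
    print(set_nohc_no(SAMPLE_CFG, stuck))
```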