Support for Palo Alto firewalls is currently an alpha feature, so some workarounds are needed to let SuzieQ poll these devices. We tested it on a PA-VM running PanOS version 8.0, but it should be compatible with higher versions too.
At the moment SuzieQ cannot automatically discover whether a node is running panos, so the device type must be specified manually in the inventory. If you haven't checked out the new inventory format for SuzieQ, read the related docs before proceeding.
If you are using Netbox or Ansible as a source, SuzieQ cannot pull the device type information from it. Therefore, you will need to define another source only for the panos device in order to specify the devtype. For example:
```yaml
sources:
  # only non-panos devices in this source
  - name: vagrant
    type: ansible
    path: /path/to/ansible/list.json
    # works with netbox too
    # type: netbox
    # url: https://netbox.instance
  - name: panos
    type: ansible
    path: /path/to/ansible/panos-list.json

devices:
  - name: all
    ignore-known-hosts: true
  # this will copy the default values from 'all' and override the
  # 'devtype' to panos
  - name: panos
    devtype: panos
    copy: all

namespaces:
  - name: vagrant
    source: vagrant
    device: all
  # having the same name, a single namespace will be created that will be
  # the result of the merge of the two groups
  - name: vagrant
    source: panos
    device: panos
```
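To see what the inventory above resolves to, the following added sketch (not SuzieQ code and not part of the original docs) models the two behaviours its comments describe: `copy` inheriting settings with overrides, and entries with the same namespace name ending up in a single namespace. The function names and the handling of chained `copy` are assumptions of the sketch; its output shows that the panos group also inherits `ignore-known-hosts: true` from `all`.

```python
# Added illustration, not SuzieQ code: the page's example inventory written as
# a Python dict (so no YAML library is needed) plus a model of 'copy'/merge.
INVENTORY = {
    "sources": [
        {"name": "vagrant", "type": "ansible", "path": "/path/to/ansible/list.json"},
        {"name": "panos", "type": "ansible", "path": "/path/to/ansible/panos-list.json"},
    ],
    "devices": [
        {"name": "all", "ignore-known-hosts": True},
        {"name": "panos", "devtype": "panos", "copy": "all"},
    ],
    "namespaces": [
        {"name": "vagrant", "source": "vagrant", "device": "all"},
        {"name": "vagrant", "source": "panos", "device": "panos"},
    ],
}


def resolve_device(devices, name, _seen=()):
    """Return the effective settings of a device entry, following 'copy'."""
    if name in _seen:
        raise ValueError(f"copy loop through device {name!r}")
    entry = next((d for d in devices if d["name"] == name), None)
    if entry is None:
        raise KeyError(f"device {name!r} is not defined")
    # Assumption of this sketch: a copied entry may itself copy another one.
    base = resolve_device(devices, entry["copy"], _seen + (name,)) if "copy" in entry else {}
    own = {k: v for k, v in entry.items() if k not in ("name", "copy")}
    return {**base, **own}  # the entry's own keys override the copied ones


def effective_namespaces(inv):
    """Map each namespace name to its (source, effective device settings) groups."""
    sources = {s["name"] for s in inv["sources"]}
    merged = {}
    for ns in inv["namespaces"]:
        if ns["source"] not in sources:
            raise KeyError(f"source {ns['source']!r} is not defined")
        settings = resolve_device(inv["devices"], ns["device"])
        merged.setdefault(ns["name"], []).append((ns["source"], settings))
    return merged


if __name__ == "__main__":
    for name, groups in effective_namespaces(INVENTORY).items():
        for source, settings in groups:
            print(name, source, settings)
```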
Otherwise, if the panos device is specified in a host list, then all you need to do is add `devtype=panos`:
```yaml
sources:
  - name: my-list
    hosts:
      - url: https://[email protected] devtype=panos
      - url: ssh://[email protected]:22 keyfile=/path/to/private_key
      - url: ssh://[email protected]:22 devtype=eos keyfile=/path/to/private_key

devices:
  - name: all
    ignore-known-hosts: true

namespaces:
  - name: dc-edge-01
    source: my-list
    device: all
```
The services currently supported are:
- device
- interfaces
- routes
- lldp
- arpnd
- bgp