
Palo Alto ARP table import for Machine Tracer

Open ingeborgoh opened this issue 3 years ago • 2 comments

Palo Alto Firewall does not support collection of the ARP table via SNMP, but has a REST API and provides data as XML.

We need a script that can collect these data via the API and insert them into the NAV database.

Example Python project: http://api-lab.paloaltonetworks.com/pan-python.html

Trial version of Palo Alto https://www.paloaltonetworks.com/vm-series-trial

UiT will also soon have some lab equipment to run tests on.

ingeborgoh avatar Feb 03 '22 09:02 ingeborgoh

This is the exact same problem that has been reported for Cisco ASA for many years. Most stuff works through SNMP, but not ARP cache collection.

lunkwill42 avatar May 05 '22 12:05 lunkwill42

Tip from HiVolda: https://docs.paloaltonetworks.com/iot/iot-security-api-reference/iot-security-api/get-device-details-per-mac-address

lunkwill42 avatar Sep 01 '22 11:09 lunkwill42

How to export the ARP table into XML

curl -kG "https://192.168.1.1/api/?type=op&cmd=%3Cshow%3E%3Carp%3E%3Centry+name+%3D+%27all%27%2F%3E%3C%2Farp%3E%3C%2Fshow%3E&key=" > arp-list.xml

IP address and api-key must exist somewhere

Entries look like this

<entry>
  <status>  c  </status>
  <ip>10.11.12.13</ip>
  <mac>00:aa:00:bb:00:cc</mac>
  <ttl>665</ttl>
  <interface>ae2</interface>
  <port>ae2</port>
</entry>

where status: s - static, c - complete, e - expiring, i - incomplete.

ingeborgoh avatar Oct 18 '22 14:10 ingeborgoh
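
An added example, not part of the comments above and not NAV project code: a parser for the `<entry>` format shown in the last comment that keeps only usable IP-to-MAC mappings. The sample input is constructed, and the `<response>`/`<result>`/`<entries>` wrapper, the `(incomplete)` MAC text and the names `parse_arp` and `ArpEntry` are assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from collections import namedtuple

# Constructed sample: the <entry> layout follows the comment above; the
# <response>/<result>/<entries> wrapper around it is an assumption.
SAMPLE = """<response status="success"><result><entries>
<entry><status>  c  </status><ip>10.11.12.13</ip><mac>00:aa:00:bb:00:cc</mac>
  <ttl>665</ttl><interface>ae2</interface><port>ae2</port></entry>
<entry><status>  i  </status><ip>10.11.12.14</ip><mac>(incomplete)</mac>
  <ttl>1</ttl><interface>ae2</interface><port>ae2</port></entry>
<entry><status>  s  </status><ip>10.11.12.15</ip><mac>00-AA-00-BB-00-DD</mac>
  <ttl>0</ttl><interface>ae3</interface><port>ae3</port></entry>
</entries></result></response>"""

STATUS = {"s": "static", "c": "complete", "e": "expiring", "i": "incomplete"}
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Hypothetical record type for one ARP mapping.
ArpEntry = namedtuple("ArpEntry", "ip mac interface status")


def parse_arp(xml_text):
    """Return usable IP-to-MAC mappings from a 'show arp' XML response."""
    root = ET.fromstring(xml_text)
    if root.tag == "response" and root.get("status") != "success":
        raise ValueError("firewall API reported an error")
    entries = []
    for node in root.iter("entry"):
        field = lambda name: (node.findtext(name) or "").strip()
        status = STATUS.get(field("status"))  # status text is space-padded
        mac = field("mac").lower().replace("-", ":")
        # Incomplete entries carry no resolved MAC; unknown status codes
        # and malformed MACs are dropped rather than stored.
        if status in (None, "incomplete") or not MAC_RE.match(mac):
            continue
        try:
            ip = str(ipaddress.ip_address(field("ip")))
        except ValueError:
            continue
        entries.append(ArpEntry(ip, mac, field("interface"), status))
    return entries


if __name__ == "__main__":
    for entry in parse_arp(SAMPLE):
        print(entry)
```

The `-k` in the curl command above turns off certificate verification; a collector that sends the API key should verify the firewall's certificate instead.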