SNMP
SNMP Introduction
SNMP is the Simple Network Management Protocol. It allows SNMP servers (SNMP Agents) to report data when queried by an SNMP client (SNMP Manager). SNMP servers normally run on devices such as switches, firewalls, etc. The SNMP client is normally installed on a network management solution (e.g. SolarWinds). SNMP servers can also send SNMP “Traps” to the SNMP client.
A MIB (Management Information Base) is a collection of definitions that define the properties of the managed objects within the device to be managed. OIDs or Object Identifiers uniquely identify managed objects in the MIB. There are many MIBs and OIDs specified in RFCs. It is very common for vendors (e.g. firewall manufacturers) to also have MIBs specific to their product. For example, if you have a Palo Alto Networks firewall, it can report on standard MIB information as well as Palo Alto Networks specific information.
OID is a sequence that is a bit like a DNS name that you can use to specify what data you are after.
For example, a common OID is 1.3.6.1.2.1.1.6. This is the location field.
Vendor-specific OIDs will be under 1.3.6.1.4.1. For example, Palo Alto Networks stores the serial number under 1.3.6.1.4.1.25461.2.1.2.1.3.
The MIB pack provided by a vendor maps OIDs to human-readable names (e.g. 1.3.6.1.4.1.25461.2.1.2.1.19.8.41 to panFlowDosPfIcmplpkt).
You then use SNMP client software to query a device on the network. For example, to get the device uptime from an appliance that has an SNMP server listening on UDP port 161 on 10.1.1.1, you would run the following on your Linux client:
snmpwalk -v2c -c public 10.1.1.1 1.3.6.1.2.1.25.1.1
and you would get back something like
(6448630) 17:54:46.30
On Windows, you can use something like iReasoning MIB Browser. You set the address of the target SNMP server in the top left and then click the Advanced button to set community strings and set SNMP version. You also load the applicable MIB files under the MIB Files tab. You can also have your appliances forward SNMP Traps to iReasoning MIB Browser under the Tools > Traps Receiver.
You use the Get command to get the latest value of a specific object.
Note: For Palo Alto Networks PAN-OS, SNMP can be used to get packets per second and bytes per second information for individual interfaces but not for an aggregate interface. Statistics from the individual ports need to be added manually in order to get the throughput of all the interfaces.
You can use SNMP to monitor interface bandwidth usage as well as counters and other system variables.
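The manual addition described in the note above, as an added example (not part of the original page): two snmpwalk samples of ifInOctets (1.3.6.1.2.1.2.2.1.10) are parsed, per-port deltas are taken with Counter32 wrap handling, and the member ports are summed. The sample output, the interface indexes and the 60-second interval are constructed for illustration.

```python
import re

# Matches lines as printed by snmpwalk when IF-MIB is loaded (assumed format).
LINE = re.compile(r"ifInOctets\.(\d+) = Counter32: (\d+)")

# Constructed samples taken 60 seconds apart; interface 1 wraps in between.
WALK_T0 = """\
IF-MIB::ifInOctets.1 = Counter32: 4294960000
IF-MIB::ifInOctets.2 = Counter32: 1000000
IF-MIB::ifInOctets.3 = Counter32: 500
"""
WALK_T1 = """\
IF-MIB::ifInOctets.1 = Counter32: 2704
IF-MIB::ifInOctets.2 = Counter32: 1740000
IF-MIB::ifInOctets.3 = Counter32: 900
"""


def parse_walk(text):
    """Return {ifIndex: octet counter} from snmpwalk output."""
    return {int(idx): int(val) for idx, val in LINE.findall(text)}


def octet_delta(old, new, bits=32):
    """Counter difference that survives a single wrap of a 32-bit counter."""
    return (new - old) % (1 << bits)


def aggregate_bps(walk_old, walk_new, seconds, members):
    """Sum inbound bits per second over the member ports of an aggregate."""
    old, new = parse_walk(walk_old), parse_walk(walk_new)
    octets = sum(octet_delta(old[i], new[i]) for i in members)
    return octets * 8 / seconds


if __name__ == "__main__":
    # Hypothetical aggregate made of physical ports 1 and 2.
    print(aggregate_bps(WALK_T0, WALK_T1, 60, members=[1, 2]), "bit/s")
```

The polling interval must be short enough that a counter cannot wrap more than once between samples, otherwise the delta is silently too small.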
A nice video on using SNMP to monitor PAN-OS global counters is here.
SNMP v3
When setting up SNMPv3 to provide access to all management information, use the top-level OID 1.3.6.1, set the Mask to 0xf0, and set the matching Option to include.
If that doesn't work, try using the OID of .1 and set the mask as 0x80.
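How an OID and mask pair selects a view, as an added example (not from the original page or from PAN-OS): it assumes the mask follows the VACM view-family rules of RFC 3415, where each mask bit covers one sub-identifier, 1 means "must match" and 0 means "wildcard". The exclude entry and the ifIndex 7 family are constructed to show how a view can be narrowed from "everything".

```python
def parse_oid(text):
    """Turn '1.3.6.1' or '.1.3.6.1' into a tuple of integers."""
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bits(mask_hex, length):
    """One bit per sub-identifier, most significant bit first.
    A mask shorter than the subtree is padded with 1s (exact match)."""
    digits = mask_hex[2:] if mask_hex.lower().startswith("0x") else mask_hex
    bits = [(b >> (7 - i)) & 1 for b in bytes.fromhex(digits) for i in range(8)]
    bits += [1] * max(0, length - len(bits))
    return bits[:length]


def in_family(oid, subtree, mask_hex):
    """True if oid falls inside the (subtree, mask) view family."""
    oid, subtree = parse_oid(oid), parse_oid(subtree)
    if len(oid) < len(subtree):
        return False
    bits = mask_bits(mask_hex, len(subtree))
    return all(bit == 0 or a == b for bit, a, b in zip(bits, oid, subtree))


def is_visible(oid, view):
    """view is a list of (subtree, mask, 'include' | 'exclude').
    The matching family with the longest subtree decides; no match = hidden."""
    matches = [(len(parse_oid(s)), parse_oid(s), kind)
               for s, m, kind in view if in_family(oid, s, m)]
    return bool(matches) and max(matches)[2] == "include"


# The two settings from the text above.
FULL_VIEW = [("1.3.6.1", "0xf0", "include")]
ROOT_VIEW = [(".1", "0x80", "include")]
# Constructed: everything except the GlobalProtect subtree.
NO_GP_VIEW = FULL_VIEW + [("1.3.6.1.4.1.25461.2.1.2.5", "0xff", "exclude")]
# Constructed: every ifEntry column, but only for ifIndex 7 (0 bit = wildcard).
IF7_FAMILY = ("1.3.6.1.2.1.2.2.1.0.7", "0xffa0")

if __name__ == "__main__":
    serial = "1.3.6.1.4.1.25461.2.1.2.1.3"  # panSysSerialNumber
    print(is_visible(serial, FULL_VIEW), is_visible(serial, NO_GP_VIEW))
    print(in_family("1.3.6.1.2.1.2.2.1.10.7", *IF7_FAMILY))
```

With an all-ones mask such as 0xf0 over four sub-identifiers, the family is a plain prefix match, which is why 1.3.6.1 with 0xf0 exposes both the standard and the vendor subtrees.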
SNMP Walk
The following command gets data from an SNMP server running SNMP v2c with the community string public.
snmpwalk -v2c -c public 10.1.1.1 .1.3.6.1.2.1.1.1
RFC MIB Information
| OID | Object | Type |
|---|---|---|
| 1.3.6.1.2.1.25.1.1 | hrSystemUptime | Timeticks |
| 1.3.6.1.2.1.1.6 | sysLocation | STRING |
| 1.3.6.1.2.1.1.5 | sysName | STRING |
| 1.3.6.1.2.1.1.4 | sysContact | STRING |
| 1.3.6.1.2.1.1.3 | sysUpTime | STRING |
| 1.3.6.1.2.1.2.2.1.10 | ifInOctets | ? |
| 1.3.6.1.2.1.2.2.1.116 | ifOutOctets | ? |
Palo Alto Networks MIB Information
| OID | Object | Type |
|---|---|---|
| 1.3.6.1.4.1.25461 | PAN SPECIFIC MIB | Folder |
| 1.3.6.1.4.1.25461.2.1.2.1 | panSys | Folder |
| .1.3.6.1.4.1.25461.2.1.2.1.19 | Global Counters | Folder |
| 1.3.6.1.4.1.25461.2.1.2.5 | GlobalProtect | Folder |
| 1.3.6.1.4.1.25461.2.1.2.1.19.8.41 | panFlowDosPfIcmplpkt | ? |
| 1.3.6.1.4.1.25461.2.1.2.1.19.8.41 | sysUpTime | ? |
| 1.3.6.1.4.1.25461.2.1.2.1.1 | panSysHwVersion | STRING |
| 1.3.6.1.4.1.25461.2.1.2.1.3 | panSysSerialNumber | STRING |
PAN-OS MIB
You can get a list of PAN-OS supported MIBs here.
You can download the MIB files for PAN-OS here.
PAN-COMMON-MIB.my
Use the PAN-COMMON-MIB to monitor the following information for Palo Alto Networks firewalls, Panorama, and WF-500 appliances:
- panSys - Contains such objects as system software/hardware versions, dynamic content versions, serial number, HA mode/state, and global counters (firewall only).
- panChassis - Chassis type and M-Series appliance mode (Panorama or Log Collector).
- panSession - Session utilization information. For example, the total number of active sessions on the firewall or a specific virtual system.
- panMgmt - Status of the connection from the firewall to the Panorama management server.
- panGlobalProtect - GlobalProtect gateway utilization as a percentage, maximum tunnels allowed, and number of active tunnels.
- panLogCollector - Logging statistics for each Log Collector, including logging rate, log quotas, disk usage, retention periods, log redundancy (enabled or disabled), the forwarding status from firewalls to Log Collectors, the forwarding status from Log Collectors to external services, and the status of firewall-to-Log Collector connections.
- panDeviceLogging - Logging statistics for each firewall, including logging rate, disk usage, retention periods, the forwarding status from individual firewalls to Panorama and external servers, and the status of firewall-to-Log Collector connections.
PAN-LC-MIB.my
PAN-LC-MIB.my contains definitions of managed objects that Log Collectors (M-Series appliances in Log Collector mode) implement. Use this MIB to monitor the logging rate, log database storage duration (in days), and disk usage (in MB) of each logical disk (up to four) on a Log Collector. For example, you can use this information to determine whether you should add more Log Collectors or forward logs to an external server (for example, a syslog server) for archiving.
PAN-GLOBAL-REG-MIB.my
PAN-GLOBAL-REG-MIB.my contains global, top-level OID definitions for various sub-trees of Palo Alto Networks enterprise MIB modules. This MIB doesn’t contain objects for you to monitor; it is required only for referencing by other MIBs.
PAN-GLOBAL-TC-MIB.my
PAN-GLOBAL-TC-MIB.my defines conventions (for example, character length and allowed characters) for the text values of objects in Palo Alto Networks enterprise MIB modules. All Palo Alto Networks products use these conventions. This MIB doesn’t contain objects for you to monitor; it is required only for referencing by other MIBs.
PAN-PRODUCT-MIB.my
PAN-PRODUCT-MIB.my defines sysObjectID OIDs for all Palo Alto Networks products. This MIB doesn’t contain objects for you to monitor; it is required only for referencing by other MIBs.
PAN-ENTITY-EXT-MIB.my
Use PAN-ENTITY-EXT-MIB.my in tandem with the ENTITY-MIB to monitor power usage for the physical components of a PA-7000 Series firewall (for example, fan trays and power supplies), which is the only Palo Alto Networks firewall that supports this MIB.
PAN-TRAPS.my
Use PAN-TRAPS.my to see a complete listing of all the generated traps and information about them (for example, a description). For a list of traps that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support, refer to the PAN-COMMON-MIB.my > panCommonEvents > panCommonEventsEvents > panCommonEventEventsV2 object.
