ralph089 / nagios_check_paloalto Goto Github PK

Nagios/Icinga Plugin for Palo Alto Firewall Systems

License: Apache License 2.0

Python 97.37% Makefile 2.63%

nagios nagios-plugin python icinga palo-alto-firewalls paloaltonetworks

nagios_check_paloalto's Introduction

nagios_check_paloalto: a Nagios/Icinga Plugin

nagios_check_paloalto is a Nagios/Icinga plugin for Palo Alto Next Generation Firewalls. It is written in Python and based on the PA REST API.

Tested on:

PA-500 v6.0.1 - v6.0.9
PA-3050 v6.0.9 - 7.1.9

https://travis-ci.org/ralph-hm/nagios_check_paloalto.svg?branch=master

https://coveralls.io/repos/github/ralph-hm/nagios_check_paloalto/badge.svg?branch=master

Documentation

http://nagios-check-paloalto.readthedocs.org/en/latest/

Quickstart

Please make sure you have python-dev and libxslt1-dev installed on your machine.

To install nagios_check_paloalto:

$ pip install check_paloalto --upgrade

or use:

$ pip3 install check_paloalto --upgrade

The plugin requires a token to get information from the PA-REST-API. Please see the following link for more information: http://nagios-check-paloalto.readthedocs.org/en/latest/configuration.html#token

Usage

Command-line usage:

usage: check_paloalto [-h] -H HOST -T TOKEN [-v] [-t TIMEOUT] [--reset]
                  [--version]
                  {diskspace,certificates,load,useragent,environmental,sessinfo,thermal,throughput}
                  ...

positional arguments:
  {diskspace,certificates,load,useragent,environmental,sessinfo,thermal,throughput}
    diskspace           check used diskspace.
    certificates        check the certificate store for expiring certificates:
                        Outputs is a warning, if a certificate is in range.
    load                check the CPU load.
    useragent           check for running useragents.
    environmental       check if an alarm is found.
    sessinfo            check important session parameters.
    thermal             check the temperature.
    throughput          check the throughput.

optional arguments:
  -h, --help            show this help message and exit

Connection:
  -H HOST, --host HOST  PaloAlto Server Hostname
  -T TOKEN, --token TOKEN
                        Generated Token for REST-API access

Debug:
  -v, --verbose         increase output verbosity (use up to 3 times)
  -t TIMEOUT, --timeout TIMEOUT
                        abort check execution after so many seconds (use 0 for
                        no timeout)
  --reset               Deletes the cookie file for the throughput check.

Info:
  --version             show program's version number and exit

nagios_check_paloalto's People

Contributors

Stargazers

Watchers

Forkers

steadfasterx kerncore gdijk hrocc rverchere gv27 secure-diversity czifraj2 frank-m pandvan terait-at kmghari001 pizza666

nagios_check_paloalto's Issues

New name for hdd devices in PA5220's

Hi Ralph,

Is it possible to implement the new hard disk device names the PA5220's use?
Our 850's and 3020's use /dev/sdax
Our 5220's use /dev/mdx

kind regards

Geert van Dijk

Measuring throughput on multiple identically configured PA's fails

Hi,

We have a failover configuration, 2 PA3020's with interfaces with identical names.
I cannot get snmp reachable from the failover adres (perhaps it's possible?) so I check the throughput on both nodes.
However, the throughput checkfile has no mechanism that tells the plugin which values belong to what PA node, so the values are rather useless.
I solved it for now by creating and calling a second throughput.py that uses a different checkfile.
It would be nice however, if either the checkfile name could be passed on as an argument, or the hostname would be part of the checkfile.
Or is there a simpeler solution that I overlooked?

Kind regards

Wrong output

Dear,
the session check give wrong formatted perfdata output.
For example
SESSINFO OK - Active sessions: 28330 / Throughput: 6139kbps | session=28330;40000;200000;0;524286 throughput=6139kbps;;;0
Some ; is missing before "throughput=6139kbps"?
And a lot after?
Thanks for the excellent work,

Ivan

Certificate check issue

Hi,

we've got some certificates without time (only month day year)
changed the certificate.py code a bit:
from
date_object = datetime.strptime(not_valid_after, '%b %d %H:%M:%S %Y')
to
try:
date_object = datetime.strptime(not_valid_after, '%b %d %H:%M:%S %Y')
except ValueError:
date_object = datetime.strptime(not_valid_after, '%b %d %Y')

throughput usage

throughput also requires -i / --interface [INTERFACE]. Something to comment in usage and help.

non-free license

hi,

unfortunately the license you've chosen does not allow to distribute modified versions of your code and ensures that it is basically impossible to keep it updated to more recent PA versions - and it will also be impossible for Linux Distributions like Debian to ship your check_paloalto. Please consider to change it to a more open license like http://creativecommons.org/licenses/by-sa/4.0/

thanks,
bernd

AttributeError: 'NoneType' object has no attribute 'find_all'

Hi,

if i want to monitor any Interface (throughput option) i get following error:

THROUGHPUT UNKNOWN: AttributeError: 'NoneType' object has no attribute 'find_all'
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/nagiosplugin/runtime.py", line 43, in wrapper
return func(*args, **kwds)
File "/usr/local/lib/python2.7/dist-packages/check_pa/check_paloalto.py", line 22, in main
check.main(verbose=args.verbose, timeout=args.timeout)
File "/usr/local/lib/python2.7/dist-packages/nagiosplugin/check.py", line 120, in main
runtime.execute(self, verbose, timeout)
File "/usr/local/lib/python2.7/dist-packages/nagiosplugin/runtime.py", line 128, in execute
with_timeout(self.timeout, self.run, check)
File "/usr/local/lib/python2.7/dist-packages/nagiosplugin/platform/posix.py", line 19, in with_timeout
func(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/nagiosplugin/runtime.py", line 117, in run
check()
File "/usr/local/lib/python2.7/dist-packages/nagiosplugin/check.py", line 105, in call
self._evaluate_resource(resource)
File "/usr/local/lib/python2.7/dist-packages/nagiosplugin/check.py", line 72, in _evaluate_resource
metrics = resource.probe()
File "/usr/local/lib/python2.7/dist-packages/check_pa/throughput.py", line 72, in probe
for item in ifnet.find_all('entry'):
AttributeError: 'NoneType' object has no attribute 'find_all'

OS is Debian Jessie, latest patches.

Request to update to 8.0.X series

Dear,
this is not a issue, but a request.
Is possible to update to support PA-3050 v8.0.X?
I am now running 7.1.9 and everything seems fine. But shortly I want to update to 8.0.1, and losing the icinga check implemented with your check is not a good thing...
:-)
Thanks a lot,

Ivan

Feature Request: thermal: different warn/crit per entry

Our PA has a very high switch core temp (61 deg) and the default critical alert is fired:

<entry>
<slot>1</slot>
<description>Temperature @ Switch Core</description>
<min>0.0</min>
<max>85.0</max>
<alarm>False</alarm>
<DegreesC>61.0</DegreesC>
</entry>

It would be nice to set the warn/crit range for this (and Cavium Core) different from the other ones.

Two ideas:

Use the max value from the entry and set the warn/crit to a percent value regarding this max
add a parameter to filter entries, so I could create two checks: one for the 60 deg max sensors and one for the 85 deg sensors

About the TOKEN

I don't how to ues the TOKEN.
I have Already gen the TOKEN at my PA like this

LUFRPT1sRUI4UEZZL2FNbStiMnhnVmdpU0RERGErZU09aGJpakxHU0Z1ZGE0SC9UbkhtQlNBcmJBcFpjM2pBbFNrUnJDNDlEbGlFVT0=

how to use this???

USERAGENT UNKNOWN

Hello,
the command useragent reply the error "USERAGENT UNKNOWN".
Could you please let me know on which settings on Palo Alto depend this check? It is check of UserID-Agents in User Identification?

Thanks, Petr

Feature Request: Throughput total sum

Could you change the throughput module to add a total sum to the metrics for graphing it in Icinga/Nagios? The values are already computed for the status line, but not as a metric.

I would create a pull request, but I don't know enough python... :-(