In this scenario I had a pair of Palo Alto firewalls acting as a perimeter active/passive cluster.
Due to our internal network configuration (use of OSPF etc.), the interfaces (ports) on the passive firewall were set to be down/disabled whenever that firewall was not active. Great for sorting out odd OSPF timer issues during failover, bad for monitoring the link status from the switch to the firewall.
Essentially the issue was that we monitor network interface status via SNMP using Nagios XI. For links that are always up even when they are not carrying traffic (for example EAPS rings on Extreme Networks switches, or other devices such as load balancers) this is fine: you can verify that all ports and links are up even on the passive node, and if a link fails you are at least able to see what is going on.
On a Palo Alto firewall two separate HA settings matter here. Passive Link State, under Device -> High Availability -> Active/Passive Settings, determines whether the ports on the passive firewall are up (auto) or down (shutdown) in normal operation; in my case I needed them to be down.
Link and Path Monitoring, also under Device -> High Availability, specifies whether the failure of one or more monitored ports (or paths) should trigger a failover of the firewall to the passive node or not.
The scenario was that these perimeter firewalls had a number of connected interfaces providing some isolation for low-importance legacy networks. We did not want a failure of one of those links to trigger a firewall failover (as this would have other effects), but we did want it monitored, so we could at least see when one of these links went down. Monitoring from the switch side was useless, because our monitoring system would show half of the ports down all the time (the passive firewall's end of every link). Hence the approach of querying the floating IP (VIP) of the firewall cluster instead: that way you are always querying the active firewall node, and if one of these links fails we know about it and can take action.
Like most network devices, Palo Alto firewalls support standard SNMP polling for this.
Download the MIBs from here: https://docs.paloaltonetworks.com/resources/snmp-mib-files and pick the correct set for your PAN-OS version.
To monitor a port you can therefore use something like the below (the OID is the standard IF-MIB ifOperStatus, .1.3.6.1.2.1.2.2.1.8, followed by the port's ifIndex):
./check_snmp -H firewall-vip.domain.com -o .1.3.6.1.2.1.2.2.1.8.1 -C public -P 2c -r 1
This queries ifOperStatus for ifIndex 1, in this case the ha1-a (HA 1) interface; you can walk the tree (ifDescr, .1.3.6.1.2.1.2.2.1.2) to identify which ifIndex belongs to which port. The "-r" option is a regular-expression match against the returned value: ifOperStatus is 1 for up and 2 for down (other values exist, for example 7 for lowerLayerDown), so the check returns OK when the value matches 1 and a CRITICAL alert for anything else. Two caveats: SNMPv2c (-P 2c) sends the community string in cleartext and "public" is the well-known default, so use SNMPv3 (-P 3 with the -L/-U/-a/-A/-x/-X options) where the firewall and Nagios XI support it, and in any case restrict SNMP in the interface management profile to the monitoring host's address. For example:
ha1-a - Status - HA 1
./check_snmp -H firewall-vip.domain.com -o .1.3.6.1.2.1.2.2.1.8.1 -C public -P 2c -r 1

ha1-b - Status - HA 2
./check_snmp -H firewall-vip.domain.com -o .1.3.6.1.2.1.2.2.1.8.2 -C public -P 2c -r 1

hsci - Status - Session Synch
./check_snmp -H firewall-vip.domain.com -o .1.3.6.1.2.1.2.2.1.8.3 -C public -P 2c -r 1
And so on. The ifOperStatus OID itself is standard, but the ifIndex assigned to each port may differ depending on your hardware and software version, so confirm the mapping with a walk of ifDescr rather than assuming the numbering, and then query ifOperStatus to get a view of the status of each port accordingly.
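The name-to-ifIndex mapping and the "is the value 1" verdict described above, as an added shell example that is not part of the original post or a Palo Alto tool: it parses the output format of snmpwalk for ifDescr and ifOperStatus, resolves an interface name to its ifIndex, evaluates the status the same way the check_snmp calls do (OK only for up(1), CRITICAL for anything else, UNKNOWN if the port cannot be resolved), and prints the matching check_snmp command line. The two walks embedded in the script are constructed sample data; the interface names, indexes, host name and community string are assumptions, not a real firewall's table.

```shell
#!/bin/sh
# Added example (not from the original post). The two walks below are
# CONSTRUCTED sample output in the format printed by
#   snmpwalk -On <host> .1.3.6.1.2.1.2.2.1.2   (ifDescr)
#   snmpwalk -On <host> .1.3.6.1.2.1.2.2.1.8   (ifOperStatus)
# Interface names and ifIndex values are assumptions for illustration.
IFDESCR_WALK='.1.3.6.1.2.1.2.2.1.2.1 = STRING: ha1-a
.1.3.6.1.2.1.2.2.1.2.2 = STRING: ha1-b
.1.3.6.1.2.1.2.2.1.2.3 = STRING: hsci
.1.3.6.1.2.1.2.2.1.2.4 = STRING: ethernet1/1
.1.3.6.1.2.1.2.2.1.2.5 = STRING: ethernet1/5
.1.3.6.1.2.1.2.2.1.2.6 = STRING: ethernet1/6'

IFOPER_WALK='.1.3.6.1.2.1.2.2.1.8.1 = INTEGER: up(1)
.1.3.6.1.2.1.2.2.1.8.2 = INTEGER: up(1)
.1.3.6.1.2.1.2.2.1.8.3 = INTEGER: up(1)
.1.3.6.1.2.1.2.2.1.8.4 = INTEGER: up(1)
.1.3.6.1.2.1.2.2.1.8.5 = INTEGER: down(2)
.1.3.6.1.2.1.2.2.1.8.6 = INTEGER: lowerLayerDown(7)'

FW_VIP='firewall-vip.domain.com'   # placeholder: the cluster floating IP / name
COMMUNITY='changeme'               # placeholder: never ship "public" in production

# ifOperStatus values as defined in IF-MIB (RFC 2863)
oper_name() {
  case "$1" in
    1) echo up ;;             2) echo down ;;
    3) echo testing ;;        4) echo unknown ;;
    5) echo dormant ;;        6) echo notPresent ;;
    7) echo lowerLayerDown ;; *) echo "invalid($1)" ;;
  esac
}

# ifindex_for NAME: print the ifIndex (last OID component) whose ifDescr is NAME.
# Returns 1 if the name is not present in the walk.
ifindex_for() {
  printf '%s\n' "$IFDESCR_WALK" | awk -v name="$1" '
    $NF == name { oid = $1; sub(/.*\./, "", oid); print oid; found = 1; exit }
    END { exit !found }'
}

# oper_status_for INDEX: print the numeric ifOperStatus for ifIndex INDEX.
# Accepts both "INTEGER: up(1)" (MIB loaded) and "INTEGER: 1" (no MIB).
oper_status_for() {
  printf '%s\n' "$IFOPER_WALK" | awk -v idx="$1" '
    { oid = $1; sub(/.*\./, "", oid) }
    oid == idx { v = $NF; gsub(/[^0-9]/, "", v); print v; found = 1; exit }
    END { exit !found }'
}

# check_iface NAME: Nagios-style verdict. 0 = OK only when the port is up(1);
# any other value (down, lowerLayerDown, ...) is CRITICAL (2), which is what
# the "-r 1" regex in the check_snmp calls above gives you; unresolvable = UNKNOWN (3).
check_iface() {
  idx=$(ifindex_for "$1") || { echo "UNKNOWN - no ifDescr entry for $1"; return 3; }
  st=$(oper_status_for "$idx") || { echo "UNKNOWN - no ifOperStatus for ifIndex $idx"; return 3; }
  if [ "$st" -eq 1 ]; then
    echo "OK - $1 (ifIndex $idx) is up"; return 0
  fi
  echo "CRITICAL - $1 (ifIndex $idx) is $(oper_name "$st")"; return 2
}

# check_snmp_cmd NAME: the check_snmp invocation for NAME with its ifIndex filled in.
check_snmp_cmd() {
  idx=$(ifindex_for "$1") || return 1
  printf './check_snmp -H %s -o .1.3.6.1.2.1.2.2.1.8.%s -C %s -P 2c -r 1\n' \
    "$FW_VIP" "$idx" "$COMMUNITY"
}

# Demo over the constructed data: ethernet1/9 is deliberately absent from the walk.
for name in ha1-a ha1-b hsci ethernet1/1 ethernet1/5 ethernet1/6 ethernet1/9; do
  check_iface "$name" || true
done
check_snmp_cmd hsci
```

Replace the two embedded walks with real snmpwalk output (or pipe snmpwalk into the same awk filters) and the script gives you the ifIndex for each port to paste into the Nagios XI service definitions, which avoids guessing the numbering on a new chassis or after a PAN-OS upgrade.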