There is an available Palo Alto firewall NagiosXI check which utilises the REST API to obtain state information from the firewall, this includes things such as PSU and FAN health. The plugin uses an API Key to allow access but to ensure you only allow the minimal privileges’ to get the information you need please use the below procedure.
Create the Role
You only need to perform this on one Firewall in the cluster (these users are replicated automatically), you also need to complete this with the local “admin” user, you can’t use your normal administrative credentials these don’t seem to see the full set of options needed.
Click Device→Admin Roles, then click “Add”.
Create a Role called “monitoring” with a description, then set the following options for each tab:
- Web UI = All disabled.
- XML API = Enable “Operational Requests” then disable all other options.
- Command Line = None (should be set to “None”).
- REST API = All disabled.
The role is now ready for use.
Create the User
Click Device→Administrators, then click “Add”.
Complete the user configuration as shown below, ensure you set the “Administrator Type” to “Role Based” and select the role you just created!
Make a note of these credentials in the department keysafe.
Obtain the API Key
Now you have a username and password with the correct role on the Palo Alto Firewall, you need to generate a key.
Open a web browser to the following URL, you need to substitute in the FQDN, Username and Password accordingly:
https://firewall1.domain.com/api?type=keygen&user=monitoring&password=<password here>You should get a response as follows, which shows the API key, so take a copy of this.
You now have the API Key (or Token as they call it) you can use in the check.