Palo Alto Panorama Domain information

Jason_DaSilva
Tera Guru

We have been pulling in the Firewall info from our PAN devices, but we have an issue with multiple domains.  We need to separate out the Security Policies per domain, but the patterns for the PANs don't pull in domain information using the command:

${panoramaUrl} + "?key=" + ${apiKey} + encodeURI("&type=op&cmd=<show><system><info></info></system></show>");

According to CLI commands (this is passed to me from the firewall team) the above is similar to running:
run show system info
Our Firewall tech can get the domain info running this:
show system state filter cfg.net.s0.dns
I have tried to translate this into the encodeURI string, but it does not seem to return an output.  Has anyone found a way to pull the domain info during discovery for Panorama devices?  Not sure if the 'run' is required in the text as this is bein

1 ACCEPTED SOLUTION

Jason_DaSilva
Tera Guru

OK, I have this figured out.  It seems that the Firewall Manager table [cmdb_ci_firewall_manager_panorama] and the firewall device table [cmdb_ci_firewall_device_palo_alto] do not have any relationship set, even though the manager is a firewall device.  Once I got the PAN devices properly horizontally discovered, I can see the domain info there.

For what I need done, I am scripting out populating the field in the Firewall Rule form based on that data, but I am wondering why there is no relationship set.  I mean, I have to poll one table to get the PAN names, then poll the other table to get the domains, whereas if they were related, I could dot-walk.

Is there a reason these tables are not related?  I am no firewall expert, but the only thing that comes to mind is that there are different brands of firewall managers.  The ones we use are specifically all Palo Alto, but I am sure there are others.


3 REPLIES


Hi Jason,

I may have run into a similar issue to the one you've described. I have set up a discovery schedule using a horizontal pattern called "PaloAlto - Firewall Manager". It attempts to run this line of JavaScript from within the pattern:

var panoramaSysInfoUrl = ${panoramaUrl} + "?key=" + ${apiKey} + encodeURI("&type=op&cmd=<show><system><info></info></system></show>");
rtrn = firewallMgmtUtils.fetchPanoramaInfo(panoramaSysInfoUrl, trustInsecureHosts);

And then it returns this error message:
"Pattern exit because Graceful Termination, reason: Panorama manager information is empty. Please check Mid Server logs for more information. Failed Condition(s): [(${panorama_system_info} : value=) IS NOT EMPTY"

I have checked my credential alias and API key, as well as the Panorama IP. I have also made a successful GET call to the Panorama API. Any suggestions on what I might be missing or something else I should check?

Sorry, I wish I could offer some help here.  Have you checked the MID Server logs to see if they point to anything more specific?  It could be that, like in my case above, you are using the command in the wrong pattern.  I am not a PAN expert in any way, but I believe that was the issue for me.  The data was retrieved from a different pattern and existed on a different table.