Discovery of Palo Alto firewall on SSH

03-08-2017 06:41 AM
We are attempting to discover Palo Alto firewalls on SSH but are getting the "No shell detected and probe parameter 'allow_unsupported_shells' is set to 'false'" message. I created a behavior to discover these devices with SNMP; however, we want to use SSH. Is anyone successfully discovering Palo Alto firewalls via SSH?
Thanks in advance.
Labels: Discovery
03-08-2017 11:35 AM
Scott, we use SNMP currently; we are only concerned with creating the device, SN, model, a few basics. It leverages the OOB firewall classifier; we just added OIDs when needed.
02-05-2020 01:22 PM
Hello Marc, I am new to this integration and discovery stuff and have a need to do exactly what you did: use SNMP to discover the device and some basic info. I am looking for the SNMP string that you used to discover the Palo Alto firewalls.
Would you mind sharing?
02-05-2020 03:19 PM
I try to use a non-prod instance to test first. There are a few great videos on discovery that can also help if you like the visuals.
First - if you are failing out of the gate, you may want to check with your security / network team to whitelist the MID Server IP(s) that you use for discovery.
Second - run a Quick Discovery vs. your target IP (this might just work if the issue was auth related).
Drill into the discovery status for that IP.
In the ECC Queue you will be looking for:
SNMP - Classify - output <-- request sent to device
SNMP - Classify: <some number> OIDs - input <-- device response and what you need
Third - open that form, click on the little payload XML> icon to open a new window with the XML and look for 'sysDescr'.
It will have details like this:
<system oid="1.3.6.1.2.1.1">
<sysName oid="1.3.6.1.2.1.1.5" type="SnmpOctetString"> 'your device name' </sysName>
<sysDescr oid="1.3.6.1.2.1.1.1" type="SnmpOctetString"> 'your device details' </sysDescr>
<sysObjectID oid="1.3.6.1.2.1.1.2" type="SnmpObjectId"> 'oid of device/model' </sysObjectID>
</system>
(I tend to copy out to notepad for later use if needed )
Fourth - so if the Quick Discovery "Completed" activity ends with "Active, couldn't classify", we can try again by adding the sysObjectID as an indicator to discovery of which classification to use for this device. sysDescr might have the model etc., and in this case the generic classifier put enough details into the CI that I didn't have to add any additional discovery components.
- in Filter Navigator type in 'SNMP'
- Discovery Definition...CI Classification...SNMP
- search for Name = Firewall <-- this is the OOB SNMP Classifier for Firewalls
- on the Related List tab SNMP OID Classifications you can click NEW
- oid field = 'oid of device' from above
- Manufacturer = Palo Alto Networks
- Save (it should look like below)
- Re-run Discovery for that IP
- The CI should now be classified and created
- Review the CI for expected details (model, serial number, etc.)
Hope this helps
Marc
Bonus
http://oid-info.com/
This website is a good resource you can leverage to identify unclassified devices by using the 'oid' found in discovery, and it has helped me identify and classify multiple unknown devices. A quick tip is to walk it back to the base like below. So now I know the manufacturer, which is a good starting point if you need other IT teams to assist!
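The two steps Marc describes by hand (reading sysObjectID out of the "SNMP - Classify" input payload, then walking the OID back arc by arc until it matches a known classifier) as an added example, not code from the thread or from ServiceNow. The payload values and the classifier table are constructed; the Palo Alto Networks enterprise arc 1.3.6.1.4.1.25461 used in the table is an assumption to verify against oid-info.com.

```python
import xml.etree.ElementTree as ET

# Constructed sample payload in the shape shown in the post (values are made up).
SAMPLE_PAYLOAD = """<system oid="1.3.6.1.2.1.1">
<sysName oid="1.3.6.1.2.1.1.5" type="SnmpOctetString"> fw-edge-01 </sysName>
<sysDescr oid="1.3.6.1.2.1.1.1" type="SnmpOctetString"> Palo Alto Networks PA-3020 series firewall </sysDescr>
<sysObjectID oid="1.3.6.1.2.1.1.2" type="SnmpObjectId"> 1.3.6.1.4.1.25461.2.3.18 </sysObjectID>
</system>"""

# Assumed classifier table (stand-in for the SNMP OID Classifications related list):
# sysObjectID prefix -> (classification, manufacturer).
# 1.3.6.1.4.1.25461 is assumed to be the Palo Alto Networks private enterprise arc.
OID_CLASSIFIERS = {
    "1.3.6.1.4.1.25461": ("Firewall", "Palo Alto Networks"),
}


def parse_system_group(payload: str) -> dict:
    """Pull sysName, sysDescr and sysObjectID out of the system-group payload XML."""
    root = ET.fromstring(payload)
    info = {}
    for tag in ("sysName", "sysDescr", "sysObjectID"):
        el = root.find(tag)
        # The payload pads values with spaces, so strip them before use.
        info[tag] = el.text.strip() if el is not None and el.text else ""
    return info


def walk_back(oid: str):
    """Yield the OID and each ancestor, longest first: ...25461.2.3.18, ...25461.2.3, ..."""
    arcs = oid.split(".")
    for n in range(len(arcs), 0, -1):
        yield ".".join(arcs[:n])


def classify(oid: str, table=OID_CLASSIFIERS):
    """Longest-prefix match of sysObjectID against the table; None means 'couldn't classify'."""
    for prefix in walk_back(oid):
        if prefix in table:
            return table[prefix]
    return None


if __name__ == "__main__":
    info = parse_system_group(SAMPLE_PAYLOAD)
    print(info)
    print(classify(info["sysObjectID"]))
```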