Smarts NCM: How to add support for Palo Alto PA-200 devices discovery?
Article ID: 331005
Products
VMware Smart Assurance
Environment
VMware Smart Assurance - NCM
Resolution
Does NCM (Network Configuration Manager) support Palo Alto PA-200 devices?
At this time NCM does not support Palo Alto PA-200 devices. However, there is a workaround that lets NCM pull data from them. The next DSR release, slated for Jan 2017, is expected to resolve this issue.
Complete the following on a Device Server, Application Server and Combo Server CLI. (In a distributed environment you will need to complete this on both the AS and the DS.)
1. source /etc/voyence.conf
2. Copy the ddtVars.inc and PANFirewalls.models files from the $VOYENCE_HOME/package/pan/firewall/ directory to the $VOYENCE_HOME/custompackage/pan/firewall/ directory. If the destination directory doesn't exist, create the exact path and directory structure with the same capitalization.
3. Make sure $VOYENCE_HOME/custompackage/pan/firewall/ddtVars.inc has permissions of 440 and ownership of root:voyence.
4. Edit the ddtVars.inc file.
   a. Search for "pull.inc".
   b. Look for the current lines below:
      ddesPullTermCmd["running"]="show config merged"+stdEOL;
      ddesPullTermCmd["startup"]="show config merged"+stdEOL;
      ddesPullTermCmd["setmoderunning"]="show"+stdEOL;
      ddesPullTermCmd["setmodetemplate"]="show template"+stdEOL;
   c. Make the requested changes below:
      ddesPullTermCmd["running"]="show config candidate"+stdEOL;
      ddesPullTermCmd["running"]="show config merged"+stdEOL;
      ddesPullTermCmd["startup"]="show config running"+stdEOL;
      ddesPullTermCmd["setmoderunning"]="show"+stdEOL;
   d. There is another section further down that needs to be modified. Look for the following lines:
      ddesPullTftpCmd["running"]="tftp export configuration to $SERVERIPADDR$ from candidate-config"+stdEOL;
      ddesPullTftpCmd["startup"]="tftp export configuration to $SERVERIPADDR$ from $LOCALFILE$"+stdEOL;
      ddesPullTftpError="timed out|[Ee]rror|[Ff]ailed";
      ddesPullTftpSuccess="[Ss]uccess|[Cc]ompleted|[Dd]one|[Ss]ent|saved";
   e. Make the requested changes below:
      ddesPullTftpCmd["running"]="tftp export configuration to $SERVERIPADDR$ from candidate-config"+stdEOL;
      ddesPullTftpCmd["running"]="tftp export configuration to $SERVERIPADDR$ from merged-config"+stdEOL;
      ddesPullTftpCmd["startup"]="tftp export configuration to $SERVERIPADDR$ from $LOCALFILE$"+stdEOL;
      ddesPullTftpError="timed out|[Ee]rror|[Ff]ailed";
      ddesPullTftpSuccess="[Ss]uccess|[Cc]ompleted|[Dd]one|[Ss]ent|saved";
5. Save and exit ddtVars.inc.
6. Edit the $VOYENCE_HOME/custompackage/pan/firewall/PANFirewall.models file.
   a. Complete an snmpwalk on the PA-200 device and enter the OID information in the PANFirewall.models file. Please see the added information below in bold:
7. Create the directory $VOYENCE_HOME/custompackage/pkgxml/PANFirewall/ if it does not already exist. Make sure you create the exact path and directory structure with the same capitalization.
8. Run the following script to export the PANFirewall.models file to an XML file:
   $VOYENCE_HOME/tools/mkmodelsxml.pl < $VOYENCE_HOME/custompackage/pan/firewall/PANFirewall.models > $VOYENCE_HOME/custompackage/pkgxml/PANFirewall/PANFirewallModels.xml
9. To apply the changes, complete a vcmaster restart on the Application server and device server. This will stop all jobs in the processing
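
A pre-restart check of the staged files from steps 2, 3, 7 and 8, as an added example that is not part of the original article or the product. The function name and its optional owner:group argument are assumptions; it relies on GNU stat, and it checks the models file under the name used in steps 6 and 8.

```shell
#!/usr/bin/env bash
# Added example, not from the KB article: verify the custompackage files
# before the vcmaster restart in step 9.
# Usage (after "source /etc/voyence.conf"): check_pan_custompackage
# Optional arguments: VOYENCE_HOME path, expected owner:group
# (hypothetical override for testing; default is root:voyence per step 3).

check_pan_custompackage() {
    local home="${1:-$VOYENCE_HOME}"
    local want_owner="${2:-root:voyence}"
    local fw="$home/custompackage/pan/firewall"
    local xmldir="$home/custompackage/pkgxml/PANFirewall"
    local rc=0 mode owner

    # Report a problem and remember that the check failed.
    fail() { echo "FAIL: $*" >&2; rc=1; }

    # Steps 2 and 7: directories must exist with the exact capitalization.
    [ -d "$fw" ]     || fail "missing directory $fw"
    [ -d "$xmldir" ] || fail "missing directory $xmldir"

    # Step 3: ddtVars.inc must be mode 440 and owned by root:voyence.
    if [ -f "$fw/ddtVars.inc" ]; then
        mode=$(stat -c '%a' "$fw/ddtVars.inc")
        owner=$(stat -c '%U:%G' "$fw/ddtVars.inc")
        [ "$mode" = "440" ] || fail "ddtVars.inc mode is $mode, expected 440"
        [ "$owner" = "$want_owner" ] ||
            fail "ddtVars.inc owner is $owner, expected $want_owner"
    else
        fail "missing $fw/ddtVars.inc"
    fi

    # Step 8: the input models file and a non-empty XML export must exist.
    [ -f "$fw/PANFirewall.models" ] ||
        fail "missing $fw/PANFirewall.models"
    [ -s "$xmldir/PANFirewallModels.xml" ] ||
        fail "missing or empty $xmldir/PANFirewallModels.xml"

    return "$rc"
}
```

The function returns 0 only when every check passes, so it can gate the restart on both the AS and the DS.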