Smarts NCM: How to add support for Palo Alto PA-200 devices discovery?

Article ID: 331005

Updated On:

Products

VMware Smart Assurance

Environment

VMware Smart Assurance - NCM

Resolution

Does NCM (Network Configuration Manager) support Palo Alto PA-200 devices?

At this time, NCM does not support Palo Alto PA-200 devices; however, there is a workaround that makes data pulls from them work. The next DSR release, slated for Jan 2017, is expected to resolve this issue.

Complete the following on the Device Server, Application Server and Combo Server CLI. (In a distributed environment, you will need to complete this on both the AS and the DS.)
1. source /etc/voyence.conf
2. Copy the ddtVars.inc and PANFirewalls.models files from the $VOYENCE_HOME/package/pan/firewall/ directory to the $VOYENCE_HOME/custompackage/pan/firewall/ directory. If the destination does not exist, create the exact path and directory structure with the same capitalization.

3. Make sure $VOYENCE_HOME/custompackage/pan/firewall/ddtVars.inc has permissions of 440 and ownership of root:voyence.

4. Edit the ddtVars.inc file
      a. Search for "pull.inc" 
      b. Look for the current lines below:
ddesPullTermCmd["running"]="show config merged"+stdEOL;
ddesPullTermCmd["startup"]="show config merged"+stdEOL;
ddesPullTermCmd["setmoderunning"]="show"+stdEOL;
ddesPullTermCmd["setmodetemplate"]="show template"+stdEOL;


     c. Make the requested changes below:
ddesPullTermCmd["running"]="show config candidate"+stdEOL;
ddesPullTermCmd["running"]="show config merged"+stdEOL;
ddesPullTermCmd["startup"]="show config running"+stdEOL;
ddesPullTermCmd["setmoderunning"]="show"+stdEOL;

     
     d. There is another section below that needs to be modified, look for the following lines:
ddesPullTftpCmd["running"]="tftp export configuration to $SERVERIPADDR$ from candidate-config"+stdEOL;
ddesPullTftpCmd["startup"]="tftp export configuration to $SERVERIPADDR$ from $LOCALFILE$"+stdEOL;
ddesPullTftpError="timed out|[Ee]rror|[Ff]ailed";
ddesPullTftpSuccess="[Ss]uccess|[Cc]ompleted|[Dd]one|[Ss]ent|saved";


    e. Make the requested changes below:
ddesPullTftpCmd["running"]="tftp export configuration to $SERVERIPADDR$ from candidate-config"+stdEOL;
ddesPullTftpCmd["running"]="tftp export configuration to $SERVERIPADDR$ from merged-config"+stdEOL;
ddesPullTftpCmd["startup"]="tftp export configuration to $SERVERIPADDR$ from $LOCALFILE$"+stdEOL;
ddesPullTftpError="timed out|[Ee]rror|[Ff]ailed";
ddesPullTftpSuccess="[Ss]uccess|[Cc]ompleted|[Dd]one|[Ss]ent|saved";


5. Save and exit ddtVars.inc.

6. Edit the $VOYENCE_HOME/custompackage/pan/firewall/PANFirewall.models file.
    a. Complete an SNMP walk on the PA-200 device and enter the OID information in the PANFirewall.models file. Please see the added information (the PA-200 line) below:

EnterpriseOid = 1.3.6.1.4.1.25461
PA-4050;                 2.3.1;      7812;  PA-4000
PA-5050;                 2.3.9;      7812;  PA-5000
PA-5020;                 2.3.11;     7812;  PA-5000
M-100;                   2.3.30;     7812
PA-200                (OID information from SNMPWalk); 7812


7. Create the following directory if it does not already exist: $VOYENCE_HOME/custompackage/pkgxml/PANFirewall/. Make sure you create the exact path and directory structure with the same capitalization.
8. Run the following script to export the PANFirewall.models file to an xml file:  $VOYENCE_HOME/tools/mkmodelsxml.pl < $VOYENCE_HOME/custompackage/pan/firewall/PANFirewall.models > $VOYENCE_HOME/custompackage/pkgxml/PANFirewall/PANFirewallModels.xml   
9. To apply the changes, complete a vcmaster restart on the Application Server and Device Server.  This will stop all jobs in the processing
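
A check to run before the restart, added here as an example and not part of the original article: it confirms that the directories from steps 2 and 7 exist with the exact capitalization and that ddtVars.inc has the mode and ownership from step 3. The function names are hypothetical, and a Linux server with GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the KB article; function names are hypothetical.
# Assumes Linux (case-sensitive filesystem, GNU stat).

# Walk relative path $2 under $1 one component at a time. Fails if a component
# is missing, and names any entry that differs only in capitalization.
check_exact_path() {
    cur=$1
    for part in $(printf '%s' "$2" | tr '/' ' '); do
        if [ ! -d "$cur/$part" ]; then
            near=$(ls -1 "$cur" 2>/dev/null | grep -ixF -- "$part" |
                   grep -vxF -- "$part" | head -n 1)
            if [ -n "$near" ]; then
                echo "FAIL: $cur/$near differs in case from expected '$part'"
            else
                echo "FAIL: $cur/$part is missing or not a directory"
            fi
            return 1
        fi
        cur="$cur/$part"
    done
}

# $1 = VOYENCE_HOME, $2 = expected owner:group (root:voyence per step 3).
# Prints each problem found; returns nonzero if there is any.
verify_pan_override() {
    home=$1
    want_owner=$2
    rc=0
    check_exact_path "$home" custompackage/pan/firewall || rc=1
    check_exact_path "$home" custompackage/pkgxml/PANFirewall || rc=1
    f="$home/custompackage/pan/firewall/ddtVars.inc"
    if [ -f "$f" ]; then
        got=$(stat -c '%a %U:%G' "$f")
        if [ "$got" != "440 $want_owner" ]; then
            echo "FAIL: $f is '$got', expected '440 $want_owner'"
            rc=1
        fi
    else
        echo "FAIL: $f is missing"
        rc=1
    fi
    return $rc
}

# On an NCM server, after "source /etc/voyence.conf":
#   verify_pan_override "$VOYENCE_HOME" root:voyence
```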