Palo Alto Panorama extension
- Latest Dynatrace
- Extension
Monitor health and performance metrics of Palo Alto firewalls using Panorama.
Get started
Overview
Monitor your Palo Alto firewalls and their interfaces using Palo Alto's centralized management platform, Panorama. See the Unified Analysis pages and 
Infrastructure & Operations to find out how to analyze the health of your firewalls and drill down into individual metrics.
Use cases
- Monitor health and performance of Palo Alto firewalls and their interfaces
- Identify problems with individual network interfaces
- Detect and alert on hardware issues such as fan speed or temperature
Compatibility information
- The Palo Alto Panorama extension connects to Panorama via the XML API. The Panorama instance must be reachable from the ActiveGate where the extension has been activated.
- The minimum supported version is PAN-OS 9.1
Activation and setup
The Palo Alto Panorama extension requires a read-only Panorama user with XML API access enabled.
Details
The extension works remotely by accessing metrics over the Panorama XML API. It uses the same metric keys as the SNMP-based Palo Alto firewalls extension for compatibility.
- Creates custom entities for Palo Alto Firewalls, Interfaces, and Virtual Systems
- Imports generic network device metricsfor compatibility with Infrastructure & Operations
Licensing and cost
There is no charge for obtaining the extension, only for the data (metrics) that the extension ingests. The details of license consumption depend on which licensing model you are using: either Dynatrace classic licensing or the Dynatrace Platform Subscription (DPS) model.
Metrics
License consumption is based on the number of metric data points ingested. The following formula estimates annual data points ingested, assuming all feature sets are enabled.
(((51 * Number of Firewalls)+ (25 * Number of Interfaces)+ (3 * Number of Virtual Systems)) / <Metrics Collection Interval>) * 60 minutes * 24 hours * 365 days data points per year
Classic licensing
In the Dynatrace classic licensing model, metric ingestion consumes Davis Data Units (DDUs) at the rate of .001 DDUs per metric data point. Multiply the above formula for annual data points by .001 to estimate annual DDU usage.
FAQ
Why is my network device missing some of the fan speed or PSU metrics?
Fan speed and PSU metrics are only available on some Palo Alto systems. If your device has an external AC adapter, then PSU metrics will not be available. This is also the case with some fanless systems. For example, a PA-440 is a fanless system powered by an AC adapter, so those metrics will not be populated.
Why is the Infrastructure & Operations app not showing device location and contact data?
System location and system contact data can only be obtained via querying the Panorama's Configuration API. However, an API user with access to the Configuration API can also read sensitive configuration settings, for example, firewall policies. Panorama's Configuration API access is all-or-nothing. Given this limitation, the extension doesn't attempt to use the Configuration API and thus it is unable to report on the system location and system contact.
Feature sets
When activating your extension using monitoring configuration, you can limit monitoring to one of the feature sets. To work properly, the extension has to collect at least one metric after the activation.
In highly segmented networks, feature sets can reflect the segments of your environment. Then, when you create a monitoring configuration, you can select a feature set and a corresponding ActiveGate group that can connect to this particular segment.
All metrics that aren't categorized into any feature set are considered to be the default and are always reported.
A metric inherits the feature set of a subgroup, which in turn inherits the feature set of a group. Also, the feature set defined on the metric level overrides the feature set defined on the subgroup level, which in turn overrides the feature set defined on the group level.
Swap
| Metric name | Metric key | Description |
|---|---|---|
| Total Swap | com.dynatrace.extension.palo-alto.generic.swap.total | — |
| Free Swap | com.dynatrace.extension.palo-alto.generic.swap.free | — |
| Used Swap | com.dynatrace.extension.palo-alto.generic.swap.used | — |
| Swap Usage | com.dynatrace.extension.palo-alto.generic.swap.usage | — |
Advanced Interface
| Metric name | Metric key | Description |
|---|---|---|
| — | com.dynatrace.extension.palo-alto.generic.if.in.pkts.count | — |
| — | com.dynatrace.extension.palo-alto.generic.if.out.pkts.count | — |
| — | com.dynatrace.extension.palo-alto.generic.if.in.pkts.dropped.count | — |
| — | com.dynatrace.extension.network_device.if.in.multicast_pkts.count | — |
| — | com.dynatrace.extension.network_device.if.out.multicast_pkts.count | — |
| — | com.dynatrace.extension.network_device.if.in.broadcast_pkts.count | — |
| — | com.dynatrace.extension.network_device.if.out.broadcast_pkts.count | — |
| — | com.dynatrace.extension.network_device.if.in.ucast_pkts.count | — |
| — | com.dynatrace.extension.network_device.if.out.ucast_pkts.count | — |
| Interface Incoming Ucast Packets Count | com.dynatrace.extension.palo-alto.generic.if.in.ucast.packets.count | — |
| Interface Outgoing Ucast Packets Count | com.dynatrace.extension.palo-alto.generic.if.out.ucast.packets.count | — |
System
| Metric name | Metric key | Description |
|---|---|---|
| System Uptime | com.dynatrace.extension.palo-alto.generic.sys.uptime | — |
| System Users | com.dynatrace.extension.palo-alto.generic.sys.host.num_users | The number of user sessions for which this host is storing state information. |
| Total Processes | com.dynatrace.extension.palo-alto.generic.sys.host.max_processes | — |
| Running Processes | com.dynatrace.extension.palo-alto.generic.sys.host.num_processes | — |
| Load Average 1min | com.dynatrace.extension.palo-alto.generic.sys.host.load_average | The 1 minute load average |
| Sensor Value | com.dynatrace.extension.palo-alto.generic.sensor.value | Represents fan speed, temperature, and PSU voltage rails |
Sessions
| Metric name | Metric key | Description |
|---|---|---|
| Active Sessions | com.dynatrace.extension.palo-alto.generic.sessions.active | — |
| Max Sessions | com.dynatrace.extension.palo-alto.generic.sessions.max | — |
| TCP Sessions | com.dynatrace.extension.palo-alto.generic.sessions.tcp | — |
| UDP Sessions | com.dynatrace.extension.palo-alto.generic.sessions.udp | — |
| ICMP Sessions | com.dynatrace.extension.palo-alto.generic.sessions.icmp | — |
| Predict Sessions | com.dynatrace.extension.palo-alto.generic.sessions.predict | — |
| Broadcast Sessions | com.dynatrace.extension.palo-alto.generic.sessions.broadcast | — |
| Sessions - SSL Proxy | com.dynatrace.extension.palo-alto.generic.sessions.proxy | — |
| Session SSL proxy utilization | com.dynatrace.extension.palo-alto.generic.sessions.proxy.util | SSL proxt session utilization percentage |
| Gateway Utilization Percent | com.dynatrace.extension.palo-alto.generic.gateway.utilization | — |
| Session Utilization | com.dynatrace.extension.palo-alto.generic.sessions.utilization | Session table utilization percentage |
| Max Tunnels | com.dynatrace.extension.palo-alto.generic.tunnels.max | — |
| Active Tunnels | com.dynatrace.extension.palo-alto.generic.tunnels.active | — |
Memory
| Metric name | Metric key | Description |
|---|---|---|
| Free Memory | com.dynatrace.extension.palo-alto.generic.mem.free | — |
| Reclaimable Memory | com.dynatrace.extension.palo-alto.generic.mem.reclaimable | — |
| Used Memory | com.dynatrace.extension.palo-alto.generic.mem.used | — |
| Total Memory | com.dynatrace.extension.palo-alto.generic.mem.size | — |
| Memory Utilization | com.dynatrace.extension.palo-alto.generic.mem.usage | — |
Disk
| Metric name | Metric key | Description |
|---|---|---|
| Disk Size | com.dynatrace.extension.palo-alto.generic.disk_size | — |
| Disk Available | com.dynatrace.extension.palo-alto.generic.disk_available | — |
| Disk Used | com.dynatrace.extension.palo-alto.generic.disk_used | — |
| Disk Usage | com.dynatrace.extension.palo-alto.generic.disk_usage | — |
Basic Interface
| Metric name | Metric key | Description |
|---|---|---|
| Incoming Interface Errors | com.dynatrace.extension.palo-alto.generic.if.in.err.count | — |
| Outgoing Interface Errors | com.dynatrace.extension.palo-alto.generic.if.out.err.count | — |
| Incoming Interface Discards | com.dynatrace.extension.palo-alto.generic.if.in.discards.count | — |
| Outgoing Interface Discards | com.dynatrace.extension.palo-alto.generic.if.out.discards.count | — |
| Interface Incoming Octets Count | com.dynatrace.extension.palo-alto.generic.if.in.octets.count | — |
| Interface Outgoing Octets Count | com.dynatrace.extension.palo-alto.generic.if.out.octets.count | — |
Packet Drops
| Metric name | Metric key | Description |
|---|---|---|
| Packet Drops: No arp | com.dynatrace.extension.palo-alto.generic.packet_drops.noarp | — |
| — | com.dynatrace.extension.palo-alto.generic.packet_drops.norout | — |
| Device Management Sessions Denied | com.dynatrace.extension.palo-alto.generic.packet_drops.session_denied | — |
| Packet Drops: Layer2 receive error | com.dynatrace.extension.palo-alto.generic.packet_drops.l2_parse_error | — |
| Packet Drops: IP fragementation error | com.dynatrace.extension.palo-alto.generic.packet_drops.ip_frag_error | — |
| Packet Drops: QOS Timeout | com.dynatrace.extension.palo-alto.generic.packet_drops.qos_timeouts | — |
| Packet drops: Denied by policy | com.dynatrace.extension.palo-alto.generic.packet_drops.policy_drops | — |
VSYS
| Metric name | Metric key | Description |
|---|---|---|
| VSYS - Max Sessions | com.dynatrace.extension.palo-alto.generic.vsys.sessions.max | — |
| VSYS - Active Sessions | com.dynatrace.extension.palo-alto.generic.vsys.sessions.active | — |
| VSYS - Session Utilization | com.dynatrace.extension.palo-alto.generic.vsys.sessions.utilization | — |
default
| Metric name | Metric key | Description |
|---|---|---|
| — | com.dynatrace.extension.network_device.memory_total | — |
| — | com.dynatrace.extension.network_device.memory_used | — |
| — | com.dynatrace.extension.network_device.memory_usage | — |
| — | com.dynatrace.extension.network_device.if.speed | — |
| — | com.dynatrace.extension.network_device.if.status | — |
| — | com.dynatrace.extension.network_device.if.bytes_in.count | — |
| — | com.dynatrace.extension.network_device.if.bytes_out.count | — |
| — | com.dynatrace.extension.network_device.if.in.errors.count | — |
| — | com.dynatrace.extension.network_device.if.out.errors.count | — |
| — | com.dynatrace.extension.network_device.if.in.discards.count | — |
| — | com.dynatrace.extension.network_device.if.out.discards.count | — |
| — | com.dynatrace.extension.network_device.sysuptime | — |
CPU
| Metric name | Metric key | Description |
|---|---|---|
| CPU User | com.dynatrace.extension.palo-alto.generic.cpu.user | — |
| CPU Idle | com.dynatrace.extension.palo-alto.generic.cpu.idle | — |
| CPU System | com.dynatrace.extension.palo-alto.generic.cpu.system | — |
| CPU I/O wait | com.dynatrace.extension.palo-alto.generic.cpu.iowait | — |
| CPU Steal | com.dynatrace.extension.palo-alto.generic.cpu.steal | — |
| Data Plane CPU Usage | com.dynatrace.extension.palo-alto.generic.data_plane.cpu_usage | — |
| CPU System Plane Utilization | com.dynatrace.extension.palo-alto.generic.cpu.system.utilization | — |
| CPU Management Plane Utilization | com.dynatrace.extension.palo-alto.generic.cpu.management.utilization | — |
