Monitoring Palo Alto Firewall

eG Enterprise provides a specialized Palo Alto Firewall monitoring model (see Figure 1), which periodically polls the SNMP MIB of the firewall to measure the high availability status, session utilization, gateway utilization, and the tunnels that were created on the firewall, and notifies administrators of potential threats or configuration issues with the firewall.

Figure 1: The layer model of the Palo Alto firewall

Using the metrics reported, administrators can find quick and accurate answers to the following performance issues:

  • Is the firewall available over the network? How is the network connectivity to the firewall – solid or flaky?
  • Is the high availability of the firewall enabled or disabled? If enabled, what is the mode of high availability configuration?
  • How many sessions are currently active on the firewall? Which type of sessions are causing network overload - is it TCP? UDP? SSL Proxy?
  • How many tunnels are active on a GlobalProtect subscription? How well are the GlobalProtect gateways utilized?
  • How many sessions are active on each virtual system of the firewall? What is the session utilization on each virtual system?

The Operating System, Network and Application Processes layers of the Palo Alto Firewall model are similar to those of a Windows server model. Since these tests have been dealt with in the Monitoring Unix and Windows Servers document, let us now focus on the Firewall Service layer alone.