NeDi Community

NeDi Software Specific => Discovery => Topic started by: steveballantyne on August 12, 2019, 06:12:03 PM

Title: Using arpwatch tables to import IPs to NeDi
Post by: steveballantyne on August 12, 2019, 06:12:03 PM
Hello all, I have a fancy new Palo Alto firewall and I have moved some VLANs over to it. I ran into trouble with NeDi which ultimately I figured out was because Palo Alto doesn't provide MAC/ARP with SNMP (boooo!!!).

I am attempting to pull a fast one on NeDi by using Arpwatch. I wrote a shell script that connects to the Palo Alto, pulls down an ARP list, formats it into a standard Arpwatch file, and then waits for NeDi to come collect it.

When I run NeDi manually, it *seems* to be collecting the data and ingesting it ...

Quote
/usr/bin/perl /var/nedi/nedi.pl -vopN arpwatch
8< snip 8<
ARPW:b827eb772282 10.20.11.25 10.20.11.25       ups-drmckinley.kch.local.       OK
ARPW:b8ca3a7683fc 10.20.11.101 10.20.11.101     dt-dh04dx1.kch.local.   OK
ARPW:f8b156c5aa08 10.20.11.103 10.20.11.103     dt-9n4cfz1.kch.local.   OK
ARPW:000cc67ddc81 10.20.11.104 10.20.11.104     no-hostname     OK
ARPW:180373468467 10.20.11.105 10.20.11.105     dt-5smwjs1.kch.local.   OK
ARPW:3417ebaa3070 10.20.11.106 10.20.11.106     dt-1tf3v12.kch.local.   OK
ARPW:b8ca3a7f7783 10.20.11.107 10.20.11.107     dt-655phx1.kch.local.   OK
ARPW:1cdea7a0b388 10.20.11.108 10.20.11.108     vg204xm_drmckinley.kch.local.   OK
ARPW:5c260a870946 10.20.11.109 10.20.11.109     docron-pc.kch.local.    OK
ARPW:842b2b9a37c2 10.20.11.110 10.20.11.110     dt-5pgdpm1.kch.local.   OK
ARPW:b8ac6fab4ff7 10.20.11.112 10.20.11.112     dt-5pgcpm1.kch.local.   OK
ARPW:782bcb8a355a 10.20.11.113 10.20.11.113     dt-7dszdq1.kch.local.   OK
ARPW:002673c2f499 10.20.12.10 10.20.12.10       lex_murnen.kch.local.   OK
ARPW:b4b52ff56231 10.20.12.11 10.20.12.11       no-hostname     OK
ARPW:0021b7de06a8 10.20.12.12 10.20.12.12       lex_murnen2.kch.local.  OK
ARPW:f8b156c5a5bd 10.20.12.101 10.20.12.101     dt-9n69fz1.kch.local.   OK
ARPW:b083fe4feec8 10.20.12.102 10.20.12.102     dt-93rh942.kch.local.   OK
ARPW:18037327e196 10.20.12.103 10.20.12.103     dt-8ncjtv1.kch.local.   OK
ARPW:002564f75691 10.20.12.105 10.20.12.105     dt-22htql1.kch.local.   OK
ARPW:842b2baa804c 10.20.12.108 10.20.12.108     dt-ggn7nn1.kch.local.   OK
ARPW:d89ef3985718 10.20.12.109 10.20.12.109     dt-30phrr2.kch.local.   OK
ARPW:54e14034cb19 10.20.12.110 10.20.12.110     25064878.kch.local.     OK
ARPW:d89ef39856a1 10.20.12.111 10.20.12.111     dt-33skrr2.kch.local.   OK

BUT, then if I search my NeDi database for any Nodes or Devices with these IP addresses - I come up empty. If I search for the MAC address, I can find it. But the IP is blank. Is there something else that I need to do to force NeDi to connect these two pieces of information?
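
Added example, not part of the thread and not the poster's script: a sketch of the conversion step described in the post above, turning a saved firewall ARP listing into arp.dat-style lines (MAC, IP, epoch timestamp, tab-separated) while dropping incomplete, malformed and conflicting entries before they reach the inventory. The function names, the sample data and the input column layout (interface, ip, hw address, port, status, ttl) are assumptions, as is the consumer accepting zero-padded MAC octets.

```shell
#!/bin/sh
# Added example: turn a saved Palo Alto ARP listing into arp.dat-style lines
# (MAC<TAB>IP<TAB>epoch). Function names and sample data are hypothetical.

# Constructed sample; the column layout (interface, ip, hw address, port,
# status, ttl) is an assumption about the firewall ARP listing.
sample_listing() {
cat <<'EOF'
interface         ip address      hw address        port          status   ttl
------------------------------------------------------------------------------
ethernet1/3       192.0.2.25      02:00:00:00:00:01 ethernet1/3     c      1650
ethernet1/3       192.0.2.101     02:00:00:00:00:0A ethernet1/3     c      1712
ethernet1/3       192.0.2.104     (incomplete)      ethernet1/3     i      2
ethernet1/3       192.0.2.999     02:00:00:00:00:0b ethernet1/3     c      900
ethernet1/3       192.0.2.25      02:00:00:00:00:0c ethernet1/3     c      1200
EOF
}

# Usage: pa_arp_to_arpwatch EPOCH < listing > arp.dat
pa_arp_to_arpwatch() {
    awk -v now="$1" '
    function valid_ip(ip,   n, o, i) {
        n = split(ip, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9][0-9]?[0-9]?$/ || o[i] + 0 > 255) return 0
        return 1
    }
    function valid_mac(m,   n, h, i) {
        n = split(m, h, ":")
        if (n != 6) return 0
        for (i = 1; i <= 6; i++)
            if (h[i] !~ /^[0-9a-f][0-9a-f]$/) return 0
        return 1
    }
    {
        ip = $2; mac = tolower($3)
        # Header, separator, incomplete and malformed rows fail validation.
        if (!valid_ip(ip) || !valid_mac(mac)) next
        # Keep the first MAC seen for an IP and report any later claimant.
        if (ip in seen) {
            print "skipped " mac " for " ip ", already " seen[ip] > "/dev/stderr"
            next
        }
        seen[ip] = mac
        printf "%s\t%s\t%s\n", mac, ip, now
    }'
}

sample_listing | pa_arp_to_arpwatch "$(date +%s)"
```

A second MAC claiming an already-listed IP is reported on stderr rather than written out, so the conflict can be reviewed instead of silently overwriting the first mapping.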
Title: Re: Using arpwatch tables to import IPs to NeDi
Post by: rickli on August 19, 2019, 10:07:32 AM
You might as well just upgrade to 1.8 as it supports reading Palo's ARP cache via SNMP. It'll be released officially in a few weeks :-)

http://www.nedi.ch/pub/nedi-1.8C.pkg
Title: Re: Using arpwatch tables to import IPs to NeDi
Post by: steveballantyne on August 20, 2019, 03:46:42 PM
Quote
supports reading Palo's ARP cache via SNMP

Nice work! Thanks. I will work on getting that installed.  :-)
Title: Re: Using arpwatch tables to import IPs to NeDi
Post by: rickli on September 05, 2019, 02:37:57 PM
Oops, I meant SSH not SNMP. They don't support that MIB...