Welcome, Guest. Please login or register.

Author Topic: Using arpwatch tables to import IP's to Nedi  (Read 443 times)

steveballantyne

  • Newbie
  • *
  • Posts: 2
    • View Profile
Using arpwatch tables to import IP's to Nedi
« on: August 12, 2019, 06:12:03 PM »
Hello all, I have a fancy new Palo Alto firewall and I have moved some VLAN's over to it. I ran into trouble with Nedi which ultimately I figured out was because Palo Alto doesn't provide MAC/ARP with SNMP (boooo!!!).

I am attempting to pull a fast one on Nedi by using Arpwatch. I wrote a shell script that connects to the Palo Alto, pulls down an ARP list, formats it into a standard Arpwatch file, and then waits for Nedi to come collect it.

When I run Nedi manually, it *seems* to be collecting the data and ingesting it ...

Quote
/usr/bin/perl /var/nedi/nedi.pl -vopN arpwatch
8< snip 8<
ARPW:b827eb772282 10.20.11.25 10.20.11.25       ups-drmckinley.kch.local.       OK
ARPW:b8ca3a7683fc 10.20.11.101 10.20.11.101     dt-dh04dx1.kch.local.   OK
ARPW:f8b156c5aa08 10.20.11.103 10.20.11.103     dt-9n4cfz1.kch.local.   OK
ARPW:000cc67ddc81 10.20.11.104 10.20.11.104     no-hostname     OK
ARPW:180373468467 10.20.11.105 10.20.11.105     dt-5smwjs1.kch.local.   OK
ARPW:3417ebaa3070 10.20.11.106 10.20.11.106     dt-1tf3v12.kch.local.   OK
ARPW:b8ca3a7f7783 10.20.11.107 10.20.11.107     dt-655phx1.kch.local.   OK
ARPW:1cdea7a0b388 10.20.11.108 10.20.11.108     vg204xm_drmckinley.kch.local.   OK
ARPW:5c260a870946 10.20.11.109 10.20.11.109     docron-pc.kch.local.    OK
ARPW:842b2b9a37c2 10.20.11.110 10.20.11.110     dt-5pgdpm1.kch.local.   OK
ARPW:b8ac6fab4ff7 10.20.11.112 10.20.11.112     dt-5pgcpm1.kch.local.   OK
ARPW:782bcb8a355a 10.20.11.113 10.20.11.113     dt-7dszdq1.kch.local.   OK
ARPW:002673c2f499 10.20.12.10 10.20.12.10       lex_murnen.kch.local.   OK
ARPW:b4b52ff56231 10.20.12.11 10.20.12.11       no-hostname     OK
ARPW:0021b7de06a8 10.20.12.12 10.20.12.12       lex_murnen2.kch.local.  OK
ARPW:f8b156c5a5bd 10.20.12.101 10.20.12.101     dt-9n69fz1.kch.local.   OK
ARPW:b083fe4feec8 10.20.12.102 10.20.12.102     dt-93rh942.kch.local.   OK
ARPW:18037327e196 10.20.12.103 10.20.12.103     dt-8ncjtv1.kch.local.   OK
ARPW:002564f75691 10.20.12.105 10.20.12.105     dt-22htql1.kch.local.   OK
ARPW:842b2baa804c 10.20.12.108 10.20.12.108     dt-ggn7nn1.kch.local.   OK
ARPW:d89ef3985718 10.20.12.109 10.20.12.109     dt-30phrr2.kch.local.   OK
ARPW:54e14034cb19 10.20.12.110 10.20.12.110     25064878.kch.local.     OK
ARPW:d89ef39856a1 10.20.12.111 10.20.12.111     dt-33skrr2.kch.local.   OK

BUT, then if I search my Nedi database for any Nodes or Devices with these IP addresses - I come up empty. If I search for the MAC address, I can find it. But the IP is blank. Is there something else that I need to do to force Nedi to connect these two pieces of information?

rickli

  • Administrator
  • Hero Member
  • *****
  • Posts: 2701
    • View Profile
    • NeDi
Re: Using arpwatch tables to import IP's to Nedi
« Reply #1 on: August 19, 2019, 10:07:32 AM »
You might as well just upgrade to 1.8 as it supports reading Palo's ARP cache via SNMP. It'll be relased officially in a few weeks :-)

http://www.nedi.ch/pub/nedi-1.8C.pkg
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

steveballantyne

  • Newbie
  • *
  • Posts: 2
    • View Profile
Re: Using arpwatch tables to import IP's to Nedi
« Reply #2 on: August 20, 2019, 03:46:42 PM »
Quote
supports reading Palo's ARP cache via SNMP

Nice work! Thanks. I will work on getting that installed.  :-)

rickli

  • Administrator
  • Hero Member
  • *****
  • Posts: 2701
    • View Profile
    • NeDi
Re: Using arpwatch tables to import IP's to Nedi
« Reply #3 on: September 05, 2019, 02:37:57 PM »
Ups, I meant SSH not SNMP. They don't support that Mib...
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

rickli

  • Administrator
  • Hero Member
  • *****
  • Posts: 2701
    • View Profile
    • NeDi
Re: Using arpwatch tables to import IP's to Nedi
« Reply #4 on: October 11, 2019, 09:59:32 AM »
Yeh, gonna make it official today :-) I'm busier than usual, hence the silence over here...
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo