Hello all, I have a fancy new Palo Alto firewall and I have moved some VLANs over to it. I ran into trouble with Nedi which ultimately I figured out was because Palo Alto doesn't provide MAC/ARP with SNMP (boooo!!!).
I am attempting to pull a fast one on Nedi by using Arpwatch. I wrote a shell script that connects to the Palo Alto, pulls down an ARP list, formats it into a standard Arpwatch file, and then waits for Nedi to come collect it.
When I run Nedi manually, it *seems* to be collecting the data and ingesting it ...
/usr/bin/perl /var/nedi/nedi.pl -vopN arpwatch
8< snip 8<
ARPW:b827eb772282 10.20.11.25 10.20.11.25 ups-drmckinley.kch.local. OK
ARPW:b8ca3a7683fc 10.20.11.101 10.20.11.101 dt-dh04dx1.kch.local. OK
ARPW:f8b156c5aa08 10.20.11.103 10.20.11.103 dt-9n4cfz1.kch.local. OK
ARPW:000cc67ddc81 10.20.11.104 10.20.11.104 no-hostname OK
ARPW:180373468467 10.20.11.105 10.20.11.105 dt-5smwjs1.kch.local. OK
ARPW:3417ebaa3070 10.20.11.106 10.20.11.106 dt-1tf3v12.kch.local. OK
ARPW:b8ca3a7f7783 10.20.11.107 10.20.11.107 dt-655phx1.kch.local. OK
ARPW:1cdea7a0b388 10.20.11.108 10.20.11.108 vg204xm_drmckinley.kch.local. OK
ARPW:5c260a870946 10.20.11.109 10.20.11.109 docron-pc.kch.local. OK
ARPW:842b2b9a37c2 10.20.11.110 10.20.11.110 dt-5pgdpm1.kch.local. OK
ARPW:b8ac6fab4ff7 10.20.11.112 10.20.11.112 dt-5pgcpm1.kch.local. OK
ARPW:782bcb8a355a 10.20.11.113 10.20.11.113 dt-7dszdq1.kch.local. OK
ARPW:002673c2f499 10.20.12.10 10.20.12.10 lex_murnen.kch.local. OK
ARPW:b4b52ff56231 10.20.12.11 10.20.12.11 no-hostname OK
ARPW:0021b7de06a8 10.20.12.12 10.20.12.12 lex_murnen2.kch.local. OK
ARPW:f8b156c5a5bd 10.20.12.101 10.20.12.101 dt-9n69fz1.kch.local. OK
ARPW:b083fe4feec8 10.20.12.102 10.20.12.102 dt-93rh942.kch.local. OK
ARPW:18037327e196 10.20.12.103 10.20.12.103 dt-8ncjtv1.kch.local. OK
ARPW:002564f75691 10.20.12.105 10.20.12.105 dt-22htql1.kch.local. OK
ARPW:842b2baa804c 10.20.12.108 10.20.12.108 dt-ggn7nn1.kch.local. OK
ARPW:d89ef3985718 10.20.12.109 10.20.12.109 dt-30phrr2.kch.local. OK
ARPW:54e14034cb19 10.20.12.110 10.20.12.110 25064878.kch.local. OK
ARPW:d89ef39856a1 10.20.12.111 10.20.12.111 dt-33skrr2.kch.local. OK
BUT, then if I search my Nedi database for any Nodes or Devices with these IP addresses - I come up empty. If I search for the MAC address, I can find it. But the IP is blank. Is there something else that I need to do to force Nedi to connect these two pieces of information?
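Added example, not part of the original post and not the poster's script: one way to do the conversion step described above, turning a firewall ARP dump into arpwatch-style lines (MAC, IP, epoch timestamp, tab-separated) while dropping incomplete, malformed and duplicate entries. The function names, the input column layout, the sample addresses and the zero-padded MAC form are assumptions.

```shell
# Added example: ARP table dump -> arpwatch-style "mac<TAB>ip<TAB>epoch" lines.
# Assumes one entry per line with an IPv4 and a colon-separated MAC among the fields.
arp_to_arpdat() {
    awk -v ts="$1" '
    function valid_ip(s,    p, n, i) {
        n = split(s, p, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
        return 1
    }
    function norm_mac(s,    p, n, i, out) {
        n = split(tolower(s), p, ":")
        if (n != 6) return ""
        out = ""
        for (i = 1; i <= 6; i++) {
            if (p[i] !~ /^[0-9a-f][0-9a-f]?$/) return ""
            if (length(p[i]) == 1) p[i] = "0" p[i]
            out = out (i > 1 ? ":" : "") p[i]
        }
        return out
    }
    {
        ip = ""; mac = ""
        for (i = 1; i <= NF; i++) {
            if (ip == "" && valid_ip($i)) ip = $i
            else if (mac == "") mac = norm_mac($i)
        }
        # Skip headers, incomplete entries and all-zero MACs; first entry per IP wins.
        if (ip == "" || mac == "" || mac == "00:00:00:00:00:00") next
        if (seen[ip]++) next
        printf "%s\t%s\t%s\n", mac, ip, ts
    }'
}

# Constructed sample input (column layout is an assumption, not captured from a firewall).
sample_arp_table() {
cat <<'EOF'
interface   ip address   hw address          port  status  ttl
ethernet1/2 192.0.2.25   02:00:5e:10:0:1a    ethernet1/2  c  1500
ethernet1/2 192.0.2.26   (incomplete)        ethernet1/2  i  2
ethernet1/2 192.0.2.25   02:00:5E:10:00:1B   ethernet1/2  c  900
ethernet1/3 192.0.2.300  02:00:5e:10:00:1c   ethernet1/3  c  1200
ethernet1/3 198.51.100.7 02:00:5E:10:00:1D   ethernet1/3  c  1200
EOF
}

sample_arp_table | arp_to_arpdat "$(date +%s)"
```

Only fields that pass the IP and MAC checks reach the output file, so a stray or hostile string in the firewall output cannot add extra columns or lines to what the collector later ingests.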