
Author Topic: No ARP table data collected from PaloAlto firewalls  (Read 480 times)

ruehlb

  • Newbie
  • Posts: 19
No ARP table data collected from PaloAlto firewalls
« on: May 20, 2024, 06:26:04 pm »
We have several PaloAlto firewalls that function as the default gateway for protected subnets. When setting up the .def file, I have selected PANOS for the Operating System and CLI for the ARP collection. It appears that it runs without any problem, as I am getting this as the output:

Code:
CMDR:show arp all dns no result is OK
ARPC:0 ARP entries found

I have verified that I can run 'show arp all dns no' on the firewalls with the same account that Nedi is using. When running manually, I get a CLI output like this followed by all the entries:

Code:
user@pa-firewall> show arp all dns no

maximum of entries supported :      5000
default timeout:                    1800 seconds
total ARP entries in table :        178
total ARP entries shown :           178

I am failing to figure out why the table is not being collected. This is starting to become more critical as this prevents the "Nodes" section of Nedi from identifying where the device is connected. Any help with identifying an issue is appreciated.

rickli

  • Administrator
  • Hero Member
  • Posts: 2897
Re: No ARP table data collected from PaloAlto firewalls
« Reply #1 on: May 21, 2024, 10:30:09 am »
I noticed different behavior (like very long pauses) on some devices when NeDi connects with SSH. Strangely enough a user can connect manually without any issues...
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

ruehlb

  • Newbie
  • Posts: 19
Re: No ARP table data collected from PaloAlto firewalls
« Reply #2 on: May 22, 2024, 02:30:52 pm »
I agree. I have seen these pauses as well, primarily with config collection. One change I have made to accommodate for that is to raise the SNMP timeout to 10 seconds, which allows for the collection of data. This appears to be different. When using the "Discover Now" button on the device, there is a couple-second pause only at the login section. The CLI commands flow by with no hesitation. It is almost like the output is not matching what is expected, therefore resulting in a 0 count table. I have tried to decipher the language in inc/libcli.pm but, since coding is not my strong point, I can't for sure determine if that is the issue. My thought was that the CLI output changed at some point and the table is displayed differently than what is expected.

ruehlb

  • Newbie
  • Posts: 19
Re: No ARP table data collected from PaloAlto firewalls
« Reply #3 on: June 03, 2024, 06:38:27 pm »
My alternatives for finding a solution for this were not working out, so I circled back to see if I could find a resolution on my own. I think I have figured out part of the problem; not sure if it is the fix for everything yet. In the file /var/nedi/inc/libcli.pm, starting at line 1285, it appears the columns are off by 1. This is what the file has:

Code:
}elsif( $main::dev{$na}{os} eq 'PANOS' ){                                       # Palo Alto FW
    $ix = 0;
    $mx = 1;
    $px = 2;
}

Looking at the output of the CLI on a Palo Alto, these identifiers are incorrect. They are one column off. The correct code should be:

Code:
}elsif( $main::dev{$na}{os} eq 'PANOS' ){                                       # Palo Alto FW
    $ix = 1;
    $mx = 2;
    $px = 3;
}

Once I changed these variables, when I run the "Discover Now", there is a full ARP table discovered on the device. As this is in a lab environment, I don't have further equipment discovered to see if this fixes everything. I am going to test with a couple more devices and see if this is the full fix.
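To see why the one-column shift produces "0 ARP entries found", here is an added Perl example (not NeDi's own libcli.pm code) that runs a constructed PAN-OS table through both index sets. The column layout (interface, IP address, MAC address, port, status, TTL) and the IP/MAC sanity check are assumptions, since the thread does not show the table header or the collector's validation logic.

```perl
#!/usr/bin/perl
# Added example, not code from NeDi's libcli.pm: parse a constructed
# PAN-OS 'show arp all dns no' table with the original and the corrected
# column indexes to show why an off-by-one mapping collects nothing.
use strict;
use warnings;

# Constructed sample output; the column layout is assumed to be
# interface / ip address / hw address / port / status / ttl.
my $sample = <<'END';
maximum of entries supported :      5000
default timeout:                    1800 seconds
total ARP entries in table :        3
total ARP entries shown :           3

interface             ip address      hw address        port              status  ttl
--------------------------------------------------------------------------------
ethernet1/1           10.10.1.5       00:50:56:aa:bb:01 ethernet1/1       c       1620
ethernet1/2           10.10.2.17      00:50:56:aa:bb:02 ethernet1/2       c       1701
ae1.100               10.10.3.254     00:50:56:aa:bb:03 ae1.100           c       1788
END

# Parse with the given column indexes for IP ($ix), MAC ($mx) and port ($px).
# A line only counts as an ARP entry when the IP and MAC columns actually
# look like an IP and a MAC address; this assumed check is what skips the
# header, separator and summary lines, and it is also why a wrong index
# silently drops every real entry instead of storing garbage.
sub parse_arp {
    my ($out, $ix, $mx, $px) = @_;
    my %arp;
    for my $line (split /\n/, $out) {
        my @col = split /\s+/, $line;
        next unless defined $col[$px];
        my ($ip, $mac, $port) = @col[$ix, $mx, $px];
        next unless $ip  =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
        next unless $mac =~ /^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$/i;
        $arp{$ip} = { mac => lc $mac, port => $port };
    }
    return \%arp;
}

my $old = parse_arp($sample, 0, 1, 2);   # mapping as shipped in libcli.pm
my $new = parse_arp($sample, 1, 2, 3);   # corrected mapping from Reply #3
printf "ARPC:%d ARP entries found (ix=0,mx=1,px=2)\n", scalar keys %$old;
printf "ARPC:%d ARP entries found (ix=1,mx=2,px=3)\n", scalar keys %$new;
printf "  %-14s %-17s %s\n", $_, $new->{$_}{mac}, $new->{$_}{port}
    for sort keys %$new;
```

With the original indexes the interface name lands in the IP slot and fails the address check on every row, so the count stays at 0; with the shifted indexes all three constructed entries are kept.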