From 8503acf960ef66c66b3eb39e528a00ba726256a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B8rund=20Helleb=C3=B8?= Date: Fri, 8 Nov 2024 07:42:02 +0100 Subject: [PATCH] Update PaloaltoArp documentation --- NOTES.rst | 30 ++++++++++++++++++++++++ changelog.d/3147.changed.md | 3 +++ doc/reference/ipdevpoll.rst | 29 ----------------------- doc/reference/management-profiles.rst | 33 ++++++++++++++++++++++++++- 4 files changed, 65 insertions(+), 30 deletions(-) create mode 100644 changelog.d/3147.changed.md diff --git a/NOTES.rst b/NOTES.rst index 37a1963a06..87b03dff0f 100644 --- a/NOTES.rst +++ b/NOTES.rst 
@@ -8,6 +8,36 @@ existing bug reports, go to https://github.com/uninett/nav/issues . To see an overview of upcoming release milestones and the issues they resolve, please go to https://github.com/uninett/nav/milestones . +NAV 5.12 +======== +Deprecation warnings +-------------------- +.. warning:: The ``[paloaltoarp]`` section of :file:`ipdevpoll.conf`, used for + configuring HTTP-based ARP fetching from Palo Alto firewalls, is + deprecated and will be ignored in NAV 5.12 and future versions. + HTTP-based ARP fetching from Palo Alto + firewalls *must* now be configured using management profiles, + analogous to configuration of SNMP-based fetching. :ref:`See below + for more details<5.12-new-http-rest-api-management-profile-type>`. + +.. _5.12-new-http-rest-api-management-profile-type: +New way to configure fetching of Palo Alto firewall ARP cache data +------------------------------------------------------------------ +.. NOTE:: See + :ref:`management profile reference documentation` + for instructions on how to reconfigure your Palo Alto firewall + devices in NAV 5.12 to enable support for fetching of their + ARP information. + +Starting with NAV 5.12, a new ``HTTP API`` management profile type has been +added to NAV for configuring HTTP API specific parameters used in fetching of +ARP information from Palo Alto firewalls running PAN-OS. Currently, this +management profile type is only used to configure Palo Alto firewall devices. If +support for other devices that similarly can be managed using a HTTP API is +added to NAV in future releases, you can expect to be able to configure API +parameters for these devices by using management profiles as well. + + NAV 5.11 ======== diff --git a/changelog.d/3147.changed.md b/changelog.d/3147.changed.md new file mode 100644 index 0000000000..2e3d42d345 --- /dev/null +++ b/changelog.d/3147.changed.md 
@@ -0,0 +1,3 @@ +The ipdevpoll plugin to fetch ARP cache data from a netbox's Palo Alto firewall +API is now configured through a new management profile type assigned to that +netbox. diff --git a/doc/reference/ipdevpoll.rst b/doc/reference/ipdevpoll.rst index eafa417a9e..59e2abc5f1 100644 --- a/doc/reference/ipdevpoll.rst +++ b/doc/reference/ipdevpoll.rst @@ -106,35 +106,6 @@ Section [linkstate] The value ``any`` will generate alerts for all link state changes, but **this is not recommended** for performance reasons. -Section [paloaltoarp] ---------------------- - -This section configures the Palo Alto ARP plugin. Palo Alto firewalls do -support SNMP. They do not, however, support fetching ARP cache data using -SNMP. This plugin enables fetching ARP records from Palo Alto firewalls using -their built-in REST API. - -Currently, there is no management profile type for this type of REST APIs, so -credentials to access a Palo Alto firewall's API must be configured in this -section. - -If you have a Palo Alto firewall named ``example-fw.example.org``, with an IP -address of ``10.0.42.42`` and a secret API token of -``762e87e0ec051a1c5211a08dd48e7a93720eee63``, you can configure this in this -section by adding:: - - example-fw.example.org = 762e87e0ec051a1c5211a08dd48e7a93720eee63 - -Or, alternatively:: - - 10.0.42.42 = 762e87e0ec051a1c5211a08dd48e7a93720eee63 - - -.. warning:: The Palo Alto ARP plugin does not currently verify TLS - certificates when accessing a Palo Alto API. This will be changed - at a later date, but if it worries you, you should not use the - plugin yet. - Job sections ------------ diff --git a/doc/reference/management-profiles.rst b/doc/reference/management-profiles.rst index 8300d47494..f7a4cd057e 100644 --- a/doc/reference/management-profiles.rst +++ b/doc/reference/management-profiles.rst 
@@ -86,7 +86,38 @@ Use keys Alternate port If access to the switch is not on the default port (22, in the case of the JunOS driver), put the alternate port here. - + .. _`NAPALM`: https://napalm.readthedocs.io/en/latest/ .. _`NETCONF`: https://en.wikipedia.org/wiki/NETCONF + +.. _http-rest-api-management-profile: +HTTP APIs +-------------- +As of NAV 5.12, HTTP API profiles are used to configure access to +services of the following devices. + +`Palo Alto PAN-OS firewalls`_ + A HTTP API profile is needed for NAV to access the firewall's ARP information. + +.. warning:: The Palo Alto ARP implementation in NAV does not currently verify TLS + certificates when accessing a Palo Alto API. This will be changed + at a later date, but if it worries you, you should not configure + any netboxes to use the Palo Alto Arp service yet. + +.. image:: http-rest-api-profile-example.png + +If you have a Palo Alto firewall running on a netbox managed by NAV, +with a secret API key of ``762e87e0ec051a1c5211a08dd48e7a93720eee63``, +you can configure NAV to fetch ARP information from this firewall by +creating a new management profile with + +* protocol set to ``HTTP API``, + +* API key set to ``762e87e0ec051a1c5211a08dd48e7a93720eee63``, + +* service set to ``Palo Alto ARP``, + +and then add this management profile to the netbox. + +.. _`Palo Alto PAN-OS firewalls`: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-panorama-api/pan-os-xml-api-request-types/configuration-api/get-active-configuration/use-xpath-to-get-arp-information
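Review bot: In the NOTES.rst hunk, the warning sits under "Deprecation warnings" but says the ``[paloaltoarp]`` section "is deprecated and will be ignored in NAV 5.12", which is the release these notes describe, so this is a removal and not a deprecation. As worded, an operator could read it as a grace period when the section already has no effect. Suggest "is no longer read as of NAV 5.12" under a heading that signals required action, plus a sentence telling admins to delete the old ``hostname = token`` entries from :file:`ipdevpoll.conf` after migrating, since those API tokens would otherwise stay behind in a file that no longer uses them. Also, the label ``.. _5.12-new-http-rest-api-management-profile-type:`` is followed directly by the section title with no blank line between them; add one.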
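Review bot: The changelog.d/3147.changed.md entry says where the plugin is now configured but not that the existing ``[paloaltoarp]`` section in ipdevpoll.conf stops being read, which NOTES.rst in this same patch states. That is the part that affects existing installations on upgrade, so it belongs in the entry too, for example a closing sentence along the lines of "The ``[paloaltoarp]`` section of ipdevpoll.conf is ignored and must be migrated."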
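Review bot: Removing "Section [paloaltoarp]" from doc/reference/ipdevpoll.rst outright leaves nothing for a reader who still has that section in their config and looks it up in this reference. Suggest keeping a short stub under the same heading stating that the section is ignored from NAV 5.12, with a ``:ref:`` to ``http-rest-api-management-profile``. The removed paragraph explaining that Palo Alto firewalls support SNMP but not fetching ARP cache data over SNMP is also not carried over to management-profiles.rst; that rationale is worth moving instead of dropping.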
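Review bot: The TLS warning in the new "HTTP APIs" section of doc/reference/management-profiles.rst carries over "if it worries you" without saying what is at stake: the API key configured in the profile is used against an endpoint whose certificate is not checked. State that consequence in the warning so readers can judge it against the network path between NAV and the firewall. Smaller points in the same hunk: "Palo Alto Arp service" should match the service name ``Palo Alto ARP`` used in the bullet list, "A HTTP API profile" should read "An HTTP API profile", and the label says ``http-rest-api`` while the heading and profile type say only "HTTP API"; pick one name.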