Update: Check PAN Firewall's Sessions Counters with SNMP

About a year ago I published the first plug-in I ever developed for check_mk (https://sitweak.wordpress.com/2012/08/30/snmp-based-check_mk-plug-in-for-palo-alto-firewalls/). For all who missed out on that milestone in my programming career: it does nothing more than fetch some session counters via SNMP.

Even though I realized that there is not a high demand for such a plug-in (until now it has one rating on the check_mk Exchange – haha), I am still very proud that there is a piece of self-made code which is actually working. :) That's why I decided to give it a small update.

Some hours ago I uploaded version 1.0. Here's a changelog:

Plug-In

o   Two more SNMP values are being fetched
– 1.3.6.1.4.1.25461.2.1.2.3.7.0 Total number of active SSL proxy sessions
– 1.3.6.1.4.1.25461.2.1.2.3.8.0 Total number of active SSL proxy sessions.

o   Code updated
– Added a snmp_scan_function
– Added declaration according to new Check_MK API (https://mathias-kettner.de/checkmk_devel_newapi.html)

o   Added warning and critical levels (Service State is based on SNMP value of sessions utilization)
– Factory default: 80% warning level and 90% critical level. You can define your own values by editing ~/local/share/check_mk/checks/paloalto_sessions.

Perfdata
o Added value ‘proxied ssl sessions’ to perfdata

PNP-Template
o   Added graph for value ‘proxied ssl sessions’
o   Cleaned PNP-Template

Plug-In Output
o   Added value for proxied SSL sessions
o   Added value for utilization of SSL proxy

 

This is what it looks like:

[Image] [Image]

Tested on Check_MK 1.2.4

 

I'm looking forward to any feedback here, on Twitter or check_mk Exchange!
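
The level evaluation from the changelog (state derived from session utilization, 80%/90% defaults, proxied SSL sessions in the output and perfdata), as an added stand-alone sketch that is not the plug-in's own code. The session-utilization OID, the reading of .8.0 as a percentage, the `snmpget -On` style input and all function names are assumptions; check the OIDs against the MIB of your PAN-OS version.

```python
import re

# The last two OIDs are the ones listed in the changelog. The first (overall
# session utilization) is not on the page and is an assumption.
OID_SESSION_UTIL = "1.3.6.1.4.1.25461.2.1.2.3.1.0"    # assumed
OID_SSL_PROXY_ACTIVE = "1.3.6.1.4.1.25461.2.1.2.3.7.0"
OID_SSL_PROXY_UTIL = "1.3.6.1.4.1.25461.2.1.2.3.8.0"  # assumed to be a percentage
DEFAULT_LEVELS = (80, 90)  # warning, critical in percent (changelog defaults)
STATE_NAMES = {0: "OK", 1: "WARN", 2: "CRIT", 3: "UNKNOWN"}

# Constructed sample shaped like `snmpget -On` output; the values are made up.
SAMPLE = """\
.1.3.6.1.4.1.25461.2.1.2.3.1.0 = INTEGER: 85
.1.3.6.1.4.1.25461.2.1.2.3.7.0 = INTEGER: 412
.1.3.6.1.4.1.25461.2.1.2.3.8.0 = INTEGER: 7
"""
LINE_RE = re.compile(r"^\.?((?:\d+\.)+\d+)\s*=\s*\w+:\s*(\d+)\s*$")

def parse_snmp(text):
    """Map numeric OID -> int; lines without an integer value are skipped."""
    values = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            values[match.group(1)] = int(match.group(2))
    return values

def check_sessions(values, levels=DEFAULT_LEVELS):
    """Return (state, text) in Nagios convention: 0 OK, 1 WARN, 2 CRIT, 3 UNKNOWN."""
    warn, crit = levels
    missing = [oid for oid in (OID_SESSION_UTIL, OID_SSL_PROXY_ACTIVE,
                               OID_SSL_PROXY_UTIL) if oid not in values]
    if missing:
        # A changed or unsupported OID must not be reported as a healthy firewall.
        return 3, "UNKNOWN - no value for " + ", ".join(missing)
    util = values[OID_SESSION_UTIL]
    state = 2 if util >= crit else 1 if util >= warn else 0
    text = "%s - session utilization %d%%, %d proxied SSL sessions, SSL proxy utilization %d%%" % (
        STATE_NAMES[state], util, values[OID_SSL_PROXY_ACTIVE], values[OID_SSL_PROXY_UTIL])
    perfdata = "utilization=%d%%;%d;%d;0;100 proxied_ssl_sessions=%d" % (
        util, warn, crit, values[OID_SSL_PROXY_ACTIVE])
    return state, text + " | " + perfdata

if __name__ == "__main__":
    print(check_sessions(parse_snmp(SAMPLE))[1])
```

A reply such as "No Such Object available on this agent at this OID" carries no integer, so the OID counts as missing and the result is UNKNOWN rather than OK.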

 


About sitweak
Monitoring, Network, Firewall, Mobile Security. I'm totally into that stuff!

2 Responses to Update: Check PAN Firewall's Sessions Counters with SNMP

  1. Gis says:

    I have installed the plugin. How to add this plugin to the existing host?

    • sitweak says:

      Gis, it should show up on the auto inventory. Unfortunately, I am not working with Palo Alto firewalls and check_mk anymore. Hence, I cannot guarantee that the script is still working with the current version of PANos and check_mk. Please feel free to modify the script and republish it. The code is fairly easy to modify; most likely the SNMP OIDs have changed in newer versions of PANos.
