Palo Alto Networks PAN-OS
Plugin: go.d.plugin Module: panos
Overview
This collector monitors Palo Alto Networks PAN-OS firewalls. It collects read-only XML API telemetry for BGP, system status, HA, environment sensors, licenses, and IPsec SAs.
It gathers metrics by periodically running PAN-OS XML API operational commands through the pango SDK.
This collector is supported on all platforms.
This collector supports collecting metrics from multiple instances of this integration, including remote instances.
The configured PAN-OS account must be allowed to use the XML API and run read-only operational requests for the collected telemetry.
Default Behavior
Auto-Detection
This collector does not auto-detect PAN-OS firewalls. A job must be configured with the firewall management URL and credentials.
Limits
The default collection interval is 60 seconds to keep polling load conservative on the PAN-OS management plane.
Performance Impact
Each collection runs PAN-OS XML API operational requests. The collector uses serial requests and caps the SDK transport to 2 connections per firewall job. Multiple jobs targeting the same firewall multiply that per-job connection budget, so configure one job per firewall management interface unless you intentionally need separate scopes.
Setup
You can configure the panos collector in two ways:
| Method | Best for | How to |
|---|---|---|
| UI | Fast setup without editing files | Go to Nodes → Configure this node → Collectors → Jobs, search for panos, then click + to add a job. |
| File | If you prefer configuring via file, or need to automate deployments (e.g., with Ansible) | Edit go.d/panos.conf and add a job. |
UI configuration requires paid Netdata Cloud plan.
Prerequisites
PAN-OS XML API access
Enable XML API access and provide either an API key or username/password credentials that can generate one. The account needs permission to run operational commands.
Configuration
Options
The following options can be defined globally: update_every, autodetection_retry.
Config options
| Group | Option | Description | Default | Required |
|---|---|---|---|---|
| Collection | update_every | Data collection interval (seconds). | 60 | no |
| autodetection_retry | Autodetection retry interval (seconds). Set 0 to disable. | 0 | no | |
| Target | url | PAN-OS management interface URL. The path must be empty, /, or /api. | https://127.0.0.1 | yes |
| timeout | PAN-OS XML API request timeout (seconds). | 3 | no | |
| vsys | Optional PAN-OS virtual system scope for operational commands. | no | ||
| Auth | api_key | PAN-OS XML API key. Takes priority over username/password key generation. | no | |
| username | PAN-OS username used for API key generation. | no | ||
| password | PAN-OS password used for API key generation. | no | ||
| TLS | tls_skip_verify | Skip TLS certificate and hostname verification. | no | no |
| tls_ca | Path to CA bundle used to validate the server certificate. | no | ||
| tls_cert | Path to client TLS certificate. | no | ||
| tls_key | Path to client TLS private key. | no | ||
| Proxy | proxy_url | HTTP proxy URL. Include proxy credentials in the URL if needed. | no | |
| Headers | headers | Additional HTTP headers. | no | |
| Virtual Node | vnode | Associates this data collection job with a Virtual Node. | no |
via UI
Configure the panos collector from the Netdata web interface:
- Go to Nodes.
- Select the node where you want the panos data-collection job to run and click the ⚙ (Configure this node). That node will run the data collection.
- The Collectors → Jobs view opens by default.
- In the Search box, type panos (or scroll the list) to locate the panos collector.
- Click the + next to the panos collector to add a new job.
- Fill in the job fields, then click Test to verify the configuration and Submit to save.
- Test runs the job with the provided settings and shows whether data can be collected.
- If it fails, an error message appears with details (for example, connection refused, timeout, or command execution errors), so you can adjust and retest.
via File
The configuration file name for this integration is go.d/panos.conf.
The file format is YAML. Generally, the structure is:
update_every: 1
autodetection_retry: 0
jobs:
- name: some_name1
- name: some_name2
You can edit the configuration file using the edit-config script from the
Netdata config directory.
cd /etc/netdata 2>/dev/null || cd /opt/netdata/etc/netdata
sudo ./edit-config go.d/panos.conf
Examples
API key
Collecting PAN-OS metrics with an existing XML API key.
jobs:
- name: firewall
url: https://192.0.2.1
api_key: YOUR_PANOS_XML_API_KEY
update_every: 60
timeout: 3
Username/password key generation
Letting the collector generate and reuse an API key through PAN-OS.
Config
jobs:
- name: firewall
url: https://192.0.2.1
username: netdata
password: YOUR_PASSWORD
update_every: 60
timeout: 3
Alerts
The following alerts are available:
| Alert name | On metric | Description |
|---|---|---|
| panos_bgp_peer_not_established | panos.bgp.peer.state | Critical when a BGP peer has not been established for 5 minutes. |
| panos_device_certificate_invalid | panos.system.device_certificate_status | Critical when PAN-OS reports the device certificate as invalid. |
| panos_ha_peer_connection_down | panos.ha.peer.connection_status | Critical when the HA peer connection has not been up for 5 minutes. |
| panos_environment_sensor_alarm | panos.environment.sensor_alarm_status | Critical when PAN-OS reports an environment sensor alarm. |
| panos_license_expired | panos.license.status | Critical when PAN-OS reports a license as expired. |
| panos_license_expires_soon | panos.license.time_until_expiration | Warning under 30 days before expiration, critical under 7 days. Expired licenses trigger panos_license_expired instead. |
Metrics
Metrics grouped by scope.
The scope defines the instance that the metric belongs to. An instance is uniquely identified by a set of labels.
Per System
These metrics refer to the PAN-OS device.
Labels:
| Label | Description |
|---|---|
| hostname | PAN-OS hostname. |
| model | PAN-OS model. |
| serial | Device serial number. |
| sw_version | PAN-OS software version. |
Metrics:
| Metric | Dimensions | Unit |
|---|---|---|
| panos.system.uptime | uptime | seconds |
| panos.system.device_certificate_status | valid, invalid | status |
| panos.system.operational_mode | normal, other | mode |
Per High availability
These metrics refer to the PAN-OS HA pair state reported by the local firewall.
This scope has no labels.
Metrics:
| Metric | Dimensions | Unit |
|---|---|---|
| panos.ha.status | enabled, disabled | status |
| panos.ha.local.state | active, passive, non_functional, suspended, unknown | state |
| panos.ha.peer.state | active, passive, non_functional, suspended, unknown | state |
| panos.ha.peer.connection_status | up, down, unknown | status |
| panos.ha.state_sync_status | synchronized, not_synchronized, unknown | status |
Per High availability link
These metrics refer to a single PAN-OS HA link.
Labels:
| Label | Description |
|---|---|
| link | HA link name. |
Metrics:
| Metric | Dimensions | Unit |
|---|---|---|
| panos.ha.link_status | up, down, unknown | status |
Per Environment sensor
These metrics refer to a single PAN-OS environment sensor.
Labels:
| Label | Description |
|---|---|
| slot | Hardware slot. |
| sensor | Sensor description. |
| sensor_type | Sensor type. |
Metrics:
| Metric | Dimensions | Unit |
|---|---|---|
| panos.environment.temperature | temperature | Celsius |
| panos.environment.fan_speed | speed | RPM |
| panos.environment.voltage | voltage | Volts |
| panos.environment.sensor_alarm_status | clear, alarm | status |
| panos.environment.power_supply_presence_status | present, absent | status |
| panos.environment.power_supply_alarm_status | clear, alarm | status |
Per License summary
These metrics summarize PAN-OS licenses.
This scope has no labels.
Metrics:
| Metric | Dimensions | Unit |
|---|---|---|
| panos.license.count | total, expired | licenses |
Per License
These metrics refer to one PAN-OS license.
Labels:
| Label | Description |
|---|---|
| feature | License feature name. |
| description | License description. |
Metrics:
| Metric | Dimensions | Unit |
|---|---|---|
| panos.license.status | valid, expired | status |
| panos.license.time_until_expiration | time_until_expiration | days |
Per IPsec summary
These metrics summarize active PAN-OS IPsec security associations.
This scope has no labels.
Metrics:
| Metric | Dimensions | Unit |
|---|---|---|
| panos.ipsec.tunnels | active | tunnels |
Per IPsec tunnel
These metrics refer to one active PAN-OS IPsec security association.
Labels:
| Label | Description |
|---|---|
| tunnel | Tunnel name. |
| gateway | Gateway name. |
| remote | Remote peer. |
| tunnel_id | PAN-OS tunnel identifier. |
| protocol | Tunnel protocol. |
| encryption | Encryption algorithm. |
Metrics:
| Metric | Dimensions | Unit |
|---|---|---|
| panos.ipsec.tunnel.sa_lifetime | remaining_lifetime | seconds |
Per BGP peer
These metrics refer to a single BGP peer on a PAN-OS virtual router or logical router.
Labels:
| Label | Description |
|---|---|
| vr | PAN-OS virtual router or logical router. |
| peer_address | BGP peer address. |
| local_address | Local BGP address. |
| remote_as | Remote autonomous system. |
| peer_group | PAN-OS peer group. |
Metrics:
| Metric | Dimensions | Unit |
|---|---|---|
| panos.bgp.peer.state | idle, connect, active, opensent, openconfirm, established, unknown | state |
| panos.bgp.peer.uptime | uptime | seconds |
| panos.bgp.peer.messages | in, out | messages/s |
| panos.bgp.peer.updates | in, out | messages/s |
| panos.bgp.peer.flaps | flaps | flaps/s |
| panos.bgp.peer.established_transitions | established | transitions/s |
Per BGP peer address family
These metrics refer to one AFI/SAFI family for a BGP peer.
Labels:
| Label | Description |
|---|---|
| vr | PAN-OS virtual router or logical router. |
| peer_address | BGP peer address. |
| local_address | Local BGP address. |
| remote_as | Remote autonomous system. |
| peer_group | PAN-OS peer group. |
| afi | Address family. |
| safi | Subsequent address family. |
Metrics:
| Metric | Dimensions | Unit |
|---|---|---|
| panos.bgp.peer.prefixes_received | total, accepted, rejected | prefixes |
| panos.bgp.peer.prefixes_advertised | advertised | prefixes |
Per BGP virtual router
These metrics refer to one PAN-OS virtual router or logical router.
Labels:
| Label | Description |
|---|---|
| vr | PAN-OS virtual router or logical router. |
Metrics:
| Metric | Dimensions | Unit |
|---|---|---|
| panos.bgp.vr.peers_by_state | idle, connect, active, opensent, openconfirm, established, unknown | peers |
| panos.bgp.vr.peers_total | configured, established | peers |
Troubleshooting
Debug Mode
Important: Debug mode is not supported for data collection jobs created via the UI using the Dyncfg feature.
To troubleshoot issues with the panos collector, run the go.d.plugin with the debug option enabled. The output
should give you clues as to why the collector isn't working.
-
Navigate to the
plugins.ddirectory, usually at/usr/libexec/netdata/plugins.d/. If that's not the case on your system, opennetdata.confand look for thepluginssetting under[directories].cd /usr/libexec/netdata/plugins.d/ -
Switch to the
netdatauser.sudo -u netdata -s -
Run the
go.d.pluginto debug the collector:./go.d.plugin -d -m panosTo debug a specific job:
./go.d.plugin -d -m panos -j jobName
Getting Logs
If you're encountering problems with the panos collector, follow these steps to retrieve logs and identify potential issues:
- Run the command specific to your system (systemd, non-systemd, or Docker container).
- Examine the output for any warnings or error messages that might indicate issues. These messages should provide clues about the root cause of the problem.
System with systemd
Use the following command to view logs generated since the last Netdata service restart:
journalctl _SYSTEMD_INVOCATION_ID="$(systemctl show --value --property=InvocationID netdata)" --namespace=netdata --grep panos
System without systemd
Locate the collector log file, typically at /var/log/netdata/collector.log, and use grep to filter for collector's name:
grep panos /var/log/netdata/collector.log
Note: This method shows logs from all restarts. Focus on the latest entries for troubleshooting current issues.
Docker Container
If your Netdata runs in a Docker container named "netdata" (replace if different), use this command:
docker logs netdata 2>&1 | grep panos
No BGP charts are created
Verify that BGP is configured and that the account can run PAN-OS XML API operational requests. The collector logs when no legacy or Advanced Routing Engine BGP peer command returns peers. Advanced Routing Engine parsing is best-effort until validated with sanitized real PAN-OS ARE XML output.
Panorama proxy collection is unsupported
Configure one job per firewall management interface. This collector does not support using Panorama as a target proxy for managed firewalls in v1.
A metricset fails but other charts work
The collector keeps successful metricsets running and logs the failing metricset name and XML command context.
PAN-OS accepted a command but no telemetry appears
A "success response has no recognized telemetry payload" error means PAN-OS accepted the operational command, but the XML result did not contain the expected section for that metricset. Verify the account permissions and platform support for the metricset, or provide a sanitized XML sample so the parser can be updated.
A PAN-OS value cannot be parsed
The collector reports missing or invalid integer, decimal, duration, status, license expiration, and IPsec tunnel-count values with the metricset, field, entity name, and raw value when present. It does not silently convert missing or malformed values to zero, report fake valid status, or treat unrecognized license dates as never-expiring licenses.
Do you have any feedback for this page? If so, you can open a new issue on our netdata/learn repository.