Add paloaltoarp plugin documentation

Uninett · Apr 30, 2024 · 8b707c1 · 8b707c1
1 parent 41364b0
commit 8b707c1
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 1 deletion.
diff --git a/NOTES.rst b/NOTES.rst
@@ -8,6 +8,37 @@ existing bug reports, go to https://github.com/uninett/nav/issues .
 To see an overview of upcoming release milestones and the issues they resolve,
 please go to https://github.com/uninett/nav/milestones .
 
+NAV 5.10 (Unreleased)
+=====================
+
+Dependency changes
+------------------
+
+New dependencies
+~~~~~~~~~~~~~~~~
+
+Dependencies to these Python modules have been added in order to support
+communicating with Palo Alto firewall APIs:
+
+* :mod:`PyOpenSSL` (``==23.3.0``)
+* :mod:`service-identity` (``==21.1.0``)
+
+Support for fetching ARP cache data from Palo Alto firewalls
+------------------------------------------------------------
+
+Palo Alto firewalls do support SNMP.  They do not, however, support fetching
+ARP cache data using SNMP.  A new ipdevpoll plugin, ``paloaltoarp``, has been
+added to fetch ARP cache data using the REST API built in to these firewall
+products.
+
+Access credentials for Palo Alto firewalls need to be configured in
+:file:`ipdevpoll.conf`, but a later NAV release should move to providing
+management profiles also for this.
+
+Please read more in :doc:`the ipdevpoll reference documentation
+</reference/ipdevpoll>` for configuration details.
+
+
 NAV 5.9
 =======
 

diff --git a/doc/reference/ipdevpoll.rst b/doc/reference/ipdevpoll.rst
@@ -106,6 +106,30 @@ Section [linkstate]
   The value ``any`` will generate alerts for all link state changes, but
   **this is not recommended** for performance reasons.
 
+Section [paloaltoarp]
+---------------------
+
+This section configures the Palo Alto ARP plugin.  Palo Alto firewalls do
+support SNMP.  They do not, however, support fetching ARP cache data using
+SNMP.  This plugin enables fetching ARP records from Palo Alto firewalls using
+their built-in REST API.
+
+Currently, there is no management profile type for this type of REST APIs, so
+credentials to access a Palo Alto firewall's API must be configured in this
+section.
+
+If you have a Palo Alto firewall named ``example-fw.example.org``, with an IP
+address of ``10.0.42.42`` and a secret API token of
+``762e87e0ec051a1c5211a08dd48e7a93720eee63``, you can configure this in this
+section by adding::
+
+  example-fw.example.org = 762e87e0ec051a1c5211a08dd48e7a93720eee63
+
+Or, alternatively::
+
+  10.0.42.42 = 762e87e0ec051a1c5211a08dd48e7a93720eee63
+
+
 Job sections
 ------------
 

diff --git a/python/nav/ipdevpoll/plugins/paloaltoarp.py b/python/nav/ipdevpoll/plugins/paloaltoarp.py
@@ -1,5 +1,6 @@
 #
-# Copyright (C) 2023 University of Tromsø
+# Copyright (C) 2023, 2024 University of Tromsø
+# Copyright (C) 2024 Sikt
 #
 # This file is part of Network Administration Visualized (NAV).
 #