Monitoring an IPSec Tunnel on a Palo Alto Firewall Using PRTG

A client recently needed to use PRTG to monitor the state of an IPSec VPN tunnel that was terminated on their Palo Alto Firewall array. Palo Alto firewalls have a very useful REST API, so I was able to modify a PowerShell script that I had created previously (which itself was a modified version of a script by Markus Kraus over at My Cloud-(R)evolution) to get the job done.

The script monitors whether the tunnel is up or not, producing an error in PRTG if the tunnel is down. This client uses an Active/Passive firewall array so I had to create some logic to determine which of the array members is active (as only the Active member would have the VPN Tunnel enabled). If the Active/Passive identification logic detects an issue with the HA state of the array it will produce an alert in PRTG.

The first step is to create a local user on the Palo Alto Firewall with Read Only privileges. We will use this account to access the REST API.

Log into the Web Management interface of your Palo Alto Firewall and navigate to Device – Local User Database – Users

Add a new User

Enter an appropriate Username, set the Mode to Password and enter a Password. Make sure the Enable check box is ticked!

Now go to Device – Administrators

Add a new Administrator

Enter the same Username as the User we created in the previous step

Set the Authentication Profile to Local

Set the Administrator Type to Dynamic and select Device administrator (read-only)

Save and Commit

Now we need to generate an API key for use in our PowerShell script. This involves making an HTTP GET request to the Firewall using the Username and Password that we have just created.

I generally use a program called Postman for this; however, it is a bit complex for the purposes of this post. It is, however, a fantastic tool for interrogating and exploring REST APIs and I highly recommend having a play with it!

For now I will refer you to the online documentation provided by Palo Alto here.

Once you have the API key we need to encrypt it before we put it in our script to protect it from prying eyes!

We will use Windows' built-in encryption provider to generate the encrypted password. The encrypted password is tied to the account profile on the Windows instance that it is generated on, so you MUST perform the following steps on the PRTG server.

This particular PRTG instance was configured to run as the LOCAL SYSTEM account so we need a little help from PsExec by Mark Russinovich.

Download it onto the PRTG server from here. Unzip the PSTools zip file and copy PsExec.exe into a folder in your executable path.

Launch a PowerShell window using the following command.

psexec -s -i powershell.exe

Execute the following commands in your newly opened PowerShell window. If PRTG is running under a different user account (i.e. not LOCAL SYSTEM), you just need to log in as that user and run these commands; you don't need to use psexec.

$Password = "Password of the Palo Alto Read Only Admin User"

$Password | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString | Out-File c:\temp\encrypted.txt

Use the contents of c:\temp\encrypted.txt for the $EncryptedPassword variable in the script.
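The key generation and encryption steps above, combined into one session, as an added example that is not part of the original script. It assumes the PAN-OS XML API keygen request (type=keygen), a management certificate that the PRTG server trusts, and a placeholder host name; the function names are hypothetical.

```powershell
# Added example, not the original script. Function names, the host name and the
# output path are illustrative assumptions. Run it as the account PRTG runs as.
function Get-PanApiKey {
    param(
        [Parameter(Mandatory)] [string] $Firewall,
        [Parameter(Mandatory)] [pscredential] $Credential  # read-only admin created earlier
    )
    # The keygen request carries the username and password as query parameters,
    # so both are URL-escaped. The management certificate is assumed to be trusted.
    $user = [uri]::EscapeDataString($Credential.UserName)
    $pass = [uri]::EscapeDataString($Credential.GetNetworkCredential().Password)
    $uri  = "https://$Firewall/api/?type=keygen&user=$user&password=$pass"

    $reply = Invoke-RestMethod -Uri $uri -Method Get
    if ($reply.response.status -ne 'success') {
        throw "Key generation failed on ${Firewall}: status '$($reply.response.status)'"
    }
    return $reply.response.result.key
}

function Protect-Secret {
    param([Parameter(Mandatory)] [string] $Secret)
    # No -Key/-SecureKey is given, so ConvertFrom-SecureString uses DPAPI:
    # only this user account on this machine can reverse the result.
    $Secret | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString
}

function Unprotect-Secret {
    param([Parameter(Mandatory)] [string] $Protected)
    $secure = $Protected | ConvertTo-SecureString
    return [System.Net.NetworkCredential]::new('', $secure).Password
}

# Get-Credential prompts for the password, keeping it out of the command history.
$cred      = Get-Credential -Message 'Palo Alto read-only API user'
$apiKey    = Get-PanApiKey -Firewall 'fw1.example.internal' -Credential $cred
$protected = Protect-Secret -Secret $apiKey
$protected | Out-File 'C:\temp\encrypted.txt'

# Round-trip check: decryption fails ("Key not valid for use in specified state")
# when run under any account other than the one that produced the file.
if ((Unprotect-Secret -Protected (Get-Content 'C:\temp\encrypted.txt')) -ne $apiKey) {
    throw 'Stored value does not decrypt to the API key'
}
```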

You will need to update the $Firewall1, $Firewall2 and $VPNTunnelName variables with appropriate values. The $VPNTunnelName is the same as the Name value for the IPSec Tunnel that you are monitoring and can be located under Network – IPSec Tunnels on the Firewall.

Copy the script to C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\EXEXML on the PRTG server.

Create a sensor of type EXE/Script Advanced in PRTG. You should be able to select the new script in the drop down list labelled EXE/Script.

 

2 Comments on "Monitoring an IPSec Tunnel on a Palo Alto Firewall Using PRTG"


  1. It’s hard to come by experienced people on this subject, but you sound like you know what you’re talking
    about! Thanks


  2. Hi

    I appreciate your effort to make things easier in managing this sophisticated firewall.
    As an administrator, if I have to make my task easier, it will be much better. Now my question is: we can generate API keys in the Palo Alto itself. If you have time, please create more tutorials with the API keys instead of encrypting the key using PsExec. By the way, I enjoy reading your post 🙂

