centreon / centreon-plugins

Collection of standard plugins to discover and gather cloud-to-edge metrics and status across your whole IT infrastructure.
https://www.centreon.com
Apache License 2.0

[network::paloalto::ssh::plugin] --mode=ipsec: timeout because multiple logins for one mode #4478

Open joschi99 opened 1 year ago

joschi99 commented 1 year ago

latest plugin version

Monitoring paloalto ipsec through ssh launches 3 commands:

For every CMD execution the plugin will log in and log out, so for the mode "ipsec" we have 3 login/logout activities. Palo Alto has a long logon process (~30 seconds) and the total plugin execution needs ~90 sec. It would be better and also more efficient to log on only 1 time and execute all commands. This avoids timeouts and unnecessary access (logs).

garnier-quentin commented 1 year ago

Please use the libssh backend. Only one connection will be opened.

joschi99 commented 1 year ago

We use libssh, but it seems that we have 3 logons. Every logon needs ~30 sec. I have inserted a timestamp output on every command execution and this should be the result:

-bash-4.2$ ./centreon_plugins.pl --hostname=x.x.x.x --timeout=60 --ssh-backend=libssh --ssh-username=username--ssh-password='password' --plugin=network::paloalto::ssh::plugin --mode=ipsec  --verbose
start show vpn ike-sa: Wed Jun 14 09:51:46 2023
end show vpn ike-sa: Wed Jun 14 09:52:32 2023
start show vpn ipsec-vpn: Wed Jun 14 09:52:32 2023
end show vpn ipsec-vpn: Wed Jun 14 09:53:18 2023
start show vpn flow: Wed Jun 14 09:53:18 2023
end show vpn flow: Wed Jun 14 09:54:00 2023
OK: All ipsec tunnels are ok | 'tunnels.ipsec.total.count'=2;;;0;
Tunnel ipsec 'AA' state: active [monitor status: off][ike phase1 state: up]
Tunnel ipsec 'AB' state: active [monitor status: off][ike phase1 state: up]

Every single command execution is fast, so the long time should come from the logon.

garnier-quentin commented 1 year ago

It's weird. We should have a single connection.

joschi99 commented 1 year ago

Yes, it should, but looking at the output it seems different.

garnier-quentin commented 1 year ago

I understand. We exit each time:

$self->{ssh_commands} = 
        "set cli op-command-xml-output on\n" .
        $options{command} . "\nexit\n";

garnier-quentin commented 1 year ago

I will try a patch.

joschi99 commented 1 year ago

If you need to test it, I can do it.

garnier-quentin commented 1 year ago

Could you test with that archive: https://github.com/centreon/centreon-plugins/archive/refs/heads/fix-paloalto-multiple-connections.zip ?

joschi99 commented 1 year ago

Have done a test with the new version, but the result is the same: total execution > 90 secs

garnier-quentin commented 1 year ago

It should work

joschi99 commented 1 year ago

I have done another test and thos

User <username> logged out via CLI from 172.16.1.19 01.06.2014 15:06
User <username> logged in via CLI from 172.16.1.19  01.06.2014 15:05
User <username> logged in via CLI from 172.16.1.19  01.06.2014 15:05
Accepted password for <username> from 172.16.1.19 port 52824 ssh2   01.06.2014 15:05
User <username> logged in via CLI from 172.16.1.19  01.06.2014 15:05
User <username> logged in via CLI from 172.16.1.19  01.06.2014 15:04
authenticated for user '<username> '. From: 172.16.1.19.    01.06.2014 15:04

These are the logs from one execution. I can see here 4 logins and 1 logout. Strange. Do you have any idea?

For sure the execution of the single commands is quick. I have logged in manually with ssh, always with this user, and executed all commands, and they respond quickly (1-2 secs). Only login takes time.

garnier-quentin commented 1 year ago

Maybe it's closed by libssh if we use input command.

garnier-quentin commented 1 year ago

It's not the libssh. There is only one connection opened. I don't understand the multiple connections.

joschi99 commented 1 year ago

If you need to do a remote session, please let me know.

garnier-quentin commented 1 year ago

I will send you a remote session tomorrow morning

joschi99 commented 1 year ago

I have a slot tomorrow from 09:30 to 10:30

garnier-quentin commented 1 year ago

We have checked. The issue is not about connection. Palo Alto takes time to request a shell and a channel. I can improve the Perl libssh and have a system like Expect. But we are going to check the REST API of Palo Alto.

joschi99 commented 1 year ago

Here is an overview of the API requests for PaloAlto: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-panorama-api/get-started-with-the-pan-os-rest-api/access-the-rest-api If needed, let me know which endpoints you need and I will provide the returned data.

joschi99 commented 1 year ago

Hi @garnier-quentin, did you evaluate the REST API? If you need something to develop a REST API plugin for PA, please let me know.

lucie-dubrunfaut commented 4 months ago

Hello :)

@joschi99 can you tell me if the API usage for requesting PaloAlto here is the same idea as what we discussed yesterday (about requesting PaloAlto with the API rather than SSH)? :) I am talking about these TheWatch ideas: 3238 and 3224

joschi99 commented 4 months ago

PaloAlto seems to offer a complete REST API: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-panorama-api/get-started-with-the-pan-os-rest-api/access-the-rest-api

I have asked a PA specialist for more information and examples, but unfortunately he is on holiday until July 8. So it needs some time to get a response, but I will update you.