jenningsloy318 / panos_exporter

paloalto os exporter for prometheus
Apache License 2.0

License and certificate information #5

Open ognjen011 opened 3 years ago

ognjen011 commented 3 years ago

Do you have any plans to add new features? I was thinking of an ability to get license information so I can start sending alerts well ahead of time when the license is about to expire. Same thing for the loaded Certificates used for GP.

jenningsloy318 commented 3 years ago

Hi @ognjen011

I will check it later; if possible, I can add this license info. As for "Same thing for the loaded Certificates used for GP.", I don't understand what you mean. Can you elaborate a little bit?

ognjen011 commented 3 years ago

Hi

So we have SSL certificates that get loaded for GlobalProtect. It would be nice to get a certificate expiration date and then be able to alert on it.

jenningsloy318 commented 3 years ago

I hope I can get this, but our environment is configured without this. Nevertheless, I will try it out. If I have no luck, I'd like to ask for your help in providing me some output in XML or JSON format.

ognjen011 commented 3 years ago

OK, that is perfect. I can provide the info you need.

jenningsloy318 commented 3 years ago

Hi, on my device I didn't find any license API. If your device has such an API, please let me know the path and output.

Regarding GlobalProtect, my device only contains API > Operational Commands > show > global-protect > redirect; there are no SSL entities under global-protect.

P.S. You can get all APIs under https://pa-ipaddress/api

ognjen011 commented 3 years ago

SSL certificates for the GP and a few other things. To get the SSL via API, in my case it is in:

```
https://{host}/api/?type=op&cmd=<request><certificate><show><certificate-name></certificate-name></show></certificate></request>
```

In there I see a list of certificates on the system:

DigiCert Global Protect SSL1 SSL2 Wildcard Self Signed CA

Then I specify a name of the cert and I get the output below, which I amended not to show all the fields. Also, this is just one of the few certificates loaded.

```json
{
  "response": {
    "@status": "success",
    "result": {
      "entry": {
        "@name": "DigiCert",
        "ca": "yes",
        "common-name": "DigiCert Global Root CA",
        "expiry": "1608242400",
        "issuer": "",
        "issuer-hash": "",
        "not-valid-after": "Nov 10 00:00:00 2031 GMT",
        "not-valid-before": "Nov 10 00:00:00 2006 GMT",
        "subject": "",
        "subject-hash": ""
      }
    }
  }
}
```

Then for the license,

```
https://{host}/api/?type=op&cmd=<request><license><info></info></license></request>
```

```json
{
  "response": {
    "@status": "success",
    "result": {
      "licenses": {
        "entry": [
          {
            "authcode": null,
            "description": "Standard VM-Series",
            "expired": "no",
            "expires": "Never",
            "feature": "VM",
            "issued": "December 23, 2019",
            "serial": "myserialnumber"
          },
          {
            "authcode": null,
            "base-license-name": "Name",
            "description": "GlobalProtect Gateway License",
            "expired": "yes",
            "expires": "December 02, 2020",
            "feature": "GlobalProtect Gateway",
            "issued": "December 23, 2019",
            "serial": "myserialnumber"
          },
          {
            "authcode": null,
            "base-license-name": "VM",
            "description": "Palo Alto Networks DNS Security License",
            "expired": "yes",
            "expires": "December 02, 2020",
            "feature": "DNS Security",
            "issued": "December 23, 2019",
            "serial": "myserialnumber"
          },
          {
            "authcode": null,
            "base-license-name": "VM",
            "description": "Threat Prevention",
            "expired": "yes",
            "expires": "December 02, 2020",
            "feature": "Threat Prevention",
            "issued": "December 23, 2019",
            "serial": "myserialnumber"
          },
          {
            "authcode": null,
            "base-license-name": "VM",
            "description": "WildFire signature feed, integrated WildFire logs, WildFire API",
            "expired": "yes",
            "expires": "December 02, 2020",
            "feature": "WildFire License",
            "issued": "December 23, 2019",
            "serial": "myserialnumber"
          },
          {
            "authcode": null,
            "base-license-name": "VM",
            "description": "Palo Alto Networks URL Filtering License",
            "expired": "yes",
            "expires": "December 02, 2020",
            "feature": "PAN-DB URL Filtering",
            "issued": "December 23, 2019",
            "serial": "myserialnumber"
          },
          {
            "authcode": null,
            "base-license-name": "VM",
            "description": "Premium Partner",
            "expired": "yes",
            "expires": "December 02, 2020",
            "feature": "Premium Partner",
            "issued": "December 23, 2019",
            "serial": "myserialnumber"
          }
        ]
      }
    }
  }
}
```
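One way an exporter could turn the license reply quoted above into per-feature expiry timestamps for alerting. This is an added example, not code from panos_exporter or from the commenters; the name `LicenseExpiry`, the handling of a lone `entry` as an object (as in the certificate reply) and the midnight-UTC reading of the date are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

type license struct {
	Feature string `json:"feature"`
	Expires string `json:"expires"`
}

// LicenseExpiry maps feature -> expiry in Unix seconds (date read as midnight UTC, an assumption); "Never" is omitted.
func LicenseExpiry(body []byte) (map[string]int64, error) {
	var r struct {
		Response struct {
			Status string `json:"@status"`
			Result struct {
				Licenses struct{ Entry json.RawMessage `json:"entry"` } `json:"licenses"`
			} `json:"result"`
		} `json:"response"`
	}
	if err := json.Unmarshal(body, &r); err != nil || r.Response.Status != "success" {
		return nil, fmt.Errorf("bad reply (status %q): %v", r.Response.Status, err)
	}
	raw := r.Response.Result.Licenses.Entry
	var ls []license
	if json.Unmarshal(raw, &ls) != nil { // assumption: a lone entry arrives as an object
		ls = make([]license, 1)
		if err := json.Unmarshal(raw, &ls[0]); err != nil {
			return nil, err
		}
	}
	out := map[string]int64{}
	for _, l := range ls {
		if l.Expires == "Never" {
			continue
		}
		t, err := time.Parse("January 02, 2006", l.Expires)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", l.Feature, err)
		}
		out[l.Feature] = t.Unix()
	}
	return out, nil
}

const sample = `{"response":{"@status":"success","result":{"licenses":{"entry":{"feature":"DNS Security","expires":"December 02, 2020"}}}}}` // constructed
func main() { fmt.Println(LicenseExpiry([]byte(sample))) }
```

Exporting the timestamp rather than the `expired` flag lets the alert rule compare it against the current time and fire ahead of expiry.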

jenningsloy318 commented 3 years ago

Hi @ognjen011, I am considering the feature. Kindly provide the info below: as you didn't paste all parameters of the request, I don't know how to construct the request, and as my environment doesn't have such entities, I can't reproduce your request.

  1. Response body of JSON for the first request?
  2. All requests for individual certs, including all parameters?
  3. For the third request, do you add any parameter to the request? Please also include all parameters.

Also, my current implementation works on 8.1.7, whose response body is XML, so can you please confirm your PAN-OS version? If your version is 9 or above, this should not work.