Available solutions

Palo Alto PA-440 by HTTP
3rd party solutions

This template is for Zabbix version: 7.2

Also available for: 7.0

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/net/paloalto/paloalto_pa440?at=release/7.2

Palo Alto PA-440 by HTTP

Overview

This template is designed for the effortless deployment of Palo Alto PA-440 monitoring by Zabbix via XML API and doesn't require any external scripts.

For more details about PAN-OS API, refer to the official documentation.

Requirements

Zabbix version: 7.2 and higher.

Tested versions

This template has been tested on:

Palo Alto PA-440, PAN-OS 11.2.4-h1

Configuration

Zabbix should be configured according to the instructions in the Templates out of the box section.

Setup

Configure a user for monitoring. Note that in order to retrieve the device certificate information, superuser privileges are required. If you opt for a user with limited access (for security reasons), the device certificate expiration metrics will not be discovered.

Superuser privileges user (full access to all data):

Add a new administrator user. Go to Device > Administrators and click Add.
Enter the necessary details. Set the Administrator Type to Dynamic and select the built-in Superuser role. Commit the changes.

Limited privileges user (no access to device certificate data):

Create a new Admin Role. Go to Device > Admin Role and click Add.
Enter the necessary details. Adjust the list of permissions:

Restrict access to all sections in the Web UI tab
Allow access to the Configuration and Operational Requests sections in the XML API tab
Check that the access to CLI is set to None in the Command Line tab
Restrict access to all sections in the REST API tab

Add a new administrator user. Go to Device > Administrators and click Add.
Enter the necessary details. Set the Administrator Type to Role Based and select the profile that was created in the previous steps. Commit the changes.

Set the host macros:

Set the firewall XML API endpoint URL in the {$PAN.PA440.API.URL} macro in the format <scheme>://<host>[:port]/api (port is optional).
Set the name of the user that you created in the {$PAN.PA440.USER} macro.
Set the password of the user that you created in the {$PAN.PA440.PASSWORD} macro.

Macros used

Name	Description	Default
{$PAN.PA440.API.URL}	The firewall XML API endpoint in the format `<scheme>://<host>[:port]/api` (port is optional).
{$PAN.PA440.HTTP_PROXY}	The HTTP proxy for HTTP agent items (set if needed). If the macro is empty, then no proxy is used.
{$PAN.PA440.TIMEOUT}	The timeout threshold for the HTTP items that retrieve data from the API.	`15s`
{$PAN.PA440.USER}	The name of the user that is used for monitoring.	`zbx_monitor`
{$PAN.PA440.PASSWORD}	The password of the user that is used for monitoring.
{$PAN.PA440.HA.CONFIG_SYNC.THRESH}	The threshold for the configuration synchronization trigger. Can be set to an evaluation period in seconds (time suffixes can be used) or an evaluation range of the latest collected values (if preceded by a hash mark).	`#1`
{$PAN.PA440.HA.STATE.IGNORE_USER_SUSPENDED}	Controls whether the HA "suspended" state trigger should fire if the state is caused by the user request. "1" - ignored, "0" - not ignored.	`1`
{$PAN.PA440.IF.HW.IFNAME.MATCHES}	The interface name regex filter to use in hardware interface discovery - for including.	`.+`
{$PAN.PA440.IF.HW.IFNAME.NOT_MATCHES}	The interface name regex filter to use in hardware interface discovery - for excluding.	`^(?:tunnel\|vlan\|loopback)$`
{$PAN.PA440.IF.HW.CONTROL}	The link status triggers will fire only for hardware interfaces where the context macro equals "1".	`1`
{$PAN.PA440.IF.HW.ERRORS.WARN}	The warning threshold of the packet error rate for hardware interfaces. Can be used with the hardware interface name as context.	`2`
{$PAN.PA440.IF.HW.UTIL.MAX}	The threshold in the hardware interface utilization triggers.	`90`
{$PAN.PA440.IF.SW.IFNAME.MATCHES}	The interface name regex filter to use in logical interface discovery - for including.	`.+`
{$PAN.PA440.IF.SW.IFNAME.NOT_MATCHES}	The interface name regex filter to use in logical interface discovery - for excluding.	`^(?:tunnel\|vlan\|loopback)$`
{$PAN.PA440.IF.SW.IFZONE.MATCHES}	The interface zone name regex filter to use in logical interface discovery - for including.	`.+`
{$PAN.PA440.IF.SW.IFZONE.NOT_MATCHES}	The interface zone name regex filter to use in logical interface discovery - for excluding.	`CHANGE_IF_NEEDED`
{$PAN.PA440.IF.SW.VSYS.MATCHES}	The interface virtual system name regex filter to use in logical interface discovery - for including.	`.+`
{$PAN.PA440.IF.SW.VSYS.NOT_MATCHES}	The interface virtual system name regex filter to use in logical interface discovery - for excluding.	`CHANGE_IF_NEEDED`
{$PAN.PA440.IF.SW.ERRORS.WARN}	The warning threshold of the packet error rate for logical interfaces. Can be used with the logical interface name as context.	`2`
{$PAN.PA440.BGP.PEER.NAME.MATCHES}	The BGP peer name regex filter to use in BGP peer discovery - for including.	`.+`
{$PAN.PA440.BGP.PEER.NAME.NOT_MATCHES}	The BGP peer name regex filter to use in BGP peer discovery - for excluding.	`CHANGE_IF_NEEDED`
{$PAN.PA440.BGP.PEER.GROUP.MATCHES}	The BGP peer group regex filter to use in BGP peer discovery - for including.	`.+`
{$PAN.PA440.BGP.PEER.GROUP.NOT_MATCHES}	The BGP peer group regex filter to use in BGP peer discovery - for excluding.	`CHANGE_IF_NEEDED`
{$PAN.PA440.BGP.CONTROL}	The BGP session triggers will fire only for peers where the context macro equals "1".	`1`
{$PAN.PA440.OSPF.NEIGHBOR.ADDR.MATCHES}	The OSPF neighbor address regex filter to use in OSPF neighbor discovery - for including.	`.+`
{$PAN.PA440.OSPF.NEIGHBOR.ADDR.NOT_MATCHES}	The OSPF neighbor address regex filter to use in OSPF neighbor discovery - for excluding.	`CHANGE_IF_NEEDED`
{$PAN.PA440.OSPF.NEIGHBOR.AREA.MATCHES}	The OSPF neighbor area regex filter to use in OSPF neighbor discovery - for including.	`.+`
{$PAN.PA440.OSPF.NEIGHBOR.AREA.NOT_MATCHES}	The OSPF neighbor area regex filter to use in OSPF neighbor discovery - for excluding.	`CHANGE_IF_NEEDED`
{$PAN.PA440.OSPF.CONTROL}	The OSPF neighbor triggers will fire only for neighbors where the context macro equals "1".	`1`
{$PAN.PA440.OSPFV3.NEIGHBOR.ADDR.MATCHES}	The OSPFv3 neighbor address regex filter to use in OSPFv3 neighbor discovery - for including.	`.+`
{$PAN.PA440.OSPFV3.NEIGHBOR.ADDR.NOT_MATCHES}	The OSPFv3 neighbor address regex filter to use in OSPFv3 neighbor discovery - for excluding.	`CHANGE_IF_NEEDED`
{$PAN.PA440.OSPFV3.NEIGHBOR.AREA.MATCHES}	The OSPFv3 neighbor area regex filter to use in OSPFv3 neighbor discovery - for including.	`.+`
{$PAN.PA440.OSPFV3.NEIGHBOR.AREA.NOT_MATCHES}	The OSPFv3 neighbor area regex filter to use in OSPFv3 neighbor discovery - for excluding.	`CHANGE_IF_NEEDED`
{$PAN.PA440.OSPFV3.CONTROL}	The OSPFv3 neighbor triggers will fire only for neighbors where the context macro equals "1".	`1`
{$PAN.PA440.LICENSE.FEATURE.MATCHES}	The license feature name regex filter to use in license discovery - for including.	`.+`
{$PAN.PA440.LICENSE.FEATURE.NOT_MATCHES}	The license feature name regex filter to use in license discovery - for excluding.	`CHANGE_IF_NEEDED`
{$PAN.PA440.LICENSE.DESC.MATCHES}	The license feature description regex filter to use in license discovery - for including.	`.+`
{$PAN.PA440.LICENSE.DESC.NOT_MATCHES}	The license feature description regex filter to use in license discovery - for excluding.	`CHANGE_IF_NEEDED`
{$PAN.PA440.LICENSE.EXPIRY.WARN}	The time threshold until the license expires; used in the license expiry trigger. Can be set to an evaluation period in seconds (time suffixes can be used). Can be used with the license feature name as context.	`7d`
{$PAN.PA440.CERT.DEVICE.EXPIRY.WARN}	The time threshold until the device certificate expires; used in the device certificate expiry trigger. Can be set to an evaluation period in seconds (time suffixes can be used).	`7d`
{$PAN.PA440.CERT.NAME.MATCHES}	The certificate name regex filter to use in certificate discovery - for including.	`.+`
{$PAN.PA440.CERT.NAME.NOT_MATCHES}	The certificate name regex filter to use in certificate discovery - for excluding.	`CHANGE_IF_NEEDED`
{$PAN.PA440.CERT.EXPIRY.WARN}	The time threshold until the certificate expires; used in the certificate expiry trigger. Can be set to an evaluation period in seconds (time suffixes can be used). Can be used with the certificate name as context.	`7d`

Items

Name	Description	Type	Key and additional info
Get system info	Get the general system information.	HTTP agent	pan.pa440.system_info.get Preprocessing XML to JSON
Get session info	Get the information about sessions.	HTTP agent	pan.pa440.session_info.get Preprocessing XML to JSON
Get system state	Get the system state information. Used with a filter to retrieve CPU utilization metrics.	HTTP agent	pan.pa440.system_state.get Preprocessing XML to JSON
Get system environmentals	Get the system environment state information.	HTTP agent	pan.pa440.environmentals.get Preprocessing XML to JSON
Get HA info	Get the high availability information.	HTTP agent	pan.pa440.ha.get Preprocessing XML to JSON
Get OSPF neighbors	Get the OSPF neighbor information.	HTTP agent	pan.pa440.ospf.neighbors.get Preprocessing XML to JSON JavaScript: `The text is too long. Please see the template.`
Get OSPFv3 neighbors	Get the OSPFv3 neighbor information.	HTTP agent	pan.pa440.ospfv3.neighbors.get Preprocessing XML to JSON JavaScript: `The text is too long. Please see the template.`
Get licenses	Get the information about installed licenses.	HTTP agent	pan.pa440.licenses.get Preprocessing XML to JSON JavaScript: `The text is too long. Please see the template.`
Get device certificate	Get the information about the device certificate. Note that superuser privileges are required to obtain the device certificate data.	HTTP agent	pan.pa440.certificate.device.get Preprocessing XML to JSON
Get certificates	Get the information about the certificates on the device.	HTTP agent	pan.pa440.certificate.get Preprocessing XML to JSON JavaScript: `The text is too long. Please see the template.`
Get system info check	Data collection check. Check the latest values for details.	Dependent item	pan.pa440.system_info.get.check Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`
Get session info check	Data collection check. Check the latest values for details.	Dependent item	pan.pa440.session_info.get.check Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`
Get system state check	Data collection check. Check the latest values for details.	Dependent item	pan.pa440.system_state.get.check Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`
Get system environmental check	Data collection check. Check the latest values for details.	Dependent item	pan.pa440.environmentals.get.check Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`
Get HA info check	Data collection check. Check the latest values for details.	Dependent item	pan.pa440.ha.get.check Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`
Get OSPF neighbor check	Data collection check. Check the latest values for details.	Dependent item	pan.pa440.ospf.neighbors.get.check Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`
Get OSPFv3 neighbor check	Data collection check. Check the latest values for details.	Dependent item	pan.pa440.ospfv3.neighbors.get.check Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`
Get license check	Data collection check. Check the latest values for details.	Dependent item	pan.pa440.licenses.get.check Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`
Get device certificate check	Data collection check. Check the latest values for details.	Dependent item	pan.pa440.certificate.device.get.check Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`
Get certificate check	Data collection check. Check the latest values for details.	Dependent item	pan.pa440.certificate.get.check Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`
App-ID version	Currently installed application definition version. If no application definition is found, 0 is returned.	Dependent item	pan.pa440.app_id.version Preprocessing JSON Path: `$.response.result.system['app-version']` Discard unchanged with heartbeat: `12h`
App-ID release date	Currently installed application definition release date. If no release date is found, the value is discarded.	Dependent item	pan.pa440.app_id.release_date Preprocessing JSON Path: `$.response.result.system['app-release-date']` ⛔️Custom on fail: Discard value Discard unchanged with heartbeat: `12h`
GlobalProtect client package version	Currently installed GlobalProtect client package version. If package is not installed, "0.0.0" is returned.	Dependent item	pan.pa440.gp.client.version Preprocessing JSON Path: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `12h`
Threat version	Currently installed threat definition version. If no threat definition is found, "0" is returned.	Dependent item	pan.pa440.threat.version Preprocessing JSON Path: `$.response.result.system['threat-version']` Discard unchanged with heartbeat: `12h`
URL filtering version	Currently installed URL filtering version. If no URL filtering is installed, "0" is returned.	Dependent item	pan.pa440.url_filtering.version Preprocessing JSON Path: `$.response.result.system['url-filtering-version']` Discard unchanged with heartbeat: `12h`
PAN-OS version	Full software version. The first two components of the full version are the major and minor versions. The third component indicates the maintenance release number.	Dependent item	pan.pa440.os.version Preprocessing JSON Path: `$.response.result.system['sw-version']` Discard unchanged with heartbeat: `12h`
Serial number	The serial number of the unit. If not available, an empty string is returned.	Dependent item	pan.pa440.serial_number Preprocessing JSON Path: `$.response.result.system.serial` Discard unchanged with heartbeat: `12h`
Host name	The host name of the system.	Dependent item	pan.pa440.hostname Preprocessing JSON Path: `$.response.result.system.hostname` Discard unchanged with heartbeat: `12h`
Uptime	The system uptime.	Dependent item	pan.pa440.uptime Preprocessing JSON Path: `$.response.result.system.uptime` JavaScript: `The text is too long. Please see the template.`
Sessions: Supported, total	Total number of supported sessions.	Dependent item	pan.pa440.sessions.supported.total Preprocessing JSON Path: `$.response.result['num-max']` Discard unchanged with heartbeat: `12h`
Sessions: Active, total	Total number of active sessions.	Dependent item	pan.pa440.sessions.active.total Preprocessing JSON Path: `$.response.result['num-active']`
Sessions: Session table utilization, in %	Session table utilization in percent.	Dependent item	pan.pa440.sessions.table_util Preprocessing JavaScript: `The text is too long. Please see the template.`
Sessions: TCP, active	Total number of active TCP sessions.	Dependent item	pan.pa440.sessions.tcp.active Preprocessing JSON Path: `$.response.result['num-tcp']`
Sessions: UDP, active	Total number of active UDP sessions.	Dependent item	pan.pa440.sessions.udp.active Preprocessing JSON Path: `$.response.result['num-udp']`
Sessions: ICMP, active	Total number of active ICMP sessions.	Dependent item	pan.pa440.sessions.icmp.active Preprocessing JSON Path: `$.response.result['num-icmp']`
Data Plane: CPU utilization, in %	The average percentage of time over the last minute that this processor was not idle. Implementations may approximate this one-minute smoothing period if necessary.	Dependent item	pan.pa440.data_plane.cpu.util Preprocessing JSON Path: `$.response.result` Regular expression: `(?m)^sys\.monitor\.s1\.dp0\.exports:.1minavg'?:\s(\d+) \1`
Management Plane: CPU utilization, in %	The average percentage of time over the last minute that this processor was not idle. Implementations may approximate this one-minute smoothing period if necessary.	Dependent item	pan.pa440.management_plane.cpu.util Preprocessing JSON Path: `$.response.result` Regular expression: `(?m)^sys\.monitor\.s1\.mp\.exports:.1minavg'?:\s(\d+) \1`
CPU temperature	The CPU temperature in degrees Celsius.	Dependent item	pan.pa440.cpu.temp Preprocessing JSON Path: `$.response.result.thermal.Slot1.entry.DegreesC`

Triggers

Name	Description	Expression	Severity
PA-440: Failed to get system info data from the API	Failed to get data from the API. Check the latest values for details.	`length(last(/Palo Alto PA-440 by HTTP/pan.pa440.system_info.get.check))>0`	High
PA-440: Failed to get session info data from the API	Failed to get data from the API. Check the latest values for details.	`length(last(/Palo Alto PA-440 by HTTP/pan.pa440.session_info.get.check))>0`	High
PA-440: Failed to get system state data from the API	Failed to get data from the API. Check the latest values for details.	`length(last(/Palo Alto PA-440 by HTTP/pan.pa440.system_state.get.check))>0`	High
PA-440: Failed to get environmental data from the API	Failed to get data from the API. Check the latest values for details.	`length(last(/Palo Alto PA-440 by HTTP/pan.pa440.environmentals.get.check))>0`	High
PA-440: Failed to get HA data from the API	Failed to get data from the API. Check the latest values for details.	`length(last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.get.check))>0`	High
PA-440: Failed to get OSPF neighbor data from the API	Failed to get data from the API. Check the latest values for details.	`length(last(/Palo Alto PA-440 by HTTP/pan.pa440.ospf.neighbors.get.check))>0`	High
PA-440: Failed to get OSPFv3 neighbor data from the API	Failed to get data from the API. Check the latest values for details.	`length(last(/Palo Alto PA-440 by HTTP/pan.pa440.ospfv3.neighbors.get.check))>0`	High
PA-440: Failed to get license data from the API	Failed to get data from the API. Check the latest values for details.	`length(last(/Palo Alto PA-440 by HTTP/pan.pa440.licenses.get.check))>0`	High
PA-440: Failed to get device certificate data from the API	Failed to get data from the API. Check the latest values for details.	`length(last(/Palo Alto PA-440 by HTTP/pan.pa440.certificate.device.get.check))>0`	High
PA-440: Failed to get certificate data from the API	Failed to get data from the API. Check the latest values for details.	`length(last(/Palo Alto PA-440 by HTTP/pan.pa440.certificate.get.check))>0`	High

LLD rule HA metric discovery

Name Description Type Key and additional info

HA metric discovery

Name	Description	Type	Key and additional info
HA metric discovery	Discovers high availability metrics.	Dependent item	pan.pa440.ha.discovery Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `12h`

Discovers high availability metrics.

Dependent item

pan.pa440.ha.discovery

Preprocessing

JavaScript: The text is too long. Please see the template.
Discard unchanged with heartbeat: 12h

Item prototypes for HA metric discovery

Name	Description	Type	Key and additional info
HA state	The current state of high availability. Information about high availability states: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-firewall-states	Dependent item	pan.pa440.ha.local[state{#SINGLETON}] Preprocessing JSON Path: `$.response.result.group['local-info'].state` JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `1h`
HA state reason	The reason for the current state of high availability. May be absent in the master item data in some cases; set to an empty string if not found. Information about high availability states: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-firewall-states	Dependent item	pan.pa440.ha.local[state_reason{#SINGLETON}] Preprocessing JSON Path: `$.response.result.group['local-info']['state-reason']` ⛔️Custom on fail: Set value to: Discard unchanged with heartbeat: `1h`
HA peer state	The current peer state of high availability. Information about high availability states: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-firewall-states	Dependent item	pan.pa440.ha.peer[state{#SINGLETON}] Preprocessing JSON Path: `$.response.result.group['peer-info'].state` JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `1h`
HA configuration synchronization status	The current state of the running configuration synchronization.	Dependent item	pan.pa440.ha[config_sync_status{#SINGLETON}] Preprocessing JSON Path: `$.response.result.group['running-sync']`
HA mode	The current mode of high availability. Possible values: 0 - Active-Passive 1 - Active-Active 2 - Unknown	Dependent item	pan.pa440.ha[mode{#SINGLETON}] Preprocessing JSON Path: `$.response.result.group.mode` JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `1d`

Trigger prototypes for HA metric discovery

Name	Description	Expression	Severity
PA-440: HA state has been changed	The high availability state has changed. The following state transitions are checked: 1. Active-Passive HA mode: - "passive" > "active" - "active" > "passive" 2. Active-Active HA mode: - "active-secondary" > "active-primary" - "active-primary" > "active-secondary" Information about high availability states: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-firewall-states	(last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state{#SINGLETON}])=1 and last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state{#SINGLETON}],#2)=2) or (last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state{#SINGLETON}])=2 and last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state{#SINGLETON}],#2)=1) or (last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state{#SINGLETON}])=3 and last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state{#SINGLETON}],#2)=4) or (last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state{#SINGLETON}])=4 and last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state{#SINGLETON}],#2)=3)	High
PA-440: HA is in "non-functional" state	Error state due to a dataplane failure or a configuration mismatch such as: only one firewall configured for packet forwarding, VR sync, or QoS sync. In active/passive mode, all of the causes listed for the tentative state cause the non-functional state: - Failure of a firewall. - Failure of a monitored object (a link or path). - The firewall leaves the suspended or non-functional state. Information about high availability states: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-firewall-states	`last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state{#SINGLETON}])=6 and length(last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state_reason{#SINGLETON}]))>0`	High
PA-440: HA is in "tentative" state	State of a firewall (in an active/active configuration) caused by one of the following: - Failure of a firewall. - Failure of a monitored object (a link or path). - The firewall leaves the suspended or non-functional state. A firewall in the tentative state synchronizes sessions and configurations from the peer. Information about high availability states: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-firewall-states	`last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state{#SINGLETON}])=5 and length(last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state_reason{#SINGLETON}]))>0`	Average
PA-440: HA is in "suspended" state	The device is disabled and won't pass data traffic; although HA communications still occur, the device doesn't participate in the HA election process. It can't move to a HA functional state without user intervention. The following case is excluded from the trigger's logic by default (can be changed by setting the `{$PAN.PA440.HA.STATE.IGNORE_USER_SUSPENDED}` macro value to "0"): the user suspends the device for HA manually. Information about high availability states: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-firewall-states	`last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state{#SINGLETON}])=7 and not (find(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state_reason{#SINGLETON}],,"iregexp","^User requested$")=1 and {$PAN.PA440.HA.STATE.IGNORE_USER_SUSPENDED}=1)`	Average
PA-440: Configuration is not synchronized with HA peer	This trigger indicates that the configuration cannot be synchronized with the HA peer. Please debug this manually by checking the logs (Monitor > Logs > System).	`count(/Palo Alto PA-440 by HTTP/pan.pa440.ha[config_sync_status{#SINGLETON}],{$PAN.PA440.HA.CONFIG_SYNC.THRESH},"iregexp","^(?:synchronized\|synchronization in progress)$")=0`	High

LLD rule HA link discovery

Name Description Type Key and additional info

HA link discovery

Name	Description	Type	Key and additional info
HA link discovery	Discovers high availability link metrics. Information about high availability links: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-concepts/ha-links-and-backup-links	Dependent item	pan.pa440.ha.links.discovery Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`

Discovers high availability link metrics.

Information about high availability links:

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-concepts/ha-links-and-backup-links

Dependent item

pan.pa440.ha.links.discovery

Preprocessing

JavaScript: The text is too long. Please see the template.
Discard unchanged with heartbeat: 3h

Item prototypes for HA link discovery

Name Description Type Key and additional info

HA link [{#HALINK}]: Status

Name	Description	Type	Key and additional info
HA link [{#HALINK}]: Status	The current state of the high availability link. Information about high availability links: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-concepts/ha-links-and-backup-links	Dependent item	pan.pa440.ha.peer.link.state[{#HALINK}] Preprocessing JSON Path: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `1h`

The current state of the high availability link.

Information about high availability links:

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-concepts/ha-links-and-backup-links

Dependent item

pan.pa440.ha.peer.link.state[{#HALINK}]

Preprocessing

JSON Path: The text is too long. Please see the template.
Discard unchanged with heartbeat: 1h

Trigger prototypes for HA link discovery

Name	Description	Expression	Severity	Dependencies and additional info
PA-440: HA link [{#HALINK}]: Link down	The status of the high availability link is "down".	`last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.peer.link.state[{#HALINK}])="down"`	High

LLD rule Hardware network interface discovery

Name Description Type Key and additional info

Hardware network interface discovery

Name	Description	Type	Key and additional info
Hardware network interface discovery	Discovers hardware network interfaces.	HTTP agent	pan.pa440.if.hw.discovery Preprocessing XML to JSON JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`

Discovers hardware network interfaces.

HTTP agent

pan.pa440.if.hw.discovery

Preprocessing

XML to JSON
JavaScript: The text is too long. Please see the template.
Discard unchanged with heartbeat: 3h

Item prototypes for Hardware network interface discovery

Name	Description	Type	Key and additional info
Interface [{#IFNAME}]: Get data	Get the interface statistics.	HTTP agent	pan.pa440.if.hw.get[{#IFNAME}] Preprocessing XML to JSON
Interface [{#IFNAME}]: Status	The current state of the interface.	Dependent item	pan.pa440.if.hw.status[{#IFNAME}] Preprocessing JSON Path: `$.response.result.hw.state` Discard unchanged with heartbeat: `1h`
Interface [{#IFNAME}]: Speed	The current bandwidth of the interface. The item is created only for interfaces that report the actual speed in units of 1,000,000 bits.	Dependent item	pan.pa440.if.hw.speed[{#IFNAME}] Preprocessing JSON Path: `$.response.result.hw.speed` Custom multiplier: `1000000` Discard unchanged with heartbeat: `1h`
Interface [{#IFNAME}]: Bits received, per second	The number of bits received per second by the interface.	Dependent item	pan.pa440.if.hw.bits.in.rate[{#IFNAME}] Preprocessing JSON Path: `$.response.result.ifnet.counters.hw.entry.port['rx-bytes']` Change per second Custom multiplier: `8`
Interface [{#IFNAME}]: Bits sent, per second	The number of bits sent per second by the interface.	Dependent item	pan.pa440.if.hw.bits.out.rate[{#IFNAME}] Preprocessing JSON Path: `$.response.result.ifnet.counters.hw.entry.port['tx-bytes']` Change per second Custom multiplier: `8`
Interface [{#IFNAME}]: Inbound packets discarded, per second	The number of inbound packets per second which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol.	Dependent item	pan.pa440.if.hw.packets.in.discards.rate[{#IFNAME}] Preprocessing JSON Path: `The text is too long. Please see the template.` Change per second
Interface [{#IFNAME}]: Inbound packets with errors, per second	The number of inbound packets per second that contained errors preventing them from being deliverable to a higher-layer protocol.	Dependent item	pan.pa440.if.hw.packets.in.errors.rate[{#IFNAME}] Preprocessing JSON Path: `$.response.result.ifnet.counters.hw.entry.port['rx-error']` Change per second
Interface [{#IFNAME}]: Outbound packets with errors, per second	The number of outbound packets per second that contained errors preventing them from being deliverable to a higher-layer protocol.	Dependent item	pan.pa440.if.hw.packets.out.errors.rate[{#IFNAME}] Preprocessing JSON Path: `$.response.result.ifnet.counters.hw.entry.port['tx-error']` Change per second

Trigger prototypes for Hardware network interface discovery

Name	Description	Expression	Severity	Dependencies and additional info
PA-440: Interface [{#IFNAME}]: Link down	This trigger expression works as follows: 1. It can be triggered if the operational status is "down". 2. `{$PAN.PA440.IF.HW.CONTROL:"{#IFNAME}"}=1` - a user can redefine the context macro to "0", marking this interface as not important. No new trigger will be fired if this interface is down. 3. `last(/TEMPLATE_NAME/METRIC)<>last(/TEMPLATE_NAME/METRIC,#2)` - the trigger fires only if the operational status has changed to "down" from some other state (it does not fire for "eternal off" interfaces). WARNING: if closed manually - it will not fire again on the next poll because of `last(/TEMPLATE_NAME/METRIC)<>last(/TEMPLATE_NAME/METRIC,#2)`.	`{$PAN.PA440.IF.HW.CONTROL:"{#IFNAME}"}=1 and last(/Palo Alto PA-440 by HTTP/pan.pa440.if.hw.status[{#IFNAME}])="down" and (last(/Palo Alto PA-440 by HTTP/pan.pa440.if.hw.status[{#IFNAME}])<>last(/Palo Alto PA-440 by HTTP/pan.pa440.if.hw.status[{#IFNAME}],#2))`	Average	Manual close: Yes
PA-440: Interface [{#IFNAME}]: High bandwidth usage	The utilization of the network interface is close to its estimated maximum bandwidth.	`(avg(/Palo Alto PA-440 by HTTP/pan.pa440.if.hw.bits.in.rate[{#IFNAME}],15m)>({$PAN.PA440.IF.HW.UTIL.MAX:"{#IFNAME}"}/100)last(/Palo Alto PA-440 by HTTP/pan.pa440.if.hw.speed[{#IFNAME}]) or avg(/Palo Alto PA-440 by HTTP/pan.pa440.if.hw.bits.out.rate[{#IFNAME}],15m)>({$PAN.PA440.IF.HW.UTIL.MAX:"{#IFNAME}"}/100)last(/Palo Alto PA-440 by HTTP/pan.pa440.if.hw.speed[{#IFNAME}])) and last(/Palo Alto PA-440 by HTTP/pan.pa440.if.hw.speed[{#IFNAME}])>0`	Warning	Manual close: Yes Depends on: PA-440: Interface [{#IFNAME}]: Link down
PA-440: Interface [{#IFNAME}]: High error rate	It recovers when it is below 80% of the `{$PAN.PA440.IF.HW.ERRORS.WARN:"{#IFNAME}"}` threshold.	`min(/Palo Alto PA-440 by HTTP/pan.pa440.if.hw.packets.in.errors.rate[{#IFNAME}],5m)>{$PAN.PA440.IF.HW.ERRORS.WARN:"{#IFNAME}"} or min(/Palo Alto PA-440 by HTTP/pan.pa440.if.hw.packets.out.errors.rate[{#IFNAME}],5m)>{$PAN.PA440.IF.HW.ERRORS.WARN:"{#IFNAME}"}`	Warning	Manual close: Yes Depends on: PA-440: Interface [{#IFNAME}]: Link down

LLD rule Logical network interface discovery

Name Description Type Key and additional info

Logical network interface discovery

Name	Description	Type	Key and additional info
Logical network interface discovery	Discovers logical network interfaces.	HTTP agent	pan.pa440.if.sw.discovery Preprocessing XML to JSON JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`

Discovers logical network interfaces.

HTTP agent

pan.pa440.if.sw.discovery

Preprocessing

XML to JSON
JavaScript: The text is too long. Please see the template.
Discard unchanged with heartbeat: 3h

Item prototypes for Logical network interface discovery

Name	Description	Type	Key and additional info
VSYS [{#VSYS}]: Interface [{#IFNAME}]: Get data	Get the interface statistics.	HTTP agent	pan.pa440.if.sw.get[{#VSYS}, {#IFNAME}] Preprocessing XML to JSON
VSYS [{#VSYS}]: Interface [{#IFNAME}]: Bits received, per second	The number of bits received per second by the interface.	Dependent item	pan.pa440.if.sw.bits.in.rate[{#VSYS}, {#IFNAME}] Preprocessing JSON Path: `$.response.result.ifnet.counters.ifnet.entry.ibytes` Change per second Custom multiplier: `8`
VSYS [{#VSYS}]: Interface [{#IFNAME}]: Bits sent, per second	The number of bits sent by the interface.	Dependent item	pan.pa440.if.sw.bits.out.rate[{#VSYS}, {#IFNAME}] Preprocessing JSON Path: `$.response.result.ifnet.counters.ifnet.entry.obytes` Change per second Custom multiplier: `8`
VSYS [{#VSYS}]: Interface [{#IFNAME}]: Inbound packets dropped, per second	The number of inbound packets per second which were chosen to be dropped even though no errors had been detected to prevent their being deliverable to a higher-layer protocol.	Dependent item	pan.pa440.if.sw.packets.in.drops.rate[{#VSYS}, {#IFNAME}] Preprocessing JSON Path: `$.response.result.ifnet.counters.ifnet.entry.idrops` Change per second
VSYS [{#VSYS}]: Interface [{#IFNAME}]: Inbound packets with errors, per second	The number of inbound packets per second that contained errors preventing them from being deliverable to a higher-layer protocol.	Dependent item	pan.pa440.if.sw.packets.in.errors.rate[{#VSYS}, {#IFNAME}] Preprocessing JSON Path: `$.response.result.ifnet.counters.ifnet.entry.ierrors` Change per second

Trigger prototypes for Logical network interface discovery

Name	Description	Expression	Severity	Dependencies and additional info
PA-440: VSYS [{#VSYS}]: Interface [{#IFNAME}]: High error rate	It recovers when it is below 80% of the `{$PAN.PA440.IF.SW.ERRORS.WARN:"{#IFNAME}"}` threshold.	`min(/Palo Alto PA-440 by HTTP/pan.pa440.if.sw.packets.in.errors.rate[{#VSYS}, {#IFNAME}],5m)>{$PAN.PA440.IF.SW.ERRORS.WARN:"{#IFNAME}"}`	Warning	Manual close: Yes

LLD rule BGP peer discovery

Name Description Type Key and additional info

BGP peer discovery

Name	Description	Type	Key and additional info
BGP peer discovery	Discovers BGP peers.	HTTP agent	pan.pa440.bgp.peer.discovery Preprocessing XML to JSON JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`

Discovers BGP peers.

HTTP agent

pan.pa440.bgp.peer.discovery

Preprocessing

XML to JSON
JavaScript: The text is too long. Please see the template.
Discard unchanged with heartbeat: 3h

Item prototypes for BGP peer discovery

Name Description Type Key and additional info

BGP peer [{#PEER}]: Get data

Name	Description	Type	Key and additional info
BGP peer [{#PEER}]: Get data	Get the information about the peer.	HTTP agent	pan.pa440.bgp.peer.get[{#PEERGROUP}, {#PEERADDR}, {#PEER}] Preprocessing XML to JSON
BGP peer [{#PEER}]: Status	The current state of the BGP peer.	Dependent item	pan.pa440.bgp.peer.status[{#PEERGROUP}, {#PEERADDR}, {#PEER}] Preprocessing JSON Path: `$.response.result.entry.status` JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `1h`
BGP peer [{#PEER}]: Status duration	The duration of the current state of the BGP peer.	Dependent item	pan.pa440.bgp.peer.status.duration[{#PEERGROUP}, {#PEERADDR}, {#PEER}] Preprocessing JSON Path: `$.response.result.entry['status-duration']`

Get the information about the peer.

HTTP agent

pan.pa440.bgp.peer.get[{#PEERGROUP}, {#PEERADDR}, {#PEER}]

Preprocessing

XML to JSON

BGP peer [{#PEER}]: Status

The current state of the BGP peer.

Dependent item

pan.pa440.bgp.peer.status[{#PEERGROUP}, {#PEERADDR}, {#PEER}]

Preprocessing

JSON Path: $.response.result.entry.status
JavaScript: The text is too long. Please see the template.
Discard unchanged with heartbeat: 1h

BGP peer [{#PEER}]: Status duration

The duration of the current state of the BGP peer.

Dependent item

pan.pa440.bgp.peer.status.duration[{#PEERGROUP}, {#PEERADDR}, {#PEER}]

Preprocessing

JSON Path: $.response.result.entry['status-duration']

Trigger prototypes for BGP peer discovery

Name	Description	Expression	Severity	Dependencies and additional info
PA-440: BGP peer [{#PEER}]: Session is not Established or Idle	The session with the peer is not "Established" or "Idle".	`{$PAN.PA440.BGP.CONTROL:"{#PEER}"}=1 and last(/Palo Alto PA-440 by HTTP/pan.pa440.bgp.peer.status[{#PEERGROUP}, {#PEERADDR}, {#PEER}])<>5 and last(/Palo Alto PA-440 by HTTP/pan.pa440.bgp.peer.status[{#PEERGROUP}, {#PEERADDR}, {#PEER}])<>0`	High
PA-440: BGP peer [{#PEER}]: Session status duration has been reset	The duration of the session status with the peer has been reset.	`{$PAN.PA440.BGP.CONTROL:"{#PEER}"}=1 and last(/Palo Alto PA-440 by HTTP/pan.pa440.bgp.peer.status.duration[{#PEERGROUP}, {#PEERADDR}, {#PEER}])<10m`	Average

LLD rule OSPF neighbor discovery

Name Description Type Key and additional info

OSPF neighbor discovery

Name	Description	Type	Key and additional info
OSPF neighbor discovery	Discovers OSPF neighbors.	Dependent item	pan.pa440.ospf.neighbor.discovery Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`

Discovers OSPF neighbors.

Dependent item

pan.pa440.ospf.neighbor.discovery

Preprocessing

JavaScript: The text is too long. Please see the template.
Discard unchanged with heartbeat: 3h

Item prototypes for OSPF neighbor discovery

Name Description Type Key and additional info

OSPF neighbor [{#NEIGHBORADDR}]: Status

Name	Description	Type	Key and additional info
OSPF neighbor [{#NEIGHBORADDR}]: Status	The current state of the OSPF neighbor.	Dependent item	pan.pa440.ospf.neighbor.status[{#NEIGHBORAREA}, {#NEIGHBORADDR}] Preprocessing JSON Path: `The text is too long. Please see the template.`

The current state of the OSPF neighbor.

Dependent item

pan.pa440.ospf.neighbor.status[{#NEIGHBORAREA}, {#NEIGHBORADDR}]

Preprocessing

JSON Path: The text is too long. Please see the template.

Trigger prototypes for OSPF neighbor discovery

Name	Description	Expression	Severity	Dependencies and additional info
PA-440: OSPF neighbor [{#NEIGHBORADDR}]: Neighbor is not found anymore	The neighbor is not found anymore and the neighborship is gone. Please investigate if this is planned.	`{$PAN.PA440.OSPF.CONTROL:"{#NEIGHBORADDR}"}=1 and nodata(/Palo Alto PA-440 by HTTP/pan.pa440.ospf.neighbor.status[{#NEIGHBORAREA}, {#NEIGHBORADDR}],5m)=1`	High
PA-440: OSPF neighbor [{#NEIGHBORADDR}]: Status is not full or 2way	The status of the neighbor is not "full" or "2way". This may indicate issues with the OSPF session.	`{$PAN.PA440.OSPF.CONTROL:"{#NEIGHBORADDR}"}=1 and last(/Palo Alto PA-440 by HTTP/pan.pa440.ospf.neighbor.status[{#NEIGHBORAREA}, {#NEIGHBORADDR}])<>"full" and last(/Palo Alto PA-440 by HTTP/pan.pa440.ospf.neighbor.status[{#NEIGHBORAREA}, {#NEIGHBORADDR}])<>"2way"`	High

LLD rule OSPFv3 neighbor discovery

Name Description Type Key and additional info

OSPFv3 neighbor discovery

Name	Description	Type	Key and additional info
OSPFv3 neighbor discovery	Discovers OSPFv3 neighbors.	Dependent item	pan.pa440.ospfv3.neighbor.discovery Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`

Discovers OSPFv3 neighbors.

Dependent item

pan.pa440.ospfv3.neighbor.discovery

Preprocessing

JavaScript: The text is too long. Please see the template.
Discard unchanged with heartbeat: 3h

Item prototypes for OSPFv3 neighbor discovery

Name Description Type Key and additional info

OSPFv3 neighbor [{#NEIGHBORADDR}]: Status

Name	Description	Type	Key and additional info
OSPFv3 neighbor [{#NEIGHBORADDR}]: Status	The current status of the OSPFv3 neighbor.	Dependent item	pan.pa440.ospfv3.neighbor.status[{#NEIGHBORAREA}, {#NEIGHBORADDR}] Preprocessing JSON Path: `The text is too long. Please see the template.`

The current status of the OSPFv3 neighbor.

Dependent item

pan.pa440.ospfv3.neighbor.status[{#NEIGHBORAREA}, {#NEIGHBORADDR}]

Preprocessing

JSON Path: The text is too long. Please see the template.

Trigger prototypes for OSPFv3 neighbor discovery

Name	Description	Expression	Severity	Dependencies and additional info
PA-440: OSPFv3 neighbor [{#NEIGHBORADDR}]: Neighbor is not found anymore	The neighbor is not found anymore and the neighborship is gone. Please investigate if this is planned.	`{$PAN.PA440.OSPFV3.CONTROL:"{#NEIGHBORADDR}"}=1 and nodata(/Palo Alto PA-440 by HTTP/pan.pa440.ospfv3.neighbor.status[{#NEIGHBORAREA}, {#NEIGHBORADDR}],5m)=1`	High
PA-440: OSPFv3 neighbor [{#NEIGHBORADDR}]: Status is not full or 2way	The status of the neighbor is not "full" or "2way". This may indicate issues with the OSPF session.	`{$PAN.PA440.OSPFV3.CONTROL:"{#NEIGHBORADDR}"}=1 and last(/Palo Alto PA-440 by HTTP/pan.pa440.ospfv3.neighbor.status[{#NEIGHBORAREA}, {#NEIGHBORADDR}])<>"full" and last(/Palo Alto PA-440 by HTTP/pan.pa440.ospfv3.neighbor.status[{#NEIGHBORAREA}, {#NEIGHBORADDR}])<>"2way"`	High

LLD rule License discovery

Name Description Type Key and additional info

License discovery

Name	Description	Type	Key and additional info
License discovery	Discovers licenses installed on the device. Only the licenses with an expiration date are discovered.	Dependent item	pan.pa440.licenses.discovery Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`

Discovers licenses installed on the device. Only the licenses with an expiration date are discovered.

Dependent item

pan.pa440.licenses.discovery

Preprocessing

JavaScript: The text is too long. Please see the template.
Discard unchanged with heartbeat: 3h

Item prototypes for License discovery

Name Description Type Key and additional info

License [{#FEATURE}]: Expires on

Name	Description	Type	Key and additional info
License [{#FEATURE}]: Expires on	The expiration date for the license `{#DESCRIPTION}`.	Dependent item	pan.pa440.license.expires[{#FEATURE}] Preprocessing JSON Path: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `12h`
License [{#FEATURE}]: Expired	Indicates whether the license `{#DESCRIPTION}` has expired.	Dependent item	pan.pa440.license.expired[{#FEATURE}] Preprocessing JSON Path: `The text is too long. Please see the template.` Boolean to decimal Discard unchanged with heartbeat: `12h`

The expiration date for the license {#DESCRIPTION}.

Dependent item

pan.pa440.license.expires[{#FEATURE}]

Preprocessing

JSON Path: The text is too long. Please see the template.
Discard unchanged with heartbeat: 12h

License [{#FEATURE}]: Expired

Indicates whether the license {#DESCRIPTION} has expired.

Dependent item

pan.pa440.license.expired[{#FEATURE}]

Preprocessing

JSON Path: The text is too long. Please see the template.
Boolean to decimal
Discard unchanged with heartbeat: 12h

Trigger prototypes for License discovery

Name	Description	Expression	Severity	Dependencies and additional info
PA-440: License [{#FEATURE}]: Expires soon	The license will expire in less than `{$PAN.PA440.LICENSE.EXPIRY.WARN:"{#FEATURE}"}`.	`(last(/Palo Alto PA-440 by HTTP/pan.pa440.license.expires[{#FEATURE}]) - now())<{$PAN.PA440.LICENSE.EXPIRY.WARN:"{#FEATURE}"}`	Warning
PA-440: License [{#FEATURE}]: Has expired	The license `{#DESCRIPTION}` has expired.	`last(/Palo Alto PA-440 by HTTP/pan.pa440.license.expired[{#FEATURE}])=1`	High	Manual close: Yes

LLD rule Device certificate discovery

Name Description Type Key and additional info

Device certificate discovery

Name	Description	Type	Key and additional info
Device certificate discovery	Discovers device certificate metrics. Note that superuser privileges are required to obtain the device certificate data.	Dependent item	pan.pa440.certificate.device.discovery Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`

Discovers device certificate metrics. Note that superuser privileges are required to obtain the device certificate data.

Dependent item

pan.pa440.certificate.device.discovery

Preprocessing

JavaScript: The text is too long. Please see the template.
Discard unchanged with heartbeat: 3h

Item prototypes for Device certificate discovery

Name Description Type Key and additional info

Device certificate: Expires in

Name	Description	Type	Key and additional info
Device certificate: Expires in	The time in seconds until the device certificate expiration.	Dependent item	pan.pa440.certificate.device.expires_in[{#SINGLETON}] Preprocessing JSON Path: `$.response.result['device-certificate']['seconds-to-expire']`
Device certificate: Expires on	The expiration date of the device certificate.	Dependent item	pan.pa440.certificate.device.expires[{#SINGLETON}] Preprocessing JSON Path: `$.response.result['device-certificate']['not_valid_after']` Discard unchanged with heartbeat: `12h`

The time in seconds until the device certificate expiration.

Dependent item

pan.pa440.certificate.device.expires_in[{#SINGLETON}]

Preprocessing

JSON Path: $.response.result['device-certificate']['seconds-to-expire']

Device certificate: Expires on

The expiration date of the device certificate.

Dependent item

pan.pa440.certificate.device.expires[{#SINGLETON}]

Preprocessing

JSON Path: $.response.result['device-certificate']['not_valid_after']
Discard unchanged with heartbeat: 12h

Trigger prototypes for Device certificate discovery

Name	Description	Expression	Severity	Dependencies and additional info
PA-440: Device certificate: Expires soon	The device certificate will expire in less than `{$PAN.PA440.CERT.DEVICE.EXPIRY.WARN}`.	`last(/Palo Alto PA-440 by HTTP/pan.pa440.certificate.device.expires_in[{#SINGLETON}])<{$PAN.PA440.CERT.DEVICE.EXPIRY.WARN}`	Warning

LLD rule Certificate discovery

Name Description Type Key and additional info

Certificate discovery

Name	Description	Type	Key and additional info
Certificate discovery	Discovers certificates on the device. Only the certificates with an expiration date are discovered.	Dependent item	pan.pa440.certificates.discovery Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`

Discovers certificates on the device. Only the certificates with an expiration date are discovered.

Dependent item

pan.pa440.certificates.discovery

Preprocessing

JavaScript: The text is too long. Please see the template.
Discard unchanged with heartbeat: 3h

Item prototypes for Certificate discovery

Name Description Type Key and additional info

Certificate [{#CERTNAME}]: Expires on

Name	Description	Type	Key and additional info
Certificate [{#CERTNAME}]: Expires on	The expiration date for the certificate.	Dependent item	pan.pa440.certificate.expires[{#CERTNAME}] Preprocessing JSON Path: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `12h`

The expiration date for the certificate.

Dependent item

pan.pa440.certificate.expires[{#CERTNAME}]

Preprocessing

JSON Path: The text is too long. Please see the template.
Discard unchanged with heartbeat: 12h

Trigger prototypes for Certificate discovery

Name	Description	Expression	Severity	Dependencies and additional info
PA-440: Certificate [{#CERTNAME}]: Expires soon	The certificate will expire in less than `{$PAN.PA440.CERT.EXPIRY.WARN:"{#CERTNAME}"}`.	`(last(/Palo Alto PA-440 by HTTP/pan.pa440.certificate.expires[{#CERTNAME}]) - now())<{$PAN.PA440.CERT.EXPIRY.WARN:"{#CERTNAME}"}`	Warning	Depends on: PA-440: Certificate [{#CERTNAME}]: Has expired
PA-440: Certificate [{#CERTNAME}]: Has expired	The certificate has expired.	`(last(/Palo Alto PA-440 by HTTP/pan.pa440.certificate.expires[{#CERTNAME}]) - now())<0`	High

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide feedback, discuss the template, or ask for help at ZABBIX forums

This template is for Zabbix version: 7.0

Also available for: 7.2

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/net/paloalto/paloalto_pa440?at=release/7.0

Palo Alto PA-440 by HTTP

Overview

This template is designed for the effortless deployment of Palo Alto PA-440 monitoring by Zabbix via XML API and doesn't require any external scripts.

For more details about PAN-OS API, refer to the official documentation.

Requirements

Zabbix version: 7.0 and higher.

Tested versions

This template has been tested on:

Palo Alto PA-440, PAN-OS 11.2.4-h1

Configuration

Zabbix should be configured according to the instructions in the Templates out of the box section.

Setup

Superuser privileges user (full access to all data):

Add a new administrator user. Go to Device > Administrators and click Add.
Enter the necessary details. Set the Administrator Type to Dynamic and select the built-in Superuser role. Commit the changes.

Limited privileges user (no access to device certificate data):

Create a new Admin Role. Go to Device > Admin Role and click Add.
Enter the necessary details. Adjust the list of permissions:

Restrict access to all sections in the Web UI tab
Allow access to the Configuration and Operational Requests sections in the XML API tab
Check that the access to CLI is set to None in the Command Line tab
Restrict access to all sections in the REST API tab

Add a new administrator user. Go to Device > Administrators and click Add.
Enter the necessary details. Set the Administrator Type to Role Based and select the profile that was created in the previous steps. Commit the changes.

Set the host macros:

Set the firewall XML API endpoint URL in the {$PAN.PA440.API.URL} macro in the format <scheme>://<host>[:port]/api (port is optional).
Set the name of the user that you created in the {$PAN.PA440.USER} macro.
Set the password of the user that you created in the {$PAN.PA440.PASSWORD} macro.

Macros used

Name	Description	Default
{$PAN.PA440.API.URL}	The firewall XML API endpoint in the format `<scheme>://<host>[:port]/api` (port is optional).
{$PAN.PA440.HTTP_PROXY}	The HTTP proxy for HTTP agent items (set if needed). If the macro is empty, then no proxy is used.
{$PAN.PA440.TIMEOUT}	The timeout threshold for the HTTP items that retrieve data from the API.	`15s`
{$PAN.PA440.USER}	The name of the user that is used for monitoring.	`zbx_monitor`
{$PAN.PA440.PASSWORD}	The password of the user that is used for monitoring.
{$PAN.PA440.HA.CONFIG_SYNC.THRESH}	The threshold for the configuration synchronization trigger. Can be set to an evaluation period in seconds (time suffixes can be used) or an evaluation range of the latest collected values (if preceded by a hash mark).	`#1`
{$PAN.PA440.HA.STATE.IGNORE_USER_SUSPENDED}	Controls whether the HA "suspended" state trigger should fire if the state is caused by the user request. "1" - ignored, "0" - not ignored.	`1`
{$PAN.PA440.IF.HW.IFNAME.MATCHES}	The interface name regex filter to use in hardware interface discovery - for including.	`.+`
{$PAN.PA440.IF.HW.IFNAME.NOT_MATCHES}	The interface name regex filter to use in hardware interface discovery - for excluding.	`^(?:tunnel\|vlan\|loopback)$`
{$PAN.PA440.IF.HW.CONTROL}	The link status triggers will fire only for hardware interfaces where the context macro equals "1".	`1`
{$PAN.PA440.IF.HW.ERRORS.WARN}	The warning threshold of the packet error rate for hardware interfaces. Can be used with the hardware interface name as context.	`2`
{$PAN.PA440.IF.HW.UTIL.MAX}	The threshold in the hardware interface utilization triggers.	`90`
{$PAN.PA440.IF.SW.IFNAME.MATCHES}	The interface name regex filter to use in logical interface discovery - for including.	`.+`
{$PAN.PA440.IF.SW.IFNAME.NOT_MATCHES}	The interface name regex filter to use in logical interface discovery - for excluding.	`^(?:tunnel\|vlan\|loopback)$`
{$PAN.PA440.IF.SW.IFZONE.MATCHES}	The interface zone name regex filter to use in logical interface discovery - for including.	`.+`
{$PAN.PA440.IF.SW.IFZONE.NOT_MATCHES}	The interface zone name regex filter to use in logical interface discovery - for excluding.	`CHANGE_IF_NEEDED`
{$PAN.PA440.IF.SW.VSYS.MATCHES}	The interface virtual system name regex filter to use in logical interface discovery - for including.	`.+`
{$PAN.PA440.IF.SW.VSYS.NOT_MATCHES}	The interface virtual system name regex filter to use in logical interface discovery - for excluding.	`CHANGE_IF_NEEDED`
{$PAN.PA440.IF.SW.ERRORS.WARN}	The warning threshold of the packet error rate for logical interfaces. Can be used with the logical interface name as context.	`2`
{$PAN.PA440.BGP.PEER.NAME.MATCHES}	The BGP peer name regex filter to use in BGP peer discovery - for including.	`.+`
{$PAN.PA440.BGP.PEER.NAME.NOT_MATCHES}	The BGP peer name regex filter to use in BGP peer discovery - for excluding.	`CHANGE_IF_NEEDED`
{$PAN.PA440.BGP.PEER.GROUP.MATCHES}	The BGP peer group regex filter to use in BGP peer discovery - for including.	`.+`
{$PAN.PA440.BGP.PEER.GROUP.NOT_MATCHES}	The BGP peer group regex filter to use in BGP peer discovery - for excluding.	`CHANGE_IF_NEEDED`
{$PAN.PA440.BGP.CONTROL}	The BGP session triggers will fire only for peers where the context macro equals "1".	`1`
{$PAN.PA440.OSPF.NEIGHBOR.ADDR.MATCHES}	The OSPF neighbor address regex filter to use in OSPF neighbor discovery - for including.	`.+`
{$PAN.PA440.OSPF.NEIGHBOR.ADDR.NOT_MATCHES}	The OSPF neighbor address regex filter to use in OSPF neighbor discovery - for excluding.	`CHANGE_IF_NEEDED`
{$PAN.PA440.OSPF.NEIGHBOR.AREA.MATCHES}	The OSPF neighbor area regex filter to use in OSPF neighbor discovery - for including.	`.+`
{$PAN.PA440.OSPF.NEIGHBOR.AREA.NOT_MATCHES}	The OSPF neighbor area regex filter to use in OSPF neighbor discovery - for excluding.	`CHANGE_IF_NEEDED`
{$PAN.PA440.OSPF.CONTROL}	The OSPF neighbor triggers will fire only for neighbors where the context macro equals "1".	`1`
{$PAN.PA440.OSPFV3.NEIGHBOR.ADDR.MATCHES}	The OSPFv3 neighbor address regex filter to use in OSPFv3 neighbor discovery - for including.	`.+`
{$PAN.PA440.OSPFV3.NEIGHBOR.ADDR.NOT_MATCHES}	The OSPFv3 neighbor address regex filter to use in OSPFv3 neighbor discovery - for excluding.	`CHANGE_IF_NEEDED`
{$PAN.PA440.OSPFV3.NEIGHBOR.AREA.MATCHES}	The OSPFv3 neighbor area regex filter to use in OSPFv3 neighbor discovery - for including.	`.+`
{$PAN.PA440.OSPFV3.NEIGHBOR.AREA.NOT_MATCHES}	The OSPFv3 neighbor area regex filter to use in OSPFv3 neighbor discovery - for excluding.	`CHANGE_IF_NEEDED`
{$PAN.PA440.OSPFV3.CONTROL}	The OSPFv3 neighbor triggers will fire only for neighbors where the context macro equals "1".	`1`
{$PAN.PA440.LICENSE.FEATURE.MATCHES}	The license feature name regex filter to use in license discovery - for including.	`.+`
{$PAN.PA440.LICENSE.FEATURE.NOT_MATCHES}	The license feature name regex filter to use in license discovery - for excluding.	`CHANGE_IF_NEEDED`
{$PAN.PA440.LICENSE.DESC.MATCHES}	The license feature description regex filter to use in license discovery - for including.	`.+`
{$PAN.PA440.LICENSE.DESC.NOT_MATCHES}	The license feature description regex filter to use in license discovery - for excluding.	`CHANGE_IF_NEEDED`
{$PAN.PA440.LICENSE.EXPIRY.WARN}	The time threshold until the license expires; used in the license expiry trigger. Can be set to an evaluation period in seconds (time suffixes can be used). Can be used with the license feature name as context.	`7d`
{$PAN.PA440.CERT.DEVICE.EXPIRY.WARN}	The time threshold until the device certificate expires; used in the device certificate expiry trigger. Can be set to an evaluation period in seconds (time suffixes can be used).	`7d`
{$PAN.PA440.CERT.NAME.MATCHES}	The certificate name regex filter to use in certificate discovery - for including.	`.+`
{$PAN.PA440.CERT.NAME.NOT_MATCHES}	The certificate name regex filter to use in certificate discovery - for excluding.	`CHANGE_IF_NEEDED`
{$PAN.PA440.CERT.EXPIRY.WARN}	The time threshold until the certificate expires; used in the certificate expiry trigger. Can be set to an evaluation period in seconds (time suffixes can be used). Can be used with the certificate name as context.	`7d`

Items

Name	Description	Type	Key and additional info
Get system info	Get the general system information.	HTTP agent	pan.pa440.system_info.get Preprocessing XML to JSON
Get session info	Get the information about sessions.	HTTP agent	pan.pa440.session_info.get Preprocessing XML to JSON
Get system state	Get the system state information. Used with a filter to retrieve CPU utilization metrics.	HTTP agent	pan.pa440.system_state.get Preprocessing XML to JSON
Get system environmentals	Get the system environment state information.	HTTP agent	pan.pa440.environmentals.get Preprocessing XML to JSON
Get HA info	Get the high availability information.	HTTP agent	pan.pa440.ha.get Preprocessing XML to JSON
Get OSPF neighbors	Get the OSPF neighbor information.	HTTP agent	pan.pa440.ospf.neighbors.get Preprocessing XML to JSON JavaScript: `The text is too long. Please see the template.`
Get OSPFv3 neighbors	Get the OSPFv3 neighbor information.	HTTP agent	pan.pa440.ospfv3.neighbors.get Preprocessing XML to JSON JavaScript: `The text is too long. Please see the template.`
Get licenses	Get the information about installed licenses.	HTTP agent	pan.pa440.licenses.get Preprocessing XML to JSON JavaScript: `The text is too long. Please see the template.`
Get device certificate	Get the information about the device certificate. Note that superuser privileges are required to obtain the device certificate data.	HTTP agent	pan.pa440.certificate.device.get Preprocessing XML to JSON
Get certificates	Get the information about the certificates on the device.	HTTP agent	pan.pa440.certificate.get Preprocessing XML to JSON JavaScript: `The text is too long. Please see the template.`
Get system info check	Data collection check. Check the latest values for details.	Dependent item	pan.pa440.system_info.get.check Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`
Get session info check	Data collection check. Check the latest values for details.	Dependent item	pan.pa440.session_info.get.check Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`
Get system state check	Data collection check. Check the latest values for details.	Dependent item	pan.pa440.system_state.get.check Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`
Get system environmental check	Data collection check. Check the latest values for details.	Dependent item	pan.pa440.environmentals.get.check Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`
Get HA info check	Data collection check. Check the latest values for details.	Dependent item	pan.pa440.ha.get.check Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`
Get OSPF neighbor check	Data collection check. Check the latest values for details.	Dependent item	pan.pa440.ospf.neighbors.get.check Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`
Get OSPFv3 neighbor check	Data collection check. Check the latest values for details.	Dependent item	pan.pa440.ospfv3.neighbors.get.check Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`
Get license check	Data collection check. Check the latest values for details.	Dependent item	pan.pa440.licenses.get.check Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`
Get device certificate check	Data collection check. Check the latest values for details.	Dependent item	pan.pa440.certificate.device.get.check Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`
Get certificate check	Data collection check. Check the latest values for details.	Dependent item	pan.pa440.certificate.get.check Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`
App-ID version	Currently installed application definition version. If no application definition is found, 0 is returned.	Dependent item	pan.pa440.app_id.version Preprocessing JSON Path: `$.response.result.system['app-version']` Discard unchanged with heartbeat: `12h`
App-ID release date	Currently installed application definition release date. If no release date is found, the value is discarded.	Dependent item	pan.pa440.app_id.release_date Preprocessing JSON Path: `$.response.result.system['app-release-date']` ⛔️Custom on fail: Discard value Discard unchanged with heartbeat: `12h`
GlobalProtect client package version	Currently installed GlobalProtect client package version. If package is not installed, "0.0.0" is returned.	Dependent item	pan.pa440.gp.client.version Preprocessing JSON Path: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `12h`
Threat version	Currently installed threat definition version. If no threat definition is found, "0" is returned.	Dependent item	pan.pa440.threat.version Preprocessing JSON Path: `$.response.result.system['threat-version']` Discard unchanged with heartbeat: `12h`
URL filtering version	Currently installed URL filtering version. If no URL filtering is installed, "0" is returned.	Dependent item	pan.pa440.url_filtering.version Preprocessing JSON Path: `$.response.result.system['url-filtering-version']` Discard unchanged with heartbeat: `12h`
PAN-OS version	Full software version. The first two components of the full version are the major and minor versions. The third component indicates the maintenance release number.	Dependent item	pan.pa440.os.version Preprocessing JSON Path: `$.response.result.system['sw-version']` Discard unchanged with heartbeat: `12h`
Serial number	The serial number of the unit. If not available, an empty string is returned.	Dependent item	pan.pa440.serial_number Preprocessing JSON Path: `$.response.result.system.serial` Discard unchanged with heartbeat: `12h`
Host name	The host name of the system.	Dependent item	pan.pa440.hostname Preprocessing JSON Path: `$.response.result.system.hostname` Discard unchanged with heartbeat: `12h`
Uptime	The system uptime.	Dependent item	pan.pa440.uptime Preprocessing JSON Path: `$.response.result.system.uptime` JavaScript: `The text is too long. Please see the template.`
Sessions: Supported, total	Total number of supported sessions.	Dependent item	pan.pa440.sessions.supported.total Preprocessing JSON Path: `$.response.result['num-max']` Discard unchanged with heartbeat: `12h`
Sessions: Active, total	Total number of active sessions.	Dependent item	pan.pa440.sessions.active.total Preprocessing JSON Path: `$.response.result['num-active']`
Sessions: Session table utilization, in %	Session table utilization in percent.	Dependent item	pan.pa440.sessions.table_util Preprocessing JavaScript: `The text is too long. Please see the template.`
Sessions: TCP, active	Total number of active TCP sessions.	Dependent item	pan.pa440.sessions.tcp.active Preprocessing JSON Path: `$.response.result['num-tcp']`
Sessions: UDP, active	Total number of active UDP sessions.	Dependent item	pan.pa440.sessions.udp.active Preprocessing JSON Path: `$.response.result['num-udp']`
Sessions: ICMP, active	Total number of active ICMP sessions.	Dependent item	pan.pa440.sessions.icmp.active Preprocessing JSON Path: `$.response.result['num-icmp']`
Data Plane: CPU utilization, in %	The average percentage of time over the last minute that this processor was not idle. Implementations may approximate this one-minute smoothing period if necessary.	Dependent item	pan.pa440.data_plane.cpu.util Preprocessing JSON Path: `$.response.result` Regular expression: `(?m)^sys\.monitor\.s1\.dp0\.exports:.1minavg'?:\s(\d+) \1`
Management Plane: CPU utilization, in %	The average percentage of time over the last minute that this processor was not idle. Implementations may approximate this one-minute smoothing period if necessary.	Dependent item	pan.pa440.management_plane.cpu.util Preprocessing JSON Path: `$.response.result` Regular expression: `(?m)^sys\.monitor\.s1\.mp\.exports:.1minavg'?:\s(\d+) \1`
CPU temperature	The CPU temperature in degrees Celsius.	Dependent item	pan.pa440.cpu.temp Preprocessing JSON Path: `$.response.result.thermal.Slot1.entry.DegreesC`

Triggers

Name	Description	Expression	Severity
PA-440: Failed to get system info data from the API	Failed to get data from the API. Check the latest values for details.	`length(last(/Palo Alto PA-440 by HTTP/pan.pa440.system_info.get.check))>0`	High
PA-440: Failed to get session info data from the API	Failed to get data from the API. Check the latest values for details.	`length(last(/Palo Alto PA-440 by HTTP/pan.pa440.session_info.get.check))>0`	High
PA-440: Failed to get system state data from the API	Failed to get data from the API. Check the latest values for details.	`length(last(/Palo Alto PA-440 by HTTP/pan.pa440.system_state.get.check))>0`	High
PA-440: Failed to get environmental data from the API	Failed to get data from the API. Check the latest values for details.	`length(last(/Palo Alto PA-440 by HTTP/pan.pa440.environmentals.get.check))>0`	High
PA-440: Failed to get HA data from the API	Failed to get data from the API. Check the latest values for details.	`length(last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.get.check))>0`	High
PA-440: Failed to get OSPF neighbor data from the API	Failed to get data from the API. Check the latest values for details.	`length(last(/Palo Alto PA-440 by HTTP/pan.pa440.ospf.neighbors.get.check))>0`	High
PA-440: Failed to get OSPFv3 neighbor data from the API	Failed to get data from the API. Check the latest values for details.	`length(last(/Palo Alto PA-440 by HTTP/pan.pa440.ospfv3.neighbors.get.check))>0`	High
PA-440: Failed to get license data from the API	Failed to get data from the API. Check the latest values for details.	`length(last(/Palo Alto PA-440 by HTTP/pan.pa440.licenses.get.check))>0`	High
PA-440: Failed to get device certificate data from the API	Failed to get data from the API. Check the latest values for details.	`length(last(/Palo Alto PA-440 by HTTP/pan.pa440.certificate.device.get.check))>0`	High
PA-440: Failed to get certificate data from the API	Failed to get data from the API. Check the latest values for details.	`length(last(/Palo Alto PA-440 by HTTP/pan.pa440.certificate.get.check))>0`	High

LLD rule HA metric discovery

Name Description Type Key and additional info

HA metric discovery

Name	Description	Type	Key and additional info
HA metric discovery	Discovers high availability metrics.	Dependent item	pan.pa440.ha.discovery Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `12h`

Discovers high availability metrics.

Dependent item

pan.pa440.ha.discovery

Preprocessing

JavaScript: The text is too long. Please see the template.
Discard unchanged with heartbeat: 12h

Item prototypes for HA metric discovery

Name	Description	Type	Key and additional info
HA state	The current state of high availability. Information about high availability states: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-firewall-states	Dependent item	pan.pa440.ha.local[state{#SINGLETON}] Preprocessing JSON Path: `$.response.result.group['local-info'].state` JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `1h`
HA state reason	The reason for the current state of high availability. May be absent in the master item data in some cases; set to an empty string if not found. Information about high availability states: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-firewall-states	Dependent item	pan.pa440.ha.local[state_reason{#SINGLETON}] Preprocessing JSON Path: `$.response.result.group['local-info']['state-reason']` ⛔️Custom on fail: Set value to: Discard unchanged with heartbeat: `1h`
HA peer state	The current peer state of high availability. Information about high availability states: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-firewall-states	Dependent item	pan.pa440.ha.peer[state{#SINGLETON}] Preprocessing JSON Path: `$.response.result.group['peer-info'].state` JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `1h`
HA configuration synchronization status	The current state of the running configuration synchronization.	Dependent item	pan.pa440.ha[config_sync_status{#SINGLETON}] Preprocessing JSON Path: `$.response.result.group['running-sync']`
HA mode	The current mode of high availability. Possible values: 0 - Active-Passive 1 - Active-Active 2 - Unknown	Dependent item	pan.pa440.ha[mode{#SINGLETON}] Preprocessing JSON Path: `$.response.result.group.mode` JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `1d`

Trigger prototypes for HA metric discovery

Name	Description	Expression	Severity
PA-440: HA state has been changed	The high availability state has changed. The following state transitions are checked: 1. Active-Passive HA mode: - "passive" > "active" - "active" > "passive" 2. Active-Active HA mode: - "active-secondary" > "active-primary" - "active-primary" > "active-secondary" Information about high availability states: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-firewall-states	(last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state{#SINGLETON}])=1 and last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state{#SINGLETON}],#2)=2) or (last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state{#SINGLETON}])=2 and last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state{#SINGLETON}],#2)=1) or (last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state{#SINGLETON}])=3 and last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state{#SINGLETON}],#2)=4) or (last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state{#SINGLETON}])=4 and last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state{#SINGLETON}],#2)=3)	High
PA-440: HA is in "non-functional" state	Error state due to a dataplane failure or a configuration mismatch such as: only one firewall configured for packet forwarding, VR sync, or QoS sync. In active/passive mode, all of the causes listed for the tentative state cause the non-functional state: - Failure of a firewall. - Failure of a monitored object (a link or path). - The firewall leaves the suspended or non-functional state. Information about high availability states: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-firewall-states	`last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state{#SINGLETON}])=6 and length(last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state_reason{#SINGLETON}]))>0`	High
PA-440: HA is in "tentative" state	State of a firewall (in an active/active configuration) caused by one of the following: - Failure of a firewall. - Failure of a monitored object (a link or path). - The firewall leaves the suspended or non-functional state. A firewall in the tentative state synchronizes sessions and configurations from the peer. Information about high availability states: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-firewall-states	`last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state{#SINGLETON}])=5 and length(last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state_reason{#SINGLETON}]))>0`	Average
PA-440: HA is in "suspended" state	The device is disabled and won't pass data traffic; although HA communications still occur, the device doesn't participate in the HA election process. It can't move to a HA functional state without user intervention. The following case is excluded from the trigger's logic by default (can be changed by setting the `{$PAN.PA440.HA.STATE.IGNORE_USER_SUSPENDED}` macro value to "0"): the user suspends the device for HA manually. Information about high availability states: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-firewall-states	`last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state{#SINGLETON}])=7 and not (find(/Palo Alto PA-440 by HTTP/pan.pa440.ha.local[state_reason{#SINGLETON}],,"iregexp","^User requested$")=1 and {$PAN.PA440.HA.STATE.IGNORE_USER_SUSPENDED}=1)`	Average
PA-440: Configuration is not synchronized with HA peer	This trigger indicates that the configuration cannot be synchronized with the HA peer. Please debug this manually by checking the logs (Monitor > Logs > System).	`count(/Palo Alto PA-440 by HTTP/pan.pa440.ha[config_sync_status{#SINGLETON}],{$PAN.PA440.HA.CONFIG_SYNC.THRESH},"iregexp","^(?:synchronized\|synchronization in progress)$")=0`	High

LLD rule HA link discovery

Name Description Type Key and additional info

HA link discovery

Name	Description	Type	Key and additional info
HA link discovery	Discovers high availability link metrics. Information about high availability links: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-concepts/ha-links-and-backup-links	Dependent item	pan.pa440.ha.links.discovery Preprocessing JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`

Discovers high availability link metrics.

Information about high availability links:

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-concepts/ha-links-and-backup-links

Dependent item

pan.pa440.ha.links.discovery

Preprocessing

JavaScript: The text is too long. Please see the template.
Discard unchanged with heartbeat: 3h

Item prototypes for HA link discovery

Name Description Type Key and additional info

HA link [{#HALINK}]: Status

Name	Description	Type	Key and additional info
HA link [{#HALINK}]: Status	The current state of the high availability link. Information about high availability links: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-concepts/ha-links-and-backup-links	Dependent item	pan.pa440.ha.peer.link.state[{#HALINK}] Preprocessing JSON Path: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `1h`

The current state of the high availability link.

Information about high availability links:

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-concepts/ha-links-and-backup-links

Dependent item

pan.pa440.ha.peer.link.state[{#HALINK}]

Preprocessing

JSON Path: The text is too long. Please see the template.
Discard unchanged with heartbeat: 1h

Trigger prototypes for HA link discovery

Name	Description	Expression	Severity	Dependencies and additional info
PA-440: HA link [{#HALINK}]: Link down	The status of the high availability link is "down".	`last(/Palo Alto PA-440 by HTTP/pan.pa440.ha.peer.link.state[{#HALINK}])="down"`	High

LLD rule Hardware network interface discovery

Name Description Type Key and additional info

Hardware network interface discovery

Name	Description	Type	Key and additional info
Hardware network interface discovery	Discovers hardware network interfaces.	HTTP agent	pan.pa440.if.hw.discovery Preprocessing XML to JSON JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`

Discovers hardware network interfaces.

HTTP agent

pan.pa440.if.hw.discovery

Preprocessing

XML to JSON
JavaScript: The text is too long. Please see the template.
Discard unchanged with heartbeat: 3h

Item prototypes for Hardware network interface discovery

Name	Description	Type	Key and additional info
Interface [{#IFNAME}]: Get data	Get the interface statistics.	HTTP agent	pan.pa440.if.hw.get[{#IFNAME}] Preprocessing XML to JSON
Interface [{#IFNAME}]: Status	The current state of the interface.	Dependent item	pan.pa440.if.hw.status[{#IFNAME}] Preprocessing JSON Path: `$.response.result.hw.state` Discard unchanged with heartbeat: `1h`
Interface [{#IFNAME}]: Speed	The current bandwidth of the interface. The item is created only for interfaces that report the actual speed in units of 1,000,000 bits.	Dependent item	pan.pa440.if.hw.speed[{#IFNAME}] Preprocessing JSON Path: `$.response.result.hw.speed` Custom multiplier: `1000000` Discard unchanged with heartbeat: `1h`
Interface [{#IFNAME}]: Bits received, per second	The number of bits received per second by the interface.	Dependent item	pan.pa440.if.hw.bits.in.rate[{#IFNAME}] Preprocessing JSON Path: `$.response.result.ifnet.counters.hw.entry.port['rx-bytes']` Change per second Custom multiplier: `8`
Interface [{#IFNAME}]: Bits sent, per second	The number of bits sent per second by the interface.	Dependent item	pan.pa440.if.hw.bits.out.rate[{#IFNAME}] Preprocessing JSON Path: `$.response.result.ifnet.counters.hw.entry.port['tx-bytes']` Change per second Custom multiplier: `8`
Interface [{#IFNAME}]: Inbound packets discarded, per second	The number of inbound packets per second which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol.	Dependent item	pan.pa440.if.hw.packets.in.discards.rate[{#IFNAME}] Preprocessing JSON Path: `The text is too long. Please see the template.` Change per second
Interface [{#IFNAME}]: Inbound packets with errors, per second	The number of inbound packets per second that contained errors preventing them from being deliverable to a higher-layer protocol.	Dependent item	pan.pa440.if.hw.packets.in.errors.rate[{#IFNAME}] Preprocessing JSON Path: `$.response.result.ifnet.counters.hw.entry.port['rx-error']` Change per second
Interface [{#IFNAME}]: Outbound packets with errors, per second	The number of outbound packets per second that contained errors preventing them from being deliverable to a higher-layer protocol.	Dependent item	pan.pa440.if.hw.packets.out.errors.rate[{#IFNAME}] Preprocessing JSON Path: `$.response.result.ifnet.counters.hw.entry.port['tx-error']` Change per second

Trigger prototypes for Hardware network interface discovery

Name	Description	Expression	Severity	Dependencies and additional info
PA-440: Interface [{#IFNAME}]: Link down	This trigger expression works as follows: 1. It can be triggered if the operational status is "down". 2. `{$PAN.PA440.IF.HW.CONTROL:"{#IFNAME}"}=1` - a user can redefine the context macro to "0", marking this interface as not important. No new trigger will be fired if this interface is down. 3. `last(/TEMPLATE_NAME/METRIC)<>last(/TEMPLATE_NAME/METRIC,#2)` - the trigger fires only if the operational status has changed to "down" from some other state (it does not fire for "eternal off" interfaces). WARNING: if closed manually - it will not fire again on the next poll because of `last(/TEMPLATE_NAME/METRIC)<>last(/TEMPLATE_NAME/METRIC,#2)`.	`{$PAN.PA440.IF.HW.CONTROL:"{#IFNAME}"}=1 and last(/Palo Alto PA-440 by HTTP/pan.pa440.if.hw.status[{#IFNAME}])="down" and (last(/Palo Alto PA-440 by HTTP/pan.pa440.if.hw.status[{#IFNAME}])<>last(/Palo Alto PA-440 by HTTP/pan.pa440.if.hw.status[{#IFNAME}],#2))`	Average	Manual close: Yes
PA-440: Interface [{#IFNAME}]: High bandwidth usage	The utilization of the network interface is close to its estimated maximum bandwidth.	`(avg(/Palo Alto PA-440 by HTTP/pan.pa440.if.hw.bits.in.rate[{#IFNAME}],15m)>({$PAN.PA440.IF.HW.UTIL.MAX:"{#IFNAME}"}/100)last(/Palo Alto PA-440 by HTTP/pan.pa440.if.hw.speed[{#IFNAME}]) or avg(/Palo Alto PA-440 by HTTP/pan.pa440.if.hw.bits.out.rate[{#IFNAME}],15m)>({$PAN.PA440.IF.HW.UTIL.MAX:"{#IFNAME}"}/100)last(/Palo Alto PA-440 by HTTP/pan.pa440.if.hw.speed[{#IFNAME}])) and last(/Palo Alto PA-440 by HTTP/pan.pa440.if.hw.speed[{#IFNAME}])>0`	Warning	Manual close: Yes Depends on: PA-440: Interface [{#IFNAME}]: Link down
PA-440: Interface [{#IFNAME}]: High error rate	It recovers when it is below 80% of the `{$PAN.PA440.IF.HW.ERRORS.WARN:"{#IFNAME}"}` threshold.	`min(/Palo Alto PA-440 by HTTP/pan.pa440.if.hw.packets.in.errors.rate[{#IFNAME}],5m)>{$PAN.PA440.IF.HW.ERRORS.WARN:"{#IFNAME}"} or min(/Palo Alto PA-440 by HTTP/pan.pa440.if.hw.packets.out.errors.rate[{#IFNAME}],5m)>{$PAN.PA440.IF.HW.ERRORS.WARN:"{#IFNAME}"}`	Warning	Manual close: Yes Depends on: PA-440: Interface [{#IFNAME}]: Link down

LLD rule Logical network interface discovery

Name Description Type Key and additional info

Logical network interface discovery

Name	Description	Type	Key and additional info
Logical network interface discovery	Discovers logical network interfaces.	HTTP agent	pan.pa440.if.sw.discovery Preprocessing XML to JSON JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`

Discovers logical network interfaces.

HTTP agent

pan.pa440.if.sw.discovery

Preprocessing

XML to JSON
JavaScript: The text is too long. Please see the template.
Discard unchanged with heartbeat: 3h

Item prototypes for Logical network interface discovery

Name	Description	Type	Key and additional info
VSYS [{#VSYS}]: Interface [{#IFNAME}]: Get data	Get the interface statistics.	HTTP agent	pan.pa440.if.sw.get[{#VSYS}, {#IFNAME}] Preprocessing XML to JSON
VSYS [{#VSYS}]: Interface [{#IFNAME}]: Bits received, per second	The number of bits received per second by the interface.	Dependent item	pan.pa440.if.sw.bits.in.rate[{#VSYS}, {#IFNAME}] Preprocessing JSON Path: `$.response.result.ifnet.counters.ifnet.entry.ibytes` Change per second Custom multiplier: `8`
VSYS [{#VSYS}]: Interface [{#IFNAME}]: Bits sent, per second	The number of bits sent by the interface.	Dependent item	pan.pa440.if.sw.bits.out.rate[{#VSYS}, {#IFNAME}] Preprocessing JSON Path: `$.response.result.ifnet.counters.ifnet.entry.obytes` Change per second Custom multiplier: `8`
VSYS [{#VSYS}]: Interface [{#IFNAME}]: Inbound packets dropped, per second	The number of inbound packets per second which were chosen to be dropped even though no errors had been detected to prevent their being deliverable to a higher-layer protocol.	Dependent item	pan.pa440.if.sw.packets.in.drops.rate[{#VSYS}, {#IFNAME}] Preprocessing JSON Path: `$.response.result.ifnet.counters.ifnet.entry.idrops` Change per second
VSYS [{#VSYS}]: Interface [{#IFNAME}]: Inbound packets with errors, per second	The number of inbound packets per second that contained errors preventing them from being deliverable to a higher-layer protocol.	Dependent item	pan.pa440.if.sw.packets.in.errors.rate[{#VSYS}, {#IFNAME}] Preprocessing JSON Path: `$.response.result.ifnet.counters.ifnet.entry.ierrors` Change per second

Trigger prototypes for Logical network interface discovery

Name	Description	Expression	Severity	Dependencies and additional info
PA-440: VSYS [{#VSYS}]: Interface [{#IFNAME}]: High error rate	It recovers when it is below 80% of the `{$PAN.PA440.IF.SW.ERRORS.WARN:"{#IFNAME}"}` threshold.	`min(/Palo Alto PA-440 by HTTP/pan.pa440.if.sw.packets.in.errors.rate[{#VSYS}, {#IFNAME}],5m)>{$PAN.PA440.IF.SW.ERRORS.WARN:"{#IFNAME}"}`	Warning	Manual close: Yes

LLD rule BGP peer discovery

Name Description Type Key and additional info

BGP peer discovery

Name	Description	Type	Key and additional info
BGP peer discovery	Discovers BGP peers.	HTTP agent	pan.pa440.bgp.peer.discovery Preprocessing XML to JSON JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `3h`

Discovers BGP peers.

HTTP agent

pan.pa440.bgp.peer.discovery

Preprocessing

XML to JSON
JavaScript: The text is too long. Please see the template.
Discard unchanged with heartbeat: 3h

Item prototypes for BGP peer discovery

Name Description Type Key and additional info

BGP peer [{#PEER}]: Get data

Name	Description	Type	Key and additional info
BGP peer [{#PEER}]: Get data	Get the information about the peer.	HTTP agent	pan.pa440.bgp.peer.get[{#PEERGROUP}, {#PEERADDR}, {#PEER}] Preprocessing XML to JSON
BGP peer [{#PEER}]: Status	The current state of the BGP peer.	Dependent item	pan.pa440.bgp.peer.status[{#PEERGROUP}, {#PEERADDR}, {#PEER}] Preprocessing JSON Path: `$.response.result.entry.status` JavaScript: `The text is too long. Please see the template.` Discard unchanged with heartbeat: `1h`
BGP peer [{#PEER}]: Status duration	The duration of the current state of the BGP peer.	Dependent item	pan.pa440.bgp.peer.status.duration[{#PEERGROUP}, {#PEERADDR}, {#PEER}] Preprocessing JSON Path: `$.response.result.entry['status-duration']`

Get the information about the peer.

HTTP agent

pan.pa440.bgp.peer.get[{#PEERGROUP}, {#PEERADDR}, {#PEER}]

Preprocessing

XML to JSON

BGP peer [{#PEER}]: Status

The current state of the BGP peer.

Dependent item

pan.pa440.bgp.peer.status[{#PEERGROUP}, {#PEERADDR}, {#PEER}]

Preprocessing

JSON Path: $.response.result.entry.status
JavaScript: The text is too long. Please see the template.
Discard unchanged with heartbeat: 1h

BGP peer [{#PEER}]: Status duration

The duration of the current state of the BGP peer.

Dependent item

pan.pa440.bgp.peer.status.duration[{#PEERGROUP}, {#PEERADDR}, {#PEER}]

Preprocessing

JSON Path: $.response.result.entry['status-duration']

Trigger prototypes for BGP peer discovery

Name	Description	Expression	Severity	Dependencies and additional info
PA-440: BGP peer [{#PEER}]: Session is not Established or Idle	The session with the peer is not "Established" or "Idle".	`{$PAN.PA440.BGP.CONTROL:"{#PEER}"}=1 and last(/Palo Alto PA-440 by HTTP/pan.pa440.bgp.peer.status[{#PEERGROUP}, {#PEERADDR}, {#PEER}])<>5 and last(/Palo Alto PA-440 by HTTP/pan.pa440.bgp.peer.status[{#PEERGROUP}, {#PEERADDR}, {#PEER}])<>0`	High
PA-440: BGP peer [{#PEER}]: Session status duration has been reset	The duration of the session status with the peer has been reset.	`{$PAN.PA440.BGP.CONTROL:"{#PEER}"}=1 and last(/Palo Alto PA-440 by HTTP/pan.pa440.bgp.peer.status.duration[{#PEERGROUP}, {#PEERADDR}, {#PEER}])<10m`	Average

LLD rule OSPF neighbor discovery

Name Description Type Key and additional info

OSPF neighbor discovery

Discovers OSPF neighbors.

Dependent item

pan.pa440.ospf.neighbor.discovery

Preprocessing

JavaScript: The text is too long. Please see the template.
Discard unchanged with heartbeat: 3h

Item prototypes for OSPF neighbor discovery

Name Description Type Key and additional info

OSPF neighbor [{#NEIGHBORADDR}]: Status

The current state of the OSPF neighbor.

Dependent item

pan.pa440.ospf.neighbor.status[{#NEIGHBORAREA}, {#NEIGHBORADDR}]

Preprocessing

JSON Path: The text is too long. Please see the template.

Trigger prototypes for OSPF neighbor discovery

Name	Description	Expression	Severity	Dependencies and additional info
PA-440: OSPF neighbor [{#NEIGHBORADDR}]: Neighbor is not found anymore	The neighbor is not found anymore and the neighborship is gone. Please investigate if this is planned.	`{$PAN.PA440.OSPF.CONTROL:"{#NEIGHBORADDR}"}=1 and nodata(/Palo Alto PA-440 by HTTP/pan.pa440.ospf.neighbor.status[{#NEIGHBORAREA}, {#NEIGHBORADDR}],5m)=1`	High
PA-440: OSPF neighbor [{#NEIGHBORADDR}]: Status is not full or 2way	The status of the neighbor is not "full" or "2way". This may indicate issues with the OSPF session.	`{$PAN.PA440.OSPF.CONTROL:"{#NEIGHBORADDR}"}=1 and last(/Palo Alto PA-440 by HTTP/pan.pa440.ospf.neighbor.status[{#NEIGHBORAREA}, {#NEIGHBORADDR}])<>"full" and last(/Palo Alto PA-440 by HTTP/pan.pa440.ospf.neighbor.status[{#NEIGHBORAREA}, {#NEIGHBORADDR}])<>"2way"`	High

LLD rule OSPFv3 neighbor discovery

Name Description Type Key and additional info

OSPFv3 neighbor discovery

Discovers OSPFv3 neighbors.

Dependent item

pan.pa440.ospfv3.neighbor.discovery

Preprocessing

JavaScript: The text is too long. Please see the template.
Discard unchanged with heartbeat: 3h

Item prototypes for OSPFv3 neighbor discovery

Name Description Type Key and additional info

OSPFv3 neighbor [{#NEIGHBORADDR}]: Status

The current status of the OSPFv3 neighbor.

Dependent item

pan.pa440.ospfv3.neighbor.status[{#NEIGHBORAREA}, {#NEIGHBORADDR}]

Preprocessing

JSON Path: The text is too long. Please see the template.

Trigger prototypes for OSPFv3 neighbor discovery

Name	Description	Expression	Severity	Dependencies and additional info
PA-440: OSPFv3 neighbor [{#NEIGHBORADDR}]: Neighbor is not found anymore	The neighbor is not found anymore and the neighborship is gone. Please investigate if this is planned.	`{$PAN.PA440.OSPFV3.CONTROL:"{#NEIGHBORADDR}"}=1 and nodata(/Palo Alto PA-440 by HTTP/pan.pa440.ospfv3.neighbor.status[{#NEIGHBORAREA}, {#NEIGHBORADDR}],5m)=1`	High
PA-440: OSPFv3 neighbor [{#NEIGHBORADDR}]: Status is not full or 2way	The status of the neighbor is not "full" or "2way". This may indicate issues with the OSPF session.	`{$PAN.PA440.OSPFV3.CONTROL:"{#NEIGHBORADDR}"}=1 and last(/Palo Alto PA-440 by HTTP/pan.pa440.ospfv3.neighbor.status[{#NEIGHBORAREA}, {#NEIGHBORADDR}])<>"full" and last(/Palo Alto PA-440 by HTTP/pan.pa440.ospfv3.neighbor.status[{#NEIGHBORAREA}, {#NEIGHBORADDR}])<>"2way"`	High

LLD rule License discovery

Name Description Type Key and additional info

License discovery

Discovers licenses installed on the device. Only the licenses with an expiration date are discovered.

Dependent item

pan.pa440.licenses.discovery

Preprocessing

JavaScript: The text is too long. Please see the template.
Discard unchanged with heartbeat: 3h

Item prototypes for License discovery

Name Description Type Key and additional info

License [{#FEATURE}]: Expires on

The expiration date for the license {#DESCRIPTION}.

Dependent item

pan.pa440.license.expires[{#FEATURE}]

Preprocessing

JSON Path: The text is too long. Please see the template.
Discard unchanged with heartbeat: 12h

License [{#FEATURE}]: Expired

Indicates whether the license {#DESCRIPTION} has expired.

Dependent item

pan.pa440.license.expired[{#FEATURE}]

Preprocessing

JSON Path: The text is too long. Please see the template.
Boolean to decimal
Discard unchanged with heartbeat: 12h

Trigger prototypes for License discovery

Name	Description	Expression	Severity	Dependencies and additional info
PA-440: License [{#FEATURE}]: Expires soon	The license will expire in less than `{$PAN.PA440.LICENSE.EXPIRY.WARN:"{#FEATURE}"}`.	`(last(/Palo Alto PA-440 by HTTP/pan.pa440.license.expires[{#FEATURE}]) - now())<{$PAN.PA440.LICENSE.EXPIRY.WARN:"{#FEATURE}"}`	Warning
PA-440: License [{#FEATURE}]: Has expired	The license `{#DESCRIPTION}` has expired.	`last(/Palo Alto PA-440 by HTTP/pan.pa440.license.expired[{#FEATURE}])=1`	High	Manual close: Yes

LLD rule Device certificate discovery

Name Description Type Key and additional info

Device certificate discovery

Discovers device certificate metrics. Note that superuser privileges are required to obtain the device certificate data.

Dependent item

pan.pa440.certificate.device.discovery

Preprocessing

JavaScript: The text is too long. Please see the template.
Discard unchanged with heartbeat: 3h

Item prototypes for Device certificate discovery

Name Description Type Key and additional info

Device certificate: Expires in

The time in seconds until the device certificate expiration.

Dependent item

pan.pa440.certificate.device.expires_in[{#SINGLETON}]

Preprocessing

JSON Path: $.response.result['device-certificate']['seconds-to-expire']

Device certificate: Expires on

The expiration date of the device certificate.

Dependent item

pan.pa440.certificate.device.expires[{#SINGLETON}]

Preprocessing

JSON Path: $.response.result['device-certificate']['not_valid_after']
Discard unchanged with heartbeat: 12h

Trigger prototypes for Device certificate discovery

Name	Description	Expression	Severity	Dependencies and additional info
PA-440: Device certificate: Expires soon	The device certificate will expire in less than `{$PAN.PA440.CERT.DEVICE.EXPIRY.WARN}`.	`last(/Palo Alto PA-440 by HTTP/pan.pa440.certificate.device.expires_in[{#SINGLETON}])<{$PAN.PA440.CERT.DEVICE.EXPIRY.WARN}`	Warning

LLD rule Certificate discovery

Name Description Type Key and additional info

Certificate discovery

Discovers certificates on the device. Only the certificates with an expiration date are discovered.

Dependent item

pan.pa440.certificates.discovery

Preprocessing

JavaScript: The text is too long. Please see the template.
Discard unchanged with heartbeat: 3h

Item prototypes for Certificate discovery

Name Description Type Key and additional info

Certificate [{#CERTNAME}]: Expires on

The expiration date for the certificate.

Dependent item

pan.pa440.certificate.expires[{#CERTNAME}]

Preprocessing

JSON Path: The text is too long. Please see the template.
Discard unchanged with heartbeat: 12h

Trigger prototypes for Certificate discovery

Name	Description	Expression	Severity	Dependencies and additional info
PA-440: Certificate [{#CERTNAME}]: Expires soon	The certificate will expire in less than `{$PAN.PA440.CERT.EXPIRY.WARN:"{#CERTNAME}"}`.	`(last(/Palo Alto PA-440 by HTTP/pan.pa440.certificate.expires[{#CERTNAME}]) - now())<{$PAN.PA440.CERT.EXPIRY.WARN:"{#CERTNAME}"}`	Warning	Depends on: PA-440: Certificate [{#CERTNAME}]: Has expired
PA-440: Certificate [{#CERTNAME}]: Has expired	The certificate has expired.	`(last(/Palo Alto PA-440 by HTTP/pan.pa440.certificate.expires[{#CERTNAME}]) - now())<0`	High

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide feedback, discuss the template, or ask for help at ZABBIX forums

Link	Source	Compatibility	Type, Technology	Created Updated	Rating
Zabbix template for Palo Alto Networks Next-Generation firewall The template to monitor Palo Alto Networks NGFW PAN-OS by Zabbix using SNMP v2c. For Zabbix version: 5.2 and higher. It may work with older versions, but was not tested. In case of errors at older Zabbix versions please choose "Zabbix_old" branch. github.com/mrRobit/Zabbix_templates	GitHub 10		Template	2016-07-20 1 y	Vendor
Palo Alto SNMPv2 64-bit counters Hi everyone,I created this template because i updated two Palo Alto from 8.1.4 to 9.0.3 and some counter went from 32 to 64bitsI just modified the template below from Pavol Rehak so check it out (for details details and trap configuration) :https://share.zabbix.com/network_devices/palo-alto/paloalto-snmpv3-zabbix4-0I ... template_palo_alto_with_64-bit_counters_(snmpv2)	GitHub Community Templates	5.0+
Palo Alto SNMPv3 Auth Priv Uses SNMPv3Predefined Auth and Priv method : SHA and AESVariables under Macros, just one time update during host addition template_palo_alto_snmpv3	GitHub Community Templates	5.0+
Template_Palo_Alto_PA200 template_palo_alto_pa-200_pan-os_ver.6.0.x	GitHub Community Templates	5.0+
Template_Palo_Alto_Firewall template_palo_alto_firewall	GitHub Community Templates	5.0+

See all Zabbix community templates

Zabbix + Palo Alto Networks

Palo Alto Networks

Available solutions

Palo Alto PA-440 by HTTP

Overview

Requirements

Tested versions

Configuration

Setup

Macros used

Items

Triggers

LLD rule HA metric discovery

Item prototypes for HA metric discovery

Trigger prototypes for HA metric discovery

LLD rule HA link discovery

Item prototypes for HA link discovery

Trigger prototypes for HA link discovery

LLD rule Hardware network interface discovery

Item prototypes for Hardware network interface discovery

Trigger prototypes for Hardware network interface discovery

LLD rule Logical network interface discovery

Item prototypes for Logical network interface discovery

Trigger prototypes for Logical network interface discovery

LLD rule BGP peer discovery

Item prototypes for BGP peer discovery

Trigger prototypes for BGP peer discovery

LLD rule OSPF neighbor discovery

Item prototypes for OSPF neighbor discovery

Trigger prototypes for OSPF neighbor discovery

LLD rule OSPFv3 neighbor discovery

Item prototypes for OSPFv3 neighbor discovery

Trigger prototypes for OSPFv3 neighbor discovery

LLD rule License discovery

Item prototypes for License discovery

Trigger prototypes for License discovery

LLD rule Device certificate discovery

Item prototypes for Device certificate discovery

Trigger prototypes for Device certificate discovery

LLD rule Certificate discovery

Item prototypes for Certificate discovery

Trigger prototypes for Certificate discovery

Feedback

Palo Alto PA-440 by HTTP

Overview

Requirements

Tested versions

Configuration

Setup

Macros used

Items

Triggers

LLD rule HA metric discovery

Item prototypes for HA metric discovery

Trigger prototypes for HA metric discovery

LLD rule HA link discovery

Item prototypes for HA link discovery

Trigger prototypes for HA link discovery

LLD rule Hardware network interface discovery

Item prototypes for Hardware network interface discovery

Trigger prototypes for Hardware network interface discovery

LLD rule Logical network interface discovery

Item prototypes for Logical network interface discovery

Trigger prototypes for Logical network interface discovery

LLD rule BGP peer discovery

Item prototypes for BGP peer discovery

Trigger prototypes for BGP peer discovery

LLD rule OSPF neighbor discovery

Item prototypes for OSPF neighbor discovery

Trigger prototypes for OSPF neighbor discovery

LLD rule OSPFv3 neighbor discovery

Item prototypes for OSPFv3 neighbor discovery

Trigger prototypes for OSPFv3 neighbor discovery

LLD rule License discovery

Item prototypes for License discovery

Trigger prototypes for License discovery

LLD rule Device certificate discovery

Item prototypes for Device certificate discovery

Trigger prototypes for Device certificate discovery

LLD rule Certificate discovery