Description about PAN-OS OpenConfig benefits and capabilities
The Palo Alto Networks OpenConfig plugin allows you to programmatically access the firewall based on OpenConfig data models and protocols, to automate configuration and telemetry retrieval. To learn more about OpenConfig, visit https://www.openconfig.net.
The OpenConfig interface uses the gRPC Network Management Interface (gNMI) protocol for configuration management and for telemetry based on the OpenConfig data models, and the gRPC Network Operations Interface (gNOI) for the operational services defined by OpenConfig.
Using the plugin, you can manage configuration, generate streaming telemetry, and carry out operational services on the firewall. The OpenConfig plugin is supported on the hardware and VM-Series firewalls. The OpenConfig data models currently support up to Layer 4 networking.
The gNMI protocol uses a client-server messaging model. The OpenConfig plugin implements a gNMI server that listens for client requests and supports all of the gNMI request types: Set, Get, Subscribe, and Capabilities. The Set request carries out transaction-based edit operations, whether the transaction consists of a single request or multiple requests. If successful, the Set request is treated as an atomic operation that takes effect immediately as an implicit commit request. The Get request retrieves a model's configuration and state data. The Subscribe request returns a model's state data. The Capabilities request can be used to determine the models supported by the firewall.
Familiarize yourself with each of the sections below before using the OpenConfig plugin.
Commits
For successful Set requests, the effects take place immediately as part of a multi-request configuration operation that deletes and updates the specified paths and immediately commits the operations. The response returned to the client includes a job ID, if applicable for the specific request. If you are using the gNMIC client, specify the --format prototext flag to return the job ID. If any part of the configuration is rejected, all of the operations are reverted and no change takes place.
IP Address
The PAN-OS OpenConfig plugin listens for requests on the management interface's assigned IP address on port 9339. To send gNMI requests to the firewall, use the management IP address and that port, for example: 10.1.1.1:9339.
If you want to change the IP address used for gNMI requests, you must first configure the management interface of the firewall. How to Configure the Management Interface IP shows how you can set the management IP of a firewall.
Certificate Management
The PAN-OS OpenConfig plugin uses the default self-signed certificate assigned to the management interface. The certificate must be installed on the client to send requests to and receive responses from the firewall.
The Keys and Certificates section of the PAN-OS Administrator's Guide provides more information about the certificate management process.
Client Authentication
As a best practice, Configure an Admin Role Profile to use as the profile for gNMI requests, so that requests run as a custom role-based administrator. Enable XML API access for the admin role you configure for OpenConfig.
Request Formats
The OpenConfig plugin supports both direct model data tree paths and JSON format for gNMI requests sent to the firewall. The examples in this guide primarily use the path and its JSON equivalent. The encoding type for all of the examples is JSON_IETF.
Capabilities Request Type
The OpenConfig plugin supports the Capabilities call to get a list of the models available for use on the firewall.
Below is an example call, using the gNMI client, to retrieve the supported models:
gnmic -a networkip:9339 -u username -p Password --skip-verify capabilities
Third-Party gNMI Clients Used in Examples
All examples in the PAN-OS OpenConfig guide use the gNMIC OpenConfig client.
Third-party gNMI clients you can use to test the examples include: