About PAN-OS OpenConfig Support
Describes the benefits and capabilities of PAN-OS OpenConfig support.
The Palo Alto Networks OpenConfig plugin allows you to programmatically access the firewall based on OpenConfig data models and protocols to automate configuration and telemetry retrieval. To learn more about OpenConfig, visit https://www.openconfig.net.
The OpenConfig interface uses the gRPC Network Management Interface (gNMI) protocol for configuration management and telemetry based on the OpenConfig data models, and the gRPC Network Operations Interface (gNOI) for operational services defined by OpenConfig.
Using the plugin, you can manage configuration, generate streaming telemetry, and carry out operational services on the firewall. The OpenConfig plugin is supported on hardware and VM-Series firewalls. The OpenConfig data models currently support up to Layer 4 networking.
The gNMI protocol uses a client-server messaging model. The OpenConfig plugin implements a gNMI server that listens for client requests and supports all of the gNMI request types: Set, Get, Subscribe, and Capabilities. The Set request carries out transaction-based edit operations, whether it contains a single request or multiple requests. If successful, the Set request is treated as an atomic operation that takes effect immediately as an implicit commit request. The Get request retrieves a model’s configuration and state data. The Subscribe request returns a model’s state data. The Capabilities request can be used to determine the models supported by the firewall.
Familiarize yourself with each of the sections below before using
the OpenConfig plugin.
The OpenConfig plugin is not supported on a firewall in
FIPS-CC mode.
Commits
For successful Set requests, the effects take place immediately as part of a multi-request configuration operation that deletes and updates certain specified paths and immediately commits the operations.
The client returns a job ID if applicable for the specific request.
If using the gNMIC client, specify the --format prototext flag to return the job ID.
If any part of the configuration is rejected, all of the operations are reverted and no change takes place.
IP Address
The PAN-OS OpenConfig plugin listens for requests on the management interface’s assigned IP address on port 9339. To send gNMI requests to the firewall, use the management IP address, for example: 10.1.1.1:9339.
If you want to change the IP address for gNMI requests, you should first configure the management interface for the firewall. How to Configure the Management Interface IP shows how you can set the management IP of a firewall.
Certificate Management
The PAN-OS OpenConfig plugin uses the default self-signed certificate assigned to the management interface. The certificate must be installed on the client to send and receive requests from the firewall.
The Keys and Certificates section of the PAN-OS Administrator’s Guide provides more information about the process for certificate management.
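One way to install that certificate on a gNMIC client and check it before trusting it, as an added example that is not from the PAN-OS guide: the script saves the certificate presented on port 9339, compares its SHA-256 fingerprint with one you read from the firewall out of band, and then runs the capabilities request with --tls-ca instead of --skip-verify. The function names, the fw-mgmt.pem file name and the use of the GNMIC_PASSWORD environment variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the PAN-OS guide: pin the management certificate
# for gnmic instead of passing --skip-verify. File names are illustrative.

# Accept only host:port targets such as 10.1.1.1:9339.
valid_target() {
    host=${1%:*}; port=${1##*:}
    [ "$host" != "$1" ] || return 1                 # no colon present
    [ -n "$host" ] && [ -n "$port" ] || return 1
    case "$host" in *[!A-Za-z0-9.-]*) return 1 ;; esac
    case "$port" in *[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Reduce "sha256 Fingerprint=AB:CD:..." or a bare hex string to lowercase hex.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# True when both fingerprints are non-empty and identical after normalising.
fp_matches() {
    [ -n "$1" ] && [ -n "$2" ] &&
        [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# usage: pinned_capabilities <ip:port> <user> <expected-sha256> [ca-file]
pinned_capabilities() {
    target=$1; user=$2; expected=$3; ca=${4:-./fw-mgmt.pem}
    valid_target "$target" || { echo "bad target: $target" >&2; return 2; }
    # Save the certificate the gNMI listener presents on the management IP.
    openssl s_client -connect "$target" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$ca" || return 3
    seen=$(openssl x509 -in "$ca" -noout -fingerprint -sha256) || return 3
    # Trust it only if it matches the fingerprint obtained out of band.
    fp_matches "$seen" "$expected" ||
        { echo "fingerprint mismatch, not trusting $ca" >&2; rm -f "$ca"; return 4; }
    # gnmic takes the password from GNMIC_PASSWORD, keeping it off the command line.
    gnmic -a "$target" -u "$user" --tls-ca "$ca" capabilities
}

if [ "$#" -ge 3 ]; then pinned_capabilities "$@"; fi
```

Verification with --tls-ca succeeds only if the certificate names the address you connect to; whether the default self-signed certificate does so is an assumption to check on your firewall.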
Client Authentication
As a best practice, Configure an Admin Role Profile to use as the profile for gNMI requests, so that they use a custom role-based administrator. Enable XML API access for the admin role you configure for OpenConfig.
Request Formats
The OpenConfig plugin supports both direct model data tree paths and JSON format for gNMI requests sent to the firewall. The examples in this guide primarily use the path and the JSON equivalent. The encoding type for all of the examples is JSON_IETF.
Response Formats
For Subscribe requests, the firewall supports Protocol Buffer (protobuf). The keys are strings that line up with the requested system resources. The values identify operational state behavior.
Capabilities Request Type
The OpenConfig plugin supports the capabilities call to get a list of models available for use on the firewall.
Below is an example call used with the gNMI client to retrieve the supported models. The --skip-verify flag in this call disables verification of the firewall’s certificate.
gnmic -a networkip:9339 -u username -p Password --skip-verify capabilities
Third-Party gNMI Clients Used in Examples
All examples in the PAN-OS OpenConfig guide use the gNMIC OpenConfig client.
Third-party gNMI clients you can use to test the examples include: