: PAN-OS OpenConfig Support
Focus
Focus

PAN-OS OpenConfig Support

Table of Contents

PAN-OS OpenConfig Support

Learn about PAN-OS OpenConfig benefits and capabilities
Palo Alto Networks OpenConfig plugin allows you to programmatically access the firewall based on OpenConfig data models and protocols to automate configuration and telemetry retrieval. To Learn more about OpenConfig, visit https://www.openconfig.net. The OpenConfig interface uses gRPC Network Management Interface (gNMI) protocol for configuration management, telemetry based on the OpenConfig data models, and gRPC Network Operations Interface (gNOI) for operational services defined by OpenConfig.
Using the plugin, you can manage configuration, generate streaming telemetry, and carry out operational services on the firewall. The OpenConfig plugin is supported on the hardware and VM-Series firewalls.
The gMNI protocol uses a client-server messaging model. The OpenConfig plugin implements a gNMI server that listens for client requests and supports all of the gNMI request types: Set, Get, Subscribe, and Capabilities. The Set request carries out transaction based edit operations whether it be single or multiple requests.

Models Supported with v1.0.0

These models are supported with the first version of the plugin:
  • openconfig-bgp
  • openconfig-vlan
  • openconfig-platform
  • openconfig-system
  • openconfig-interfaces
  • openconfig-local-routing
  • openconfig-rib
  • openconfig-lacp
  • openconfig-lldp
Visit the YANG Repository on the Palo Alto Networks Github for a more comprehensive view of the models.

Installing the Plugin

  1. Download the plugin by selecting DevicePlugins on a PAN-OS firewall.
  2. Select the version of the plugin and click Install in the Actions column to install the plugin. PAN-OS will alert you when the plugin is complete.

Target Address

The PAN-OS OpenConfig plugin listens for requests on the management interface’s assigned IP address on port 9339. To send gNMI requests to the firewall, use the management IP address, for example: 10.0.0.1:9339.
If you want to change the IP address for gNMI requests, you should first configure the management interface for the firewall. How to Configure the Management Interface IP shows how you can set the management IP of a firewall.