Palo Alto Panorama ChatOps with Nautobot

Here at Network to Code, we are continually developing new ChatOps integrations for the underlying Nautobot ChatOps Framework. We have recently released a new ChatOps integration for Palo Alto Panorama systems. This ChatOps application is used to interact with the Palo Alto Panorama system and comes prepackaged with various chat commands. You can now get specific information or run advanced ACL checks on Panorama using your existing ChatOps service, including Slack, Microsoft Teams, Webex, and Mattermost.

For installation steps, refer to its README. To install the underlying Nautobot ChatOps framework, refer to the documentation found here.

Commands

The Nautobot ChatOps Panorama app extends the capabilities of the Nautobot ChatOps framework by adding a new chat command: /panorama. As of version 1.1.0 (the current version as of this writing), there are seven subcommands available to use. They are:

  • capture-traffic
  • export-device-rules
  • get-device-rules
  • get-version
  • install-software
  • upload-software
  • validate-rule-exists

Capture Traffic

The capture-traffic subcommand will prompt the user to choose the interesting traffic that needs to be captured and the device name and interface to run the capture on. It will then gather the necessary information from Panorama and run the capture directly on the firewall. Then it will export the packet capture directly to the user via the ChatOps client as a .pcap file capable of being opened in Wireshark.

This is by far my favorite command available, as I’ve spent way too long trying to set up packet captures on firewalls over the years! One caveat: to use this command, Nautobot requires access to both Panorama and the management IP address of the Palo Alto device it’s running a capture on.

Export Device Rules

The export-device-rules subcommand will prompt the user to select a Palo Alto firewall, then generate a list of firewall rules on it and output it in chat in a CSV format.

Get Device Rules

The get-device-rules subcommand is similar to the previous command, in that it will prompt the user to select a Palo Alto firewall, then generate a list of firewall rules on it and output them to the chat client in an easy-to-read format.

Get Version

The get-version subcommand is one of the simplest commands available. It will simply return the current version of the Panorama system configured. It does not require any additional input or device selection.

Install Software

The install-software subcommand allows you to install a new OS version that has previously been uploaded to a Palo Alto firewall. As with any command that makes changes to a device, we recommend testing this on a lab or other non-production system first!

Upload Software

The upload-software subcommand allows you to upload a specific PanOS version to a Palo Alto firewall. This can be used prior to running the install-software command mentioned above.

Validate Rule Exists

The validate-rule-exists subcommand is another one of my favorites. It prompts the user to select a firewall device, as well as source and destination traffic information to check. It will then check the firewall rules to see whether there is a matching rule for this traffic. If found, it will return the results to the user. This can be very handy to quickly see whether a new rule being requested is already in place, helping prevent duplicate rule creations.
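The kind of check described above, as an added example (not code from the Panorama ChatOps app): a top-down, first-match lookup over a constructed rulebase, showing why the matching rule's action and position matter as much as its existence. The Rule fields, rule names, and addresses are assumptions, and the model ignores zones and applications.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:  # hypothetical, simplified rule model
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    ports: str    # "any", "443" or "8000-8080"
    action: str   # "allow" or "deny"

def _addr_match(spec, ip):
    return spec == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def _port_match(spec, port):
    if spec == ANY:
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def first_match(rules, src, dst, proto, port):
    """Return the first rule (top-down) that matches the flow, or None."""
    for rule in rules:
        if (_addr_match(rule.src, src) and _addr_match(rule.dst, dst)
                and rule.proto in (ANY, proto) and _port_match(rule.ports, port)):
            return rule
    return None

# Constructed sample rulebase, evaluated in order from the top.
RULES = [
    Rule("block-legacy-db", "10.1.0.0/16", "10.9.9.10/32", "tcp", "1433", "deny"),
    Rule("web-to-app", "10.1.20.0/24", "10.9.0.0/16", "tcp", "8000-8080", "allow"),
    Rule("corp-to-dc", "10.1.0.0/16", "10.9.0.0/16", "any", "any", "allow"),
]

def check(src, dst, proto, port):
    """Return (rule name, action) for the flow, or None if no rule matches."""
    rule = first_match(RULES, src, dst, proto, port)
    return (rule.name, rule.action) if rule else None

if __name__ == "__main__":
    print(check("10.1.20.5", "10.9.1.1", "tcp", 8080))   # existing allow rule
    print(check("10.1.20.5", "10.9.9.10", "tcp", 1433))  # deny shadows corp-to-dc
    print(check("192.0.2.7", "10.9.1.1", "tcp", 443))    # no matching rule
```

The second flow would also match the broad corp-to-dc allow, but the earlier deny wins, so a "rule exists" answer should always be read together with the rule's action and order.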


Conclusion

These commands handle only a subset of the information that can be gathered by the Panorama chatbot. You can contribute more commands with minimal Python code! Because the Nautobot ChatOps plugin lowers the barrier of entry by already handling the interaction between Nautobot and chat applications like Mattermost, Microsoft Teams, Slack, and Webex, creating new commands is extremely easy. We encourage you to create your own commands by building on top of existing commands and plugins that we at NTC have created—or even create your own command to interact with something you use on a daily basis.

We also encourage, in the GitHub repo for the app, any feedback, feature requests, or reports of bugs you may find.

-Matt



Nautobot ChatOps for Grafana

Two of the more intriguing topics I have heard about lately, which also seem to resonate with network engineers and network professionals, are the insight telemetry provides and the ease of use that chat platforms such as Slack and Microsoft Teams deliver to your keyboard and fingertips. The Grafana ChatOps application is designed to provide the best of both worlds. Grafana ChatOps is a Nautobot extension used with the Nautobot ChatOps base framework to deliver the operational graphs provided by Grafana via chat clients.

Today, we will walk through some of the features within the Grafana ChatOps integration, as well as some of the requirements and procedures to get up and running with Grafana ChatOps.

An important note on the architecture design choices with this ChatOps app (plugin) is that chat commands are defined dynamically based on the Grafana panels and dashboards (we’ll go into this a little later). When you launch the app for the first time, you will see that no chat commands have been defined yet. You can define commands automatically or manually and tie them to specific Grafana panels within a dashboard.

Installation

The package for the Grafana ChatOps app is available on PyPI and can be installed using pip.

Prior to installing the Nautobot Grafana Plugin, you should have the following installed:

For the full installation guide, please refer to the Grafana ChatOps repo Install Guide.

Usage

Building Grafana ChatOps commands can be done using a manual or automated approach. The automated approach uses the DiffSync library to synchronize Grafana dashboards, panels, and variables with the Nautobot Grafana ChatOps plugin.

Defining Commands

To define a command within the Grafana plugin for use with your chat client, there are two main components that we need to have populated.

  • Define at least one Grafana Dashboard.
  • Define at least one Grafana Panel within the Dashboard.

This tutorial will take you through the steps noted above to get a chat command exposed in your chat client.

The first step is to define a dashboard so that the Grafana plugin is aware of the dashboard that exists within Grafana. You can define a dashboard in Grafana in two ways: defining a dashboard manually or using the “Sync” feature to synchronize your Grafana dashboards automatically.

Defining a Dashboard Manually

To define a dashboard manually, you can go to Plugins > Dashboards and click the + Add button located in the upper right of the screen. In the form for a new dashboard, you need to define the slug, uid, and Friendly Name.

New Dashboard

NOTE: You can find the slug and uid info by navigating to your Grafana instance and going to the desired dashboard, 

New Dashboard

Defining a Dashboard Using the Sync Method

Alternatively, you can define a set of dashboards by synchronizing your Grafana dashboard configuration to the Grafana plugin. To synchronize dashboards, within Nautobot, navigate to Plugins > Dashboards and click the Sync button.

This process will utilize the DiffSync library to synchronize, create, update, and delete dashboards in Nautobot with the Dashboards that are defined in the Grafana application. Once complete, you will see all dashboards imported into Nautobot.

Defining Grafana Panels

The second step to defining Grafana commands in Nautobot for your chat client is to define the panels you wish to expose via chat.

Panels are closely associated with chat commands: there will be a chat command for each panel defined.

Similar to dashboards, you can define panels in two ways within Nautobot.

Defining a Panel Manually

To define a panel manually, go to Plugins > Panels and click the + Add button located in the upper right of the screen. In the modal for a new panel, you need to select the dashboard that the panel is defined under, then add a command name, along with a friendly name, and define the Panel ID.

The Active checkbox will allow the command to show up in your chat client. If the panel is marked as inactive, it will still be defined in Nautobot, but restricted from being shown in the chat client.

new panel

NOTE: You can find the panel id by navigating to your desired panel, selecting View, then looking at the URL. 

New Panel

Defining Panels Using the Sync Method

Alternatively, you can define a set of panels by synchronizing your Grafana panels configuration for a given dashboard to the Grafana plugin. To synchronize panels for a dashboard, within Nautobot, navigate to Plugins > Panels and click the Sync button.

This process will utilize the DiffSync library to synchronize, create, update, and delete panels in Nautobot with the Dashboard Panels that are defined in the Grafana application. Once complete, you will see all panels for a dashboard imported into Nautobot.

Panels are synchronized on a per-dashboard basis. All synchronized panels will be INACTIVE by default; you will need to set them to active to see them in chat.

Once your dashboard and panels have been defined, and you activate the panels you wish to expose to the chat client, you will be able to see the available chat commands, as well as run commands to generate your panels.

Chat Example

Advanced Usage

Additional functionality can be added to the Grafana ChatOps plugin if you have variables defined on your dashboards. Panel variables can also be imported via the “Sync” functionality and associated with a panel. Then you can go in and customize how the variables behave and even enrich the ChatOps experience using Nautobot as a Source of Truth for your variables!

To read more on the advanced usage of the Grafana ChatOps plugin with panel variables, refer to the Advanced Usage Guide in the repository.


Conclusion

ChatOps has given a conduit to retrieve and respond interactively using a platform that is already in place and used for communication across almost any device, while Grafana has provided a feature-rich observability platform. With the Nautobot Grafana integration, we can now have the best of both worlds. Let us know how you’re using the Grafana ChatOps or if you have any questions or issues in the GitHub repo.

-Josh Silvas



Nautobot Chatops for Cisco ACI

We’re excited to announce the newest addition to our growing list of Nautobot Chatops Applications, the Cisco ACI Chatops Plugin! The Cisco ACI Chatops integration makes it possible to interact with the ACI controller, the APIC (Application Policy Infrastructure Controller), using chat commands in Slack, Mattermost, Cisco Webex, and Microsoft Teams. With this integration, network operations teams supporting Cisco ACI can use chat commands to:

  • execute commands against multiple different APIC clusters in different data centers and/or regions
  • register new leaf or spine switches in the fabric using chat commands
  • quickly glean useful data from an APIC for informational or troubleshooting purposes

Below, we’ll review some of the features and commands in this initial release.

Multi-Fabric Support

Multi-Fabric refers to the ability to provide support for multiple APIC clusters. While there is currently no support for the Cisco Multi-Site Orchestrator (MSO), which provides a single point of management for multiple APIC clusters, the ACI Chatops app supports configuration of as many individual APIC controllers as needed (it’s also open source, so contributions are more than welcome!). The chat platform will prompt for the APIC to execute a command against:

APIC Selection Menu

In addition, the selection dialogue can be avoided, if desired, simply by providing the APIC cluster name as the second argument to the chat command. For example, to execute against the APIC cluster called ntcapic in our configuration, the command would be:

/aci get-tenants ntcapic

ntcapic is a friendly name assigned to our APIC cluster. Under the hood it informs the Chatops app which APIC hostname and credentials to use. The details can be found in the Installation Guide.

Node Registration

In Cisco ACI, when new Leaf and Spine switches are plugged into the ACI fabric for the first time, they are discovered using LLDP (Link Layer Discovery Protocol) and show up in the APIC as unregistered nodes. An administrator must then access the APIC GUI and register the new node by assigning it a name and unique ID number. The below set of chat commands could be used by network operators to view registered and pending nodes, and then register a newly discovered node in the fabric.

Get Nodes

Displays a list of all registered nodes in the fabric.

Get Nodes

Get Pending Nodes

Displays a list of any unregistered nodes that have been discovered.

Get Pending Nodes

Register Node

Register a new node in the ACI fabric.

Register Node

Information Gathering

The below chat commands can be used to retrieve and display configuration and operational details from the APIC.

Display APIC Details

Don’t remember the hostname or IP addressing details of the APIC? Need to look up the serial number or model information? No problem, just run the aci get-controllers command!

Get Controllers

Display Tenants

Get the list of tenants from an APIC using the command aci get-tenants.

Get Tenants

Display Application Profiles

Get the list of Application Profiles in a specified tenant using the aci get-aps command.

Get Aps

You can also specify all for the tenant field to get a list of all Application Profiles in the fabric across all tenants.

Get All Aps

Display Endpoint Groups (EPGs)

Get a list of all EPGs in a specified Application Profile using the aci get-epgs command.

Get EPGs

You can also specify all for the Application Profile selection dialogue to see EPGs for all Application Profiles in a tenant.

Get EPGs All APs

How about all EPGs across all tenants? Sure, just specify all for the Tenant dialogue…

Get EPGs All Tenants

Display Endpoint Group Details

The aci get-epg-details chat command provides useful information about a specified EPG, consolidating information from several API calls.

Get EPG Details

Display VRFs

The aci get-vrfs chat command displays the VRFs in use in a specified tenant.

Get VRFs

It is also possible to display all VRFs in the fabric by selecting all from the tenant selection dialogue.

Get VRFs All

Display Bridge Domains

The aci get-bds command displays Bridge Domains in a specified tenant and includes useful details from several API calls, such as the configured subnet, VRF, L2 Forwarding, and L3 Routing details.

Get BDs

You can also get a fabric-wide view of Bridge Domains by selecting all from the tenant selection dialogue.

Get BDs All

Display Interface State

The aci get-interfaces command can be used to quickly view interface state on a specified node.

Get Interfaces All

You can also filter for all operational or non-operational interfaces by selecting up or down from the Interface State selection dialogue.

Get Interfaces Up
Get Interfaces Down

Conclusion

With the commands developed so far, our main focus was on providing the ability to glean useful operational details from an ACI fabric; but we could easily implement any task using the extensible API that Cisco ACI provides. What other chat commands for Cisco ACI would you find useful? Please feel free to hit us up in the comments or in our Public Slack channel.

-Matt


