paloalto_panos and dedicated panorama log collector appliances

[gittyjr]

Connecting to dedicated panorama log collector fails after the command "show admins" is attempted to be ran

Setup

Netmiko version

(Paste verbatim output from pip freeze | grep netmiko between quotes below)

Name: netmiko
Version: 4.3.0
Summary: Multi-vendor library to simplify legacy CLI connections to network devices
Home-page: https://github.com/ktbyers/netmiko
Author: Kirk Byers
Author-email: [email protected]
License: MIT
Location: C:\Program Files\Python311\Lib\site-packages
Requires: ntc-templates, paramiko, pyserial, pyyaml, scp, textfsm
Required-by:

Netmiko device_type (if relevant to the issue)

(Paste device_type between quotes below)

paloalto_panos

Steps to Reproduce the Issue

build a connection handler for a palo alto panorama log collector appliance ( I am using virtual appliances )
try to run any command (show clock for example)

Error Traceback

(Paste the complete traceback of the exception between quotes below)

Traceback (most recent call last):
  File "c:\palo-automation\log-collector-check-reset.py", line 15, in <module>
    net_connect = ConnectHandler(**paloalto_connect)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python311\Lib\site-packages\netmiko\ssh_dispatcher.py", line 399, in ConnectHandler
    return ConnectionClass(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python311\Lib\site-packages\netmiko\base_connection.py", line 488, in __init__
    self._open()
  File "C:\Program Files\Python311\Lib\site-packages\netmiko\base_connection.py", line 494, in _open
    self._try_session_preparation()
    self._test_channel_read(pattern=r"Client")
  File "C:\Program Files\Python311\Lib\site-packages\netmiko\base_connection.py", line 1235, in _test_channel_read
    return self.read_until_pattern(pattern=pattern, read_timeout=20)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python311\Lib\site-packages\netmiko\base_connection.py", line 746, in read_until_pattern
    raise ReadTimeout(msg)
netmiko.exceptions.ReadTimeout:

Pattern not detected: 'Client' in output.

Things you might try to fix this:
1. Adjust the regex pattern to better identify the terminating string. Note, in
many situations the pattern is automatically based on the network device's prompt.
2. Increase the read_timeout to a larger value.

You can also look at the Netmiko session_log or debug log for more information.

Relevant Python code

(Please try to essentialize your Python code to the minimum code needed to reproduce the issue)
(Paste the code between the quotes below)

from netmiko import ConnectHandler
import logging

paloalto_connect = {
    "device_type" : "paloalto_panos",
    "host" : "hostname",
    "username" : "admin",
    "password" : "password",
    "session_log" : "./session.log",
    "port" : 22,
}

logging.basicConfig(level=logging.DEBUG)
net_connect = ConnectHandler(**paloalto_connect)

output1 = net_connect.send_command("show clock")
output2 = net_connect.send_command("show log-collector-es-cluster health | match as_number")

print(output1)
print(output2)
temp_var = output2.split(":")
shard_percent = temp_var[1].rstrip()
print(f"Percent complete: {shard_percent}%")

I am happy to test any suggestions. I've used terminal_server which has some interesting other quirks, but I would prefer to leverage the paloalto_panos handler. I have access to many different models of palo firewalls, as well as panorama management appliances as well as panorama dedicated log collectors.

[ktbyers]

@gittyjr What does the CLI of the panorama log collector look like?

What happens if you type show admins at the CLI?

It is definitely possible/probably that the paloalto_panos device_type does not work with Panorama log-collector (since netmiko is expecting the behavior of the panos firewall).

[gittyjr]

@ktbyers ,

It looks very similar to management panoramas and firewalls. the show admins is not a valid command on a log collector but is on the firewall and the management / hybrid panorama.

[gittyjr]

If you need any other output from a log collector, please let me know. I have access to quite a few currently.

[Jack-xizhan]

@ktbyers ,
I have the same requirement to collect basic information from Palo Alto Firewall and Panorama log-collector using Netmiko. The command I'm using is show system info.

As mentioned above, the show admins command is invalid on the Panorama log-collector. However, using paloalto_panos does not allow bypassing this step, and resulting in the same error.

Is there a way to resolve this issue? Or are there any recommended alternatives for gathering this information?

Thank you!

[opachano]

@ktbyers I have run into this same issue, and I found a solution here (#2934) I tested it locally and is working for firewall and log collectors. Since log collectors don't support show admins, switching to a different command (show system info) works for both types of devices. Here is the PR link: #3535