enh(network::paloalto::api) Add host discovery to handle Panorama

src/centreon/plugins/constants.pm

@@ -40,7 +40,7 @@ use constant {
 
     # Only used with COUNTER_TYPE_MULTIPLE counters
     COUNTER_MULTIPLE_INSTANCE    => 0, # counter global to the instance
-    COUNTER_MULTIPLE_SUBINSTANCE => 1, # counter defined per subinstance
+    COUNTER_MULTIPLE_SUBINSTANCE => 1, # counter defined per sub instance
 
     # Define the nature of a counter ( numeric or text )
     COUNTER_KIND_METRIC  => 1, # numeric counter with thesholds and perfdata

src/centreon/plugins/values.pm

@@ -166,7 +166,8 @@ sub output {
         }
     }
 
-    return sprintf($self->{output_template}, $value, $unit);
+    my $output_template = $self->{output_template} =~ s!%\{([A-Za-z0-9_]+)\}! $self->{result_values}->{$1} // '' !ger;
+    return sprintf($output_template, $value, $unit);
 }
 
 sub use_instances {
@@ -194,7 +195,9 @@ sub perfdata {
         my $cast_int = (defined($perf->{cast_int}) && $perf->{cast_int} == 1) ? 1 : 0;
         my $template = '%s';
 
-        $template = $perf->{template} if (defined($perf->{template}));
+        $template = $perf->{template}=~ s!%\{([A-Za-z0-9_]+)\}! $self->{result_values}->{$1} // '' !ger
+            if defined $perf->{template};
+
         $label = $perf->{label} if (defined($perf->{label}));
         if (defined($perf->{min})) {
             $min = ($perf->{min} =~ /[^0-9.-]/) ? $self->{result_values}->{$perf->{min}} : $perf->{min};

src/network/paloalto/api/custom/api.pm

@@ -29,7 +29,7 @@ use XML::Simple;
 use MIME::Base64 qw(encode_base64);
 use URI::Escape qw(uri_escape);
 use Digest::SHA qw(sha256_hex);
-use centreon::plugins::misc qw(is_empty);
+use centreon::plugins::misc qw(is_empty value_of);
 
 sub new {
     my ($class, %options) = @_;
@@ -53,6 +53,7 @@ sub new {
             'username:s'             => { name => 'username',             default => '' },
             'password:s'             => { name => 'password',             default => '' },
             'timeout:s'              => { name => 'timeout',              default => 30 },
+            'target:s'               => { name => 'target',               default => '' },
             'unknown-http-status:s'  => { name => 'unknown_http_status',  default => '%{http_code} < 200 or %{http_code} >= 300' },
             'warning-http-status:s'  => { name => 'warning_http_status',  default => '' },
             'critical-http-status:s' => { name => 'critical_http_status', default => '' }
@@ -78,17 +79,10 @@ sub set_defaults {}
 sub check_options {
     my ($self, %options) = @_;
 
-    $self->{hostname}             = $self->{option_results}->{hostname};
-    $self->{port}                 = $self->{option_results}->{port};
-    $self->{proto}                = $self->{option_results}->{proto};
-    $self->{auth_type}            = $self->{option_results}->{auth_type};
-    $self->{api_key}              = $self->{option_results}->{api_key};
-    $self->{username}             = $self->{option_results}->{username};
-    $self->{password}             = $self->{option_results}->{password};
-    $self->{timeout}              = $self->{option_results}->{timeout};
-    $self->{unknown_http_status}  = $self->{option_results}->{unknown_http_status};
-    $self->{warning_http_status}  = $self->{option_results}->{warning_http_status};
-    $self->{critical_http_status} = $self->{option_results}->{critical_http_status};
+    $self->{$_} = $self->{option_results}->{$_} foreach qw/hostname port proto timeout
+                                                           auth_type api_key username password
+                                                           target
+                                                           unknown_http_status warning_http_status critical_http_status/;
 
     $self->{output}->option_exit(short_msg => "Need to specify --hostname option.")
         if $self->{hostname} eq '';
@@ -135,9 +129,9 @@ sub generate_api_key {
     my $content = $self->{http}->request(
         url_path        => '/api/',
         method          => 'POST',
-        get_param       => ['type=keygen'],
+        get_param       => [ 'type=keygen' ],
         query_form_post => 'user=' . uri_escape($self->{username}) . '&password=' . uri_escape($self->{password}),
-        header          => ['Content-Type: application/x-www-form-urlencoded'],
+        header          => [ 'Content-Type: application/x-www-form-urlencoded' ],
         unknown_status  => '',
         warning_status  => '',
         critical_status => ''
@@ -191,12 +185,17 @@ sub _build_auth_header {
 sub _http_request {
     my ($self, %options) = @_;
 
+    my %params = (
+        'type' => $options{type}
+    );
+    $params{'cmd'} = $options{cmd} if $options{cmd};
+    $params{'action'} = $options{action} if $options{action};
+    $params{'xpath'} = $options{xpath} if $options{xpath};
+    $params{'target'} = $self->{target} if $self->{target};
+
     return $self->{http}->request(
         url_path  => '/api/',
-        get_params => {
-            'type' => $options{type},
-            'cmd' => $options{cmd}
-        },
+        get_params => \%params,
         header => [
             $self->_build_auth_header(),
             'Accept: application/xml'
@@ -215,20 +214,17 @@ sub _parse_xml {
     $self->{output}->option_exit( short_msg => "API returns empty content [code: '" . $self->{http}->get_code() . "'] [message: '" . $self->{http}->get_message() . "']")
         if is_empty($content);
 
-    $self->{output}->option_exit(short_msg => "Cannot find XML response in API reply.")
-        unless $content =~ /(<response status=["'](.*?)["']>.*<\/response>)/ms;
-
-    my ($xml, $status) = ($1, $2);
-    $self->{output}->option_exit(short_msg => "API response status: $status")
-        unless $status eq 'success';
-
     my $result;
     eval {
-        $result = XMLin($xml, ForceArray => $options{ForceArray} // [], KeyAttr => []);
+        $result = XMLin($content, ForceArray => $options{ForceArray} // [], KeyAttr => []);
     };
+
     $self->{output}->option_exit(short_msg => "Cannot decode XML response: $@")
         if $@;
 
+    $self->{output}->option_exit(short_msg => "API response status: ".value_of($result, "->{status}", "UNKNOWN"))
+        unless ref $result eq 'HASH' && $result->{status} && $result->{status} eq 'success';
+
     return $result->{result};
 }
 
@@ -304,6 +300,10 @@ Also used with --auth-type=api-key to auto-generate or regenerate the API key.
 
 Password.
 
+=item B<--target>
+
+Firewall serial number to monitor. Only applicable when the hostname points to Panorama.
+
 =item B<--timeout>
 
 HTTP request timeout in seconds (default: 30).

src/network/paloalto/api/mode/certificate.pm

@@ -0,0 +1,252 @@
+#
+# Copyright 2026-Present Centreon (http://www.centreon.com/)
+#
+# Centreon is a full-fledged industry-strength solution that meets
+# the needs in IT infrastructure and application monitoring for
+# service performance.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package network::paloalto::api::mode::certificate;
+
+use base qw(centreon::plugins::templates::counter);
+
+use strict;
+use warnings;
+use centreon::plugins::templates::catalog_functions qw(catalog_status_threshold_ng);
+use centreon::plugins::constants qw(:counters);
+use DateTime::Format::Strptime;
+use centreon::plugins::misc qw(is_excluded is_empty);
+
+sub prefix_device_output {
+    my ($self, %options) = @_;
+    return "Device '" . $options{instance_value}->{hostname} . "' (" . $options{instance_value}->{serial} . ") ";
+}
+
+sub set_counters {
+    my ($self, %options) = @_;
+
+    $self->{maps_counters_type} = [
+        { name => 'devices', type => COUNTER_TYPE_INSTANCE, cb_prefix_output => 'prefix_device_output',
+          message_multiple => 'All device certificates are OK' }
+    ];
+
+    $self->{maps_counters}->{devices} = [
+        {
+            label => 'certificate-status',
+            type  => COUNTER_KIND_TEXT,
+            critical_default => '%{cert_status} !~ /valid|ok/i',
+            set => {
+                key_values => [ { name => 'cert_status' }, { name => 'serial' }, { name => 'hostname' }, { name => 'connected' } ],
+                output_template => 'certificate status: %{cert_status}',
+                closure_custom_threshold_check => \&catalog_status_threshold_ng
+            }
+        },
+        {
+            label => 'certificate-subject',
+            type  => COUNTER_KIND_TEXT,
+            display_ok => 0,
+            set => {
+                key_values => [ { name => 'cert_subject' }, { name => 'serial' }, { name => 'hostname' }, { name => 'connected' } ],
+                output_template => 'subject: %{cert_subject}',
+                closure_custom_threshold_check => \&catalog_status_threshold_ng
+            }
+        },
+        {
+            label => 'certificate-expiry',
+            nlabel => 'device.certificate.expiry.days',
+            set => {
+                key_values => [ { name => 'cert_expiry_days' }, { name => 'serial' }, { name => 'hostname' }, { name => 'connected' } ],
+                output_template => 'expires in: %{cert_expiry_days} days',
+                perfdatas => [
+                    { template => '%s', unit => 'd', min => 0, instance_use => 'hostname', label_extra_instance => 1 }
+                ]
+            }
+        },
+        {
+            label => 'certificate-custom-usage',
+            type  => COUNTER_KIND_TEXT,
+            display_ok => 0,
+            set => {
+                key_values => [ { name => 'custom_cert_usage' }, { name => 'serial' }, { name => 'hostname' }, { name => 'connected' } ],
+                output_template => 'custom certificate usage: %{custom_cert_usage}',
+                closure_custom_threshold_check => \&catalog_status_threshold_ng
+            }
+        }
+    ];
+}
+
+sub new {
+    my ($class, %options) = @_;
+    my $self = $class->SUPER::new(package => __PACKAGE__, %options, force_new_perfdata => 1);
+    bless $self, $class;
+
+    $options{options}->add_options(arguments => {
+        'include-device-serial:s'     => { name => 'include_device_serial',   default => '' },
+        'exclude-device-serial:s'     => { name => 'exclude_device_serial',   default => '' },
+        'include-device-hostname:s'   => { name => 'include_device_hostname', default => '' },
+        'exclude-device-hostname:s'   => { name => 'exclude_device_hostname', default => '' },
+        'connected-only'              => { name => 'connected_only' }
+    });
+
+    return $self;
+}
+
+sub manage_selection {
+    my ($self, %options) = @_;
+
+    my $filter = $self->{option_results}->{connected_only} ? 'connected' : 'all';
+    my $result = $options{custom}->request_api(
+        type => 'op',
+        cmd  => "<show><devices><$filter></$filter></devices></show>",
+        ForceArray => [ 'entry' ]
+    );
+
+    $self->{devices} = {};
+
+    $self->{output}->option_exit(short_msg => "No certificates found !")
+        unless $result && ref $result->{devices} eq 'HASH';
+
+    foreach my $device (@{$result->{devices}->{entry}}) {
+        my $serial = $device->{name};
+        my $hostname = $device->{hostname} // '';
+
+        next if is_excluded($serial, $self->{option_results}->{include_device_serial}, $self->{option_results}->{exclude_device_serial}, output => $self->{output}) ||
+                is_excluded($hostname, $self->{option_results}->{include_device_hostname}, $self->{option_results}->{exclude_device_hostname}, output => $self->{output});
+
+        my $connected = lc($device->{connected} // 'no');
+        my $cert_expiry_days = -1;
+        $cert_expiry_days = $self->_calculate_days_until_expiry($device->{'certificate-expiry'})
+            if exists $device->{'certificate-expiry'};
+
+        $self->{devices}->{$serial} = {
+            serial              => $serial,
+            hostname            => $hostname,
+            connected           => $connected,
+            cert_status         => $device->{'certificate-status'} // '',
+            cert_subject        => $device->{'certificate-subject-name'} // '',
+            cert_expiry_days    => $cert_expiry_days,
+            custom_cert_usage   => $device->{'custom-certificate-usage'} // '',
+        };
+    }
+}
+
+sub _calculate_days_until_expiry {
+    my ($self, $expiry_str) = @_;
+
+    return -1 if is_empty($expiry_str);
+
+    my $parser = DateTime::Format::Strptime->new(
+        pattern => '%b %d, %Y',
+        on_error => 'undef',
+        time_zone => 'UTC'
+    );
+
+    my $expiry_dt = $parser->parse_datetime($expiry_str);
+    return -1 unless $expiry_dt;
+
+    return int(($expiry_dt->epoch() - time()) / 86400);
+}
+
+1;
+
+__END__
+
+=head1 MODE
+
+Check Palo Alto Panorama managed devices certificate information.
+
+=over 8
+
+=item B<--filter-counters>
+
+Only display some counters (regexp can be used).
+Example: --filter-counters='^certificate-status$'
+
+=item B<--include-device-serial>
+
+Include only specific device by serial number (regexp can be used).
+
+=item B<--exclude-device-serial>
+
+Exclude specific device by serial number (regexp can be used).
+
+=item B<--include-device-hostname>
+
+Include only specific device by hostname (regexp can be used).
+
+=item B<--exclude-device-hostname>
+
+Exclude specific device by hostname (regexp can be used).
+
+=item B<--connected-only>
+
+Only check connected devices.
+
+=item B<--unknown-certificate-status>
+
+Define the conditions to match for the status to be UNKNOWN.
+You can use the following variables: %{cert_status}, %{serial}, %{hostname}, %{connected}
+
+=item B<--warning-certificate-status>
+
+Define the conditions to match for the status to be WARNING.
+You can use the following variables: %{cert_status}, %{serial}, %{hostname}, %{connected}
+
+=item B<--critical-certificate-status>
+
+Define the conditions to match for the status to be CRITICAL (default: '%{cert_status} !~ /valid|ok/i').
+You can use the following variables: %{cert_status}, %{serial}, %{hostname}, %{connected}
+
+=item B<--unknown-certificate-subject>
+
+Define the conditions to match for the status to be UNKNOWN.
+You can use the following variables: %{cert_subject}, %{serial}, %{hostname}, %{connected}
+
+=item B<--warning-certificate-subject>
+
+Define the conditions to match for the status to be WARNING.
+You can use the following variables: %{cert_subject}, %{serial}, %{hostname}, %{connected}
+
+=item B<--critical-certificate-subject>
+
+Define the conditions to match for the status to be CRITICAL.
+You can use the following variables: %{cert_subject}, %{serial}, %{hostname}, %{connected}
+
+=item B<--warning-certificate-expiry>
+
+Warning threshold for certificate expiry in days.
+
+=item B<--critical-certificate-expiry>
+
+Critical threshold for certificate expiry in days.
+
+=item B<--unknown-certificate-custom-usage>
+
+Define the conditions to match for the status to be UNKNOWN.
+You can use the following variables: %{custom_cert_usage}, %{serial}, %{hostname}, %{connected}
+
+=item B<--warning-certificate-custom-usage>
+
+Define the conditions to match for the status to be WARNING.
+You can use the following variables: %{custom_cert_usage}, %{serial}, %{hostname}, %{connected}
+
+=item B<--critical-certificate-custom-usage>
+
+Define the conditions to match for the status to be CRITICAL.
+You can use the following variables: %{custom_cert_usage}, %{serial}, %{hostname}, %{connected}
+
+=back
+
+=cut