Bond/LACP interface down-paloaltonetworks-panos

error
high-availability
panos
paloaltonetworks
Bond/LACP interface down-paloaltonetworks-panos
0

#1

Bond/LACP interface down-paloaltonetworks-panos

Vendor: paloaltonetworks

OS: panos

Description:
indeni will alert if a bond interface is down.

Remediation Steps:
Review the cause for the interfaces being down.
Use the “show lacp” command to get additional information.

How does this work?
This alert uses the Palo Alto Networks API to retrieve the current status all LACP (ae) interfaces (the equivalent of running “show lacp aggregate-ethernet all” in CLI).

Why is this important?
Link aggregation (LACP) is used to provide redundancy at the interface level. Instead of relying on a specific interface to work 100% of the time on a given device, an administrator could define multiple physical interfaces to behave as one group. While providing additional stability, the challenge with this mode of operation is that many times there are hidden failures which are ignored. Imagine, for example, if one of the physical interfaces were to be disconnected. Traffic would continue to flow without an issue (thanks to LACP) but the level of redundancy has been descreased. Knowing about such events is therefore, important.

Without Indeni how would you find this?
An administrator could write a script to leverage the Palo Alto Networks API to collect this data periodically and alert appropriately.

panos-show-lacp-aggregate-ethernet-all

#! META
name: panos-show-lacp-aggregate-ethernet-all
description: fetch the status of LACP interfaces
type: monitoring
monitoring_interval: 1 minute
requires:
    vendor: paloaltonetworks
    os.name: panos

#! COMMENTS
bond-state:
    why: |
        Link aggregation (LACP) is used to provide redundancy at the interface level. Instead of relying on a specific interface to work 100% of the time on a given device, an administrator could define multiple physical interfaces to behave as one group. While providing additional stability, the challenge with this mode of operation is that many times there are hidden failures which are ignored. Imagine, for example, if one of the physical interfaces were to be disconnected. Traffic would continue to flow without an issue (thanks to LACP) but the level of redundancy has been descreased. Knowing about such events is therefore, important.
    how: |
        This alert uses the Palo Alto Networks API to retrieve the current status all LACP (ae) interfaces (the equivalent of running "show lacp aggregate-ethernet all" in CLI).
    without-indeni: |
        An administrator could write a script to leverage the Palo Alto Networks API to collect this data periodically and alert appropriately.
    can-with-snmp: true
    can-with-syslog: true
bond-slave-state:
    skip-documentation: true

#! REMOTE::HTTP
url: /api?type=op&cmd=<show><lacp><aggregate-ethernet>all</aggregate-ethernet></lacp></show>&key=${api-key}
protocol: HTTPS

#! PARSER::XML
_vars:
    root: /response/result
_optional_metrics:
    -
        _groups:
            ${root}/entry:
                _temp:
                    slavesDown:
                        _count: entry[lacp-state = 'not active']
                _tags:
                    name:
                        _attribute:
                            _name: "name"
                    "im.name":
                        _constant: "bond-state"
                    "live-config":
                       _constant: "true"
                    "display-name":
                        _constant: "LACP - State"
                    "im.dstype.displayType":
                        _constant: "state"
                    "im.identity-tags":
                        _constant: "name"
        _transform:
            _value.double: |
                {
                    if (temp("slavesDown") == "0") { print "1" } else { print "0" }
                }
    -
        _groups:
            ${root}/entry/entry:
                _temp:
                    state:
                        _text: lacp-state
                _tags:
                    name:
                        _attribute:
                            _name: "name"
                    "bond-name":
                        _attribute:
                            _name: "name"
                            _path: "parent::entry[1]"
                    "im.name":
                        _constant: "bond-slave-state"
                    "live-config":
                       _constant: "true"
                    "display-name":
                        _constant: "LACP Slaves - State"
                    "im.dstype.displayType":
                        _constant: "state"
                    "im.identity-tags":
                        _constant: "name,bond-name"
        _transform:
            _value.double: |
                {
                    if (temp("state") != "not active") { print "1" } else { print "0" }
                }

cross_vendor_bond_down

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.{ConditionalRemediationSteps, StateDownTemplateRule}

/**
  *
  */
case class cross_vendor_bond_down() extends StateDownTemplateRule(
  ruleName = "cross_vendor_bond_down",
  ruleFriendlyName = "All Devices: Bond/LACP interface down",
  ruleDescription = "indeni will alert if a bond interface is down.",
  metricName = "bond-state",
  applicableMetricTag = "name",
  alertItemsHeader = "Interfaces Affected",
  descriptionStringFormat = "",
  alertDescription = "One or more bond interfaces are down.",
  baseRemediationText = "Review the cause for the interfaces being down.")(
  ConditionalRemediationSteps.VENDOR_CP -> "Use the \"cphaconf show_bond\" command to get additional information.",
  ConditionalRemediationSteps.VENDOR_PANOS -> "Use the \"show lacp\" command to get additional information."
)