Concurrent connection limit nearing-paloaltonetworks-panos

error
health-checks
panos
paloaltonetworks

Vendor: paloaltonetworks

OS: panos

Description:
Indeni will alert when the number of active sessions on a device reaches a configurable percentage (80% by default) of the session limit the platform supports.

Remediation Steps:
Review why this may be happening and consider upgrading the device or redirecting traffic.
Compare the products and the maximum sessions allowed: <a target="_blank" href="https://www.paloaltonetworks.com/products/product-selection">Compare Firewalls</a>

How does this work?
This alert uses the Palo Alto Networks XML API to run the operational command "show session info" once a minute and reads two fields from the reply: num-active (sessions currently allocated) and num-max (the session table capacity of the platform). The issue is raised when num-active is at or above num-max multiplied by the configured threshold percentage. The new connection rate (cps) is collected alongside but does not drive the alert. The collector passes the API key as the key query parameter, so device-side and proxy access logs should be treated as sensitive, and the key should belong to an admin role restricted to XML API operational requests rather than a superuser.

Why is this important?
Each Palo Alto Networks platform has a fixed session table capacity. Once the table is full, new sessions cannot be created and traffic is dropped, so comparing the active count against the limit gives warning before an outage. The trend of concurrent sessions is also useful for understanding traffic patterns and load.

Without Indeni how would you find this?
Without Indeni, an administrator would run "show session info" on the firewall CLI and compare the number of sessions supported with the number currently allocated, or request the same data over the XML API. A script could be written to poll this on an ongoing basis.
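The script described above, written out as an added example (this is not Indeni's or Palo Alto Networks' code): it parses the reply to "show session info", applies the same threshold condition the rule uses (active >= limit * threshold / 100), and treats an API error as an error rather than as zero sessions. The two XML replies are constructed to mirror the fields the rule reads; the hostname and key in check_device() are placeholders, and the request sends the key in the X-PAN-KEY header instead of the URL so it stays out of access logs (check your PAN-OS version's XML API documentation for header support).

```python
"""Poll a PAN-OS firewall for session table utilization over the XML API and
apply the same threshold check as the rule on this page.

Added example, not Indeni's or Palo Alto Networks' code. The two XML replies
below are constructed to mirror the fields the rule reads; host and key
values are placeholders.
"""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed reply shaped like a successful <show><session><info/></session></show>.
SAMPLE_OK = """<response status="success"><result>
  <num-max>262142</num-max>
  <num-active>215000</num-active>
  <cps>1200</cps>
</result></response>"""

# Constructed reply for a rejected key; PAN-OS wraps the text in <result><msg>.
SAMPLE_ERR = """<response status="error" code="403"><result>
  <msg>Invalid credential</msg>
</result></response>"""


class PanApiError(RuntimeError):
    """Device answered, but with status != success."""


def parse_session_info(xml_text: str) -> dict:
    """Return num-active, num-max and cps from the reply.

    An API-level error raises instead of returning zeros, so a revoked key
    is never reported as "0 sessions, all good".
    """
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext("./result/msg") or root.findtext("./msg") or "unknown error"
        raise PanApiError(msg)
    result = root.find("./result")
    if result is None:
        raise PanApiError("no <result> element in reply")

    def counter(tag: str, required: bool = True):
        text = result.findtext(tag)
        if text is None:
            if required:
                raise PanApiError(f"missing <{tag}> in session info")
            return None
        return float(text)

    return {
        "num-active": counter("num-active"),
        "num-max": counter("num-max"),
        "cps": counter("cps", required=False),
    }


def limit_nearing(active: float, limit: float, threshold_pct: float) -> bool:
    """The rule's condition: active >= limit * threshold / 100."""
    if limit <= 0:
        raise ValueError("session limit must be positive")
    return active >= limit * (threshold_pct / 100.0)


def evaluate(xml_text: str, threshold_pct: float = 80.0) -> dict:
    """Turn one reply into an alert decision the way the rule would."""
    try:
        info = parse_session_info(xml_text)
    except (PanApiError, ET.ParseError) as exc:
        return {"status": "error", "message": str(exc)}
    active, limit = info["num-active"], info["num-max"]
    if limit <= 0:
        return {"status": "error", "message": f"bad session limit {limit}"}
    pct = 100.0 * active / limit
    return {
        "status": "alert" if limit_nearing(active, limit, threshold_pct) else "ok",
        "active": active,
        "limit": limit,
        "utilization_pct": round(pct, 2),
        "cps": info["cps"],
        "message": (f"{active:.0f} of {limit:.0f} sessions in use "
                    f"({pct:.1f}%, threshold {threshold_pct:.0f}%)"),
    }


def build_request(host: str, api_key: str) -> urllib.request.Request:
    """Build the op request for show session info.

    The key goes in the X-PAN-KEY header rather than the key= query
    parameter, so it is not written to proxy or web-server access logs.
    urlopen verifies the device certificate by default; trust the firewall's
    CA rather than disabling verification.
    """
    cmd = "<show><session><info/></session></show>"
    url = f"https://{host}/api/?type=op&cmd={urllib.parse.quote(cmd, safe='')}"
    return urllib.request.Request(url, headers={"X-PAN-KEY": api_key})


def check_device(host: str, api_key: str, threshold_pct: float = 80.0) -> dict:
    """Query a live firewall and evaluate the reply (network access required)."""
    with urllib.request.urlopen(build_request(host, api_key), timeout=10) as resp:
        return evaluate(resp.read().decode("utf-8"), threshold_pct)


if __name__ == "__main__":
    # Offline demonstration on the constructed replies.
    print(evaluate(SAMPLE_OK))   # status 'alert': 215000 of 262142 is 82.0%, above 80%
    print(evaluate(SAMPLE_ERR))  # status 'error': Invalid credential
```

Run it on a schedule and feed the returned dict to whatever alerting you have; raising on an error status matters because a monitoring loop that maps "Invalid credential" to zero sessions would report a healthy device while the check is actually blind.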

panos-show-session-info

#! META
name: panos-show-session-info
description: fetch the status of sessions
type: monitoring
monitoring_interval: 1 minute
requires:
    vendor: paloaltonetworks
    os.name: panos
    product: firewall

#! COMMENTS
concurrent-connections-limit:
    why: |
        Each device has a limit to the number of concurrent sessions or connections it supports. Across the Palo Alto Networks product line, different devices are sized for different amounts of sessions. Reaching the maximum number of sessions allowed may result in an outage.
    how: |
        This alert uses the Palo Alto Networks API to retrieve the current utilization of the number of sessions allowed in total.
    without-indeni: |
        To know what is the current utilization of sessions on a Palo Alto Networks firewall, the user will normally use the CLI.
    can-with-snmp: true
    can-with-syslog: true
concurrent-connections:
    why: |
        Tracking the number of concurrent connections is helpful in understanding traffic patterns and load.
    how: |
        This alert uses the Palo Alto Networks API to retrieve the current utilization of the number of sessions allowed in total.
    without-indeni: |
        To know what is the current utilization of sessions on a Palo Alto Networks firewall, the user will normally use the CLI. A script could be written to track this data on an ongoing basis.
    can-with-snmp: true
    can-with-syslog: true
connections-per-second:
    skip-documentation: true

#! REMOTE::HTTP
url: /api?type=op&cmd=<show><session><info><%2Finfo><%2Fsession><%2Fshow>&key=${api-key}
protocol: HTTPS

#! PARSER::XML
_vars:
    root: /response/result
_metrics:
    -
        _value.double:
            _text: ${root}/num-active
        _tags:
            "im.name":
                _constant: "concurrent-connections"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Sessions - Current"
            "im.dstype.displayType":
                _constant: "number"
    -
        _value.double:
            _text: ${root}/num-max
        _tags:
            "im.name":
                _constant: "concurrent-connections-limit"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Sessions - Limit"
            "im.dstype.displayType":
                _constant: "number"
    -
        _value.double:
            _text: ${root}/cps
        _tags:
            "im.name":
                _constant: "connections-per-second"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "CPS"
            "im.dstype.displayType":
                _constant: "number"

concurrent_connection_limit_novsx

package com.indeni.server.rules.library

import com.indeni.ruleengine.expressions.OptionalExpression
import com.indeni.ruleengine.expressions.conditions.GreaterThanOrEqual
import com.indeni.ruleengine.expressions.core._
import com.indeni.ruleengine.expressions.data.{SelectTagsExpression, SelectTimeSeriesExpression, TimeSeriesExpression}
import com.indeni.ruleengine.expressions.math.{DivExpression, TimesExpression}
import com.indeni.server.common.ParameterValue
import com.indeni.server.common.data.conditions.Equals
import com.indeni.server.params.ParameterDefinition
import com.indeni.server.params.ParameterDefinition.UIType
import com.indeni.server.rules._
import com.indeni.server.rules.library.core.PerDeviceRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity


case class ConcurrentConnectionsUsageNoVsxRule() extends PerDeviceRule with RuleHelper {

  private val highThresholdParameterName = "High_Threshold_of_Connection_usage"
  private val highThresholdParameter = new ParameterDefinition(highThresholdParameterName,
    "",
    "High Threshold of Concurrent Connection Usage",
    "What is the threshold for the concurrent connection usage for which once it is crossed an issue will be triggered.",
    UIType.DOUBLE,
    new ParameterValue((80.0).asInstanceOf[Object])
  )

  override val metadata: RuleMetadata = RuleMetadata.builder("concurrent_connection_limit_novsx", "All Devices: Concurrent connection limit nearing",
    "indeni will trigger an issue when the number of connections for a device is too high.", AlertSeverity.ERROR).configParameter(highThresholdParameter).build()

  override def expressionTree(context: RuleContext): StatusTreeExpression = {
    val actualValue = TimeSeriesExpression[Double]("concurrent-connections").last
    val threshold: OptionalExpression[Double] = getParameterDouble(highThresholdParameter)
    val limit = TimeSeriesExpression[Double]("concurrent-connections-limit").last

    StatusTreeExpression(
      // Which objects to pull (normally, devices); Check Point VSX gateways are excluded from this rule
      SelectTagsExpression(context.metaDao, Set(DeviceKey), !Equals("vsx", "true")),

      StatusTreeExpression(
        // The time-series we check the test condition against:
        SelectTimeSeriesExpression[Double](context.tsDao, Set("concurrent-connections", "concurrent-connections-limit"), denseOnly = false),

        // The condition which, if true, we have an issue. Checked against the time-series we've collected
        GreaterThanOrEqual(
          actualValue,
          TimesExpression(limit, DivExpression(threshold, ConstantExpression(Some(100.0)))))

      ).withRootInfo(
        getHeadline(),
        scopableStringFormatExpression("This device has a high number of concurrent connections: %.0f (vs limit of %.0f) which is above the threshold of %.0f%%.\n\nThis issue was added per the request of <a target=\"_blank\" href=\"http://il.linkedin.com/in/motisagey\">Moti Sagey</a>.", actualValue, limit, threshold),
        ConditionalRemediationSteps("Review why this may be happening and consider upgrading the device or redirecting traffic.",
          ConditionalRemediationSteps.VENDOR_CP -> "Consider enabling aggressive aging if it is not yet enabled: <a target=\"_blank\" href=\"https://sc1.checkpoint.com/documents/R76/CP_R76_IPS_AdminGuide/12857.htm#o12861\">Aggressive Aging Configurations</a>",
          ConditionalRemediationSteps.VENDOR_PANOS -> "Compare the products and the maximum sessions allowed: <a target=\"_blank\" href=\"https://www.paloaltonetworks.com/products/product-selection\">Compare Firewalls</a>",
          ConditionalRemediationSteps.VENDOR_BLUECOAT ->
            """The number of current connected clients has reached the device limit.
              |1. Login to the device's web interface and click on "Statistics" -> "Advanced" -> "HTTP" -> "Show HTTP Statistics".
              |2. Check the currently established client connections value and compare it to the maximum acceptable concurrent client connections.
              |3. Limit the number of users or upgrade your license or appliance after consulting with Symantec support.""".stripMargin,
          ConditionalRemediationSteps.VENDOR_JUNIPER ->
            """|1. Each device has a limit for concurrent sessions or connections based on the hardware capacity. Exceeding this limit will cause traffic drops.
               |2. Run the "show security flow session summary" to review the current number of sessions.
               |3. Consider enabling aggressive aging if it is not yet enabled.
               |4. Review the following articles on Juniper TechLibrary for more information: <a target="_blank" href="https://www.juniper.net/documentation/en_US/junos/topics/concept/security-session-capacity-device-expanding.html">Expanding Session Capacity by Device</a>
               |<a target="_blank" href="https://www.juniper.net/documentation/en_US/junos/topics/example/session-termination-for-srx-series-controlling-cli.html">Example: Controlling Session Termination for SRX Series Services Gateways</a>
               |5. If the problem persists, contact the Juniper Networks Technical Assistance Center (JTAC).""".stripMargin
        )
      ).asCondition()
    ).withoutInfo()
  }
}