Contract(s) has expired-paloaltonetworks-panos

warn
panos
paloaltonetworks

Contract(s) has expired-paloaltonetworks-panos

Vendor: paloaltonetworks

OS: panos

Description:
Indeni will alert when a contract has expired. Contracts that have expired more than a set number of days ago will be ignored. The threshold for the number of days after contract expiration can be adjusted by the user.

Remediation Steps:
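Renew any contracts that need to be renewed.
Review this article on the Palo Alto Networks Support Site: Activate Licenses and Subscriptions (https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/getting-started/activate-licenses-and-subscriptions).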

How does this work?
This alert logs into the Palo Alto Networks firewall through SSH and retrieves the support information including the expiration date.

Why is this important?
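To ensure the optimal performance of a device, it is critical to review its support contracts periodically and make sure they are renewed on time. An expired support contract typically also means losing access to vendor software updates, including security fixes, and to vendor support.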

Without Indeni how would you find this?
A manual review of the contracts is possible. Usually an organization’s purchasing team would also keep track of contracts and their expiration, but this is not always the case.

panos-request-support-info

#! META
# Script metadata: a monitoring script that is scheduled every 60 minutes.
# The `requires` tags below name vendor paloaltonetworks and os.name panos;
# presumably they restrict the script to devices carrying those tags - confirm.
name: panos-request-support-info
description: fetch support contract info
type: monitoring
monitoring_interval: 60 minute
requires:
    vendor: paloaltonetworks
    os.name: panos
	
#! COMMENTS
# Human-readable documentation for the contract-expiration metric.
# NOTE(review): the `how` text below says the data is retrieved over SSH, while
# this script's REMOTE::HTTP section requests the XML API over HTTPS with an API
# key. The access path decides which credential and which firewall service are
# exposed to the monitoring host, so confirm and align the wording.
contract-expiration:
    why: |
        To ensure the optimal performance of a device, it is critical to review the support periodically and make sure they are renewed on time.
    how: |
        This alert logs into the Palo Alto Networks firewall through SSH and retrieves the support information including the expiration date.
    without-indeni: |
        A manual review of the contracts is possible. Usually an organization's purchasing team would also keep track of contracts and their expiration, but this is not always the case.
    can-with-snmp: true
    can-with-syslog: true

#! REMOTE::HTTP
# Sends the operational command
# <request><support><info></info></support></request> to the device's /api
# endpoint over HTTPS; the closing-tag slashes are URL-encoded as %2F below.
# NOTE(review): the API key travels in the query string (key=${api-key}).
# Query strings are commonly recorded in proxy and web-server access logs, so
# any log that captures this URL should be handled as containing a credential.
# Presumably ${api-key} is substituted from credentials stored for the device -
# confirm, and consider a least-privilege account for the monitoring user.
# PAN-OS can also accept the key in an X-PAN-KEY request header; whether
# REMOTE::HTTP can send custom headers is not visible here.
url: /api?type=op&cmd=<request><support><info><%2Finfo><%2Fsupport><%2Frequest>&key=${api-key}
protocol: HTTPS

#! PARSER::XML
# Turns the XML reply into a single "contract-expiration" metric tagged
# name=Support. The value comes from the ExpiryDate text under
# /response/result/SupportInfoResponse/Support.
_vars:
    root: /response/result
_metrics:
    -
        _tags:
            "im.name":
                _constant: "contract-expiration"
            "name":
                _constant: "Support"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Support Expiration"
            "im.dstype.displayType":
                _constant: "date"
            "im.identity-tags":
                _constant: "name"  
        _temp:
            expires:
                _text: "${root}/SupportInfoResponse/Support/ExpiryDate" # February 18, 2019
        _transform:
            _value.double: |
                {
                    # Parsing: February 18, 2019
                    # NOTE(review): any value other than "Never" is assumed to look like
                    # "Month D, YYYY". An empty or differently formatted ExpiryDate is not
                    # rejected here, so a format change could yield a wrong or missing
                    # value without any error - confirm how date() treats bad input.
                    datestring=temp("expires")

                    if (datestring != "Never") {
                        # Month is derived from the first three letters of the string.
                        month = parseMonthThreeLetter(substr(datestring, 1, 3))
                        # NOTE(review): awk substr() is 1-based, so for the sample date this
                        # starts at the space before the year (" 2019"); presumably date()
                        # coerces it to a number - confirm.
                        year = substr(datestring, length(datestring) - 4)
                        
                        # Day: drop the leading month word, then everything from the comma on.
                        day = datestring
                        sub(/^[A-Za-z]+ /, "", day)
                        sub(/,.*/, "", day)

                        # date() is a helper defined outside this script; presumably it
                        # returns the timestamp stored as the metric value - confirm.
                        licenseexpiration=date(year, month, day)
                        print licenseexpiration
                    } else {
                        # A support entry that never expires is reported as 0.
                        print "0"
                    }
                }

cross_vendor_contract_has_expired
package com.indeni.server.rules.library.crossvendor

import com.indeni.ruleengine.expressions.conditions.{And, GreaterThan, LesserThan}
import com.indeni.ruleengine.expressions.core.{StatusTreeExpression, _}
import com.indeni.ruleengine.expressions.data.{SelectTagsExpression, _}
import com.indeni.ruleengine.expressions.math.PlusExpression
import com.indeni.ruleengine.expressions.utility.NowExpression
import com.indeni.server.params.ParameterDefinition
import com.indeni.server.params.ParameterDefinition.UIType
import com.indeni.server.rules._
import com.indeni.server.rules.library.core.PerDeviceRule
import com.indeni.server.rules.library.{ConditionalRemediationSteps, RuleHelper}
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity
import com.indeni.server.common.data.conditions.True
import com.indeni.apidata.time.TimeSpan
import com.indeni.apidata.time.TimeSpan.TimePeriod

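/**
  * Per-device rule that raises a WARN alert when a contract tracked by the
  * `contract-expiration` time series has expired.
  *
  * A contract is reported only while its expiration lies in the past and the expiration plus
  * the user-configurable "Effective Duration Threshold" (default 30 days) is still in the
  * future. Contracts that expired longer ago than the threshold are no longer reported.
  *
  * NOTE(review): the latest sample is interpreted as a time span in seconds (see
  * `toTimeSpan(TimePeriod.SECOND)`). A collector that emits 0 or a wrongly parsed date falls
  * outside the window and produces no alert, so a parsing fault upstream would presumably go
  * unnoticed here - confirm against the collection scripts.
  */
case class CrossVendorContractHasExpiredRule() extends PerDeviceRule with RuleHelper {

  // User-tunable window, counted from the expiration, during which the alert stays active.
  private val highThresholdParameterName = "Effective_Duration_Threshold"
  private val highThresholdParameter = new ParameterDefinition(
    highThresholdParameterName,
    "",
    "Effective Duration Threshold",
    "How many days the contract expiration alert should be effective.",
    UIType.TIMESPAN,
    TimeSpan.fromDays(30)
  )

  // Rule identity, headline, description and severity. The description text had a typo
  // ("more that"), corrected to "more than".
  override val metadata: RuleMetadata = RuleMetadata
    .builder(
      "cross_vendor_contract_has_expired",
      "All Devices: Contract(s) has expired",
      "Indeni will alert when a contract has expired. " +
        "Contracts that have expired more than a set number of days will be ignored. " +
        "The threshold for the number of days after contract expiration can be adjusted by the user.",
      AlertSeverity.WARN
    )
    .configParameter(highThresholdParameter)
    .build()

  /**
    * Builds the status tree: per device, per contract `name` tag, test the latest
    * `contract-expiration` sample against the current time.
    *
    * @param context supplies the metadata and time-series DAOs used by the selectors
    * @return the expression tree, including the alert headline, description and remediation steps
    */
  override def expressionTree(context: RuleContext): StatusTreeExpression = {
    // Latest sample of the metric, interpreted as a time span measured in seconds.
    val actualValue = TimeSeriesExpression[Double]("contract-expiration").last.toTimeSpan(TimePeriod.SECOND)

    StatusTreeExpression(
      // Which objects to pull (normally, devices)
      SelectTagsExpression(context.metaDao, Set(DeviceKey), True),
      // What constitutes an issue
      StatusTreeExpression(
        // The additional tags we care about (we'll be including this in alert data)
        SelectTagsExpression(context.tsDao, Set("name"), withTagsCondition("contract-expiration")),
        StatusTreeExpression(
          // The time-series we check the test condition against:
          SelectTimeSeriesExpression[Double](context.tsDao, Set("contract-expiration"), denseOnly = false),
          // The condition which, if true, we have an issue. Checked against the time-series we've collected.
          // Both halves must hold: the contract has already expired, and it expired less than the
          // configured threshold ago.
          And(
            LesserThan(
              actualValue,
              NowExpression()
            ),
            GreaterThan(
              PlusExpression[TimeSpan](actualValue, getParameterTimeSpanForTimeSeries(highThresholdParameter)),
              NowExpression()
            )
          )

          // The Alert Item to add for this specific item
        ).withSecondaryInfo(
            scopableStringFormatExpression("${scope(\"name\")}"),
            scopableStringFormatExpression("Expired on %s", timeSpanToDateExpression(actualValue)),
            title = "Affected Contracts"
          )
          .asCondition()
      ).withoutInfo().asCondition()

      // Details of the alert itself
    ).withRootInfo(
      getHeadline(),
      ConstantExpression("One or more contracts has expired. See the list below."),
      // NOTE(review): the vendor links below use target="_blank" without a rel attribute.
      // If the UI that renders these steps permits it, rel="noopener noreferrer" would keep the
      // opened page from getting a window.opener handle and from receiving a Referer header
      // naming this server. Left unchanged here because the rendering path is not visible.
      ConditionalRemediationSteps(
        "Renew any contracts that need to be renewed.",
        ConditionalRemediationSteps.VENDOR_CP ->
          """Make sure you have purchased the required contracts and have updated them in your management server. Review:
            |<a target="_blank" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk33089">Solution sk33089 on Check Point Support Center</a>.""".stripMargin,
        ConditionalRemediationSteps.VENDOR_PANOS ->
          """Review this article on Palo Alto Networks Support Site:
            |<a target="_blank" href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/getting-started/activate-licenses-and-subscriptions">Activate Licenses and Subscriptions</a>.""".stripMargin
      )
    )
  }
}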