Device uptime too high-fortinet-FortiOS

Device uptime too high-fortinet-FortiOS
0

Device uptime too high-fortinet-FortiOS

Vendor: fortinet

OS: FortiOS

Description:
Indeni will alert when a device’s uptime is too high

Remediation Steps:
Upgrade the device. You may also change the alert’s threshold, or disable the alert completely, if not needed.

How does this work?
Indeni uses the built-in Fortinet “get system performance status” command to retrieve the current device up-time.

Why is this important?
Capture the uptime of the device. If the uptime is lower than the previous sample, the device must have reloaded.

Without Indeni how would you find this?
An administrator could login and manually run the command via CLI, check the system resources widget via the GUI, enable SNMP, or use Fortinet FortiAnalyzer.

fortios-get-system-performance-status

name: fortios-get-system-performance-status
description: Performance metrics based on "get system performance status" command
    on Fortinet firewall
type: monitoring
monitoring_interval: 1 minute
includes_resource_data: true
requires:
    vendor: fortinet
    os.name: FortiOS
    product: firewall
comments:
    memory-usage:
        why: |
            If the firewall memory becomes fully utilized, performance may be impacted and traffic may be dropped, and in extreme cases the firewall could crash. It is critical to monitor the memory usage and handle the issue prior to resource exhaustion.
        how: |
            Indeni uses the built-in Fortinet "get system performance status" command to retrieve the device memory utilization.
        without-indeni: |
            An administrator could login and manually run the command via CLI, check the system resources widget via the GUI, enable SNMP, configure a syslog server for a log message every 5 minutes containing the utilization, or use Fortinet FortiAnalyzer.
        can-with-snmp: true
        can-with-syslog: true
    cpu-usage:
        why: |
            If the firewall CPU becomes fully utilized, performance may be impacted and traffic may be dropped, and in extreme cases the firewall could crash. It is critical to monitor the memory usage and handle the issue prior to resource exhaustion.
        how: |
            Indeni uses the built-in Fortinet "get system performance status" command to retrieve the device CPU utilization.
        without-indeni: |
            An administrator could login and manually run the command via CLI, check the system resources widget via the GUI, enable SNMP, configure a syslog server for a log message every 5 minutes containing the utilization, or use Fortinet FortiAnalyzer.
        can-with-snmp: true
        can-with-syslog: true
    uptime-milliseconds:
        why: |
            Capture the uptime of the device. If the uptime is lower than the previous sample, the device must have reloaded.
        how: |
            Indeni uses the built-in Fortinet "get system performance status" command to retrieve the current device up-time.
        without-indeni: |
            An administrator could login and manually run the command via CLI, check the system resources widget via the GUI, enable SNMP, or use Fortinet FortiAnalyzer.
        can-with-snmp: true
        can-with-syslog: false
    memory-free-kbytes:
        skip-documentation: true
    memory-total-kbytes:
        skip-documentation: true
    memory-used-kbytes:
        skip-documentation: true
steps:
-   run:
        type: SSH
        command: get system performance status
    parse:
        type: AWK
        file: get_system_performance_status.parser.1.awk

cross_vendor_uptime_high

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.apidata.time.TimeSpan
import com.indeni.apidata.time.TimeSpan.TimePeriod
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.TimeIntervalThresholdOnDoubleMetricTemplateRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity
import com.indeni.server.rules.ThresholdDirection
import com.indeni.server.rules.RemediationStepCondition

/**
  *
  */
case class cross_vendor_uptime_high() extends TimeIntervalThresholdOnDoubleMetricTemplateRule(
  ruleName = "cross_vendor_uptime_high",
  ruleFriendlyName = "All Devices: Device uptime too high",
  ruleDescription = "Indeni will alert when a device's uptime is too high",
  severity = AlertSeverity.ERROR,
  metricName = "uptime-milliseconds",
  metricUnits = TimePeriod.MILLISECOND,
  threshold = TimeSpan.fromDays(365 * 10),
  thresholdDirection = ThresholdDirection.ABOVE,
  alertDescriptionFormat = "The current uptime is %.0f seconds. This alert identifies when a device has been up for a very long time and may need an upgrade.",
  alertDescriptionValueUnits = TimePeriod.SECOND,
  baseRemediationText = "Upgrade the device. You may also change the alert's threshold, or disable the alert completely, if not needed.")(
  RemediationStepCondition.VENDOR_CISCO ->
    """|
       |1. Use the "show version" NX-OS command to display the current system uptime.
       |2. Run the "show system reset-reason" to check the reason for the last reboot of the device.
       |3. Check if the installed NX-OS version is supported and review it for software bugs.""".stripMargin
)