Device uptime too high-paloaltonetworks-panos
Vendor: paloaltonetworks
OS: panos
Description:
Indeni will alert when a device’s uptime is too high
Remediation Steps:
Upgrade the device. You may also change the alert’s threshold, or disable the alert completely, if not needed.
How does this work?
This alert uses the Palo Alto Networks API to retrieve the current uptime (the equivalent of running “show system info” in the CLI).
Why is this important?
When a monitoring system loses connectivity to a device, it may be difficult for it to determine whether the device restarted or is simply unreachable. To deal with that, the uptime is tracked: a reset of the device's uptime between polls is a clear indicator of a device restart.
Without Indeni how would you find this?
An administrator will normally find out that a device has restarted when a service outage actually occurs.
panos-show-system-info-monitoring
name: panos-show-system-info-monitoring
description: Fetch system info for monitoring
type: monitoring
monitoring_interval: 5 minute
requires:
    vendor: paloaltonetworks
    os.name: panos
comments:
    uptime-milliseconds:
        why: |
            When a monitoring system loses connectivity to a device, it may be difficult for it to determine whether the device restarted or is simply unreachable. To deal with that, the uptime is tracked: a reset of the device's uptime between polls is a clear indicator of a device restart.
        how: |
            This alert uses the Palo Alto Networks API to retrieve the current uptime (the equivalent of running "show system info" in the CLI).
        can-with-snmp: true
        can-with-syslog: true
    software-eos-date:
        why: |
            Ensuring the software being used is always within the vendor's list of supported versions is critical. Otherwise, during a critical issue, the vendor may decline to provide technical support. Palo Alto Networks posts the list of supported software on their website ( https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary ). indeni tracks that list and updates this script to match.
        how: |
            This script uses the Palo Alto Networks API to retrieve the current software version (the equivalent of running "show system info" in the CLI). Based on the software version and the Palo Alto Networks provided information at https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary, the correct end of support date is used.
        can-with-snmp: false
        can-with-syslog: false
    hardware-eos-date:
        why: |
            Ensuring the hardware being used is always within the vendor's list of supported models is critical. Otherwise, during a critical issue, the vendor may decline to provide technical support ( https://www.paloaltonetworks.com/services/support/end-of-life-announcements/hardware-end-of-life-dates ). indeni tracks that list and updates this script to match.
        how: |
            This script uses the Palo Alto Networks API to retrieve the current hardware model (the equivalent of running "show system info" in the CLI). Based on the model and the Palo Alto Networks provided information at https://www.paloaltonetworks.com/services/support/end-of-life-announcements/hardware-end-of-life-dates, the correct end of support date is used.
        can-with-snmp: false
        can-with-syslog: false
    vpn-software-eos-date:
        why: |
            Ensuring the VPN software being used is always within the vendor's list of supported versions is critical. Otherwise, during a critical issue, the vendor may decline to provide technical support. Palo Alto Networks posts the list of supported software on their website ( https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary ). indeni tracks that list and updates this script to match.
        how: |
            This script uses the Palo Alto Networks API to retrieve the current VPN software version (the equivalent of running "show system info" in the CLI). Based on the software version and the Palo Alto Networks provided information at https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary, the correct end of support date is used.
        can-with-snmp: false
        can-with-syslog: false
    current-datetime:
        why: |
            The clock of a Palo Alto Networks firewall should always be accurate, as inaccuracies may cause issues with some features and make log analysis unreliable (events from several devices can no longer be correlated by timestamp). Normally, administrators are encouraged to use NTP to keep the clock in sync (and indeni has a script for verifying NTP is working). If NTP is not used, one should still verify that the clock is set correctly.
        how: |
            This script uses the Palo Alto Networks API to retrieve the current date and time (the equivalent of running "show system info" in the CLI). indeni then compares the result to its own clock to find possible discrepancies.
        can-with-snmp: false
        can-with-syslog: false
    os-version:
        why: |
            Two or more devices which operate as part of a single cluster must be running the same version of software.
        how: |
            This script uses the Palo Alto Networks API to retrieve the software version installed on the device. indeni then compares the result to the same script run on other members of the same cluster.
        can-with-snmp: false
        can-with-syslog: false
    model:
        why: |
            Two or more devices which operate as part of a single cluster must be running on the same hardware.
        how: |
            This script uses the Palo Alto Networks API to retrieve the hardware model of the device. indeni then compares the result to the same script run on other members of the same cluster.
        can-with-snmp: false
        can-with-syslog: false
    os-name:
        why: |
            Two or more devices which operate as part of a single cluster must be running the same version of software.
        how: |
            This script uses the Palo Alto Networks API to retrieve the software name and version installed on the device. indeni then compares the result to the same script run on other members of the same cluster.
        can-with-snmp: false
        can-with-syslog: false
    panw-panos-panorama-cert-expr:
        why: |
            On April 3rd, 2017, Palo Alto Networks notified all customers that an upgrade to Panorama may be necessary to ensure uninterrupted communications between the Panorama device and the firewalls. Knowing which Panorama installations are affected is important.
        how: |
            This script uses the Palo Alto Networks API to retrieve the software name and version installed on the device.
        can-with-snmp: false
        can-with-syslog: false
    panw-installed-app-release-date:
        why: |
            The release date of the installed application/threat package shows how far behind the vendor's release train the device is, and therefore which features and signatures it has.
        how: |
            This script uses the Palo Alto Networks API to retrieve the release date of the application package installed on the device.
        can-with-snmp: false
        can-with-syslog: false
    panw-installed-av-release-date:
        why: |
            The release date of the installed anti-virus package shows how far behind the vendor's release train the device is, and therefore which features and signatures it has.
        how: |
            This script uses the Palo Alto Networks API to retrieve the release date of the anti-virus package installed on the device.
        can-with-snmp: false
        can-with-syslog: false
    vendor:
        why: |
            Capture the device vendor name.
        how: |
            The vendor name is set to "Palo Alto Networks".
        can-with-snmp: false
        can-with-syslog: false
    serial-numbers:
        why: |
            Capture the device's serial number. This makes inventory tracking and opening support cases with the vendor easier.
        how: |
            This script uses the Palo Alto Networks API to retrieve the serial number.
        can-with-snmp: false
        can-with-syslog: false
    concurrent-ssl-decryption-limit:
        why: |
            It is important to track the capacity limits of each device.
        how: |
            This script uses the Palo Alto Networks API to retrieve the SSL decryption limit of the device.
steps:
-   run:
        type: HTTP
        command: /api?type=op&cmd=<show><system><info></info></system></show>&key=${api-key}
    parse:
        type: XML
        file: show-system-info-monitoring.parser.1.xml.yaml
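To show what the script above and the rule in the "How does this work?" section actually compute, here is an added Python example (not indeni's parser or rule code) that parses a constructed "show system info" API reply, derives the uptime-milliseconds metric, applies the "uptime too high" threshold and flags the uptime reset that signals a restart. The reply fields and the "N days, H:MM:SS" uptime format are assumptions about the response shape; the 365-day threshold is a placeholder, since the page gives no default.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample reply (shape assumed to match a PAN-OS "show system info"
# XML API response; every value below is invented for the example).
SAMPLE_XML = """<response status="success"><result><system>
<hostname>fw-edge-1</hostname>
<serial>000000000000</serial>
<model>PA-220</model>
<sw-version>9.1.0</sw-version>
<uptime>401 days, 3:27:15</uptime>
</system></result></response>"""

# Assumed uptime format: optional "N days, " prefix followed by H:MM:SS.
UPTIME_RE = re.compile(r"^(?:(\d+) days?, )?(\d+):(\d+):(\d+)$")


def uptime_to_ms(text):
    """Convert 'N days, H:MM:SS' (or plain 'H:MM:SS') into milliseconds."""
    m = UPTIME_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised uptime string: %r" % text)
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return ((days * 24 + hours) * 3600 + minutes * 60 + seconds) * 1000


def parse_system_info(xml_text):
    """Extract the fields the metrics above are built from."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API call failed, status=%r" % root.get("status"))
    system = root.find("./result/system")

    def field(tag):
        return system.findtext(tag, default="").strip()

    return {
        "serial-numbers": field("serial"),
        "model": field("model"),
        "os-version": field("sw-version"),
        "uptime-milliseconds": uptime_to_ms(field("uptime")),
    }


def uptime_too_high(uptime_ms, threshold_days=365):
    """Alert condition: uptime beyond a tunable threshold (365 days assumed)."""
    return uptime_ms > threshold_days * 86400 * 1000


def restarted_since(previous_ms, current_ms):
    """Uptime dropping between two polls means the device rebooted meanwhile."""
    return current_ms < previous_ms
```

Polling this every few minutes and keeping the previous uptime-milliseconds value is enough to distinguish "device rebooted" from "device unreachable" once connectivity returns.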
cross_vendor_uptime_high
Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/crossvendor/cross_vendor_uptime_high.scala