DNS servers used do not match across cluster members-paloaltonetworks-panos

Vendor: paloaltonetworks

OS: panos

Description:
Indeni will identify when two devices are part of a cluster and alert if the DNS servers they are using are different.

Remediation Steps:
Review the DNS configuration on each device to ensure they match.

How does this work?
This script pulls the Palo Alto Networks firewall’s active configuration and extracts the configured DNS servers from there.

Why is this important?
Tracking the currently configured DNS servers on all devices is important to ensure consistent name resolution.

Without Indeni how would you find this?
An administrator may write a script to pull this data from devices and compare against a gold configuration.

panos-show_config_running-monitoring-xml

name: panos-show_config_running-monitoring-xml
description: Fetch the running config (xml)
type: monitoring
monitoring_interval: 60 minute
requires:
    vendor: paloaltonetworks
    os.name: panos
    product: firewall
comments:
    certificate-expiration:
        why: |
            Palo Alto Networks firewalls use certificate for a variety of different purposes. One purpose, for example, is inbound SSL inspection. If the certificate used by the firewall expires, certain services may be unavailable to external users.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration, reviews the certificates saved and retrieves their subject and expiration date.
        without-indeni: |
            An administrator may manually review the certificates and their expiration dates, by looking at the web interface.
        can-with-snmp: true
        can-with-syslog: true
    timezone:
        why: |
            Most configurations in Palo Alto Networks firewalls are synchronized across cluster members. Some are not, the timezone is one of them. It is important to verify that the timezone is the same on all cluster members to avoid confusion or issues.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration and extracts the timezone from there.
        without-indeni: |
            An administrator may write a script to pull this data from cluster members and compare it.
        can-with-snmp: false
        can-with-syslog: false
    domain:
        why: |
            Most configurations in Palo Alto Networks firewalls are synchronized across cluster members. Some are not, the domain name is one of them. It is important to verify that the domain name is the same on all cluster members to avoid confusion or issues.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured domain name from there.
        without-indeni: |
            An administrator may write a script to pull this data from cluster members and compare it.
        can-with-snmp: false
        can-with-syslog: false
    login-banner:
        why: |
            Most configurations in Palo Alto Networks firewalls are synchronized across cluster members. Some are not, the login banner is one of them. It is important to verify that the login banner is the same on all cluster members to avoid confusion or issues.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured login banner from there.
        without-indeni: |
            An administrator may write a script to pull this data from cluster members and compare it.
        can-with-snmp: false
        can-with-syslog: false
    syslog-servers:
        why: |
            Tracking the currently configured Syslog servers on all devices is important to ensure consistent logging.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured Syslog servers from there.
        without-indeni: |
            An administrator may write a script to pull this data from devices and compare against a gold configuration.
        can-with-snmp: false
        can-with-syslog: false
    radius-servers:
        why: |
            Tracking the currently configured RADIUS servers on all devices is important to ensure consistent authentication and access.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured RADIUS servers from there.
        without-indeni: |
            An administrator may write a script to pull this data from devices and compare against a gold configuration.
        can-with-snmp: false
        can-with-syslog: false
    dns-servers:
        why: |
            Tracking the currently configured DNS servers on all devices is important to ensure consistent name resolution.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured DNS servers from there.
        without-indeni: |
            An administrator may write a script to pull this data from devices and compare against a gold configuration.
        can-with-snmp: false
        can-with-syslog: false
    ntp-servers:
        why: |
            Tracking the currently configured NTP servers on all devices is important to ensure consistent time sync.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured NTP servers from there.
        without-indeni: |
            An administrator may write a script to pull this data from devices and compare against a gold configuration.
        can-with-snmp: false
        can-with-syslog: false
    unencrypted-snmp-configured:
        why: |
            SNMPv2c is an insecure protocol (community strings travel in cleartext) and should not be used. Users should prefer the more secure SNMPv3.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured services from there.
        without-indeni: |
            An administrator may write a script to pull this data from devices and compare against a gold configuration.
        can-with-snmp: false
        can-with-syslog: false
    telnet-enabled:
        why: |
            Telnet is an insecure protocol (credentials and sessions travel in cleartext) and should not be used. Users may enable telnet unintentionally and should be alerted if they do so.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured services from there.
        without-indeni: |
            An administrator may write a script to pull this data from devices and compare against a gold configuration.
        can-with-snmp: false
        can-with-syslog: false
    http-server-enabled:
        why: |
            Unencrypted HTTP management access is insecure and should not be used. Users may enable HTTP unintentionally and should be alerted if they do so.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured services from there.
        without-indeni: |
            An administrator may write a script to pull this data from devices and compare against a gold configuration.
        can-with-snmp: false
        can-with-syslog: false
    license-elements-used:
        skip-documentation: true
    app-update-acceptable-lag:
        skip-documentation: true
steps:
-   run:
        type: HTTP
        command: /api?type=op&cmd=<show><config><running></running></config></show>&key=${api-key}
    parse:
        type: XML
        file: show-config-running-m.parser.1.xml.yaml
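As an added example (not Indeni's own collector or parser), the check described under "How does this work?" and "Without Indeni how would you find this?" above, done by hand in Python: build the same show config running API request the interrogation script sends, pull the primary and secondary DNS servers out of the returned XML, and compare them across cluster members, with an ignore list for a member such as a DR-site peer that is meant to use different resolvers. The element path deviceconfig/system/dns-setting/servers/{primary,secondary}, the host names and the XML fragments are assumptions constructed for the example; verify the path against your own firewall's output before relying on it.

```python
"""Compare configured DNS servers across PAN-OS cluster members.

Added example for this page, not Indeni's code. The running-config element
path, host names and XML fragments below are assumptions constructed for
illustration; verify the path against your own `show config running` output.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List
from urllib.parse import urlencode

# The same operational command the interrogation script above sends.
RUNNING_CONFIG_CMD = "<show><config><running></running></config></show>"

# Assumed location of the management-plane DNS servers in the running config.
DNS_SERVERS_PATH = ".//deviceconfig/system/dns-setting/servers"

# Constructed sample API responses trimmed to the relevant subtree (not real
# device output). fw-a and fw-b are an HA pair; fw-dr is a DR-site peer whose
# resolvers are intentionally different and which has no secondary server.
_PAIR_CONFIG = (
    '<response status="success"><result><config><devices>'
    '<entry name="localhost.localdomain"><deviceconfig><system><dns-setting><servers>'
    "<primary>10.0.0.53</primary><secondary>10.0.1.53</secondary>"
    "</servers></dns-setting></system></deviceconfig></entry></devices></config></result></response>"
)
SAMPLE_CONFIGS: Dict[str, str] = {
    "fw-a": _PAIR_CONFIG,
    "fw-b": _PAIR_CONFIG,
    "fw-dr": (
        '<response status="success"><result><config><devices>'
        '<entry name="localhost.localdomain"><deviceconfig><system><dns-setting><servers>'
        "<primary>10.8.0.53</primary>"
        "</servers></dns-setting></system></deviceconfig></entry></devices></config></result></response>"
    ),
}


def build_running_config_url(host: str, api_key: str) -> str:
    """URL-encode the op command from the interrogation script for one firewall."""
    query = urlencode({"type": "op", "cmd": RUNNING_CONFIG_CMD, "key": api_key})
    return f"https://{host}/api?{query}"


def fetch_running_config(host: str, api_key: str, timeout: float = 10.0) -> str:
    """Pull the running config from a live firewall (not exercised offline)."""
    import urllib.request

    with urllib.request.urlopen(build_running_config_url(host, api_key), timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def extract_dns_servers(running_config_xml: str) -> List[str]:
    """Return [primary, secondary] as configured; an unset server is omitted,
    so a member with no dns-setting at all yields an empty list."""
    root = ET.fromstring(running_config_xml)
    servers_node = root.find(DNS_SERVERS_PATH)
    if servers_node is None:
        return []
    servers: List[str] = []
    for tag in ("primary", "secondary"):
        node = servers_node.find(tag)
        if node is not None and node.text and node.text.strip():
            servers.append(node.text.strip())
    return servers


def compare_cluster_dns(configs: Dict[str, str], ignore_members: Iterable[str] = ()) -> Dict[str, object]:
    """Compare the ordered DNS server list of every member against the first one.

    Members named in ignore_members (e.g. a DR peer that must use its own
    resolvers) are left out of the comparison, mirroring the per-device
    alert-ignore the page recommends for BC/DR deployments.
    """
    ignored = set(ignore_members)
    per_member = {name: extract_dns_servers(xml) for name, xml in configs.items() if name not in ignored}
    if not per_member:
        return {"match": True, "per_member": {}, "differences": []}
    ref_name, ref_servers = next(iter(per_member.items()))
    differences = []
    for name, servers in per_member.items():
        if name == ref_name or servers == ref_servers:
            continue
        differences.append({
            "member": name,
            "missing": [s for s in ref_servers if s not in servers],
            "extra": [s for s in servers if s not in ref_servers],
            # Same resolvers but primary/secondary swapped: still a mismatch,
            # since resolution order differs, but worth distinguishing.
            "order_only": sorted(servers) == sorted(ref_servers),
        })
    return {"match": not differences, "per_member": per_member, "differences": differences}


def main() -> None:
    report = compare_cluster_dns(SAMPLE_CONFIGS)
    for member, servers in report["per_member"].items():
        print(f"{member}: {servers or '(no DNS servers configured)'}")
    for diff in report["differences"]:
        print(f"MISMATCH {diff['member']}: missing={diff['missing']} extra={diff['extra']}")
    print("DNS servers match across members" if report["match"] else "DNS servers differ across members")


if __name__ == "__main__":
    main()
```

Run as-is it reports fw-dr as the odd member out; passing ignore_members={"fw-dr"} reproduces the "ignore this alert for those devices only" advice from the note at the end of the page. The API key sits in the query string here only because that is the form the interrogation script uses; it will end up in web-server and proxy logs, so restrict the key to a read-only admin role and rotate it.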

cross_vendor_dns_servers_comparison

// Deprecation warning: Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.SnapshotComparisonTemplateRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

/**
  * Snapshot-comparison rule: for devices Indeni has grouped into a cluster,
  * compares the "dns-servers" array metric collected from each member (on
  * PAN-OS by panos-show_config_running-monitoring-xml) and raises a WARN
  * alert when the lists differ.
  */
case class cross_vendor_dns_servers_comparison() extends SnapshotComparisonTemplateRule(
  ruleName = "cross_vendor_dns_servers_comparison",
  ruleFriendlyName = "Clustered Devices: DNS servers used do not match across cluster members",
  ruleDescription = "Indeni will identify when two devices are part of a cluster and alert if the DNS servers they are using are different.",
  severity = AlertSeverity.WARN,
  metricName = "dns-servers",
  isArray = true,
  alertDescription = "Devices that are part of a cluster must have the same DNS servers used. Review the differences below.",
  baseRemediationText = "Review the DNS configuration on each device to ensure they match.")()

It is important to be alerted when the DNS servers on one HA peer are accidentally misconfigured, or missing entirely. However, in some architecturally specific use cases, such as business continuity or disaster recovery, unique DNS servers per site may be required: the primary site's DNS servers may not be reachable from the secondary site if they are not load balanced across sites but are instead deployed as separate, replicated instances.

This is going to be a unique alert to the Indeni platform. If anyone knows of other systems that monitor this situation please comment. Also, if you have a DR/BC scenario where you wish not to receive this alert you can simply set the alert to be ignored for those devices only.