Drastic drop in concurrent connections-juniper-junos
Vendor: juniper
OS: junos
Description:
Alert when a drop was detected in the number of concurrent connections.
Remediation Steps:
Review why this may be happening.
How does this work?
This script runs the “show security flow session summary” command via ssh to retrieve the number of concurrent sessions.
Why is this important?
Concurrent-connections tell the number of connections going through the device. The administrator has to monitor the concurrent-connections to avoid traffic drops because of the high number of concurrent-connection.
Without Indeni how would you find this?
The administrator has to log on the device to retrieve the same information.
junos-show-security-flow-session-summary-cluster
name: junos-show-security-flow-session-summary-cluster
description: Retrieve security flow information for chassis cluster nodes
type: monitoring
monitoring_interval: 5 minute
requires:
vendor: juniper
os.name: junos
product: firewall
high-availability: true
comments:
concurrent-connections-limit:
why: "Each device has a limit for concurrent sessions or connections based\
\ on the hardware capability. Exceeding this limit will cause traffic\
\ drops. \n"
how: |
This script runs the "show security flow session summary" command via ssh to retrieve the limit for concurrent sessions.
can-with-snmp: true
can-with-syslog: false
concurrent-connections:
why: |
Concurrent-connections tell the number of connections going through the device. The administrator has to monitor the concurrent-connections to avoid traffic drops because of the high number of concurrent-connection.
how: |
This script runs the "show security flow session summary" command via ssh to retrieve the number of concurrent sessions.
can-with-snmp: true
can-with-syslog: false
steps:
- run:
type: SSH
command: show chassis hardware node local | display xml
parse:
type: XML
file: show-security-flow-session-summary-cluster.parser.1.xml.yaml
- run:
type: SSH
command: show security flow session summary node ${node} | display xml
parse:
type: XML
file: show-security-flow-session-summary-cluster.parser.2.xml.yaml
concurrent_connections_drastic_change_down
package com.indeni.server.rules.library
/*
* Rule is cancelled at the moment since we rewrote Change detection algorithm
* Rule should be re written with the new algorithm
import com.indeni.apidata.data.conditions.True
import com.indeni.ruleengine._
import com.indeni.ruleengine.expressions.conditions.ResultsFound
import com.indeni.ruleengine.expressions.core.{StatusTreeExpression, _}
import com.indeni.ruleengine.expressions.data.{SelectTagsExpression, SelectTimeSeriesExpression, TimeSeriesExpression}
import com.indeni.ruleengine.expressions.scope.ScopableExpression
import com.indeni.ruleengine.expressions.Expression
import com.indeni.ruleengine.expressions.tools.changePointAnalysis.DropDetectionExpression
import com.indeni.server.params._
import com.indeni.server.rules._
import com.indeni.server.rules.library.ConcurrentConnectionsDrasticChangeDownRule._
import com.indeni.server.rules.library.core.PerDeviceRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity
import com.indeni.apidata.time.TimeSpan
*/
/**
* Rule is cancelled at the moment since we rewrote Change detection algorithm
* Rule should be re written with the new algorithm
case class ConcurrentConnectionsDrasticChangeDownRule() extends PerDeviceRule with RuleHelper {
private val reviewedTimeframeParameter = new ParameterDefinition(REVIEWED_TIMEFRAME_PARAMETER_NAME,
"",
"Reviewed Timeframe",
"The window of time we review to detect changes.",
ParameterDefinition.UIType.TIMESPAN,
TimeSpan.fromMinutes(120))
override val metadata: RuleMetadata = RuleMetadata.builder(NAME, "All Devices: Drastic drop in concurrent connections", "Alert when a drop was detected in the number of concurrent connections.", AlertSeverity.ERROR).configParameter(reviewedTimeframeParameter).build()
override def expressionTree: StatusTreeExpression = {
val numOfConnectionsTimeSeries = TimeSeriesExpression[Double]("concurrent-connections")
val actualValue = numOfConnectionsTimeSeries.last
val lastChange = DropDetectionExpression(numOfConnectionsTimeSeries).withLazy
StatusTreeExpression(
// Which objects to pull (normally, devices)
SelectTagsExpression(context.metaDao, Set(DeviceKey), True),
StatusTreeExpression(
// The time-series we check the test condition against:
SelectTimeSeriesExpression[Double](context.tsDao, Set("concurrent-connections"), historyLength = getParameterTimeSpanForRule(reviewedTimeframeParameter)),
// The condition which, if true, we have an issue. Checked against the time-series we've collected
ResultsFound(lastChange)
// The Alert Item to add for this specific item
).withRootInfo(
getHeadline(),
scopableStringFormatExpression("A drop has been detected in the number of concurrent connections. %s.", new ScopableExpression[Any] {
override protected def evalWithScope(time: Long, scope: Scope): String = s"Changed from ${lastChange.eval(time).head.before} to ${lastChange.eval(time).head.after}"
override def args: Set[Expression[_]] = Set(lastChange)
}),
ConstantExpression("Review why this may be happening.")
).asCondition()
).withoutInfo()
}
}
object ConcurrentConnectionsDrasticChangeDownRule {
/* --- Constants --- */
private[library] val NAME = "concurrent_connections_drastic_change_down"
private[library] val REVIEWED_TIMEFRAME_PARAMETER_NAME: String = "reviewed_timeframe"
}
*/