Drastic drop in concurrent connections-paloaltonetworks-panos

error
health-checks
panos
paloaltonetworks
Drastic drop in concurrent connections-paloaltonetworks-panos
0

#1

Drastic drop in concurrent connections-paloaltonetworks-panos

Vendor: paloaltonetworks

OS: panos

Description:
Alert when a drop was detected in the number of concurrent connections.

Remediation Steps:
Review why this may be happening.

How does this work?
This alert uses the Palo Alto Networks API to retrieve the current utilization of the number of sessions allowed in total.

Why is this important?
Tracking the number of concurrent connections is helpful in understanding traffic patterns and load.

Without Indeni how would you find this?
To know what is the current utilization of sessions on a Palo Alto Networks firewall, the user will normally use the CLI. A script could be written to track this data on an ongoing basis.

panos-show-session-info

#! META
name: panos-show-session-info
description: fetch the status of sessions
type: monitoring
monitoring_interval: 1 minute
requires:
    vendor: paloaltonetworks
    os.name: panos
    product: firewall

#! COMMENTS
concurrent-connections-limit:
    why: |
        Each device has a limit to the number of concurrent sessions or connections it supports. Across the Palo Alto Networks product line, different devices are sized for different amounts of sessoins. Reaching the maximum number of sessions allowed may result in an outage.
    how: |
        This alert uses the Palo Alto Networks API to retrieve the current utilization of the number of sessions allowed in total.
    without-indeni: |
        To know what is the current utilization of sessions on a Palo Alto Networks firewall, the user will normally use the CLI.
    can-with-snmp: true
    can-with-syslog: true
concurrent-connections:
    why: |
        Tracking the number of concurrent connections is helpful in understanding traffic patterns and load.
    how: |
        This alert uses the Palo Alto Networks API to retrieve the current utilization of the number of sessions allowed in total.
    without-indeni: |
        To know what is the current utilization of sessions on a Palo Alto Networks firewall, the user will normally use the CLI. A script could be written to track this data on an ongoing basis.
    can-with-snmp: true
    can-with-syslog: true
connections-per-second:
    skip-documentation: true

#! REMOTE::HTTP
url: /api?type=op&cmd=<show><session><info><%2Finfo><%2Fsession><%2Fshow>&key=${api-key}
protocol: HTTPS

#! PARSER::XML
_vars:
    root: /response/result
_metrics:
    -
        _value.double:
            _text: ${root}/num-active
        _tags:
            "im.name":
                _constant: "concurrent-connections"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Sessions - Current"
            "im.dstype.displayType":
                _constant: "number"
    -
        _value.double:
            _text: ${root}/num-max
        _tags:
            "im.name":
                _constant: "concurrent-connections-limit"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Sessions - Limit"
            "im.dstype.displayType":
                _constant: "number"
    -
        _value.double:
            _text: ${root}/cps
        _tags:
            "im.name":
                _constant: "connections-per-second"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "CPS"
            "im.dstype.displayType":
                _constant: "number"

concurrent_connections_drastic_change_down

package com.indeni.server.rules.library
/*

  * Rule is cancelled at the moment since we rewrote Change detection algorithm
  * Rule should be re written with the new algorithm


import com.indeni.apidata.data.conditions.True
import com.indeni.ruleengine._
import com.indeni.ruleengine.expressions.conditions.ResultsFound
import com.indeni.ruleengine.expressions.core.{StatusTreeExpression, _}
import com.indeni.ruleengine.expressions.data.{SelectTagsExpression, SelectTimeSeriesExpression, TimeSeriesExpression}
import com.indeni.ruleengine.expressions.scope.ScopableExpression
import com.indeni.ruleengine.expressions.Expression
import com.indeni.ruleengine.expressions.tools.changePointAnalysis.DropDetectionExpression
import com.indeni.server.params._
import com.indeni.server.rules._
import com.indeni.server.rules.library.ConcurrentConnectionsDrasticChangeDownRule._
import com.indeni.server.rules.library.core.PerDeviceRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity
import com.indeni.apidata.time.TimeSpan
*/
/**
  * Rule is cancelled at the moment since we rewrote Change detection algorithm
  * Rule should be re written with the new algorithm

case class ConcurrentConnectionsDrasticChangeDownRule(context: RuleContext) extends PerDeviceRule with RuleHelper {

  private val reviewedTimeframeParameter = new ParameterDefinition(REVIEWED_TIMEFRAME_PARAMETER_NAME,
    "",
    "Reviewed Timeframe",
    "The window of time we review to detect changes.",
    ParameterDefinition.UIType.TIMESPAN,
    TimeSpan.fromMinutes(120))


  override val metadata: RuleMetadata = RuleMetadata.builder(NAME, "All Devices: Drastic drop in concurrent connections", "Alert when a drop was detected in the number of concurrent connections.", AlertSeverity.ERROR).configParameter(reviewedTimeframeParameter).build()

  override def expressionTree: StatusTreeExpression = {
    val numOfConnectionsTimeSeries = TimeSeriesExpression[Double]("concurrent-connections")
    val actualValue = numOfConnectionsTimeSeries.last
    val lastChange = DropDetectionExpression(numOfConnectionsTimeSeries).withLazy

    StatusTreeExpression(
      // Which objects to pull (normally, devices)
      SelectTagsExpression(context.metaDao, Set(DeviceKey), True),

      StatusTreeExpression(
          // The time-series we check the test condition against:
          SelectTimeSeriesExpression[Double](context.tsDao, Set("concurrent-connections"), historyLength = getParameterTimeSpanForRule(reviewedTimeframeParameter)),

          // The condition which, if true, we have an issue. Checked against the time-series we've collected
          ResultsFound(lastChange)

          // The Alert Item to add for this specific item
      ).withRootInfo(
            getHeadline(),
            scopableStringFormatExpression("A drop has been detected in the number of concurrent connections. %s.", new ScopableExpression[Any] {

              override protected def evalWithScope(time: Long, scope: Scope): String = s"Changed from ${lastChange.eval(time).head.before} to ${lastChange.eval(time).head.after}"
              override def args: Set[Expression[_]] = Set(lastChange)
            }),
            ConstantExpression("Review why this may be happening.")
        ).asCondition()
    ).withoutInfo()
  }
}

object ConcurrentConnectionsDrasticChangeDownRule {

  /* --- Constants --- */

  private[library] val NAME = "concurrent_connections_drastic_change_down"

  private[library] val REVIEWED_TIMEFRAME_PARAMETER_NAME: String = "reviewed_timeframe"
}
  */