High ARP cache usage-paloaltonetworks-panos

Tags: error, health-checks, panos, paloaltonetworks

Vendor: paloaltonetworks

OS: panos

Description:
Indeni will alert when the number of ARP entries stored by a device is nearing the allowed limit.

Remediation Steps:
Identify the cause of the large ARP table. If it is due to a legitimate cause, such as a high number of hosts visible on the available networks, please contact your technical support provider.

How does this work?
This alert uses the Palo Alto Networks API to retrieve the current utilization of the ARP cache: the number of entries in it versus the total limit.

Why is this important?
A network device which forwards traffic needs to know the MAC addresses of the devices it is directly connected to, so it can send traffic at layer 2. To do this, it uses ARP requests. The ARP replies are stored in a cache, which allows the device to avoid issuing ARP requests again and again for the same destination IP. The ARP cache has a finite size to avoid using up all of the available memory. If the ARP cache fills up with entries, some traffic may be dropped or drastically slowed down.

Without Indeni how would you find this?
An administrator could write a script to leverage the Palo Alto Networks API to collect this data periodically and alert appropriately. Alternatively, wait for an issue to occur and check the ARP cache status by running "show arp all".

panos-show-arp-all

#! META
name: panos-show-arp-all
description: fetch the arp data
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: paloaltonetworks
    os.name: panos
    product: firewall

#! COMMENTS
arp-total-entries:
    why: |
        A network device which forwards traffic needs to know the MAC addresses of the devices it is directly connected to, so it can send traffic at layer 2. To do this, it uses ARP requests. The ARP replies are stored in a cache, which allows the device to avoid issuing ARP requests again and again for the same destination IP. The ARP cache has a finite size to avoid using up all of the available memory. If the ARP cache fills up with entries, some traffic may be dropped or drastically slowed down.
    how: |
        This alert uses the Palo Alto Networks API to retrieve the current utilization of the ARP cache - number of entries in it vs the total limit.
    without-indeni: |
        An administrator could write a script to leverage the Palo Alto Networks API to collect this data periodically and alert appropriately. Alternatively, wait for an issue to occur and check the ARP cache status by running "show arp all".
    can-with-snmp: false
    can-with-syslog: false
arp-table:
    why: |
        Tracking ARP entries can indicate when certain hosts are failing to respond to ARP requests. If that host is actually a next-hop router, traffic may not reach its final destination. In addition, a sudden jump in the number of ARP entries that are failing may indicate a connectivity issue at layer 2.
    how: |
        This alert uses the Palo Alto Networks API to retrieve the full ARP table for a Palo Alto Networks firewall, excluding the ARP table of the management interface (normally retrieved via "show arp management").
    without-indeni: |
        An administrator could write a script to leverage the Palo Alto Networks API to collect this data periodically and alert appropriately. Alternatively, wait for an issue to occur and check the ARP cache status by running "show arp all".
    can-with-snmp: false
    can-with-syslog: false
arp-limit:
    skip-documentation: true

#! REMOTE::HTTP
url: /api?type=op&cmd=<show><arp><entry+name+%3D+%27all%27%2F><%2Farp><%2Fshow>&key=${api-key}
protocol: HTTPS

#! PARSER::XML
_vars:
    root: /response/result
_metrics:
    -
        _value.double:
            _text: ${root}/total
        _tags:
            "im.name":
                _constant: "arp-total-entries"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "ARP Cache - Current Entries"
            "im.dstype.displayType":
                _constant: "number"
    -
        _value.double:
            _text: ${root}/max
        _tags:
            "im.name":
                _constant: "arp-limit"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "ARP Cache - Limit"
            "im.dstype.displayType":
                _constant: "number"
    -
        _groups:
            "/response/result/entries/entry":
                _tags:
                    "im.name":
                        _constant: "arp-table"
                _temp:
                    "status":
                        _text: "status"
                _value.complex:
                    "targetip":
                        _text: ip
                    "mac":
                        _text: mac
                    "interface":
                        _text: "interface"
        _transform:
            _value.complex:
                "success": |
                    {
                        if (trim(temp("status")) == "i") { print "0"} else { print "1" }
                    }
        _value: complex-array
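As an added example (not Indeni's code), this is the standalone check the "Without Indeni" paragraph describes: it parses the same `show arp all` XML that the PARSER::XML section above reads (`total`, `max`, and each `entries/entry` with its `status`), and applies the 80% nearing-capacity threshold used by the `arp_neighbor_overflow` rule. The XML response is constructed for the example; the element layout is assumed to match what the parser's XPaths expect.

```python
"""Standalone PAN-OS ARP cache check (added example, not Indeni code).

Parses the XML returned by the operational command
<show><arp><entry name='all'/></arp></show> and flags two conditions:
  * ARP cache utilisation at or above a threshold (80% mirrors the rule)
  * entries whose status is "i" (incomplete: the host never answered)
"""
import xml.etree.ElementTree as ET

# Constructed sample response; element names follow the parser's XPaths.
SAMPLE_XML = """<response status="success"><result>
  <max>1500</max><total>1260</total><timeout>1800</timeout>
  <entries>
    <entry><status> c </status><ip>10.0.0.1</ip><mac>00:1b:17:00:01:10</mac>
           <ttl>1799</ttl><interface>ethernet1/1</interface></entry>
    <entry><status> i </status><ip>10.0.0.254</ip><mac>(incomplete)</mac>
           <ttl>20</ttl><interface>ethernet1/1</interface></entry>
  </entries></result></response>"""


def parse_arp(xml_text):
    """Return (total, limit, entries) from a 'show arp all' XML response."""
    result = ET.fromstring(xml_text).find("result")
    total = int(result.findtext("total"))
    limit = int(result.findtext("max"))
    entries = []
    for e in result.findall("entries/entry"):
        status = (e.findtext("status") or "").strip()
        entries.append({
            "targetip": e.findtext("ip"), "mac": e.findtext("mac"),
            "interface": e.findtext("interface"),
            "success": status != "i",  # same test as the parser's awk transform
        })
    return total, limit, entries


def check(xml_text, threshold_pct=80.0):
    """Evaluate the nearing-capacity rule; returns a dict the caller can act on."""
    total, limit, entries = parse_arp(xml_text)
    pct = 100.0 * total / limit if limit else 0.0  # guard a zero/absent limit
    failing = [e["targetip"] for e in entries if not e["success"]]
    return {"total": total, "limit": limit, "pct": round(pct, 1),
            "alert": pct >= threshold_pct, "failing": failing}


if __name__ == "__main__":
    r = check(SAMPLE_XML)
    print(f"The ARP table has {r['total']} entries where the limit is "
          f"{r['limit']} ({r['pct']}%)" + (" - ALERT" if r["alert"] else ""))
    for ip in r["failing"]:
        print(f"incomplete ARP entry for {ip}")
```

Feed `check()` the body returned by the device's `/api?type=op&cmd=...&key=...` call shown in the REMOTE::HTTP section; the sample above yields 84% utilisation and one incomplete entry.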

arp_neighbor_overflow

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.{ConditionalRemediationSteps, NearingCapacityTemplateRule}

/**
  * Cross-vendor rule: alerts when the ARP table size (arp-total-entries)
  * reaches 80% of the device's ARP limit (arp-limit), with vendor-specific
  * remediation steps for Check Point and Cisco NX-OS.
  */
case class arp_neighbor_overflow() extends NearingCapacityTemplateRule(
  ruleName = "arp_neighbor_overflow",
  ruleFriendlyName = "All Devices: High ARP cache usage",
  ruleDescription = "Indeni will alert when the number of ARP entries stored by a device is nearing the allowed limit.",
  usageMetricName = "arp-total-entries",
  limitMetricName = "arp-limit",
  threshold = 80.0,
  alertDescriptionFormat = "The ARP table has %.0f entries where the limit is %.0f.\n\nThis alert was added per the request of Mart Khizner (Leumi Card).",
  baseRemediationText = "Identify the cause of the large ARP table. If it is due to a legitimate cause, such as a high number of hosts visible on the available networks, please contact your technical support provider.")(
  ConditionalRemediationSteps.VENDOR_CP -> "Review sk43772: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk43772",
  ConditionalRemediationSteps.OS_NXOS ->
    """|
      |1. Use the "show ip arp" NX-OS command to display the Address Resolution Protocol (ARP) table statistics. Note: You must use the feature interface-vlan command before you can display the ARP information for VLAN interfaces.
      |2. Review the ARP table for unknown hosts which may saturate the ARP table of the switch.
      |3. If the number of ARP entries is normal, then consider upgrading the Nexus switch, since it is close to the ARP limit capacity.
      |4. For more information review the Cisco configuration guide: https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/n5k/commands/show-ip-arp.html""".stripMargin
)