License expired-paloaltonetworks-panos

warn
panos
paloaltonetworks
License expired-paloaltonetworks-panos

License expired-paloaltonetworks-panos

Vendor: paloaltonetworks

OS: panos

Description:
indeni will trigger an issue when a license has expired. Licenses that have expired more than a set number of days will be ignored. The threshold for the number of days after license expiration can be adjusted by the user.

Remediation Steps:
Renew any licenses that need to be renewed.
Review this page on licensing: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/getting-started/activate-licenses-and-subscriptions

How does this work?
This alert logs into the Palo Alto Networks firewall through SSH and retrieves the list of applied licenses and expiration date.

Why is this important?
To ensure the optimal performance of a device, it is critical to review the licenses periodically and make sure they are renewed on time.

Without Indeni how would you find this?
A manual review of the licenses is common. Usually an organization’s purchasing team would also keep track of licenses and their expiration, but this is not always the case.

panos-request-license-info

#! META
# Monitoring script, run every 60 minutes against devices tagged vendor=paloaltonetworks / os.name=panos.
# It emits one "license-expiration" metric per license entry that has an expiry date.
name: panos-request-license-info
description: fetch license info
type: monitoring
monitoring_interval: 60 minute
requires:
    vendor: paloaltonetworks
    os.name: panos

#! COMMENTS
# NOTE(review): the "how" text below says the data is collected over SSH, but the REMOTE::HTTP
# section of this script issues an HTTPS API request authenticated with an API key. Confirm and
# align the wording, since it determines which credential and which service must be exposed.
license-expiration:
    why: |
        To ensure the optimal performance of a device, it is critical to review the licenses periodically and make sure they are renewed on time.
    how: |
        This alert logs into the Palo Alto Networks firewall through SSH and retrieves the list of applied licenses and expiration date.
    without-indeni: |
        A manual review of the licenses is common. Usually an organization's purchasing team would also keep track of licenses and their expiration, but this is not always the case.
    can-with-snmp: true
    can-with-syslog: true

#! REMOTE::HTTP
# Operational request <request><license><info></info></license></request>; the slashes of the
# closing tags are percent-encoded as %2F. ${api-key} is substituted before the request is sent.
# NOTE(review): the API key is carried in the URL query string, so it can be recorded wherever
# request URLs are logged (proxies, access logs, debug traces). Treat such logs as sensitive and,
# if the deployment allows, back this monitor with a dedicated read-only API account - confirm.
url: /api?type=op&cmd=<request><license><info><%2Finfo><%2Flicense><%2Frequest>&key=${api-key}
protocol: HTTPS

#! PARSER::XML
_vars:
    # Base XPath that every group expression below is relative to.
    root: /response/result
_metrics:
    -
        _groups:
            # One metric per <entry> under licenses whose <expires> is not the literal 'Never';
            # perpetual licenses therefore produce no license-expiration metric at all.
            ${root}/licenses/entry[not(expires = 'Never')]:
                _tags:
                    "im.name":
                        _constant: "license-expiration"
                    "live-config":
                        _constant: "true"
                    "display-name":
                        _constant: "License Expiration"
                    "im.dstype.displayType":
                        _constant: "date"
                    "im.identity-tags":
                        _constant: "name"  
                # Raw child-element texts, read back with temp(...) in _transform.
                _temp:
                    feature:
                        _text: "feature" # Threat Prevention
                    serial:
                        _text: "serial" # 001606056959
                    expires:
                        _text: "expires" # February 18, 2019
        _transform:
            _tags:
                # Identity tag "name", e.g. "Threat Prevention - serial: 001606056959".
                name: |
                    {print temp("feature") " - serial: " temp("serial")}
            _value.double: |
                {
                    # Parsing: February 18, 2019
                    # assumes every non-'Never' value has the form "<Month> <day>, <year>" - TODO confirm
                    datestring=temp("expires")

                    # First three letters of the month name ("Feb"); presumably mapped to a month number.
                    month = parseMonthThreeLetter(substr(datestring, 1, 3))
                    # NOTE(review): length - 4 starts one character before the year, so the value
                    # is " 2019" with a leading space. This only works if date() coerces it to a
                    # number; length - 3 would select exactly the four digits. Confirm.
                    year = substr(datestring, length(datestring) - 4)
                    # Day of month: drop the leading month word, then everything from the comma on.
                    day = datestring
                    sub(/^[A-Za-z]+ /, "", day)
                    sub(/,.*/, "", day)

                    # The printed result of date(...) becomes the metric value for this license.
                    licenseexpiration=date(year, month, day)
                    print licenseexpiration
                }

cross_vendor_license_has_expired
package com.indeni.server.rules.library

import com.indeni.apidata.time.TimeSpan
import com.indeni.apidata.time.TimeSpan.TimePeriod
import com.indeni.ruleengine.expressions.conditions.{And, GreaterThan, LesserThan}
import com.indeni.ruleengine.expressions.core.{StatusTreeExpression, _}
import com.indeni.ruleengine.expressions.data._
import com.indeni.ruleengine.expressions.math.PlusExpression
import com.indeni.ruleengine.expressions.utility.NowExpression
import com.indeni.server.common.data.conditions.True
import com.indeni.server.params.ParameterDefinition
import com.indeni.server.params.ParameterDefinition.UIType
import com.indeni.server.rules._
import com.indeni.server.rules.library.core.PerDeviceRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

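/**
  * Per-device rule that raises a WARN issue for every license whose `license-expiration`
  * metric lies in the past, as long as the expiry is not older than a configurable window.
  *
  * The rule metadata and the parameter text both state that licenses expired for longer than
  * the threshold are ignored, so an issue is active only while
  * `expiry < now < expiry + threshold`. An expired security subscription should therefore be
  * reported from the moment it lapses, not only after the window has passed.
  */
case class LicenseHasExpiredRule() extends PerDeviceRule with RuleHelper {

  private val highThresholdParameterName = "Effective_Duration_Threshold"

  // User-adjustable window (default 30 days) during which an expired license keeps alerting.
  private val highThresholdParameter = new ParameterDefinition(
    highThresholdParameterName,
    "",
    "Effective Duration Threshold",
    "How many days the license expiration issue should be effective",
    UIType.TIMESPAN,
    TimeSpan.fromDays(30)
  )

  override val metadata: RuleMetadata = RuleMetadata
    .builder(
      "cross_vendor_license_has_expired",
      "All Devices: License expired",
      "indeni will trigger an issue when a license has expired. Licenses that have expired more that a set number of days will be ignored.  The threshold for the number of days after licence expiration can be adjusted by the user.",
      AlertSeverity.WARN
    )
    .configParameter(highThresholdParameter)
    .build()

  /**
    * Builds the evaluation tree: per device, per `name` tag of the `license-expiration`
    * metric, compare the latest sample with the current time.
    *
    * @param context supplies the metadata and time-series DAOs used by the select expressions
    * @return the status tree with headline, description and vendor-specific remediation steps
    */
  override def expressionTree(context: RuleContext): StatusTreeExpression = {
    // Latest sample of the metric, interpreted as a time span expressed in seconds.
    val actualValue = TimeSeriesExpression[Double]("license-expiration").last.toTimeSpan(TimePeriod.SECOND)

    StatusTreeExpression(
      // Which objects to pull (normally, devices)
      SelectTagsExpression(context.metaDao, Set(DeviceKey), True),
      // What constitutes an issue
      StatusTreeExpression(
        // The additional tags we care about (we'll be including this in alert data)
        SelectTagsExpression(context.tsDao, Set("name"), withTagsCondition("license-expiration")),
        StatusTreeExpression(
          // The time-series we check the test condition against:
          SelectTimeSeriesExpression[Double](context.tsDao, Set("license-expiration"), denseOnly = false),
          // The condition which, if true, we have an issue. Checked against the time-series we've collected
          And(
            // The license has already expired: its expiry lies before now.
            LesserThan(actualValue, NowExpression()),
            // ...and it is still inside the effective window: expiry + threshold is after now.
            // The operands were previously the other way round, which suppressed the issue
            // during the window and raised it only once the window had passed.
            GreaterThan(PlusExpression(actualValue, getParameterTimeSpanForTimeSeries(highThresholdParameter)),
                        NowExpression())
          )

          // The Alert Item to add for this specific item
        ).withSecondaryInfo(
            scopableStringFormatExpression("${scope(\"name\")}"),
            scopableStringFormatExpression("Expired on %s", timeSpanToDateExpression(actualValue)),
            title = "Affected Licenses"
          )
          .asCondition()
      ).withoutInfo().asCondition()
    ).withRootInfo(
      getHeadline(),
      ConstantExpression("One or more licenses have expired. See the list below."),
      // Generic step first, then overrides keyed by vendor or OS.
      ConditionalRemediationSteps(
        "Renew any licenses that need to be renewed.",
        ConditionalRemediationSteps.VENDOR_CP -> "Make sure you have purchased the required licenses and have updated them in your management server: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk33089",
        ConditionalRemediationSteps.VENDOR_PANOS -> "Review this page on licensing: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/getting-started/activate-licenses-and-subscriptions",
        ConditionalRemediationSteps.OS_NXOS ->
          """1. Run the “show license usage” NX-OS command to display information about the current license usage and the license expiration date.
            |2. Run the “show license” NX-OS command to view the installed licenses.
            |3. Run the “show license usage <feature>” NX-OS command e.g.” sh license usage ENHANCED_LAYER2_PKG” to display information about the activated features which utilize this license
            |4. Consider activating the grace-period for the license.
            |5. Order new license from CISCO.
            |6. For more information please review: <a target="_blank" href="https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/nxos/commands/fund/show-license-usage.html">Cisco Guide</a> """.stripMargin,
        ConditionalRemediationSteps.VENDOR_FORTINET ->
          """
            |1. Login via ssh to the Fortinet firewall and execute the FortiOS “get system fortiguard-service status” and “diag autoupdate versions” commands to list current update package versions and license expiry status.
            |2. Login via https to the Fortinet firewall and go to the menu System > Dashboard > Status to locate the License Information widget. All subscribed services should have a green checkmark, indicating that connections are successful. A gray X indicates that the FortiGate unit cannot connect to the FortiGuard network, or that the FortiGate unit is not registered. A red X indicates that the FortiGate unit was able to connect but that a subscription has expired or has not been activated.
            |3. Login via https to the Fortinet firewall to view the FortiGuard connection status by going to System > Config > FortiGuard menu.
            |4. Purchase additional licenses if are needed.
            |5. Consider enabling the issue email setting to the Fortinet firewall in order to receive a issue email prior to FortiGuard license expiration (notification date range: 1 - 100 days). The current issue email status can be provided with the next command: “get alertemail setting”. More details can be found in the next link: https://docs.fortinet.com/uploaded/files/2798/fortigate-cli-ref-54.pdf
            |6. For more information about licensing review  the next  online article “Setting up FortiGuard services” : http://cookbook.fortinet.com/setting-fortiguard-services-54/
            |7. Contact Fortinet Technical support at https://support.fortinet.com/ for further assistance.""".stripMargin
      )
    )
  }
}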