License usage limit approaching-paloaltonetworks-panos

error
ongoing-maintenance
panos
paloaltonetworks
License usage limit approaching-paloaltonetworks-panos
0

#1

License usage limit approaching-paloaltonetworks-panos

Vendor: paloaltonetworks

OS: panos

Description:
Some licenses are limited to a certain number of elements (such as maximum users). If any of the licenses is nearing its limit, an alert will be issued.

Remediation Steps:
Consider purchasing additional licenses.

panos-show_config_running-monitoring-xml

#! META
name: panos-show_config_running-monitoring-xml
description: Fetch the running config (xml)
type: monitoring
monitoring_interval: 60 minute
requires:
    vendor: paloaltonetworks
    os.name: panos

#! COMMENTS
certificate-expiration:
    why: |
        Palo Alto Networks firewalls use certificate for a variety of different purposes. One purpose, for example, is inbound SSL inspection. If the certificate used by the firewall expires, certain services may be unavailable to external users.
    how: |
        This script pulls the Palo Alto Networks firewall's active configuration, reviews the certificates saved and retrieves their subject and expiration date.
    without-indeni: |
        An administrator may manually review the certificates and their expiration dates, by looking at the web interface.
    can-with-snmp: true
    can-with-syslog: true
timezone:
    why: |
        Most configurations in Palo Alto Networks firewalls are synchronized across cluster members. Some are not, the timezone is one of them. It is important to verify that the timezone is the same on all cluster members to avoid confusion or issues.
    how: |
        This script pulls the Palo Alto Networks firewall's active configuration and extracts the timezone from there.
    without-indeni: |
        An administrator may write a script to pull this data from cluster members and compare it.
    can-with-snmp: false
    can-with-syslog: false
domain:
    why: |
        Most configurations in Palo Alto Networks firewalls are synchronized across cluster members. Some are not, the domain name is one of them. It is important to verify that the domain name is the same on all cluster members to avoid confusion or issues.
    how: |
        This script pulls the Palo Alto Networks firewall's active configuration and extracts the timezone from there.
    without-indeni: |
        An administrator may write a script to pull this data from cluster members and compare it.
    can-with-snmp: false
    can-with-syslog: false
login-banner:
    why: |
        Most configurations in Palo Alto Networks firewalls are synchronized across cluster members. Some are not, the login banner is one of them. It is important to verify that the login banner is the same on all cluster members to avoid confusion or issues.
    how: |
        This script pulls the Palo Alto Networks firewall's active configuration and extracts the timezone from there.
    without-indeni: |
        An administrator may write a script to pull this data from cluster members and compare it.
    can-with-snmp: false
    can-with-syslog: false
syslog-servers:
    why: |
        Tracking the currently configured Syslog servers on all devices is important to ensure consistent logging.
    how: |
        This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured Syslog servers from there.
    without-indeni: |
        An administrator may write a script to pull this data from devices and compare against a gold configuration.
    can-with-snmp: false
    can-with-syslog: false
radius-servers:
    why: |
        Tracking the currently configured RADIUS servers on all devices is important to ensure consistent authentication and access.
    how: |
        This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured RADIUS servers from there.
    without-indeni: |
        An administrator may write a script to pull this data from devices and compare against a gold configuration.
    can-with-snmp: false
    can-with-syslog: false
dns-servers:
    why: |
        Tracking the currently configured DNS servers on all devices is important to ensure consistent name resolution.
    how: |
        This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured DNS servers from there.
    without-indeni: |
        An administrator may write a script to pull this data from devices and compare against a gold configuration.
    can-with-snmp: false
    can-with-syslog: false
ntp-servers:
    why: |
        Tracking the currently configured NTP servers on all devices is important to ensure consistent time sync.
    how: |
        This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured NTP servers from there.
    without-indeni: |
        An administrator may write a script to pull this data from devices and compare against a gold configuration.
    can-with-snmp: false
    can-with-syslog: false
unencrypted-snmp-configured:
    why: |
        SNMPv2c is an unsecure protocol and should not be used. Users should prefer the more secure SNMPv3.
    how: |
        This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured services from there.
    without-indeni: |
        An administrator may write a script to pull this data from devices and compare against a gold configuration.
    can-with-snmp: false
    can-with-syslog: false
telnet-enabled:
    why: |
        Telnet is an unsecure protocol and should not be used. Users may enable telnet unintentionally and should be alerted if they do so.
    how: |
        This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured services from there.
    without-indeni: |
        An administrator may write a script to pull this data from devices and compare against a gold configuration.
    can-with-snmp: false
    can-with-syslog: false
http-server-enabled:
    why: |
        HTTP is an unsecure protocol and should not be used. Users may enable HTTP unintentionally and should be alerted if they do so.
    how: |
        This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured services from there.
    without-indeni: |
        An administrator may write a script to pull this data from devices and compare against a gold configuration.
    can-with-snmp: false
    can-with-syslog: false
license-elements-used:
    skip-documentation: true
app-update-acceptable-lag:
    skip-documentation: true

#! REMOTE::HTTP
url: /api?type=op&cmd=<show><config><running></running></config></show>&key=${api-key}
protocol: HTTPS

#! PARSER::XML
_vars:
    root: /response/result/config
_metrics:
    -
        _groups:
            ${root}/shared/certificate/entry:
                _value.double:
                    _text: "expiry-epoch"
                _tags:
                    name:
                        _text: "subject"
                    "im.name":
                        _constant: "certificate-expiration"
                    "live-config":
                        _constant: "true"
                    "display-name":
                        _constant: "Certificate Expiration"
                    "im.dstype.displayType":
                        _constant: "date"
                    "im.identity-tags":
                        _constant: "name"
    -
        _value.complex:
            value:
                _text: "${root}/devices/entry/deviceconfig/system/timezone"
        _tags:
            "im.name":
                _constant: "timezone"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Timezone"
    -
        _value.complex:
            value:
                _text: "${root}/devices/entry/deviceconfig/system/domain"
        _tags:
            "im.name":
                _constant: "domain"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Domain"
    -
        _value.complex:
            value:
                _text: "${root}/devices/entry/deviceconfig/system/login-banner"
        _tags:
            "im.name":
                _constant: "login-banner"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Login Banner"
    -
        _tags:
            "im.name":
                _constant: "app-update-acceptable-lag"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Application Packages - Acceptable Lag"
            "im.dstype.displayType":
                _constant: "duration"
        _temp:
            isweekly:
                _count: "${root}/devices/entry/deviceconfig/system/update-schedule/threats/recurring/weekly"
            ishourly:
                _count: "${root}/devices/entry/deviceconfig/system/update-schedule/threats/recurring/hourly"
            isdaily:
                _count: "${root}/devices/entry/deviceconfig/system/update-schedule/threats/recurring/daily"
            threshold:
                # This is a hack. The threshold may, or may not exist.
                # If we were to refer to it directly and it didn't exist, the entire metric
                # would have been aborted. So instead, we "name" the text of it, as well as
                # another, related node. If the threshold exists, we'll be getting its value.
                # If it doesn't, we'll get "recurring" (the name of the node in the second path)
                _name: "${root}/devices/entry/deviceconfig/system/update-schedule/threats/recurring/threshold/text() | ${root}/devices/entry/deviceconfig/system/update-schedule/threats/recurring[not(threshold)]"
        _transform:
            _value.double: |
                    {
                        # The acceptable lag depends on the kind of schedule used
                        acceptablelag=0
                        if (temp("isweekly") == "1") {
                            acceptablelag=8*24*3600
                        } else if (temp("ishourly") == "1") {
                            acceptablelag=2*3600
                        } else if (temp("isdaily") == "1") {
                            acceptablelag=47*3600
                        }

                        # Add threshold
                        if (temp("threshold") != "recurring") {
                            acceptablelag = acceptablelag + (temp("threshold") * 3600)
                        }

                        print acceptablelag
                    }
    -
        _tags:
            "im.name":
                _constant: "panw-app-update-action"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Application Packages - Update Action"
            "im.dstype.displayType":
                _constant: "string"
        _value.complex:
            value:
                _text: "${root}/devices/entry/deviceconfig/system/update-schedule/threats/recurring/*/action"
    -
        _groups:
            "${root}//syslog/entry/server/entry":
                _value.complex:
                    "host":
                        _text: "server"
                    "severity":
                        _text: "facility"
                _tags:
                    "im.name":
                        _constant: "syslog-servers"
                    "live-config":
                        _constant: "true"
                    "display-name":
                        _constant: "Syslog Servers"
        _value: complex-array
    -
        _groups:
            "${root}//radius/entry/server/entry":
                _value.complex:
                    "host":
                        _text: "ip-address"
                    "port":
                        _text: "port"
                _tags:
                    "im.name":
                        _constant: "radius-servers"
                    "live-config":
                        _constant: "true"
                    "display-name":
                        _constant: "RADIUS Servers"
        _value: complex-array
    -
        _groups:
            "/response/result/config/devices/entry/deviceconfig/system/dns-setting/servers/*":
                _value.complex:
                    "ipaddress":
                        _text: .
                _tags:
                    "im.name":
                        _constant: "dns-servers"
                    "live-config":
                        _constant: "true"
                    "display-name":
                        _constant: "DNS Servers"
        _value: complex-array
    -
        _groups:
            "/response/result/config/devices/entry/deviceconfig/system/ntp-servers/*/ntp-server-address":
                _value.complex:
                    "ipaddress":
                        _text: .
                _tags:
                    "im.name":
                        _constant: "ntp-servers"
                    "live-config":
                        _constant: "true"
                    "display-name":
                        _constant: "NTP Servers"
        _value: complex-array
    -
        _value.double:
            _count: /response/result/config/devices/entry/vsys/entry
        _tags:
            "name":
                _constant: "vsys"
            "im.name":
                _constant: "license-elements-used"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Licenses - Usage"
            "im.dstype.displayType":
                _constant: "number"
            "im.identity-tags":
                _constant: "name"
    -
        _tags:
            "im.name":
                _constant: "unencrypted-snmp-configured"
        _temp:
            hasSnmpV2c:
                _count: "/response/result/config/devices/entry/deviceconfig/system/snmp-setting/access-setting/version/v2c"
        _transform:
            _value.complex:
                value: |
                    {
                        if (temp("hasSnmpV2c") == "1") {
                            print "true"
                        } else {
                            print "false"
                        }
                    }
    -
        _tags:
            "im.name":
                _constant: "telnet-enabled"
        _temp:
            hasTelnetAtNo:
                _count: "${root}/devices/entry/deviceconfig/system/service/disable-telnet[text() = 'no']"
        _transform:
            _value.complex:
                value: |
                    {
                        if (temp("hasTelnetAtNo") == "1") {
                            print "true"
                        } else {
                            print "false"
                        }
                    }
    -
        _tags:
            "im.name":
                _constant: "http-server-enabled"
        _temp:
            hasHttpAtNo:
                _count: "${root}/devices/entry/deviceconfig/system/service/disable-http[text() = 'no']"
        _transform:
            _value.complex:
                value: |
                    {
                        if (temp("hasHttpAtNo") == "1") {
                            print "true"
                        } else {
                            print "false"
                        }
                    }

panos-show-system-state

#! META
name: panos-show-system-state
description: fetch state information
type: monitoring
monitoring_interval: 10 minutes
requires:
    vendor: paloaltonetworks
    os.name: panos
    product: firewall

#! COMMENTS
routes-limit:
    why: |
        The routing table on a device requires a considerable amount of memory and so is limited in size. If the limit is hit, some routes may be missing and service disruption may occur.
    how: |
        This alert logs into the Palo Alto Networks firewall through SSH and retrieves the state table. In there it looks for the maximum number of routes allowed.
    without-indeni: |
        An administrator would be required to write a script. Alternatively, once an outage occurs, the administrator may see that the routing table is too big.
    can-with-snmp: false
    can-with-syslog: false
license-elements-limit:
    why: |
        Certain features have a license limitation on a Palo Alto Networks firewall. One such feature is the "vsys" feature ( https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/virtual-systems/virtual-systems-overview ). Knowing when the limitation on number of possible vsys's is nearing would help avoid issues during a maintenance.
    how: |
        This alert logs into the Palo Alto Networks firewall through SSH and retrieves the state table. In there it looks for the maximum number of vsys's allowed.
    without-indeni: |
        An administrator would be required to write a script. Alternatively, when creating a new vsys after the limit was reached, the web interface will provide an error message.
    can-with-snmp: false
    can-with-syslog: false

#! REMOTE::SSH
show system state

#! PARSER::AWK

function parseValue(_val) {
	if (_val ~ /0x/) {
		_h=tolower(_val);
		sub(/^0x/,"", _h)
        _v = 0
  		for(_i=1;_i<=length(_h);++_i){
    		_x=index("0123456789abcdef",substr(_h,_i,1))
    		if (!_x) return "NaN"
    		_v=(16*_v)+_x-1
  		}
  		return _v
	} else {
		return _val
	}
}

BEGIN {
}

# cfg.general.max-route: 0x3e8 
/cfg.general.max-route\:/ {
    value = parseValue($NF)
    if (value > 0) {
        writeDoubleMetricWithLiveConfig("routes-limit", null, "gauge", "600", value, "Routes - Limit", "number", "")
    }
}

# cfg.general.licensed-vsys: 0x1
/cfg.general.licensed-vsys/ {
	licensetags["name"] = "vsys"
    value = parseValue($NF)
    if (value > 0) {
        writeDoubleMetricWithLiveConfig("license-elements-limit", licensetags, "gauge", "600", value, "Licenses - Limit", "number", "name")
    }
}

license_usage_limit

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.ConditionalRemediationSteps
import com.indeni.server.rules.library.templates.NearingCapacityWithItemsTemplateRule

/**
  *
  */
case class license_usage_limit() extends NearingCapacityWithItemsTemplateRule(
  ruleName = "license_usage_limit",
  ruleFriendlyName = "All Devices: License usage limit approaching",
  ruleDescription = "Some licenses are limited to a certain number of elements (such as maximum users). If any of the licenses is nearing its limit, an alert will be issued.",
  usageMetricName = "license-elements-used",
  limitMetricName = "license-elements-limit",
  applicableMetricTag = "name",
  threshold = 80.0,
  minimumValueToAlert = 2.0, // We don't want to alert if the license capacity is 1 and we're using one item, this is a common occurence and isn't an issue
  alertDescription = "Some licenses are nearing their limit. Review the list below.",
  alertItemDescriptionFormat = "The number of elements in use is %.0f where the limit is %.0f.",
  baseRemediationText = "Consider purchasing additional licenses.",
  alertItemsHeader = "Affected Licenses")(
  ConditionalRemediationSteps.OS_NXOS ->
    """|
      |1. Run the "show license usage" NX-OS command to display information about the current license usage and the expire date.
      |2. Run the "show license" NX-OS command to view the installed licenses.
      |3. Run the "show license usage XXX" NX-OS command e.g." sh license usage ENHANCED_LAYER2_PKG" to display information about the activated features which utilize this license.
      |4. Consider activate the grace-period for the license.
      |5. Order new license from the CISCO.
      |6. For more information please review the next Cisco guide:
      |https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/nxos/commands/fund/show-license-usage.html
    """.stripMargin
)