MAC cache usage high-paloaltonetworks-panos


Vendor: paloaltonetworks

OS: panos

Description:
indeni will alert when the number of MAC entries stored by a device is nearing the allowed limit.

Remediation Steps:
Identify the cause of the large MAC table. If it is due to a legitimate cause, such as a high number of hosts visible on the available networks, please contact your technical support provider.

panos-show-mac-all

#! META
name: panos-show-mac-all
description: fetch the mac data
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: paloaltonetworks
    os.name: panos
    product: firewall

#! COMMENTS
mac-limit:
    why: |
        Switches, and devices with switch-like functionality, need to track the MAC addresses of the devices they are connected to in order to know which port to send data out of. To keep memory from being fully consumed, the MAC cache has a finite size. If the cache fills up, some traffic may be dropped.
    how: |
        This alert uses the Palo Alto Networks API to retrieve the current utilization of the MAC cache - number of entries in it vs the total limit.
    without-indeni: |
        An administrator could write a script to leverage the Palo Alto Networks API to collect this data periodically and alert appropriately. Alternatively, wait for an issue to occur and check the MAC cache status by running "show mac all".
    can-with-snmp: false
    can-with-syslog: false
mac-total-entries:
    skip-documentation: true

#! REMOTE::HTTP
url: /api?type=op&cmd=<show><mac>all</mac></show>&key=${api-key}
protocol: HTTPS

#! PARSER::XML
_vars:
    root: /response/result
_metrics:
    -
        _value.double:
            _text: ${root}/total
        _tags:
            "im.name":
                _constant: "mac-total-entries"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "MAC Cache - Current Entries"
            "im.dstype.displayType":
                _constant: "number"
    -
        _value.double:
            _text: ${root}/max
        _tags:
            "im.name":
                _constant: "mac-limit"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "MAC Cache - Limit"
            "im.dstype.displayType":
                _constant: "number"

cross_vendor_mac_table_limit

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.NearingCapacityTemplateRule

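/**
  * Alerts when MAC table usage ("mac-total-entries") is nearing the limit ("mac-limit"),
  * using the 80% threshold set below.
  */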
case class cross_vendor_mac_table_limit() extends NearingCapacityTemplateRule(
  ruleName = "cross_vendor_mac_table_limit",
  ruleFriendlyName = "All Devices: MAC cache usage high",
  ruleDescription = "indeni will alert when the number of MAC entries stored by a device is nearing the allowed limit.",
  usageMetricName = "mac-total-entries",
  limitMetricName = "mac-limit",
  threshold = 80.0,
  alertDescriptionFormat = "The MAC table has %.0f entries where the limit is %.0f.",
  baseRemediationText = "Identify the cause of the large MAC table. If it is due to a legitimate cause, such as a high number of hosts visible on the available networks, please contact your technical support provider.")()
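
The script that the `without-indeni` note describes, as an added example (not Indeni's code): it reads the same `/response/result/total` and `/response/result/max` fields as the parser above and applies the rule's 80% threshold and alert text. The sample XML is constructed; the function names, the `>=` comparison and sending the key in the `X-PAN-KEY` header (PAN-OS 9.0 or later) instead of the URL are assumptions.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

THRESHOLD_PCT = 80.0  # same value as `threshold` in the rule on this page
CMD = "<show><mac>all</mac></show>"  # op command from the script on this page

# Constructed sample responses, not captured from a real firewall.
SAMPLE_HIGH = ('<response status="success"><result>'
               "<total>6800</total><max>8192</max></result></response>")
SAMPLE_LOW = SAMPLE_HIGH.replace("6800", "1200")
SAMPLE_ERROR = '<response status="error"><msg>constructed error</msg></response>'


def fetch_mac_xml(host, api_key, timeout=10):
    """Run the op command over HTTPS. The key is sent in the X-PAN-KEY header
    (assumes PAN-OS 9.0 or later), which keeps it out of the request URL."""
    query = urllib.parse.urlencode({"type": "op", "cmd": CMD})
    req = urllib.request.Request(f"https://{host}/api?{query}",
                                 headers={"X-PAN-KEY": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_mac_usage(xml_text):
    """Return (total, limit) from /response/result/total and /response/result/max."""
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("status") != "success":
        raise ValueError("API call did not succeed")
    total = root.findtext("result/total")
    limit = root.findtext("result/max")
    if total is None or limit is None:
        raise ValueError("total/max missing from response")
    return float(total), float(limit)


def check_mac_cache(xml_text, threshold_pct=THRESHOLD_PCT):
    """Return the alert text when usage reaches the threshold, else None."""
    total, limit = parse_mac_usage(xml_text)
    if limit <= 0:
        raise ValueError("reported limit is not positive")
    # Assumption: usage at or above the threshold counts as "nearing capacity".
    if 100.0 * total / limit >= threshold_pct:
        return "The MAC table has %.0f entries where the limit is %.0f." % (total, limit)
    return None


if __name__ == "__main__":
    print(check_mac_cache(SAMPLE_HIGH))
```

Run it from a scheduler at the same 5-minute interval the script uses, passing the output of `fetch_mac_xml` to `check_mac_cache`.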