Model mismatch across cluster members-paloaltonetworks-panos
3.0 2

Vendor: paloaltonetworks

OS: panos

Description:
Indeni will identify when two devices are members of the same cluster and alert if the hardware model reported by each device is different.

Remediation Steps:
Replace one of the devices to match the other.

How does this work?
This script uses the Palo Alto Networks XML API to run "show system info" and read the device's hardware model (the "model" field collected by the panos-show-system-info-monitoring parser). Indeni then compares that value against the result of the same script run on the other members of the same cluster and alerts when the values are not identical.
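A worked version of that check, added here as an example and not Indeni's parser or rule code: it builds the PAN-OS XML API "show system info" request, parses the model (and the other scalar fields) out of each HA member's reply, and reports any field that differs between members, so it goes slightly beyond the rule's single "model" metric. The host names, serials and XML replies are constructed samples, not captures from real devices; the remark about the X-PAN-KEY header is general PAN-OS API practice, not something stated on this page.

```python
"""Check that HA peers report the same hardware model via the PAN-OS XML API.

Added example, not Indeni's parser. It reads the same thing the
panos-show-system-info-monitoring parser reads: the <model> element of
'show system info'. Network access is shown only as URL construction; the
replies below are constructed samples, not captured from devices.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample replies shaped like the PAN-OS XML API response to
# type=op&cmd=<show><system><info></info></system></show>, abridged to the fields used here.
SAMPLE_RESPONSES = {
    "fw-a": """<response status="success"><result><system>
        <hostname>fw-a</hostname><serial>000000000001</serial>
        <model>PA-3220</model><sw-version>10.1.6</sw-version>
    </system></result></response>""",
    "fw-b": """<response status="success"><result><system>
        <hostname>fw-b</hostname><serial>000000000002</serial>
        <model>PA-3250</model><sw-version>10.1.6</sw-version>
    </system></result></response>""",
}

FIELDS = ("hostname", "serial", "model", "sw-version")


def op_cmd_url(host, api_key, cmd_xml="<show><system><info></info></system></show>"):
    """Build the XML API operational-command URL for one firewall. Passing the key in the
    query string is the documented form; sending it as the X-PAN-KEY header instead keeps
    it out of proxy and web-server logs."""
    return f"https://{host}/api/?" + urlencode({"type": "op", "cmd": cmd_xml, "key": api_key})


def parse_system_info(xml_text):
    """Return FIELDS from a 'show system info' reply; fail closed on any malformed reply."""
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("status") != "success":
        raise ValueError(f"API call failed: status={root.get('status')!r}")
    system = root.find("./result/system")
    if system is None:
        raise ValueError("reply has no <result><system> element")
    info = {}
    for tag in FIELDS:
        el = system.find(tag)
        info[tag] = el.text.strip() if el is not None and el.text else None
    if not info["model"]:
        # An unknown model must never be treated as "matching" the peer.
        raise ValueError("reply has no <model>; refusing to compare an unknown model")
    return info


def find_mismatches(infos, fields=("model", "sw-version")):
    """infos: {member_name: parsed info}. Return {field: {member: value}} for every field
    whose value is not identical across all members; an empty dict means consistent."""
    mismatches = {}
    for field in fields:
        values = {name: info.get(field) for name, info in infos.items()}
        if len(set(values.values())) > 1:
            mismatches[field] = values
    return mismatches


def check_cluster(responses):
    """Parse each member's reply and return alert strings (empty list = no alert)."""
    infos = {name: parse_system_info(xml) for name, xml in responses.items()}
    alerts = []
    for field, values in find_mismatches(infos).items():
        detail = ", ".join(f"{n}={v}" for n, v in sorted(values.items()))
        alerts.append(f"Clustered Devices: {field} mismatch across cluster members ({detail})")
    return alerts


if __name__ == "__main__":
    for line in check_cluster(SAMPLE_RESPONSES):
        print(line)
```

Run against the two constructed replies it raises one alert, for "model" (PA-3220 versus PA-3250), and none for "sw-version", which is identical on both members; a missing or errored reply raises instead of silently counting as a match.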

Why is this important?
Two or more devices which operate as part of a single cluster must be running on the same hardware. PAN-OS enforces this for HA pairs: when the peer's platform model does not match, the device moves to the Suspended state, so a mismatch takes the pair out of service rather than leaving it running in a degraded but unnoticed condition.

Without Indeni how would you find this?
Manual tracking by an administrator (for example, checking "show system info" on each member) is usually the only method for knowing when two devices are not running on the same hardware.

panos-show-system-info-monitoring

Parser source: https://bitbucket.org/indeni/indeni-knowledge/src/master/parsers/src/panw/panos/show-system-info-monitoring.ind

cross_vendor_compare_model

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.SnapshotComparisonTemplateRule
import com.indeni.server.rules.RemediationStepCondition

/**
  * Cross-vendor rule: compares the "model" snapshot metric across the members of a
  * cluster and raises an alert when the values differ. The vendor-specific remediation
  * text passed in the second parameter list is appended only when its condition matches
  * (here: Juniper devices); all other vendors get baseRemediationText alone.
  */
case class CrossVendorCompareModel() extends SnapshotComparisonTemplateRule(
  ruleName = "cross_vendor_compare_model",
  ruleFriendlyName = "Clustered Devices: Model mismatch across cluster members",
  ruleDescription = "Indeni will identify when two devices are part of a cluster and alert if the model of device in use is different.",
  metricName = "model",   // metric written by the per-vendor parsers, e.g. panos-show-system-info-monitoring
  isArray = false,        // one scalar value per device, not a list
  alertDescription = "The members of a cluster of devices must have the same device models in use.",
  baseRemediationText = "Replace one of the devices to match the other.")(
  RemediationStepCondition.VENDOR_JUNIPER ->
    """|1. Run "show version" command to review device model, operating system and software version.
       |2. Each node of SRX must have the same hardware.
       |3. Each node of SRX chassis cluster must be running the same version of Junos.
       |4. Review the following article on Juniper tech support site: <a target="_blank" href="https://kb.juniper.net/InfoCenter/index?page=content&id=KB15911&actp=METADATA">SRX Getting Started - Troubleshoot High Availability (HA)</a>""".stripMargin
)

I can say from my research on this that you will find out very quickly this isn’t even possible unless you forgot to connect the HA1 interface between the two devices. Doing so with HA1 connected will force both firewalls into an HA suspended state.

The benefit of this rule would be that you’ll find out very quickly why your firewalls suddenly quit working.

That, my fellow firewall guru, is the benefit of Indeni right there: knowing exactly why something broke without having to spend time researching the cause.

"If you happen to connect 2 different models in the same HA Pair, you will see the following syslog message:

HA Group 1: Peer device platform model not matching; going to Suspended state"

Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClrsCAC

Agreed. One use case I can think of is someone may have missed a pre-check during RMA replacements :slight_smile: