Model mismatch across cluster members-paloaltonetworks-panos

Vendor: paloaltonetworks

OS: panos

Description:
Indeni will identify when two devices are part of a cluster and alert if the model of device in use is different.

Remediation Steps:
Replace one of the devices to match the other.

How does this work?
This script uses the Palo Alto Networks API to retrieve the hardware model of the device. indeni then compares the result to the same script run on other members of the same cluster.

Why is this important?
Two or more devices which operate as part of a single cluster must be running on the same hardware.

Without Indeni how would you find this?
Manual tracking by an administrator is usually the only method for knowing when two devices are not running on the same hardware.

panos-show-system-info-monitoring

name: panos-show-system-info-monitoring
description: Fetch system info for monitoring
type: monitoring
monitoring_interval: 5 minute
requires:
    vendor: paloaltonetworks
    os.name: panos
comments:
    uptime-milliseconds:
        why: |
            When a monitoring system loses connectivity to a device, it may be difficult for it to determine whether the device restarted, or is simply unreachable. To deal with that, the uptime is tracked. The uptime of a device resetting is a clear indicator of a device restart.
        how: |
            This alert uses the Palo Alto Networks API to retrieve the current uptime (the equivalent of running "show system info" in the CLI).
        without-indeni: |
            An administrator will normally find out that a device has restarted when a service outage actually occurs.
        can-with-snmp: true
        can-with-syslog: true
    software-eos-date:
        why: |
            Ensuring the software being used is always within the vendor's list of supported versions is critical. Otherwise, during a critical issue, the vendor may decline to provide technical support. Palo Alto Networks posts the list of supported software on their website ( https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary ). indeni tracks that list and updates this script to match.
        how: |
            This script uses the Palo Alto Networks API to retrieve the current software version (the equivalent of running "show system info" in CLI) and based on the software version and the Palo Alto Networks provided information at https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary the correct end of support date is used.
        without-indeni: |
            Manual tracking by an administrator is usually the only method for knowing when a given device may be nearing its software end of support and is in need of upgrading.
        can-with-snmp: false
        can-with-syslog: false
    hardware-eos-date:
        why: |
            Ensuring the hardware being used is always within the vendor's list of supported models is critical. Otherwise, during a critical issue, the vendor may decline to provide technical support ( https://www.paloaltonetworks.com/services/support/end-of-life-announcements/hardware-end-of-life-dates ). indeni tracks that list and updates this script to match.
        how: |
            This script uses the Palo Alto Networks API to retrieve the current hardware model (the equivalent of running "show system info" in CLI) and based on the model and the Palo Alto Networks provided information at https://www.paloaltonetworks.com/services/support/end-of-life-announcements/hardware-end-of-life-dates the correct end of support date is used.
        without-indeni: |
            Manual tracking by an administrator is usually the only method for knowing when a given device may be nearing its end of support and is in need of replacement.
        can-with-snmp: false
        can-with-syslog: false
    current-datetime:
        why: |
            The clock of a Palo Alto Networks firewall should always be accurate, as inaccuracies may result in issues with some features, as well as causing a mess in log analysis. Normally, administrators are encouraged to use NTP to keep the clock in sync (and indeni has a script for verifying NTP is working). If NTP is not used, one should still verify that the clock is set correctly.
        how: |
            This script uses the Palo Alto Networks API to retrieve the current date and time (the equivalent of running "show system info" in CLI). indeni then compares the result to its own clock to find possible discrepancies.
        without-indeni: |
            Manual tracking by an administrator is usually the only method for knowing when a given device's clock may be off.
        can-with-snmp: false
        can-with-syslog: false
    os-version:
        why: |
            Two or more devices which operate as part of a single cluster must be running the same version of software.
        how: |
            This script uses the Palo Alto Networks API to retrieve the software version installed on the device. indeni then compares the result to the same script run on other members of the same cluster.
        without-indeni: |
            Manual tracking by an administrator is usually the only method for knowing when two devices are not running the same version of software.
        can-with-snmp: false
        can-with-syslog: false
    model:
        why: |
            Two or more devices which operate as part of a single cluster must be running on the same hardware.
        how: |
            This script uses the Palo Alto Networks API to retrieve the hardware model of the device. indeni then compares the result to the same script run on other members of the same cluster.
        without-indeni: |
            Manual tracking by an administrator is usually the only method for knowing when two devices are not running on the same hardware.
        can-with-snmp: false
        can-with-syslog: false
    os-name:
        why: |
            Two or more devices which operate as part of a single cluster must be running the same software, both by name and by version.
        how: |
            This script uses the Palo Alto Networks API to retrieve the software name and version installed on the device. indeni then compares the result to the same script run on other members of the same cluster.
        without-indeni: |
            Manual tracking by an administrator is usually the only method for knowing when two devices are not running the same version of software.
        can-with-snmp: false
        can-with-syslog: false
    panw-panos-panorama-cert-expr:
        why: |
            On April 3rd, 2017, Palo Alto Networks notified all customers that an upgrade to Panorama may be necessary to ensure uninterrupted communications between the Panorama device and the firewalls. Knowing which Panorama installations are affected is important.
        how: |
            This script uses the Palo Alto Networks API to retrieve the software name and version installed on the device.
        without-indeni: |
            An administrator would need to be aware of the issue and manually look at the software version of all Panorama installations.
        can-with-snmp: false
        can-with-syslog: false
    panw-installed-app-release-date:
        why: |
            Tracking the release date of the installed application/threat package makes it possible to follow the vendor's release trains and the features that each release brings.
        how: |
            This script uses the Palo Alto Networks API to retrieve the release date of the application package installed on the device.
        without-indeni: |
            Manual tracking by an administrator is usually the only method to know the application package release date. You may also track with built in Palo Alto Networks firewall alerts.
        can-with-snmp: false
        can-with-syslog: false
    panw-installed-av-release-date:
        why: |
            Tracking the release date of the installed anti-virus package makes it possible to follow the vendor's release trains and the features that each release brings.
        how: |
            This script uses the Palo Alto Networks API to retrieve the release date of the anti-virus package installed on the device.
        without-indeni: |
            Manual tracking by an administrator is usually the only method to know the anti-virus package release date. You may also track with built in Palo Alto Networks firewall alerts.
        can-with-snmp: false
        can-with-syslog: false
    vendor:
        skip-documentation: true
    serial-numbers:
        skip-documentation: true
    concurrent-ssl-decryption-limit:
        why: |
            It is important to track the capacity limits of each device.
        how: |
            This script uses the Palo Alto Networks API to retrieve the concurrent SSL decryption session limit of the device.
        without-indeni: |
            Manual tracking by an administrator is usually the only method for knowing the SSL decryption limit of a given device.
steps:
-   run:
        type: HTTP
        command: /api?type=op&cmd=<show><system><info></info></system></show>&key=${api-key}
    parse:
        type: XML
        file: show-system-info-monitoring.parser.1.xml.yaml

cross_vendor_compare_model

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.SnapshotComparisonTemplateRule
import com.indeni.server.rules.RemediationStepCondition

/**
  *
  */
case class CrossVendorCompareModel() extends SnapshotComparisonTemplateRule(
  ruleName = "cross_vendor_compare_model",
  ruleFriendlyName = "Clustered Devices: Model mismatch across cluster members",
  ruleDescription = "Indeni will identify when two devices are part of a cluster and alert if the model of device in use is different.",
  metricName = "model",
  isArray = false,
  alertDescription = "The members of a cluster of devices must have the same device models in use.",
  baseRemediationText = "Replace one of the devices to match the other.")(
  RemediationStepCondition.VENDOR_JUNIPER ->
    """|1. Run "show version" command to review device model, operating system and software version.
       |2. Each node of SRX must have the same hardware.
       |3. Each node of SRX chassis cluster must be running the same version of Junos.
       |4. Review the following article on Juniper tech support site: <a target="_blank" href="https://kb.juniper.net/InfoCenter/index?page=content&id=KB15911&actp=METADATA">SRX Getting Started - Troubleshoot High Availability (HA)</a>""".stripMargin
)
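The collector and the comparison rule above are declarative. As an added example (not indeni's code and not a Palo Alto Networks API client), the Python below does the same two steps end to end: it parses a `show system info` XML API response into the metrics the monitoring script names (model, sw-version, uptime, serial, app/av release dates, time) and then runs the snapshot comparison across cluster members for `model` and `os-version`. The two device responses, hostnames, serial numbers and timestamps are constructed so the example runs offline; the model alert text and remediation are taken from the rule above, while the os-version alert wording is an assumption of this example.

```python
# Added example (not indeni's code): parse a PAN-OS "show system info" XML API
# response into the monitored metrics, then run the cross-member snapshot
# comparison performed by the cross_vendor_compare_model rule. All input data
# below is constructed so the example runs offline; in production the XML would
# be the body returned by
#   GET /api?type=op&cmd=<show><system><info></info></system></show>&key=<api-key>
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# <system> child element in the response -> metric name used by the monitoring script.
FIELD_TO_METRIC = {
    "model": "model",
    "sw-version": "os-version",
    "serial": "serial-numbers",
    "app-release-date": "panw-installed-app-release-date",
    "av-release-date": "panw-installed-av-release-date",
    "time": "current-datetime",
}

# Metrics that must agree across cluster members: (alert description, remediation).
# The "model" strings are the rule's own; the "os-version" strings are assumed here.
CLUSTER_INVARIANTS = {
    "model": ("The members of a cluster of devices must have the same device models in use.",
              "Replace one of the devices to match the other."),
    "os-version": ("The members of a cluster must run the same software version.",
                   "Bring both members to the same PAN-OS version."),
}

# PAN-OS renders uptime as "<days> days, H:MM:SS".
UPTIME_RE = re.compile(r"^(?:(\d+) days?, )?(\d+):(\d{2}):(\d{2})$")


def parse_uptime_ms(text: str) -> int:
    """Convert uptime text such as '12 days, 3:45:12' to milliseconds."""
    m = UPTIME_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised uptime string: {text!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return (days * 86400 + hours * 3600 + minutes * 60 + seconds) * 1000


def parse_system_info(xml_text: str) -> Dict[str, object]:
    """Extract the monitored metrics from one API response; fail loudly on API errors."""
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("status") != "success":
        # Failures come back as <response status="error"><result><msg>...</msg></result></response>
        msg = root.findtext(".//msg/line") or root.findtext(".//msg") or "unknown error"
        raise RuntimeError(f"PAN-OS API error: {msg}")
    system = root.find("./result/system")
    if system is None:
        raise RuntimeError("response has no <result><system> element")
    metrics: Dict[str, object] = {
        metric: (system.findtext(field) or "").strip()
        for field, metric in FIELD_TO_METRIC.items()
    }
    metrics["uptime-milliseconds"] = parse_uptime_ms(system.findtext("uptime") or "")
    return metrics


def compare_cluster(members: Dict[str, Dict[str, object]]) -> List[str]:
    """Snapshot comparison: one alert per invariant whose value differs across members."""
    alerts: List[str] = []
    for metric, (description, remediation) in CLUSTER_INVARIANTS.items():
        values = {host: m[metric] for host, m in members.items()}
        if len(set(values.values())) > 1:
            detail = ", ".join(f"{h}={v}" for h, v in sorted(values.items()))
            alerts.append(f"{description} ({detail}) Remediation: {remediation}")
    return alerts


# Constructed responses for two HA peers; serials and timestamps are placeholders.
FW_A = """<response status="success"><result><system>
<hostname>fw-a</hostname><serial>000000000001</serial><model>PA-3220</model>
<sw-version>10.1.9</sw-version><app-version>8700-7860</app-version>
<app-release-date>2023/05/10 12:00:00 PDT</app-release-date>
<av-version>4500-5018</av-version><av-release-date>2023/05/11 04:02:00 PDT</av-release-date>
<uptime>12 days, 3:45:12</uptime><time>Thu May 11 09:00:00 2023</time>
</system></result></response>"""
# Peer B: same PAN-OS version, different model, recently rebooted (e.g. after an RMA swap).
FW_B = (FW_A.replace("fw-a", "fw-b").replace("000000000001", "000000000002")
        .replace("PA-3220", "PA-3250").replace("12 days, 3:45:12", "0 days, 0:04:51"))


def run_example() -> List[str]:
    members = {"fw-a": parse_system_info(FW_A), "fw-b": parse_system_info(FW_B)}
    return compare_cluster(members)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The API-error branch matters in practice: an expired or unauthorised key returns `status="error"`, and silently treating that as an empty model would make two members look identical when nothing was actually collected.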

I can say from my research on this that you will find out very quickly this isn’t even possible unless you forgot to connect the HA1 interface between the two devices. Doing so with HA1 connected will force both firewalls into an HA suspended state.

The benefit of this rule would be that you’ll find out very quickly why your firewalls suddenly quit working.

That, my fellow firewall guru, is the benefit of Indeni right there: knowing exactly why something broke without having to spend time researching the cause.

"If you happen to connect 2 different models in the same HA Pair, you will see the following syslog message:

HA Group 1: Peer device platform model not matching; going to Suspended state"

Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClrsCAC
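As an added example (not from the thread, indeni or Palo Alto Networks), the detection logic below scans syslog for the message quoted above and reports which hosts and HA groups went to the Suspended state. The log lines are constructed; only the message text comes from the Palo Alto Networks article, and the syslog framing (timestamp, hostname, message) is an assumption about how a collector would see it.

```python
# Added example: detect the HA suspension that a platform model mismatch
# triggers, by matching the message quoted from the Palo Alto Networks KB
# article against syslog. Sample lines are constructed; the "timestamp host
# message" framing is an assumption, not a documented PAN-OS log format.
import re
from typing import Dict

HA_MODEL_MISMATCH_RE = re.compile(
    r"HA Group (?P<group>\d+): Peer device platform model not matching; going to Suspended state"
)
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Constructed sample: both peers log the event, the last two lines are unrelated filler.
SAMPLE_SYSLOG = """\
May 11 09:00:01 fw-b HA Group 1: Peer device platform model not matching; going to Suspended state
May 11 09:00:01 fw-b HA Group 1: Peer device platform model not matching; going to Suspended state
May 11 09:00:02 fw-a HA Group 1: Peer device platform model not matching; going to Suspended state
May 11 09:00:05 fw-a constructed unrelated event
May 11 09:01:00 fw-c constructed unrelated event
"""


def find_model_mismatch_suspensions(log_text: str) -> Dict[str, Dict[str, int]]:
    """Return {host: {ha_group: hit_count}} for every line carrying the mismatch message."""
    hits: Dict[str, Dict[str, int]] = {}
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog line we understand; skip rather than guess
        mm = HA_MODEL_MISMATCH_RE.search(m.group("msg"))
        if not mm:
            continue
        per_host = hits.setdefault(m.group("host"), {})
        per_host[mm.group("group")] = per_host.get(mm.group("group"), 0) + 1
    return hits


if __name__ == "__main__":
    for host, groups in find_model_mismatch_suspensions(SAMPLE_SYSLOG).items():
        for group, count in groups.items():
            print(f"{host}: HA group {group} suspended for model mismatch ({count} events)")
```

A hit on either peer is enough to confirm the cause the thread describes; the next step is to pull `show system info` from both members and compare the `model` field, which is exactly what the rule on this page automates.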

Agreed. One use case I can think of is someone who may have missed a pre-check during RMA replacements :slight_smile: