Network interface ipv4 subnet does not match across cluster members-f5-False

error
high-availability
false
f5

Network interface ipv4 subnet does not match across cluster members-f5-False

Vendor: f5

OS: False

Description:
Indeni will identify when two devices are part of a cluster and alert if their network interface IPv4 subnets are different.

Remediation Steps:
Ensure the network interface ipv4 subnet setting matches across devices in a cluster.

How does this work?
This alert logs into the F5 unit through the iControl REST API and retrieves the IPv4 subnets of all self IPs.

Why is this important?
To be able to search for IP addresses in indeni, this data needs to be stored.

Without Indeni how would you find this?
An administrator could log in and manually check the "Self IP" subnets by logging into the web interface and clicking on "Network" -> "Self IPs".

f5-rest-net-self

 #! META
name: f5-rest-net-self
description: Determine self ip and network mask
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: "f5"
    product: "load-balancer"
    rest-api: "true"

#! COMMENTS
network-interface-ipv4-address:
    why: |
        To be able to search for IP addresses in indeni, this data needs to be stored.
    how: |
        This alert logs into the F5 unit through the iControl REST API and retrieves the IPv4 addresses of all self IP's.
    without-indeni: |
        An administrator could login and manually check the "Self IP" IPv4 addresses by logging into the web interface and clicking on "Network" -> "Self IPs".
    can-with-snmp: true
    can-with-syslog: false
network-interface-ipv4-subnet:
    why: |
        To be able to search for IP addresses in indeni, this data needs to be stored.
    how: |
        This alert logs into the F5 unit through the iControl REST API and retrieves the IPv4 subnets of all self IP's.
    without-indeni: |
        An administrator could login and manually check the "Self IP" subnets by logging into the web interface and clicking on "Network" -> "Self IPs".
    can-with-snmp: true
    can-with-syslog: false
f5-port-lockdown-not-none:
    why: |
        Unless this is intentionally configured, such as a dedicated cable or VLAN for HA, it is recommended for security reasons to have the Self IP configuration to be set to "Allow None". In previous versions the default option when creating a self IP was to allow "Default" and that configuration would follow during upgrades. This metric keeps track of self IP's listening on any services. Please note that ICMP is implicitly allowed no matter what the port lockdown settings are, and does not need to be specified.
    how: |
        This alert logs into the device through SSH and uses TMSH to retrieve the port lockdown configiguration for all self IP's.
    without-indeni: |
        An administrator could check this metric manually by logging into the device through TMSH and executing the command "list net self".
    can-with-snmp: false
    can-with-syslog: false

#! REMOTE::HTTP
url: /mgmt/tm/net/self?$select=fullPath,address,allowService
protocol: HTTPS

#! PARSER::JSON

# Parses the iControl REST response for /mgmt/tm/net/self. Every entry below
# groups on "$.items[0:]" (one group per self IP) and tags each emitted metric
# with the self IP's fullPath as "name", so the metrics of cluster members can
# be compared per self IP by the cross-vendor rules.
#
# NOTE(review): the COMMENTS section documents the port-lockdown metric as
# "f5-port-lockdown-not-none" and says it is collected over SSH/TMSH, while the
# last two entries here emit "f5-default-port-lockdown" from the REST response.
# Confirm which metric name the rule layer consumes and align the COMMENTS text.
_metrics:
    - #Get interface address
        _groups:
            "$.items[0:]":
                _tags:
                    "im.name":
                        _constant: "network-interface-ipv4-address"
                    "name":
                        _value: "fullPath"
                _temp:
                    "address":
                        _value: "address"
        # The awk below takes the part of "address" before "/" and drops a
        # "%<route-domain>" suffix when present. If "address" contains no "/",
        # addressArray[1] is the whole string, so the IP is still emitted.
        _transform:
            _value.complex:
                value: |
                    {
                        address = temp("address")

                        #10.0.2.1%1/23
                        split(address, addressArray, /\//)

                        ip = addressArray[1]

                        #In case of a route domain we need to remove the percentage
                        #10.0.2.1%1/23
                        sub(/%.*$/, "", ip)

                        #  "value" : "10.0.0.1"
                        print ip
                    }
    - #Get interface subnet
        _groups:
            "$.items[0:]":
                _tags:
                    "im.name":
                        _constant: "network-interface-ipv4-subnet"
                    "name":
                        _value: "fullPath"
                _temp:
                    "address":
                        _value: "address"
        # Emits the prefix length after "/" as the subnet value. If "address"
        # contains no "/", addressArray[2] is unset and an empty value is printed.
        _transform:
            _value.complex:
                value: |
                    {
                        address = temp("address")

                        #10.0.2.1/23
                        split(address, addressArray, /\//)

                        #  "value" : "23"
                        print addressArray[2]
                    }
    - #Determine if the self IP is configured to listen on the default ports ("Allow Default")
        # A self IP with "default" in allowService exposes the default service
        # set on that address; the COMMENTS "why" above recommends "Allow None"
        # unless the self IP is intentionally used for HA traffic.
        # NOTE(review): when allowService is absent from an item (e.g. "Allow
        # None"), whether the 'nin' filter below still matches it depends on the
        # JSONPath implementation — confirm that such self IPs emit "false".
        _groups:
            "$.items[0:][?('default' in @.allowService[0:])]":
                _tags:
                    "im.name":
                        _constant: "f5-default-port-lockdown"
                    "name":
                        _value: "fullPath"
                    "address":
                        _value: "address"
                _value.complex:
                    value:
                        _constant: "true"
    - #Determine if the self IP is NOT configured to listen on the default ports
        _groups:
            "$.items[0:][?('default' nin @.allowService[0:])]":
                _tags:
                    "im.name":
                        _constant: "f5-default-port-lockdown"
                    "name":
                        _value: "fullPath"
                    "address":
                        _value: "address"
                _value.complex:
                    value:
                        _constant: "false"

CrossVendorClusterInterfaceIpv4SubnetVsx

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.{ConditionalRemediationSteps, SnapshotComparisonTemplateRule}
import com.indeni.server.common.data.conditions.{Equals => DataEquals}

/**
  * Cluster-consistency rule for the `network-interface-ipv4-subnet` metric:
  * raises an alert when devices that belong to the same cluster report
  * different subnet values for a network interface.
  *
  * This variant applies only to devices whose `vsx` meta tag equals `"true"`
  * (`metaCondition`); devices without that tag are covered by
  * [[CrossVendorClusterInterfaceIpv4SubnetNonVsx]]. The `name` tag is used as
  * the applicable-metric tag and `vs.name` as the description tag; how the
  * comparison template uses them is defined by `SnapshotComparisonTemplateRule`,
  * which is outside this file.
  *
  * @param context rule context supplied by the rules framework
  */
case class CrossVendorClusterInterfaceIpv4SubnetVsx(context: RuleContext) extends SnapshotComparisonTemplateRule(context,
  ruleName = "CrossVendorClusterInterfaceIpv4SubnetVsx",
  ruleFriendlyName = "Clustered Devices: Network interface ipv4 subnet does not match across cluster members",
  ruleDescription = "Indeni will identify when two devices are part of a cluster and alert if their network interface ipv4 subnet are different.",
  metricName = "network-interface-ipv4-subnet",
  applicableMetricTag = "name",
  descriptionMetricTag = "vs.name",
  metaCondition = DataEquals("vsx", "true"),
  isArray = false, // presumably the metric is a single value per interface, not a list — confirm against the template
  alertDescription = "Devices that are part of a cluster must have the same network interface ipv4 subnet setting. Review the differences below.",
  baseRemediationText = "Ensure the network interface ipv4 subnet setting matches across devices in a cluster.")()


/**
  * Cluster-consistency rule for the `network-interface-ipv4-subnet` metric on
  * devices that are NOT tagged `vsx = "true"` (negated `metaCondition`);
  * the VSX counterpart is [[CrossVendorClusterInterfaceIpv4SubnetVsx]].
  *
  * Unlike the VSX variant, no `descriptionMetricTag` is passed, so the template
  * falls back to whatever default `SnapshotComparisonTemplateRule` defines for
  * it (outside this file). The alert and remediation texts are identical to the
  * VSX variant.
  *
  * @param context rule context supplied by the rules framework
  */
case class CrossVendorClusterInterfaceIpv4SubnetNonVsx(context: RuleContext) extends SnapshotComparisonTemplateRule(context,
  ruleName = "CrossVendorClusterInterfaceIpv4SubnetNonVsx",
  ruleFriendlyName = "Clustered Devices: Network interface ipv4 subnet does not match across cluster members",
  ruleDescription = "Indeni will identify when two devices are part of a cluster and alert if their network interface ipv4 subnet are different.",
  metricName = "network-interface-ipv4-subnet",
  applicableMetricTag = "name",
  metaCondition = !DataEquals("vsx", "true"),
  isArray = false, // presumably the metric is a single value per interface, not a list — confirm against the template
  alertDescription = "Devices that are part of a cluster must have the same network interface ipv4 subnet setting. Review the differences below.",
  baseRemediationText = "Ensure the network interface ipv4 subnet setting matches across devices in a cluster.")()