No NTP servers configured-paloaltonetworks-panos

Vendor: paloaltonetworks

OS: panos

Description:
Many odd and complicated outages occur due to lack of clock synchronization between devices. In addition, logs may have the wrong time stamps. Indeni will alert when a device has no NTP servers configured.

Remediation Steps:
Configure one or more NTP servers to be used by this device for clock synchronization.

How does this work?
This script pulls the Palo Alto Networks firewall’s active configuration and extracts the configured NTP servers from there.

Why is this important?
Tracking the currently configured NTP servers on all devices is important to ensure consistent time sync.

Without Indeni how would you find this?
An administrator may write a script to pull this data from devices and compare against a gold configuration.
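The two paragraphs above describe the same check from two angles: pull the firewall's merged configuration over the XML API, read the NTP servers out of it, and alert if the list is empty (or differs from a gold configuration). The script below is an added example of that extraction and comparison; it is not Indeni's parser or any Palo Alto Networks code. The two XML documents are constructed to match the shape of a `show config merged` response (NTP servers live under `deviceconfig/system/ntp-servers`), and the gold list is an assumption for illustration.

```python
"""Extract NTP servers from a PAN-OS `show config merged` API response and
flag a device that has none, or that drifts from a gold list.

Added example, not Indeni's parser. Both XML samples are constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample: what /api?type=op&cmd=<show><config><merged/></config></show>
# looks like for a firewall with a primary and a secondary NTP server.
SAMPLE_WITH_NTP = """<response status="success"><result>
<config version="9.1.0" urldb="paloaltonetworks">
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <hostname>fw-edge-01</hostname>
      <ntp-servers>
        <primary-ntp-server>
          <ntp-server-address>10.0.0.10</ntp-server-address>
          <authentication-type><none/></authentication-type>
        </primary-ntp-server>
        <secondary-ntp-server>
          <ntp-server-address>10.0.0.11</ntp-server-address>
          <authentication-type><none/></authentication-type>
        </secondary-ntp-server>
      </ntp-servers>
    </system></deviceconfig>
  </entry></devices>
</config></result></response>"""

# Constructed sample: same device type, no <ntp-servers> element at all.
SAMPLE_NO_NTP = """<response status="success"><result>
<config version="9.1.0" urldb="paloaltonetworks">
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system><hostname>fw-lab-02</hostname></system></deviceconfig>
  </entry></devices>
</config></result></response>"""

# Primary first, then secondary, so the returned order is meaningful.
NTP_ADDRESS_PATHS = [
    ".//deviceconfig/system/ntp-servers/primary-ntp-server/ntp-server-address",
    ".//deviceconfig/system/ntp-servers/secondary-ntp-server/ntp-server-address",
]


def extract_ntp_servers(api_response_xml: str) -> List[str]:
    """Return the configured NTP server addresses, or an empty list if none."""
    root = ET.fromstring(api_response_xml)
    # The API wraps every reply in <response status="...">. Anything other than
    # "success" means we have no configuration, and must not be reported as
    # "no NTP servers configured".
    if root.tag != "response" or root.get("status") != "success":
        raise ValueError("PAN-OS API call failed: status=%r" % root.get("status"))
    servers: List[str] = []
    for path in NTP_ADDRESS_PATHS:
        for node in root.iterfind(path):
            addr = (node.text or "").strip()
            if addr:
                servers.append(addr)
    return servers


def check_ntp_servers(api_response_xml: str,
                      gold: Optional[List[str]] = None) -> Dict[str, object]:
    """Mirror the rule: alert on an empty list; optionally diff against a gold list."""
    found = extract_ntp_servers(api_response_xml)
    findings: List[str] = []
    if not found:
        findings.append("No NTP servers configured")
    elif gold is not None:
        unexpected = sorted(set(found) - set(gold))
        if unexpected:
            findings.append("NTP servers not in gold config: " + ", ".join(unexpected))
    return {"ntp_servers": found, "findings": findings}


if __name__ == "__main__":
    gold_ntp = ["10.0.0.10", "10.0.0.11"]  # assumed gold configuration
    for label, xml_text in (("fw-edge-01", SAMPLE_WITH_NTP), ("fw-lab-02", SAMPLE_NO_NTP)):
        print(label, check_ntp_servers(xml_text, gold=gold_ntp))
```

Two practical points when running this against real firewalls. The `merged` form of `show config` includes settings pushed from Panorama templates, so a firewall whose NTP servers come from a template is not reported as a false positive; the plain running config would be. And an API key passed as `key=` in the query string, as the step definition below does, ends up in proxy and web-server logs; PAN-OS also accepts the key in an `X-PAN-KEY` request header, which keeps it out of URLs.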

panos-show-config-merged-monitoring-xml

name: panos-show-config-merged-monitoring-xml
description: Fetch the running config (xml)
type: monitoring
monitoring_interval: 60 minute
requires:
    vendor: paloaltonetworks
    os.name: panos
    product: firewall
comments:
    certificate-expiration:
        why: |
            Palo Alto Networks firewalls use certificates for a variety of different purposes. One purpose, for example, is inbound SSL inspection. If a certificate used by the firewall expires, certain services may become unavailable to external users.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration, reviews the certificates saved and retrieves their subject and expiration date.
        can-with-snmp: true
        can-with-syslog: true
    timezone:
        why: |
            Most configurations in Palo Alto Networks firewalls are synchronized across cluster members. Some are not, the timezone is one of them. It is important to verify that the timezone is the same on all cluster members to avoid confusion or issues.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration and extracts the timezone from there.
        can-with-snmp: false
        can-with-syslog: false
    domain:
        why: |
            Most configurations in Palo Alto Networks firewalls are synchronized across cluster members. Some are not, the domain name is one of them. It is important to verify that the domain name is the same on all cluster members to avoid confusion or issues.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration and extracts the domain name from there.
        can-with-snmp: false
        can-with-syslog: false
    login-banner:
        why: |
            Most configurations in Palo Alto Networks firewalls are synchronized across cluster members. Some are not, the login banner is one of them. It is important to verify that the login banner is the same on all cluster members to avoid confusion or issues.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration and extracts the login banner from there.
        can-with-snmp: false
        can-with-syslog: false
    syslog-servers:
        why: |
            Tracking the currently configured Syslog servers on all devices is important to ensure consistent logging.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured Syslog servers from there.
        can-with-snmp: false
        can-with-syslog: false
    radius-servers:
        why: |
            Tracking the currently configured RADIUS servers on all devices is important to ensure consistent authentication and access.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured RADIUS servers from there.
        can-with-snmp: false
        can-with-syslog: false
    dns-servers:
        why: |
            Tracking the currently configured DNS servers on all devices is important to ensure consistent name resolution.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured DNS servers from there.
        can-with-snmp: false
        can-with-syslog: false
    ntp-servers:
        why: |
            Tracking the currently configured NTP servers on all devices is important to ensure consistent time sync.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured NTP servers from there.
        can-with-snmp: false
        can-with-syslog: false
    unencrypted-snmp-configured:
        why: |
            SNMPv2c is an insecure protocol (community strings are sent in cleartext) and should not be used. Users should prefer the more secure SNMPv3.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured services from there.
        can-with-snmp: false
        can-with-syslog: false
    telnet-enabled:
        why: |
            Telnet is an insecure protocol (credentials and sessions are sent in cleartext) and should not be used. Users may enable telnet unintentionally and should be alerted if they do so.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured services from there.
        can-with-snmp: false
        can-with-syslog: false
    http-server-enabled:
        why: |
            HTTP is an insecure protocol for management access (credentials and sessions are sent in cleartext) and should not be used. Users may enable HTTP unintentionally and should be alerted if they do so.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration and extracts the configured services from there.
        can-with-snmp: false
        can-with-syslog: false
    license-elements-used:
        why: |
            Collect information about the license usage and report installed licenses.
        how: |
            This script pulls the Palo Alto Networks firewall's active configuration and extracts the license information from there.
        can-with-snmp: false
        can-with-syslog: false
    app-update-acceptable-lag:
        why: |
            App update acceptable lag is important to determine because app updates can become out of date if the scheduled update job doesn't succeed.
        how: |
            This script reads the scheduled update configuration and determines how frequently the updates should have run.
        can-with-snmp: unknown
        can-with-syslog: true
    av-update-acceptable-lag:
        why: |
            Anti-virus update acceptable lag is important to determine because anti-virus updates can become out of date if the scheduled update job doesn't succeed.
        how: |
            This script reads the scheduled update configuration and determines how frequently the updates should have run.
        can-with-snmp: unknown
        can-with-syslog: true
    panw-app-update-action:
        why: |
            It is important to track the content (app/threat) version update action in the schedule. Following best practices this should be set to download and install based on a schedule. The rule will alert if not following best practices.
        can-with-snmp: unknown
        can-with-syslog: false
    panw-av-update-action:
        why: |
            It is important to track the anti-virus version update action in the schedule. Following best practices this should be set to download and install based on a schedule. The rule will alert if not following best practices.
        can-with-snmp: unknown
        can-with-syslog: false

steps:
-   run:
        type: HTTP
        command: /api?type=op&cmd=<show><config><merged></merged></config></show>&key=${api-key}
    parse:
        type: XML
        file: show-config-merged-m.parser.1.xml.yaml

cross_vendor_no_ntp_servers

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.ruleengine.expressions.conditions.{Equals => RuleEquals, Not => RuleNot, Or => RuleOr}
import com.indeni.ruleengine.expressions.data.SnapshotExpression
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.MultiSnapshotValueCheckTemplateRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity
import com.indeni.server.rules.RemediationStepCondition
import com.indeni.server.rules.library.RuleHelper

/**
  * Alerts when the most recent "ntp-servers" snapshot for a device is an empty array,
  * i.e. the device reports no configured NTP servers.
  */
case class cross_vendor_no_ntp_servers() extends MultiSnapshotValueCheckTemplateRule(
  ruleName = "cross_vendor_no_ntp_servers",
  ruleFriendlyName = "All Devices: No NTP servers configured",
  ruleDescription = "Many odd and complicated outages occur due to lack of clock synchronization between devices. In addition, logs may have the wrong time stamps. Indeni will alert when a device has no NTP servers configured.",
  severity = AlertSeverity.WARN,
  metricName = "ntp-servers",
  alertDescription = "This system does not have an NTP server configured. Many odd and complicated outages occur due to lack of clock synchronization between devices. In addition, logs may have the wrong time stamps.",
  baseRemediationText = "Configure one or more NTP servers to be used by this device for clock synchronization.",
  complexCondition = RuleEquals(RuleHelper.createEmptyComplexArrayConstantExpression(), SnapshotExpression("ntp-servers").asMulti().mostRecent().value().noneable))(
  RemediationStepCondition.VENDOR_F5 -> "Log into the Web interface and navigate to System -> Configuration -> Device -> NTP. Add the desired NTP servers and click \"update\".",
  RemediationStepCondition.VENDOR_FORTINET ->
    """
      |1. Login via ssh to the Fortinet firewall and execute the FortiOS “execute time” and “execute date” commands to check the current date/time and the last date of NTP sync.
      |2. Login via ssh to the Fortinet firewall and execute the FortiOS “diagnose sys ntp status” to review the status of the NTP servers and configuration.
      |3. NTP uses UDP (IP protocol 17), port 123, to communicate between the client and the servers. Make sure that the firewall policy allows UDP/123 to the NTP servers and that the firewall has a route toward them.
      |4. Login via ssh to the Fortinet firewall and execute the FortiOS debug commands “diag debug application ntpd -1” and “diag debug enable” and review the debug messages.
      |5. Make sure NTP authentication keys match on both ends. Review the next link for more information: http://kb.fortinet.com/kb/viewContent.do?externalId=FD33783.
      |6. More NTP configuration information can be found at http://help.fortinet.com/cli/fos50hlp/56/Content/FortiOS/fortiOS-cli-ref-56/config/system/ntp.htm.""".stripMargin
)