NTP servers used do not match across cluster members-paloaltonetworks-panos

NTP servers used do not match across cluster members-paloaltonetworks-panos
3.0 1

NTP servers used do not match across cluster members-paloaltonetworks-panos

Vendor: paloaltonetworks

OS: panos

Description:
Indeni will identify when two devices are part of a cluster and alert if the NTP servers they are using are different.

Remediation Steps:
Review the NTP configuration on each device to ensure they match.

How does this work?
This script pulls the Palo Alto Networks firewall’s active configuration and extracts the configured NTP servers from there.

Why is this important?
Tracking the currently configured NTP servers on all devices is important to ensure consistent time sync.

Without Indeni how would you find this?
An administrator may write a script to pull this data from devices and compare against a gold configuration.

panos-show_config_running-monitoring-xml

Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/parsers/src/panw/panos/show-config-running-m.ind

cross_vendor_ntp_servers_comparison

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.SnapshotComparisonTemplateRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

/**
  *
  */
case class cross_vendor_ntp_servers_comparison() extends SnapshotComparisonTemplateRule(
  ruleName = "cross_vendor_ntp_servers_comparison",
  ruleFriendlyName = "Clustered Devices: NTP servers used do not match across cluster members",
  ruleDescription = "Indeni will identify when two devices are part of a cluster and alert if the NTP servers they are using are different.",
  severity = AlertSeverity.WARN,
  metricName = "ntp-servers",
  isArray = true,
  alertDescription = "Devices that are part of a cluster must have the same NTP servers used. Review the differences below.",
  baseRemediationText = "Review the NTP configuration on each device to ensure they match.")()

I’ll comment the same as I did on the DNS server mis-match rule.

It is important to note when NTP servers may accidentally be misconfigured or even missing between HA peers. However, in some architecturally specific use cases such as business continuity or disaster recovery, unique NTP servers may be required. The primary site NTP servers may not become available in the new site if they are not load balanced/mirrored.

This is going to be a unique alert to the Indeni platform. If anyone knows of other systems that monitor this situation please comment. Also, if you have a DR/BC scenario where you wish not to receive this alert you can simply set the alert to be ignored for those devices only.