OS name mismatch across cluster members-paloaltonetworks-panos


Vendor: paloaltonetworks

OS: panos

Description:
Indeni will identify when two devices are part of a cluster and alert if the OS installed is different.

Remediation Steps:
Install the correct versions of software on each device.

How does this work?
This script uses the Palo Alto Networks API to retrieve the software name and version installed on the device. Indeni then compares the result to the same script run on other members of the same cluster.
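
The comparison described above, sketched as an added example (this is not Indeni's parser or rule code). It assumes each member's reply has the shape of the PAN-OS XML API `show system info` output with a `sw-version` element; the member names, hostnames and versions are constructed. A member whose reply cannot be read is reported as unknown rather than counted as matching.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed replies shaped like the PAN-OS XML API "show system info"
# op command; member names, hostnames and versions are invented.
CONSTRUCTED_REPLIES = {
    "member-1": '<response status="success"><result><system>'
                '<hostname>fw-a</hostname><sw-version>10.1.6</sw-version>'
                '</system></result></response>',
    "member-2": '<response status="success"><result><system>'
                '<hostname>fw-b</hostname><sw-version>10.1.9</sw-version>'
                '</system></result></response>',
}


def parse_sw_version(xml_text):
    """Return the sw-version string from one reply, or raise ValueError."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"unparseable reply: {exc}") from exc
    if root.get("status") != "success":
        raise ValueError("API reported a non-success status")
    version = (root.findtext("./result/system/sw-version") or "").strip()
    if not version:
        raise ValueError("reply has no sw-version element")
    return version


def compare_cluster(replies):
    """Group members by version; unusable replies are listed as unknown."""
    by_version, unknown = defaultdict(list), []
    for member, xml_text in sorted(replies.items()):
        try:
            by_version[parse_sw_version(xml_text)].append(member)
        except ValueError:
            unknown.append(member)
    return {
        "versions": dict(by_version),
        "unknown": unknown,
        "mismatch": len(by_version) > 1,
        # A member we could not read is not evidence of a match.
        "verified_consistent": len(by_version) == 1 and not unknown,
    }


if __name__ == "__main__":
    print(compare_cluster(CONSTRUCTED_REPLIES))
```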

Why is this important?
Two or more devices which operate as part of a single cluster must be running the same version of software.

Without Indeni how would you find this?
Manual tracking by an administrator is usually the only method for knowing when two devices are not running the same version of software.

panos-show-system-info-monitoring

Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/parsers/src/panw/panos/show-system-info-monitoring.ind

cross_vendor_compare_osname

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.SnapshotComparisonTemplateRule
import com.indeni.server.rules.RemediationStepCondition

/**
  * Compares the "os-name" metric across the members of a cluster and alerts when the values differ.
  */
case class cross_vendor_compare_osname() extends SnapshotComparisonTemplateRule(
  ruleName = "cross_vendor_compare_osname",
  ruleFriendlyName = "Clustered Devices: OS name mismatch across cluster members",
  ruleDescription = "Indeni will identify when two devices are part of a cluster and alert if the OS installed is different.",
  metricName = "os-name",
  isArray = false,
  alertDescription = "The members of a cluster of devices must have the same OS's installed.\n\nThis alert was added per the request of <a target=\"_blank\" href=\"http://il.linkedin.com/pub/gal-vitenberg/83/484/103\">Gal Vitenberg</a>.",
  baseRemediationText = "Install the correct versions of software on each device.")(
  RemediationStepCondition.VENDOR_CISCO ->
    """|
      |1. Check that the vPC peers have the same NX-OS version except during the non-disruptive upgrade, that is, In-Service Software Upgrade (ISSU).
      |2. Execute the "show version" NX-OS command and check the installed NX-OS version across the vPC peer switches.
      |3. Schedule a Maintenance Window for NX-OS upgrade in order the vPC peer switches have exact the same NX-OS version.
      |NOTE: The vPC could be established between the vPC peers with not exact the same NX-OS name but several problems will be faced when new features are configured. For instance FEX-mismatch SW log message will be generated if you try to connect a FEX via vPC to a pair of vPC switches with different SW version. In this case the FEX will be operational only from one of the vPC peer switches.""".stripMargin
)

This notification is very important, especially in scenarios where you are deploying OS updates from Panorama. Doing updates from Panorama increases the likelihood that you wouldn’t notice the red dot for an OS mismatch error on the firewall’s dashboard. If you have direct alerts from the firewalls configured, it will alert you as well.

If you are receiving this notification while you are doing OS updates, it is best not to disable the alert. The alert will “auto-resolve” after you complete your upgrades.

The benefit of this rule is making sure you DO NOT forget to update the entire HA cluster.