Packet drop counters increasing-paloaltonetworks-panos


Vendor: paloaltonetworks

OS: panos

Description:
indeni will track packet drop counters and alert if any important counters are incrementing.

Remediation Steps:
Contact your technical support provider.

How does this work?
This script uses the Palo Alto Networks API to retrieve the global drop counters, which is the equivalent of running "show counter global filter severity drop" on the CLI.

Why is this important?
Tracking packet drop counters on Palo Alto Networks firewalls can be crucial to identifying potential issues before they cause a wider impact. Generally, when the firewall drops packets it logs the reason for the drop. Sometimes the drop is legitimate, but sometimes it is due to a configuration or setup issue. In the latter case, it is important to know that packets are being dropped before users complain about service issues.

Without Indeni how would you find this?
An administrator can poll the firewall for the various packet drop counters. The challenge, many times, is making sense of which counters are interesting and what each of them means.

panos-show-counter-global-filter-severity-drop

#! META
name: panos-show-counter-global-filter-severity-drop
description: fetch packet drop counters
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: paloaltonetworks
    os.name: panos
    product: firewall

#! COMMENTS
packet-drop-counter:
    why: |
        Tracking packet drop counters on Palo Alto Networks firewalls can be crucial to identifying potential issues before they cause a wider impact. Generally, when the firewall drops packets it logs the reason for the drop. Sometimes the drop is legitimate, but sometimes it is due to a configuration or setup issue. In the latter case, it is important to know that packets are being dropped before users complain about service issues.
    how: |
        This script uses the Palo Alto Networks API to retrieve the global drop counters, which is the equivalent of running "show counter global filter severity drop" on the CLI.
    without-indeni: |
        An administrator can poll the firewall for the various packet drop counters. The challenge, many times, is making sense of which counters are interesting and what each of them means.
    can-with-snmp: true
    can-with-syslog: true

#! REMOTE::HTTP
url: /api?type=op&cmd=<show><counter><global><filter><severity>drop</severity></filter></global></counter></show>&key=${api-key}
protocol: HTTPS

#! PARSER::XML
_metrics:
    -
        _groups:
            /response/result/global/counters/entry:
                _temp:
                    desc:
                        _text: "desc"
                _value.double:
                    _text: "value"
                _tags:
                    "im.name":
                        _constant: "packet-drop-counter"
                    "im.dsType":
                        _constant: "counter"
                    "name":
                        _text: "name"
                    "live-config":
                        _constant: "true"
                    "display-name":
                        _constant: "Packet Drop Counters"
                    "im.dstype.displayType":
                        _constant: "number"
                    "im.identity-tags":
                        _constant: "name"
        _transform:
            _tags:
                "description": |
                    {
                        print(trim(temp("desc")))
                    }

cross_vendor_packet_drops

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.NumericThresholdOnDoubleMetricWithItemsTemplateRule
/**
  * Cross-vendor rule: alerts when a "packet-drop-counter" metric (tagged by counter name)
  * increases faster than the threshold, skipping the counters listed in itemsToIgnore.
  */
case class cross_vendor_packet_drops() extends NumericThresholdOnDoubleMetricWithItemsTemplateRule(
  ruleName = "cross_vendor_packet_drops",
  ruleFriendlyName = "All Devices: Packet drop counters increasing",
  ruleDescription = "indeni will track packet drop counters and alert if any important counters are incrementing.",
  metricName = "packet-drop-counter",
  applicableMetricTag = "name",
  threshold = 100.0,
  alertDescription = "Some devices track the number of packets being dropped for various reasons. The current packet drop counters which are indicating dropped packets are listed below.",
  alertItemDescriptionFormat = "The drop counter is increasing at a rate of %.0f per second.",
  baseRemediationText = "Contact your technical support provider.",
  alertItemsHeader = "Affected Counters",
  itemsToIgnore = Set(
    "flow_tcp_non_syn_drop".r, "flow_fwd_l3_bcast_drop".r, "flow_host_service_deny".r,
    "flow_ipv6_disabled".r, "flow_rcv_dot1q_tag_err".r, "flow_parse_l4_tcpsynfin".r,
    "flow_parse_l4_tcpfin".r, "flow_fwd_l3_mcast_drop".r, "^$".r))(
)
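As an added worked example (not Indeni's code and not a Palo Alto Networks API client), the Python below reproduces the check offline: it parses a constructed API response in the /response/result/global/counters/entry shape that the PARSER::XML section walks, computes each counter's per-second rate between two polls 5 minutes apart, and reports counters above the rule's 100/s threshold while skipping the itemsToIgnore names. How the template turns counter values into a rate, and that the ignore patterns are applied as full matches, are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Ignore list copied from the rule's itemsToIgnore; applying them with
# fullmatch is an assumption about how the Scala template uses the regexes.
IGNORED = [re.compile(p) for p in (
    "flow_tcp_non_syn_drop", "flow_fwd_l3_bcast_drop", "flow_host_service_deny",
    "flow_ipv6_disabled", "flow_rcv_dot1q_tag_err", "flow_parse_l4_tcpsynfin",
    "flow_parse_l4_tcpfin", "flow_fwd_l3_mcast_drop", "^$")]
THRESHOLD_PER_SEC = 100.0   # threshold = 100.0 in the rule
INTERVAL_SEC = 5 * 60       # monitoring_interval: 5 minutes

# Constructed sample responses (values and descriptions are made up) in the
# shape the parser walks; two polls of the same three counters, 5 minutes apart.
SAMPLE_XML = """<response status="success"><result><global><counters>
<entry><name>flow_policy_deny</name><value>{a}</value><desc> denied by policy </desc></entry>
<entry><name>flow_tcp_non_syn_drop</name><value>{b}</value><desc>non-SYN TCP</desc></entry>
<entry><name>flow_fwd_l3_noroute</name><value>{c}</value><desc>no route</desc></entry>
</counters></global></result></response>"""
SAMPLE_PREV = SAMPLE_XML.format(a=1000, b=5000, c=10)
SAMPLE_CURR = SAMPLE_XML.format(a=61000, b=505000, c=40)  # one interval later

def parse_drop_counters(xml_text):
    """Map counter name -> (value, trimmed desc), mirroring _value.double and the desc tag."""
    root = ET.fromstring(xml_text)
    counters = {}
    for entry in root.findall("./result/global/counters/entry"):
        name = entry.findtext("name", default="")
        counters[name] = (float(entry.findtext("value", default="0")),
                          entry.findtext("desc", default="").strip())
    return counters

def increasing_counters(prev, curr, interval=INTERVAL_SEC, threshold=THRESHOLD_PER_SEC):
    """Counters whose per-second growth between two polls exceeds the threshold."""
    alerts = {}
    for name, (value, desc) in curr.items():
        if name not in prev or any(p.fullmatch(name) for p in IGNORED):
            continue
        rate = (value - prev[name][0]) / interval  # dsType "counter": judge the rate
        if rate > threshold:
            alerts[name] = (rate, desc)
    return alerts

def alert_items(alerts):
    """Render each affected counter with the rule's alertItemDescriptionFormat."""
    return {n: "The drop counter is increasing at a rate of %.0f per second." % r
            for n, (r, _) in alerts.items()}
```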