Per-virtual-system concurrent connection limit nearing-juniper-junos

error
junos
health-checks
juniper
Per-virtual-system concurrent connection limit nearing-juniper-junos
0

#1

Per-virtual-system concurrent connection limit nearing-juniper-junos

Vendor: juniper

OS: junos

Description:
indeni will trigger an issue the number of connections in a VS is too high.

Remediation Steps:
Review why this may be happening and consider moving some of the traffic between VS’s or devices.

How does this work?
This script runs the “show security flow session summary” command via ssh to retrieve the number of concurrent sessions.

Why is this important?
Concurrent-connections tell the number of connections going through the device. The administrator has to monitor the concurrent-connections to avoid traffic drops because of the high number of concurrent-connection.

Without Indeni how would you find this?
The administrator has to log on the device to retrieve the same information.

junos-show-security-flow-session-summary

#! META
name: junos-show-security-flow-session-summary
description: Retrieve security flow information 
type: monitoring
monitoring_interval: 5 minute
requires:
    vendor: juniper
    os.name: junos
    product: firewall
    high-availability:
        neq: true

#! COMMENTS
concurrent-connections-limit:
    why: |
        Each device has a limit for concurrent sessions or connections based on the hardware capability. Exceeding this limit will cause traffic drops. 
    how: |
       This script runs the "show security flow session summary" command via ssh to retrieve the limit for concurrent sessions.
    without-indeni: |
        The administrator has to log on the device to retrieve the same information.
    can-with-snmp: true 
    can-with-syslog: false 
concurrent-connections:
    why: |
        Concurrent-connections tell the number of connections going through the device. The administrator has to monitor the concurrent-connections to avoid traffic drops because of the high number of concurrent-connection.
    how: |
       This script runs the "show security flow session summary" command via ssh to retrieve the number of concurrent sessions.
    without-indeni: |
        The administrator has to log on the device to retrieve the same information.
    can-with-snmp: true
    can-with-syslog: false

#! REMOTE::SSH
show security flow session summary | display xml

#! PARSER::XML
_vars:
    root: /rpc-reply/flow-session-summary-information
_metrics:
    -
        _tags:
            "im.name":
                _constant: "concurrent-connections"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Sessions - Current"
            "im.dstype.displayType":
                _constant: "number"
        _value.double:
            _text: ${root}/active-sessions
    -
        _tags:
            "im.name":
                _constant: "concurrent-connections-limit"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Sessions - Limit"
            "im.dstype.displayType":
                _constant: "number"
        _value.double:
            _text: ${root}/max-sessions


junos-show-security-flow-session-summary

#! META
name: junos-show-security-flow-session-summary
description: Retrieve security flow information 
type: monitoring
monitoring_interval: 5 minute
requires:
    vendor: juniper
    os.name: junos
    product: firewall
    high-availability:
        neq: true

#! COMMENTS
concurrent-connections-limit:
    why: |
        Each device has a limit for concurrent sessions or connections based on the hardware capability. Exceeding this limit will cause traffic drops. 
    how: |
       This script runs the "show security flow session summary" command via ssh to retrieve the limit for concurrent sessions.
    without-indeni: |
        The administrator has to log on the device to retrieve the same information.
    can-with-snmp: true 
    can-with-syslog: false 
concurrent-connections:
    why: |
        Concurrent-connections tell the number of connections going through the device. The administrator has to monitor the concurrent-connections to avoid traffic drops because of the high number of concurrent-connection.
    how: |
       This script runs the "show security flow session summary" command via ssh to retrieve the number of concurrent sessions.
    without-indeni: |
        The administrator has to log on the device to retrieve the same information.
    can-with-snmp: true
    can-with-syslog: false

#! REMOTE::SSH
show security flow session summary | display xml

#! PARSER::XML
_vars:
    root: /rpc-reply/flow-session-summary-information
_metrics:
    -
        _tags:
            "im.name":
                _constant: "concurrent-connections"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Sessions - Current"
            "im.dstype.displayType":
                _constant: "number"
        _value.double:
            _text: ${root}/active-sessions
    -
        _tags:
            "im.name":
                _constant: "concurrent-connections-limit"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Sessions - Limit"
            "im.dstype.displayType":
                _constant: "number"
        _value.double:
            _text: ${root}/max-sessions


concurrent_connection_limit_vsx

package com.indeni.server.rules.library

import com.indeni.ruleengine.expressions.OptionalExpression
import com.indeni.ruleengine.expressions.conditions.GreaterThanOrEqual
import com.indeni.ruleengine.expressions.core.{StatusTreeExpression, _}
import com.indeni.ruleengine.expressions.data.{SelectTagsExpression, SelectTimeSeriesExpression, TimeSeriesExpression}
import com.indeni.ruleengine.expressions.math.{DivExpression, TimesExpression}
import com.indeni.server.common.data.conditions.True
import com.indeni.server.params.ParameterDefinition
import com.indeni.server.params.ParameterDefinition.UIType
import com.indeni.server.rules._
import com.indeni.server.rules.library.ConcurrentConnectionsUsageVsxRule.NAME
import com.indeni.server.rules.library.core.PerDeviceRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

case class ConcurrentConnectionsUsageVsxRule() extends PerDeviceRule with RuleHelper {

  private[library] val highThresholdParameterName = "High_Threshold_of_Connection_usage"
  private val highThresholdParameter = new ParameterDefinition(highThresholdParameterName,
    "",
    "High Threshold of Concurrent Connection Usage",
    "What is the threshold for the concurrent connection usage for which once it is crossed an issue will be triggered.",
    UIType.DOUBLE,
    80.0)

  override val metadata: RuleMetadata = RuleMetadata.builder(NAME, "All Devices: Per-virtual-system concurrent connection limit nearing",
    "indeni will trigger an issue the number of connections in a VS is too high.", AlertSeverity.ERROR).configParameter(highThresholdParameter).build()

  override def expressionTree(context: RuleContext): StatusTreeExpression = {
    val actualValue = TimeSeriesExpression[Double]("concurrent-connections").last
    val threshold: OptionalExpression[Double] = getParameterDouble(highThresholdParameter)
    val limit = TimeSeriesExpression[Double]("concurrent-connections-limit").last

    StatusTreeExpression(
      // Which objects to pull (normally, devices)
      SelectTagsExpression(context.metaDao, Set(DeviceKey), True),

      // What constitutes an issue
        StatusTreeExpression(

          // The additional tags we care about (we'll be including this in alert data)
          SelectTagsExpression(context.tsDao, Set("vs.id","vs.name"), True),

            StatusTreeExpression(
              // The time-series we check the test condition against:
              SelectTimeSeriesExpression[Double](context.tsDao, Set("concurrent-connections", "concurrent-connections-limit"), denseOnly = false),

              // The condition which, if true, we have an issue. Checked against the time-series we've collected
              GreaterThanOrEqual(
                actualValue,
                TimesExpression(limit, DivExpression(threshold, ConstantExpression(Some(100.0)))))

              // The Alert Item to add for this specific item
            ).withSecondaryInfo(
                scopableStringFormatExpression("${scope(\"vs.name\")} (${scope(\"vs.id\")})"),
                scopableStringFormatExpression("Usage of %.0f (vs limit of %.0f) is above the threshold of %.0f%%.", actualValue, limit, threshold),
                title = "Affected VS's"
            ).asCondition()
        ).withoutInfo().asCondition()
    ).withRootInfo(
        getHeadline(),
        ConstantExpression("Some VS's have a high number of concurrent connections.\n\nThis issue was added per the request of <a target=\"_blank\" href=\"http://il.linkedin.com/in/motisagey\">Moti Sagey</a>."),
        ConditionalRemediationSteps("Review why this may be happening and consider moving some of the traffic between VS's or devices.",
          ConditionalRemediationSteps.VENDOR_CP -> "Consider enabling aggressive aging if it is not yet enabled: https://sc1.checkpoint.com/documents/R76/CP_R76_IPS_AdminGuide/12857.htm#o12861",
          ConditionalRemediationSteps.VENDOR_PANOS -> "Compare the products and the maximum sessions allowed: https://www.paloaltonetworks.com/products/product-selection"
      )
    )
  }
}

object ConcurrentConnectionsUsageVsxRule {

  /* --- Constants --- */

  private[library] val NAME = "concurrent_connection_limit_vsx"
}