Suggest an automation script

Have an idea for a script or rule that could make life easier? Make your suggestion here and our Product team will try to make your dream a reality!


The more detail you provide, the faster we can help.


  • Device Make/Model
  • Operating System
  • Description
  • Remediation Steps
  • Command or Method
  • Output Example
  • Output Expectations

Logging not received from Panorama Managed Firewall in X amount of time.


Device Make/Model

  • Palo Alto Panorama

Operating System

  • Should work on any 7.x or 8.x Panorama

Description

  • Logging from managed device not received in X minutes

Remediation Steps

  • ? Currently being told there is a bug in 8.0.4 that prevents Threat and URL logging from showing up for firewalls in Panorama monitoring logs. I have received no logs other than Traffic since upgrading to 8.0.x. It would have been nice to know that was happening immediately so I could have rolled back the upgrade
  • Dependency: run this check in Panorama only for connected-state devices

Command or Method

  • parse serial numbers to check from the command: show devices connected
  • show log <log type> receive_time in last <hour,24-hour> | match <connected device serial#>
  • repeat for each Panorama connected device serial number

Output Example

admin@PA_M100-01(primary-active)> show log threat receive_time in last-hour | match 00790104444

A maximum of 500 of last 7 day's logs will be displayed.

Please use 'scp export log ...' if more logs are needed

low Suspicious Abnormal HTTP Response Found(38870) 007901001212 0

low HTTP Cross Site Scripting Vulnerability(34851) 007901001212 0

low Sipvicious.Gen User-Agent Traffic Detection(13272) 007901001212 0

Output Expectations

  • any data vs. returning to a system prompt '>'
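Worked example of the check described in this post, added here (it is not the poster's script and not Indeni's own rule): parse the serials of connected devices, run the per-type `show log ... | match <serial>` query for each, and alert on serials for which the CLI returned no rows. The device table, the log outputs and the serials are constructed samples; `fetch_from_samples` stands in for actually running the CLI.

```python
import re
from typing import Callable, Dict, List

# Constructed sample of "show devices connected" output (columns abbreviated;
# the real command prints more, but the check only needs Serial and Connected).
DEVICES_CONNECTED = """\
Serial          Hostname      Connected   Model     SW Version
--------------------------------------------------------------
007901001212    fw-edge-01    yes         PA-3020   8.0.4
007901044440    fw-edge-02    yes         PA-3020   8.0.4
007901099999    fw-lab-01     no          PA-220    8.0.4
"""

# Panorama prints these two lines before any rows; they are not log data.
BANNER = ("A maximum of 500 of last 7 day's logs will be displayed.\n"
          "Please use 'scp export log ...' if more logs are needed\n")
BANNER_PREFIXES = ("A maximum of", "Please use 'scp export log")

# Constructed outputs of
#   show log <type> receive_time in last-hour | match <serial>
# keyed by (log type, serial). A missing key stands for the CLI returning
# straight to the '>' prompt, i.e. no rows at all.
LOG_OUTPUT = {
    ("traffic", "007901001212"): BANNER + "2017/09/08 11:40:01 allow 10.1.1.5 ... 007901001212 0\n",
    ("threat", "007901001212"): BANNER + "low HTTP Cross Site Scripting Vulnerability(34851) 007901001212 0\n",
    ("url", "007901001212"): BANNER,
    ("traffic", "007901044440"): BANNER + "2017/09/08 11:41:17 allow 10.2.2.9 ... 007901044440 0\n",
}

_DEVICE_ROW = re.compile(r"^(\d{12})\s+\S+\s+(yes|no)\b")


def connected_serials(show_devices_output: str) -> List[str]:
    """Serials whose Connected column is 'yes' (the dependency the post asks for)."""
    serials = []
    for line in show_devices_output.splitlines():
        m = _DEVICE_ROW.match(line.strip())
        if m and m.group(2) == "yes":
            serials.append(m.group(1))
    return serials


def log_row_count(show_log_output: str) -> int:
    """Number of real log rows, ignoring blank lines and the banner."""
    return sum(
        1 for line in show_log_output.splitlines()
        if line.strip() and not line.strip().startswith(BANNER_PREFIXES)
    )


def missing_logs(show_devices_output: str,
                 fetch_log: Callable[[str, str], str],
                 log_types: List[str]) -> Dict[str, List[str]]:
    """Map serial -> log types for which a connected device sent nothing."""
    gaps: Dict[str, List[str]] = {}
    for serial in connected_serials(show_devices_output):
        silent = [t for t in log_types if log_row_count(fetch_log(t, serial)) == 0]
        if silent:
            gaps[serial] = silent
    return gaps


def fetch_from_samples(log_type: str, serial: str) -> str:
    """Stand-in for running the CLI; returns the constructed sample output."""
    return LOG_OUTPUT.get((log_type, serial), "")


def run_check() -> Dict[str, List[str]]:
    return missing_logs(DEVICES_CONNECTED, fetch_from_samples, ["traffic", "threat", "url"])


if __name__ == "__main__":
    for serial, types in run_check().items():
        print(f"ALERT {serial}: no {', '.join(types)} logs received in the last hour")
```

Checking each log type separately is what makes the 8.0.x situation in the post visible: a device that still sends traffic logs but has gone silent on threat and URL logs is reported as a gap in exactly those types, instead of looking healthy because "some" logs arrive.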

Log Collector Disconnected and/or Not In Sync


(my apologies if you are already checking for this, I didn't have Indeni when it happened)


Device Make/Model

  • Palo Alto Networks Panorama

Operating System

  • 7.x, 8.x

Description

  • Alert when a Log Collector goes into a disconnected state or is not In Sync. Could indicate several other underlying issues, especially when upgrading from 7.x to 8.x Panorama

Remediation Steps

  • I'd have to research this a bit further. There were several issues causing this but doing a commit to the Log Collector Group fixed things up in the end. There are some things to watch out for though.

Command or Method

  • show log-collector connected

Output Example

admin@PA_M100-01(primary-active)> show log-collector connected

Serial CID Hostname Connected Config Status SW Version IPv4 - IPv6

---------------------------------------------------------------------------------------------------------

003001001234 4 PA_M100-01 yes In Sync 8.0.4 172.18.1.100 - unknown

Redistribution status: none

Last commit-all: commit succeeded, current ring version 2

SearchEngine status: Active

md5sum 8e55a03b502b79bba1af4bed86cea223 updated at ?

Certificate Status:

Certificate subject Name:

Certificate expiry at: none

Connected at: none

Custom certificate Used: no

Output Expectations


Serial CID Hostname Connected Config Status SW Version IPv4 - IPv6

---------------------------------------------------------------------------------------------------------

003001001283 5 PA_M-100-02 yes In Sync 8.0.4 172.18.1.101 - unknown

Redistribution status: none

Last commit-all: none, current ring version 2

SearchEngine status: Active

md5sum bcd26b8fe27ace1797aae325bfdac36d updated at 2017/09/08 11:44:14

Certificate Status:

Certificate subject Name: 003001001712

Certificate expiry at: 2027/08/25 17:07:55

Connected at: 2017/08/29 13:45:31

Custom certificate Used: no
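Worked example of the check in this post, added here (not the poster's script and not Indeni's own rule): parse `show log-collector connected`, alert on any collector that is not connected or not In Sync, and additionally report mixed software versions across collectors, which is the situation a half-finished 7.x to 8.x upgrade produces. The first collector row is taken from the post's output; the second row and its detail lines are constructed to show a failing collector.

```python
import re
from typing import Dict, List, Set

# Constructed "show log-collector connected" output. Row one is the healthy
# collector from the post; row two is invented to show a failure.
SAMPLE = """\
Serial          CID  Hostname    Connected  Config Status  SW Version  IPv4 - IPv6
---------------------------------------------------------------------------------
003001001234    4    PA_M100-01  yes        In Sync        8.0.4       172.18.1.100 - unknown
Redistribution status: none
Last commit-all: commit succeeded, current ring version 2
SearchEngine status: Active
Certificate expiry at: none
Connected at: none
Custom certificate Used: no
003001005678    6    PA_M100-03  no         Out of Sync    7.1.10      172.18.1.102 - unknown
Redistribution status: none
Last commit-all: none, current ring version 1
SearchEngine status: Inactive
Connected at: none
"""

# One collector row: serial, CID, hostname, yes/no, a multi-word status,
# a dotted version, IPv4, '-', IPv6.
_ROW = re.compile(
    r"^(?P<serial>\d{12})\s+(?P<cid>\d+)\s+(?P<host>\S+)\s+(?P<connected>yes|no)\s+"
    r"(?P<status>.+?)\s+(?P<version>\d+\.\d+(?:\.\d+)?)\s+(?P<ipv4>\S+)\s+-\s+(?P<ipv6>\S+)$"
)


def parse_log_collectors(output: str) -> List[Dict]:
    """Return one dict per collector; 'key: value' lines after a row go into details."""
    collectors: List[Dict] = []
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        m = _ROW.match(line)
        if m:
            current = m.groupdict()
            current["details"] = {}
            collectors.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current["details"][key.strip()] = value.strip()
    return collectors


def collector_issues(collector: Dict) -> List[str]:
    issues = []
    if collector["connected"] != "yes":
        issues.append("disconnected")
    if collector["status"] != "In Sync":
        issues.append(f"config status is '{collector['status']}'")
    if collector["details"].get("SearchEngine status", "Active") != "Active":
        issues.append("search engine not active")
    return issues


def collectors_needing_attention(output: str) -> Dict[str, List[str]]:
    flagged: Dict[str, List[str]] = {}
    for collector in parse_log_collectors(output):
        issues = collector_issues(collector)
        if issues:
            flagged[collector["serial"]] = issues
    return flagged


def software_versions(output: str) -> Set[str]:
    """More than one version in the set means collectors are on mixed releases."""
    return {c["version"] for c in parse_log_collectors(output)}


if __name__ == "__main__":
    for serial, issues in collectors_needing_attention(SAMPLE).items():
        print(f"ALERT log collector {serial}: {'; '.join(issues)}")
    if len(software_versions(SAMPLE)) > 1:
        print(f"WARN mixed collector versions: {sorted(software_versions(SAMPLE))}")
```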

Check supported ciphers on load balancer members and detect weak/vulnerable ones. This one will need some bash scripting using the openssl commands.


Device/Make/Model: F5 devices
Operating system: TMOS

Remediation steps: Investigate use of vulnerable script on the server side.

Make an optional/best-practice alert for SSL ciphers/protocols. For instance, use of TLS1.0/1.1.


Device/Make/Model: F5 devices
Operating system: TMOS

Remediation steps: Unless clients use really old browsers, remove support for TLS1.0, TLS1.1.

Command: Existing scripts can be modified to handle this.
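Worked example covering this post and the preceding one about weak ciphers, added here (not the posters' scripts and not Indeni's own rules). The posts suggest bash around the openssl commands; this version does the parsing in Python: it classifies lines in the format of `openssl ciphers -v` (weak encryption, MD5 MAC, anonymous key exchange, export grade, no forward secrecy) and reads the `options { ... }` line of a client-ssl profile to report which legacy protocols are still enabled. The cipher lines and the profile are constructed samples; the mapping of option keywords (`no-sslv3`, `no-tlsv1`, `no-tlsv1_1`, `no-tlsv1_2`) to protocols is an assumption about the profile syntax.

```python
import re
from typing import Dict, List, Set

# Constructed lines in the format of `openssl ciphers -v 'ALL:COMPLEMENTOFALL'`:
# name, minimum protocol, Kx=, Au=, Enc=, Mac=, optional trailing "export".
CIPHER_LINES = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)    Mac=SHA1
RC4-SHA                     SSLv3   Kx=RSA      Au=RSA  Enc=RC4(128)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA      Au=RSA  Enc=3DES(168)   Mac=SHA1
AECDH-AES128-SHA            TLSv1   Kx=ECDH     Au=None Enc=AES(128)    Mac=SHA1
EXP-RC4-MD5                 SSLv3   Kx=RSA(512) Au=RSA  Enc=RC4(40)     Mac=MD5  export
"""

WEAK_ENC_TOKENS = ("RC4", "DES", "RC2", "IDEA", "SEED", "None")


def cipher_weaknesses(line: str) -> List[str]:
    """Reasons a single `openssl ciphers -v` line should be flagged (empty = fine)."""
    fields = line.split()
    name, attrs = fields[0], {}
    for field in fields[2:]:
        if "=" in field:
            key, value = field.split("=", 1)
            attrs[key] = value
    reasons = []
    enc = attrs.get("Enc", "")
    if any(token in enc for token in WEAK_ENC_TOKENS):
        reasons.append(f"weak cipher {enc}")
    if attrs.get("Mac") == "MD5":
        reasons.append("MD5 MAC")
    if attrs.get("Au") == "None":
        reasons.append("anonymous key exchange")
    if "export" in fields or name.startswith("EXP-"):
        reasons.append("export grade")
    if not attrs.get("Kx", "").startswith(("ECDH", "DH")):
        reasons.append("no forward secrecy")
    return reasons


def weak_ciphers(cipher_output: str) -> Dict[str, List[str]]:
    findings: Dict[str, List[str]] = {}
    for line in cipher_output.splitlines():
        if line.strip():
            reasons = cipher_weaknesses(line)
            if reasons:
                findings[line.split()[0]] = reasons
    return findings


# Constructed client-ssl profile as `tmsh list ltm profile client-ssl` prints it.
CLIENT_SSL_PROFILE = """\
ltm profile client-ssl /Common/legacy-clientssl {
    ciphers DEFAULT
    options { dont-insert-empty-fragments no-sslv3 }
}
"""

ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
# Assumed mapping of profile option keywords to the protocol each one disables.
DISABLE_OPTIONS = {"no-sslv3": "SSLv3", "no-tlsv1": "TLSv1",
                   "no-tlsv1_1": "TLSv1.1", "no-tlsv1_2": "TLSv1.2"}


def enabled_protocols(profile_text: str) -> Set[str]:
    m = re.search(r"options\s*\{([^}]*)\}", profile_text)
    options = m.group(1).split() if m else []
    disabled = {DISABLE_OPTIONS[o] for o in options if o in DISABLE_OPTIONS}
    return ALL_PROTOCOLS - disabled


def legacy_protocols_enabled(profile_text: str) -> Set[str]:
    return enabled_protocols(profile_text) & LEGACY_PROTOCOLS


if __name__ == "__main__":
    for name, reasons in weak_ciphers(CIPHER_LINES).items():
        print(f"{name}: {', '.join(reasons)}")
    print("legacy protocols enabled:", sorted(legacy_protocols_enabled(CLIENT_SSL_PROFILE)))
```

The `ciphers` string of a client-ssl profile can be expanded with `openssl ciphers -v '<that string>'` to get lines in the format above, with the caveat that the TMOS cipher syntax is OpenSSL-like but not identical, so a name the local openssl does not know will be dropped silently. "no forward secrecy" is reported as a finding rather than a hard failure, which matches the optional/best-practice alert the post asks for.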


Make an alert for F5 Virtual addresses that are not associated with a listener.


Device/Make/Model: F5 devices
Operating system: TMOS
Remediation steps: Remove the Virtual IP
Command or method: tmsh list ltm rule

Output: List virtual servers with tmsh list ltm virtual and then compare that to tmsh list ltm virtual address.
Remediation steps: Remove the orphaned virtual address
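Worked example of the comparison this post describes, added here (not the poster's script and not Indeni's own rule): collect the `destination` of every object in `tmsh list ltm virtual`, strip partition and port, and report every object in `tmsh list ltm virtual-address` whose address no listener uses. Both listings are constructed samples; the IPv6 virtual is included because TMOS separates an IPv6 address from its port with a dot rather than a colon, which a naive split on ":" gets wrong.

```python
import re
from typing import Dict, List, Set

# Constructed `tmsh list ltm virtual` output (only the fields the check reads).
VIRTUALS = """\
ltm virtual /Common/vs_web {
    destination /Common/10.0.0.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/pool_web
}
ltm virtual /Common/vs_dns {
    destination /Common/10.0.0.53:53
    ip-protocol udp
}
ltm virtual /Common/vs_web_v6 {
    destination /Common/2001:db8::1.443
    ip-protocol tcp
}
"""

# Constructed `tmsh list ltm virtual-address` output; 10.0.0.99 has no listener.
VIRTUAL_ADDRESSES = """\
ltm virtual-address /Common/10.0.0.10 {
    address 10.0.0.10
    mask 255.255.255.255
}
ltm virtual-address /Common/10.0.0.53 {
    address 10.0.0.53
}
ltm virtual-address /Common/2001:db8::1 {
    address 2001:db8::1
}
ltm virtual-address /Common/10.0.0.99 {
    address 10.0.0.99
}
"""


def destination_address(destination: str) -> str:
    """/Common/10.0.0.10:443 -> 10.0.0.10; /Common/2001:db8::1.443 -> 2001:db8::1."""
    value = destination.rsplit("/", 1)[-1]      # drop the partition prefix
    if value.count(":") > 1:                     # IPv6 literal: port follows a '.'
        return value.rsplit(".", 1)[0]
    return value.rsplit(":", 1)[0]               # IPv4: port follows a ':'


def listener_addresses(virtual_output: str) -> Set[str]:
    destinations = re.findall(r"^\s*destination\s+(\S+)", virtual_output, re.M)
    return {destination_address(d) for d in destinations}


def configured_virtual_addresses(va_output: str) -> Dict[str, str]:
    """Map virtual-address object name -> address, in listing order."""
    names = re.findall(r"^ltm virtual-address (\S+) \{", va_output, re.M)
    addrs = re.findall(r"^\s*address\s+(\S+)", va_output, re.M)
    return dict(zip(names, addrs))


def orphaned_virtual_addresses(virtual_output: str, va_output: str) -> List[str]:
    listeners = listener_addresses(virtual_output)
    return sorted(name for name, addr in configured_virtual_addresses(va_output).items()
                  if addr not in listeners)


if __name__ == "__main__":
    for name in orphaned_virtual_addresses(VIRTUALS, VIRTUAL_ADDRESSES):
        print(f"ALERT orphaned virtual address {name}: no virtual server listens on it")
```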


Make an optional alert for F5 systems that are rejecting packets rather than dropping them for packets destined for destinations that do not match a listener.


Device/Make/Model: F5 devices
Operating system: TMOS

Command: tmsh list sys db tm.rejectunmatched

Remediation steps: modify sys db tm.rejectunmatched false


Check if the device time zone matches on both vCMP host and its guests.


Device/Make/Model: F5 devices
Operating system: TMOS
Remediation steps: Configure the same time zone for the host and the guests


This data is already in the db.

Device/Make/Model: F5 devices
Operating system: TMOS
Remediation steps: Check if there are unencrypted archives saved on a device default backup location and warn about it (it could contain SSL keys). This is applicable for at least F5.
Command: curl -sku admin:admin https://localhost/mgmt/tm/sys/ucs
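Worked example of the archive check, added here (not the poster's script and not Indeni's own rule): parse the JSON that the `/mgmt/tm/sys/ucs` request in the post returns and list every archive that is not marked encrypted. The response body is a constructed sample; the shape assumed here is that each item carries its attributes under `apiRawValues` with a `filename`, an `encrypted` yes/no flag and a `file_size` of the form `<bytes> (in bytes)`. An archive with no `encrypted` attribute at all is treated as unencrypted, because a UCS file holds the configuration and its private keys and the safe default is to warn.

```python
import json
from typing import Dict, List

# Constructed response in the assumed shape of GET /mgmt/tm/sys/ucs.
UCS_RESPONSE = json.dumps({
    "kind": "tm:sys:ucs:ucscollectionstate",
    "items": [
        {"kind": "tm:sys:ucs:ucsstate",
         "apiRawValues": {"filename": "/var/local/ucs/weekly-2017-09-03.ucs",
                          "encrypted": "no", "file_size": "52428800 (in bytes)",
                          "created": "2017-09-03 02:00:11", "version": "12.1.2"}},
        {"kind": "tm:sys:ucs:ucsstate",
         "apiRawValues": {"filename": "/var/local/ucs/pre-upgrade.ucs",
                          "encrypted": "yes", "file_size": "52430000 (in bytes)",
                          "created": "2017-08-28 18:21:40", "version": "12.1.2"}},
        {"kind": "tm:sys:ucs:ucsstate",
         "apiRawValues": {"filename": "/var/local/ucs/unknown.ucs",
                          "file_size": "1048576 (in bytes)"}},
    ],
})


def list_archives(response_text: str) -> List[Dict[str, str]]:
    """Attribute dicts of every archive in the response (empty list if none)."""
    data = json.loads(response_text)
    return [item.get("apiRawValues", {}) for item in data.get("items", [])]


def archive_size_mb(raw_size: str) -> float:
    """file_size is reported as '<bytes> (in bytes)'; keep the leading integer."""
    return int(raw_size.split()[0]) / (1024 * 1024)


def unencrypted_archives(response_text: str) -> List[str]:
    """Filenames whose encrypted flag is anything other than 'yes'."""
    return [a.get("filename", "<unnamed>") for a in list_archives(response_text)
            if a.get("encrypted", "no").lower() != "yes"]


def archive_report(response_text: str) -> List[str]:
    lines = []
    for a in list_archives(response_text):
        state = "encrypted" if a.get("encrypted", "no").lower() == "yes" else "UNENCRYPTED"
        size = archive_size_mb(a["file_size"]) if "file_size" in a else 0.0
        lines.append(f"{state:11} {size:8.1f} MB  {a.get('filename', '<unnamed>')}")
    return lines


if __name__ == "__main__":
    for line in archive_report(UCS_RESPONSE):
        print(line)
    for name in unencrypted_archives(UCS_RESPONSE):
        print(f"WARN unencrypted archive on box: {name}")
```

The `curl -sku admin:admin` form in the post works for a quick test; an automation rule should use a dedicated read-only account and not embed the admin password in the script.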

Make optional alert for iRules containing log local0. commands on F5 devices.


Device/Make/Model: F5 devices
Operating system: TMOS
Remediation steps:
Command or method: tmsh list ltm rule

Output: Scan for usage of log local0.
Remediation steps: Remove the log local0. line and suggest using HSL instead to avoid cluttering the local log files.


Check if the device time zone matches on both Checkpoint host and its guests.

Device/Make/Model: Checkpoint virtual machines (equivalent to vCMP)
Operating system: Gaia?
Remediation steps: Configure the same time zone for the host and the guests


This data is already in the db.

Check expiring/expired certificates on load balancer members. This one will need some bash scripting using the openssl commands.


Device/Make/Model: F5 devices
Operating system: TMOS

Remediation steps: Investigate use of expiring/expired certificates on load balancer members.
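Worked example for this post, added here (not the poster's script and not Indeni's own rule). The post suggests bash around openssl; the parsing half is shown in Python: take the `notAfter=...` line that `openssl x509 -noout -enddate` prints for a member's certificate (the posts's bash step would obtain it with `openssl s_client -connect host:port | openssl x509 -noout -enddate`), turn it into a date, and classify each member as expired, expiring within the warning window, or fine. The member names and the `notAfter` strings are constructed samples, and the reference "now" is fixed so the result is reproducible.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed `openssl x509 -noout -enddate` output per load balancer member.
MEMBER_ENDDATES = {
    "10.0.1.11:443": "notAfter=Aug 25 17:07:55 2027 GMT",
    "10.0.1.12:443": "notAfter=Sep 30 08:00:00 2017 GMT",
    "10.0.1.13:443": "notAfter=Aug  1 00:00:00 2017 GMT",
}

# Fixed reference time so the sample classification is reproducible.
NOW = datetime(2017, 9, 8, 11, 44, 14, tzinfo=timezone.utc)


def parse_not_after(enddate_line: str) -> datetime:
    """'notAfter=Aug 25 17:07:55 2027 GMT' -> aware UTC datetime."""
    _, _, value = enddate_line.strip().partition("=")
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def classify(enddate_line: str, now: datetime = NOW, warn_days: int = 30) -> Tuple[str, int]:
    """Return (state, days_left) where state is 'expired', 'expiring' or 'ok'."""
    not_after = parse_not_after(enddate_line)
    days_left = (not_after - now).days
    if not_after <= now:
        return "expired", days_left
    if not_after - now <= timedelta(days=warn_days):
        return "expiring", days_left
    return "ok", days_left


def certificate_findings(enddates: Dict[str, str], now: datetime = NOW,
                         warn_days: int = 30) -> Dict[str, List[str]]:
    """Members grouped by state; 'ok' members are omitted from the findings."""
    findings: Dict[str, List[str]] = {"expired": [], "expiring": []}
    for member, line in sorted(enddates.items()):
        state, days_left = classify(line, now, warn_days)
        if state != "ok":
            findings[state].append(f"{member} ({days_left} days)")
    return findings


if __name__ == "__main__":
    for state, members in certificate_findings(MEMBER_ENDDATES).items():
        for member in members:
            print(f"{state.upper()}: {member}")
```

`%Z` in `strptime` accepts "GMT" but does not attach a zone, hence the explicit `replace(tzinfo=timezone.utc)`; comparing a naive `notAfter` with an aware `now` would raise. Day counts are truncated, so a certificate expiring later today shows as 0 days but still classifies as expiring, not expired.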

Optional check: Scan for unused iRules.


Device/Make/Model: F5 devices

Operating system: TMOS

Command: tmsh list ltm rule and compare it to the LTM configuration. If the count of each iRule is 1, alert.

Remediation steps: Remove unused iRule

Optional check: Scan for unused Client SSL Profiles

Device/Make/Model: F5 devices

Operating system: TMOS

Command: tmsh list ltm profile client-ssl and compare it to the LTM configuration. If the count of each profile is 1, alert.

Remediation steps: Remove unused Client SSL Profiles

Make an alert for if iRules are nearing the 1500 character limit.


Device/Make/Model: F5 devices

Operating system: TMOS

Command: tmsh list ltm rule
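Worked example serving this post and the three earlier F5 posts that all start from `tmsh list ltm rule` (iRules logging to `local0.`, unused iRules, unused Client SSL profiles), added here as a single script because they share one parser (not the posters' scripts and not Indeni's own rules). The parser splits `tmsh list` output into objects by tracking brace depth, which is what makes iRule bodies with their own nested Tcl braces survive intact; the checks then look for `log local0.` lines, count references from virtual servers to find unused rules and profiles, and flag rule bodies approaching a size limit. The configuration is a constructed sample; the 1500-character figure is the one stated in the post and is used here only as the default threshold.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed `tmsh list` output covering rules, one virtual and two client-ssl profiles.
TMSH_CONFIG = """\
ltm rule /Common/irule_redirect {
when HTTP_REQUEST {
    if { [HTTP::host] eq "old.example.com" } {
        log local0. "redirecting [IP::client_addr]"
        HTTP::redirect "https://new.example.com[HTTP::uri]"
    }
}
}
ltm rule /Common/irule_unused {
when CLIENT_ACCEPTED {
    HSL::send $hsl "client accepted"
}
}
ltm virtual /Common/vs_web {
    destination /Common/10.0.0.10:443
    profiles {
        /Common/clientssl_web {
            context clientside
        }
        /Common/http { }
    }
    rules {
        /Common/irule_redirect
    }
}
ltm profile client-ssl /Common/clientssl_web {
    ciphers DEFAULT
}
ltm profile client-ssl /Common/clientssl_old {
    ciphers DEFAULT
}
"""

_START = re.compile(r"^(ltm (?:rule|virtual|profile client-ssl)) (\S+) \{$")
Objects = Dict[Tuple[str, str], str]


def parse_tmsh_objects(text: str) -> Objects:
    """Split `tmsh list` output into {(kind, name): body} by tracking brace depth."""
    objects: Objects = {}
    kind = name = None
    depth, body = 0, []
    for line in text.splitlines():
        if kind is None:
            m = _START.match(line.strip())
            if m:
                kind, name, depth, body = m.group(1), m.group(2), 1, []
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0:                      # closing brace of the object itself
            objects[(kind, name)] = "\n".join(body)
            kind = name = None
        else:
            body.append(line)
    return objects


def of_kind(objects: Objects, kind: str) -> Dict[str, str]:
    return {name: body for (k, name), body in objects.items() if k == kind}


def rules_logging_to_local0(objects: Objects) -> Dict[str, List[int]]:
    """Rule name -> body line numbers (1-based) that log to local0."""
    hits: Dict[str, List[int]] = {}
    for name, body in of_kind(objects, "ltm rule").items():
        lines = [i for i, l in enumerate(body.splitlines(), 1) if re.search(r"\blog\s+local0\.", l)]
        if lines:
            hits[name] = lines
    return hits


def referenced_objects(objects: Objects) -> Set[str]:
    """Every /partition/name token that appears inside a virtual server's body."""
    refs: Set[str] = set()
    for body in of_kind(objects, "ltm virtual").values():
        refs.update(re.findall(r"/[^\s{}]+", body))
    return refs


def unused_objects(objects: Objects, kind: str) -> List[str]:
    refs = referenced_objects(objects)
    return sorted(name for name in of_kind(objects, kind) if name not in refs)


def oversized_rules(objects: Objects, limit: int = 1500, warn_fraction: float = 0.9) -> Dict[str, int]:
    """Rule name -> body length for rules at or above warn_fraction of the limit."""
    return {name: len(body) for name, body in of_kind(objects, "ltm rule").items()
            if len(body) >= limit * warn_fraction}


if __name__ == "__main__":
    objs = parse_tmsh_objects(TMSH_CONFIG)
    print("log local0. usage:", rules_logging_to_local0(objs))
    print("unused iRules:", unused_objects(objs, "ltm rule"))
    print("unused client-ssl profiles:", unused_objects(objs, "ltm profile client-ssl"))
    print("rules near size limit:", oversized_rules(objs))
```

Reference counting by `/partition/name` tokens inside virtual server bodies is deliberately broad: it also catches a profile or rule named inside an iRule-less `profiles { }` stanza, but it does not see rules attached by other means (for example referenced from another iRule), so "unused" findings stay optional alerts, as the posts propose.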

Alert if mcpd logging is set to debug. Forgetting this setting can cause system degradation if there's a lot of logging.


Optional check: Scan for unused Client SSL Profiles

Device/Make/Model: F5 devices

Operating system: TMOS

Remediation steps: To revert to the default setting: tmsh modify sys db log.mcpd.level value notice
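Worked example serving this post and the earlier `tm.rejectunmatched` post, added here as one script because both are checks of a `sys db` value against an expected setting (not the posters' scripts and not Indeni's own rules): parse the `value "..."` stanzas that `tmsh list sys db <key>` prints, compare each against the expected value, and emit the restoring command. The listing is a constructed sample; the `value` keyword form of the `modify sys db` command is used for both fixes.

```python
import re
from typing import Dict, List, Tuple

# Constructed `tmsh list sys db tm.rejectunmatched log.mcpd.level` output,
# showing both keys in their undesirable state.
SYS_DB_OUTPUT = """\
sys db tm.rejectunmatched {
    value "true"
}
sys db log.mcpd.level {
    value "debug"
}
"""

# key -> (expected value, command that restores it)
EXPECTED = {
    "tm.rejectunmatched": ("false", "tmsh modify sys db tm.rejectunmatched value false"),
    "log.mcpd.level": ("notice", "tmsh modify sys db log.mcpd.level value notice"),
}

Finding = Tuple[str, str, str, str]   # key, current value, expected value, fix


def parse_sys_db(output: str) -> Dict[str, str]:
    """Map each listed sys db key to its quoted value."""
    return dict(re.findall(r'^sys db (\S+) \{\s*value "([^"]*)"', output, re.M))


def sys_db_findings(values: Dict[str, str], expected: Dict[str, Tuple[str, str]] = EXPECTED) -> List[Finding]:
    findings: List[Finding] = []
    for key, (want, fix) in expected.items():
        have = values.get(key)
        if have is None:
            findings.append((key, "<not returned>", want, fix))
        elif have.lower() != want:
            findings.append((key, have, want, fix))
    return findings


if __name__ == "__main__":
    for key, have, want, fix in sys_db_findings(parse_sys_db(SYS_DB_OUTPUT)):
        print(f"ALERT {key} is '{have}', expected '{want}'. Fix: {fix}")
```

Two notes on the semantics: `tm.rejectunmatched` set to true sends RST/ICMP unreachable for traffic that matches no listener, which tells a scanner which ports are live, so dropping (false) is the quieter default; `log.mcpd.level` at debug is a performance problem more than a security one, and a key that is absent from the output is reported rather than assumed to be fine.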

Device Make/Model

  • All - CheckPoint

Operating System

  • GAiA

Description

  • WebUI webserver not running

Remediation Steps

  • The web server for the WebUI is not running. Please review /var/log/messages.

Command or Method

  • ps aux|grep http

Output Example

admin 5062 0.0 0.1 13428 6528 ? Ss Apr08 0:00 /web/cpshared/web/Apache/2.2.0/bin/httpd2 -k start -f /web/conf/httpd2.conf -D FOREGROUND
nobody 6043 0.0 0.0 13584 4492 ? S Apr08 0:00 /web/cpshared/web/Apache/2.2.0/bin/httpd2 -k start -f /web/conf/httpd2.conf -D FOREGROUND
nobody 6044 0.0 0.0 13584 4616 ? S Apr08 0:00 /web/cpshared/web/Apache/2.2.0/bin/httpd2 -k start -f /web/conf/httpd2.conf -D FOREGROUND
nobody 10759 0.0 0.0 13584 4472 ? S Apr08 0:00 /web/cpshared/web/Apache/2.2.0/bin/httpd2 -k start -f /web/conf/httpd2.conf -D FOREGROUND
nobody 10831 0.0 0.0 13584 4464 ? S Apr08 0:00 /web/cpshared/web/Apache/2.2.0/bin/httpd2 -k start -f /web/conf/httpd2.conf -D FOREGROUND

Output Expectations

  • If no httpd2 is running, alert
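Worked example of the process check in this post, added here (not the poster's script and not Indeni's own rule): parse `ps aux | grep http` output, keep only processes whose executable is `httpd2`, and alert when none is left. The sample lines are constructed in the shape of the post's output; the `grep http` line is included on purpose because a pipeline that greps for "http" always matches its own grep process, so a check that only tests for non-empty output would never fire.

```python
import os
from typing import Dict, List, Optional

# Constructed `ps aux | grep http` output: a master and one worker, plus the
# grep itself (which always matches and must be ignored).
PS_OUTPUT = """\
admin     5062  0.0  0.1  13428  6528 ?  Ss  Apr08  0:00 /web/cpshared/web/Apache/2.2.0/bin/httpd2 -k start -f /web/conf/httpd2.conf -D FOREGROUND
nobody    6043  0.0  0.0  13584  4492 ?  S   Apr08  0:00 /web/cpshared/web/Apache/2.2.0/bin/httpd2 -k start -f /web/conf/httpd2.conf -D FOREGROUND
admin    22841  0.0  0.0   4512   824 pts/0 S+ 10:15  0:00 grep http
"""

# Same command on a box where the WebUI server is not running: only the grep matches.
PS_OUTPUT_DOWN = "admin    22842  0.0  0.0   4512   824 pts/0 S+ 10:16  0:00 grep http\n"


def httpd2_processes(ps_output: str) -> List[Dict[str, str]]:
    """Rows of `ps aux` whose executable basename is httpd2."""
    procs = []
    for line in ps_output.splitlines():
        fields = line.split(None, 10)       # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        if len(fields) < 11:
            continue
        command = fields[10]
        if os.path.basename(command.split()[0]) != "httpd2":
            continue                        # drops the grep and anything else mentioning http
        procs.append({"user": fields[0], "pid": fields[1], "stat": fields[7], "command": command})
    return procs


def webui_running(ps_output: str) -> bool:
    return len(httpd2_processes(ps_output)) > 0


def webui_finding(ps_output: str) -> Optional[str]:
    """Alert text, or None when the web server is up with a master process."""
    procs = httpd2_processes(ps_output)
    if not procs:
        return "WebUI web server (httpd2) is not running; review /var/log/messages"
    if not any(p["stat"].startswith("Ss") for p in procs):
        return "httpd2 workers found but no session-leader (master) process; check for a crashed parent"
    return None


if __name__ == "__main__":
    for sample in (PS_OUTPUT, PS_OUTPUT_DOWN):
        print(webui_finding(sample) or "WebUI OK: %d httpd2 processes" % len(httpd2_processes(sample)))
```

Matching on the executable's basename rather than on the substring "http" is the whole point: it keeps the check honest on a box where only the grep line comes back, and it ignores unrelated processes whose arguments happen to contain an http:// URL.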

Hey, I just created an alert suggestion and posted it under Cisco Systems.

Check virtual server state

Device/Make/Model: F5 devices
Operating system: TMOS
Command: /mgmt/tm/ltm/virtual
Description: All pools connected to this virtual server seem to be down.

Remediation steps: Investigate why the pools have failed and solve the issue.
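Worked example of this check, added here (not the poster's script and not Indeni's own rule): read the virtual server list from the `/mgmt/tm/ltm/virtual` endpoint named in the post, look up the members of each virtual server's default pool, and report the virtual servers whose pool has members but none of them up. All responses are constructed samples, and the shapes are assumptions: virtual items with `fullPath` and `pool`, and pool member items (from `/mgmt/tm/ltm/pool/<name>/members`) with `fullPath`, `state` and `session`. A virtual server without a default pool (served entirely by an iRule) is skipped rather than reported, and a pool with no members at all is reported separately because it is a configuration gap, not a failure.

```python
import json
from typing import Callable, Dict, List

# Constructed GET /mgmt/tm/ltm/virtual response (assumed shape).
VIRTUALS = json.dumps({"items": [
    {"fullPath": "/Common/vs_web", "pool": "/Common/pool_web"},
    {"fullPath": "/Common/vs_api", "pool": "/Common/pool_api"},
    {"fullPath": "/Common/vs_empty", "pool": "/Common/pool_empty"},
    {"fullPath": "/Common/vs_redirect"},               # no pool: iRule-only virtual
]})

# Constructed GET /mgmt/tm/ltm/pool/<name>/members responses (assumed shape).
POOL_MEMBERS = {
    "/Common/pool_web": json.dumps({"items": [
        {"fullPath": "/Common/10.0.1.11:80", "state": "down", "session": "monitor-enabled"},
        {"fullPath": "/Common/10.0.1.12:80", "state": "down", "session": "monitor-enabled"},
    ]}),
    "/Common/pool_api": json.dumps({"items": [
        {"fullPath": "/Common/10.0.2.11:8080", "state": "up", "session": "monitor-enabled"},
        {"fullPath": "/Common/10.0.2.12:8080", "state": "down", "session": "user-disabled"},
    ]}),
    "/Common/pool_empty": json.dumps({"items": []}),
}


def member_states(members_text: str) -> List[Dict]:
    items = json.loads(members_text).get("items", [])
    return [{"name": m.get("fullPath", "?"),
             "up": m.get("state") == "up",
             "disabled": m.get("session", "").startswith("user-disabled")} for m in items]


def pool_is_down(members_text: str) -> bool:
    """True only when the pool has members and not one of them is up."""
    members = member_states(members_text)
    return bool(members) and not any(m["up"] for m in members)


def virtuals_with_pool_down(virtuals_text: str,
                            fetch_members: Callable[[str], str]) -> Dict[str, str]:
    """Virtual server fullPath -> pool fullPath for virtuals whose pool is fully down."""
    down: Dict[str, str] = {}
    for v in json.loads(virtuals_text).get("items", []):
        pool = v.get("pool")
        if pool and pool_is_down(fetch_members(pool)):
            down[v["fullPath"]] = pool
    return down


def virtuals_with_empty_pool(virtuals_text: str,
                             fetch_members: Callable[[str], str]) -> List[str]:
    return sorted(v["fullPath"] for v in json.loads(virtuals_text).get("items", [])
                  if v.get("pool") and not member_states(fetch_members(v["pool"])))


def fetch_from_samples(pool: str) -> str:
    """Stand-in for the REST call; returns the constructed member list."""
    return POOL_MEMBERS.get(pool, '{"items": []}')


if __name__ == "__main__":
    for vs, pool in virtuals_with_pool_down(VIRTUALS, fetch_from_samples).items():
        print(f"ALERT {vs}: all members of {pool} are down")
    for vs in virtuals_with_empty_pool(VIRTUALS, fetch_from_samples):
        print(f"WARN {vs}: default pool has no members")
```

`vs_api` is not reported even though one member is down, because the other member is up; the disabled member is carried in `member_states` so a richer rule could distinguish "down because disabled by an admin" from "down because the monitor failed".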

Maybe this is already in the rules section, but I could not find it when doing a quick search. I'd like to see a comparison between capabilities of cluster members. This is normally not a problem for hardware, but for virtual appliances it could be a nasty surprise waiting to happen if different amounts of resources have been assigned to the cluster members.

Just imagine the active device having 8 cores and 16GB in memory while the peer has half. Then, a dark ominous evening during peak hours they fail over.