Suggest an automation script

Patrik_Jonsson · November 2, 2017, 9:39pm

Check the TMM log for TCL exceptions.

Device Make/Model

F5 Networks

Operating System

Any TMOS version

Description

TCL exceptions detected

Remediation Steps

Examine the error message and fix the iRule in question.

Command or Method

cat /var/log/ltm

Output Example

Aug 11 06:30:09 slot1/PRD err tmm[19587]: 01220001:3: TCL error: /Common/VanityIRule - Could not find class VURL_google (line 3) invoked from within "class match -value [string tolower [HTTP::uri]] equals VURL_[string tolower [HTTP::host]]"

Patrik_Jonsson · November 27, 2017, 3:59am

Some more contact options would be awesome.

Examples:

Slack
Hipchat
Telegram
Prowl

/Patrik

Johnathan_Browall_No · January 3, 2018, 8:13am

Device Make/Model

BIGIP F5 LTM

Operating System

tmos

Description

Apache Tomcat has run out of memory

Remediaion Steps

To mitigate receiving this message, you can use the provision.tomcat.extramb database variable to increase the maximum amount of Java virtual memory available to the tomcat process
See more details in F5 article https://support.f5.com/csp/article/K9719

Command or Method

Check file /var/log/tomcat/catalina.out for usage of string: java.lang.OutOfMemoryError

Output Example

java.lang.OutOfMemoryError

Output Expectations

Patrik_Jonsson · January 3, 2018, 8:18am

F5: Create an alert for usage of ciphers vulnerable to ROBOT.

https://support.f5.com/csp/article/K21905460

Johnathan_Browall_No · January 3, 2018, 8:19am

Device Make/Model

BIGIP F5 LTM

Operating System

tmos

Description

Clock advanced by <number> ticks

Remediaion Steps

Check for high resource usage
See https://support.f5.com/csp/article/K10095

Command or Method

cat /var/log/ltm for entries of

Output Example

01010029:5: Clock advanced by 518 ticks

Output Expectations

any line with "Clock advanced by [0-9]+ ticks"

Patrik_Jonsson · January 3, 2018, 8:21am

F5: Warn user if their hardware is too weak to support the next major version.

https://support.f5.com/csp/article/K9476

/Patrik

Patrik_Jonsson · January 3, 2018, 8:24am

F5: Warn user if the iRules is not CMP compatible.

https://support.f5.com/csp/article/K13033

/Patrik

Johnathan_Browall_No · January 3, 2018, 8:30am

Device Make/Model

BIG IP F5 LTM

Operating System

tmos

Description

An HTTP monitor send string does not end with the required CR/LF sequence

Remediaion Steps

Make sure that all monitors ends with the CR/LF sequence
more info here: https://support.f5.com/csp/article/K2167

Command or Method

Check all bigip.conf and check if monitors end with this sequence.

Output Example

send "GET /health-monitor/en/ HTTP/1.1\r\nHost:app.site.com\r\nUser-agent: Mozilla/5.0 (something;Windows NT 6.1;)\r\n\r\n"

Output Expectations

any send string that does not end with \r\n\r\n

Johnathan_Browall_No · January 3, 2018, 12:51pm

Device Make/ModelCheck Point, all HW
Operating SystemGaia
DescriptionRead errors from disk
Remediaion StepsRMA the appliance
Command or Methoddmesg
Output Example

ata1.00: status: { DRDY ERR } ata1.00: error: { UNC } ata1.00: configured for UDMA/133 ata1: EH complete ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0 ata1.00: BMDMA stat 0x25 ata1.00: cmd c8/00:08:60:ef:b3/00:00:00:00:00/e5 tag 0 dma 4096 in res 51/40:03:65:ef:b3/00:00:00:00:00/05 Emask 0x9 (media error) sd 0:0:0:0: SCSI error: return code = 0x08000002 sda: Current [descriptor]: sense key: Medium Error Add. Sense: Unrecovered read error - auto reallocate failed

Descriptor sense data with sense descriptors (in hex):
72 03 11 04 00 00 00 0c 00 0a 80 00 00 00 00 00
05 b3 ef 65
end_request: I/O error, dev sda, sector 95678309
ata1: EH complete
SCSI device sda: 625142448 512-byte hdwr sectors (320073 MB)
sda: Write Protect is off
sda: Mode Sense: 00 3a 00 00
SCSI device sda: drive cache: write back
SCSI device sda: 625142448 512-byte hdwr sectors (320073 MB)
sda: Write Protect is off
sda: Mode Sense: 00 3a 00 00
SCSI device sda: drive cache: write back

- Output Expectations
  alert on for example I/O error

Sergei_Chernooki · January 6, 2018, 8:29am

Hi all,

I noticed a brief discussion on Cisco NGFW last November and can propose a smart solution.

Device Make/Model - Cisco Firepower
Operating System - Linux-based
Description - CPU and memory monitor
Remediaion Steps - user top command to obtain real-time data, produce alerts when limits esceeded (especially swap spase usage).
Command or Method - top command on Linux console
Output Example - not needed I guess
Output Expectations - custom limits should be set for analysis.

To get access to NGFW console you should SSH to the ASA, then issue session sfr console command, authenticate (credentials usually different from ASA console) and switch to expert mode.

Johnathan_Browall_No · January 13, 2018, 7:13am

Device Make/ModelCheck point - all appliances
Operating SystemGaia
DescriptionNetwork interface hang
Remediaion StepsContact check point support
Command or Methoddmesg
Output Example

e1000e 0000:04:00.0: eth2: Detected Hardware Unit Hang:

TDH <369>

TDT <36b>

next_to_use <36b>

next_to_clean <369>

buffer_info[next_to_clean]:

time_stamp <8024cc2e>

next_to_watch <369>

jiffies <8024d2b4>

next_to_watch.status <0>

MAC Status <80783>

PHY Status <796d>

PHY 1000BASE-T Status <3800>

PHY Extended Status <3000>

PCI Status <10>

- Output Expectations

Rakesh_Rawat · February 23, 2018, 11:57am

...

Arun_David_Johnson_R · March 15, 2018, 5:51pm

Device Make/Model
- F5
Description
- License expiring nearing rule not updating/generating the alert.

Arun_David_Johnson_R · March 15, 2018, 5:54pm

Device Make/Model
- F5
Description
- License expiring nearing rule not updating/generating the alert.

immortalsolitude · January 8, 2019, 5:08pm

Device Make/Model : Juniper EX and SRX series
Operating System : Junos
Description : Perform check for OS mismatch on Dual boot Juniper EX and SRX devices for firmware. 
Remediaion Steps : Perform recovery procedure
Command or Method : request system snapshot media internal slice alternate