VPN dropping packets due to decryption errors-paloaltonetworks-panos

VPN dropping packets due to decryption errors-paloaltonetworks-panos
0

VPN dropping packets due to decryption errors-paloaltonetworks-panos

Vendor: paloaltonetworks

OS: panos

Description:
indeni tracks critical error metrics for VPN tunnels and alerts when these are increasing.

Remediation Steps:
Review the configurations on both sides of the tunnel.

How does this work?
This script uses the Palo Alto Networks API to retrieve the current status of the VPN tunnels (the equivalent of running “show vpn flow” in CLI). The script retrieves the decryption errors for each tunnel.

Why is this important?
VPN tunnels are one of the most critical features of a firewall. Tracking the health of the VPN tunnels, and specifically if there are any decryption errors, is a good indicator of whether a tunnel is working as planned.

Without Indeni how would you find this?
Decryption error information is only accessible through the CLI to an administrator.

panos-show-vpn-flow

name: panos-show-vpn-flow
description: Fetch the status of the VPN tunnels
type: monitoring
monitoring_interval: 1 minute
requires:
    vendor: paloaltonetworks
    os.name: panos
    product: firewall
comments:
    vpn-tunnel-state:
        why: |
            VPN tunnels are one of the most critical features of a firewall. Many VPN tunnels are temporary, and may go up and down regularly, while some must be up at all times. Those that must remain up are usually set with a monitor to track their status. Knowing if a tunnel that should be up is down is critical for a quick response to service disruption.
        how: |
            This script uses the Palo Alto Networks API to retrieve the current status of the VPN tunnels (the equivalent of running "show vpn flow" in CLI). The script differentiates between alerts that are not "always on" (don't have a monitor set) and those that should be.
        without-indeni: |
            The VPN tunnel state is visible through the web interface. Normally, an administrator would access it after a service outage is reported.
        can-with-snmp: true
        can-with-syslog: true
    vpn-tunnel-decryption-errors:
        why: |
            VPN tunnels are one of the most critical features of a firewall. Tracking the health of the VPN tunnels, and specifically if there are any decryption errors, is a good indicator of whether a tunnel is working as planned.
        how: |
            This script uses the Palo Alto Networks API to retrieve the current status of the VPN tunnels (the equivalent of running "show vpn flow" in CLI). The script retrieves the decryption errors for each tunnel.
        without-indeni: |
            Decryption error information is only accessible through the CLI to an administrator.
        can-with-snmp: false
        can-with-syslog: false
    vpn-tunnel-authentication-errors:
        why: |
            VPN tunnels are one of the most critical features of a firewall. Tracking the health of the VPN tunnels, and specifically if there are any authentication errors, is a good indicator of whether a tunnel is working as planned.
        how: |
            This script uses the Palo Alto Networks API to retrieve the current status of the VPN tunnels (the equivalent of running "show vpn flow" in CLI). The script retrieves the authentication errors for each tunnel.
        without-indeni: |
            Authentication error information is only accessible through the CLI to an administrator.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: HTTP
        command: /api?type=op&cmd=<show><vpn><flow><%2Fflow><%2Fvpn><%2Fshow>&key=${api-key}
    parse:
        type: XML
        file: show-vpn-flow.parser.1.xml.yaml

palo_alto_vpn_decryption_errors

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.paloaltonetworks

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.CounterIncreaseTemplateRule
/**
  *
  */
case class palo_alto_vpn_decryption_errors() extends CounterIncreaseTemplateRule(
  ruleName = "palo_alto_vpn_decryption_errors",
  ruleFriendlyName = "Palo Alto Networks Firewalls: VPN dropping packets due to decryption errors",
  ruleDescription = "indeni tracks critical error metrics for VPN tunnels and alerts when these are increasing.",
  metricName = "vpn-tunnel-decryption-errors",
  applicableMetricTag = "peerip",
  alertDescription = "The VPNs listed below are experiencing packet decryption errors. This is probably due to a configuration issue.",
  alertRemediationSteps = "Review the configurations on both sides of the tunnel.",
  alertItemsHeader = "Affected VPN Tunnels"
)()