VPN dropping packets due to decryption errors-paloaltonetworks-panos
Vendor: paloaltonetworks
OS: panos
Description:
indeni tracks critical error metrics for VPN tunnels and alerts when these are increasing.
Remediation Steps:
Review the configurations on both sides of the tunnel.
How does this work?
This script uses the Palo Alto Networks API to retrieve the current status of the VPN tunnels (the equivalent of running “show vpn flow” in CLI). The script retrieves the decryption errors for each tunnel.
Why is this important?
VPN tunnels are one of the most critical features of a firewall. Tracking the health of the VPN tunnels, and specifically if there are any decryption errors, is a good indicator of whether a tunnel is working as planned.
Without Indeni how would you find this?
Decryption error information is only accessible through the CLI to an administrator.
panos-show-vpn-flow
name: panos-show-vpn-flow
description: Fetch the status of the VPN tunnels
type: monitoring
monitoring_interval: 1 minute
requires:
vendor: paloaltonetworks
os.name: panos
product: firewall
comments:
vpn-tunnel-state:
why: |
VPN tunnels are one of the most critical features of a firewall. Many VPN tunnels are temporary, and may go up and down regularly, while some must be up at all times. Those that must remain up are usually set with a monitor to track their status. Knowing if a tunnel that should be up is down is critical for a quick response to service disruption.
how: |
This script uses the Palo Alto Networks API to retrieve the current status of the VPN tunnels (the equivalent of running "show vpn flow" in CLI). The script differentiates between alerts that are not "always on" (don't have a monitor set) and those that should be.
can-with-snmp: true
can-with-syslog: true
vpn-tunnel-decryption-errors:
why: |
VPN tunnels are one of the most critical features of a firewall. Tracking the health of the VPN tunnels, and specifically if there are any decryption errors, is a good indicator of whether a tunnel is working as planned.
how: |
This script uses the Palo Alto Networks API to retrieve the current status of the VPN tunnels (the equivalent of running "show vpn flow" in CLI). The script retrieves the decryption errors for each tunnel.
can-with-snmp: false
can-with-syslog: false
vpn-tunnel-authentication-errors:
why: |
VPN tunnels are one of the most critical features of a firewall. Tracking the health of the VPN tunnels, and specifically if there are any authentication errors, is a good indicator of whether a tunnel is working as planned.
how: |
This script uses the Palo Alto Networks API to retrieve the current status of the VPN tunnels (the equivalent of running "show vpn flow" in CLI). The script retrieves the authentication errors for each tunnel.
can-with-snmp: false
can-with-syslog: false
steps:
- run:
type: HTTP
command: /api?type=op&cmd=<show><vpn><flow><%2Fflow><%2Fvpn><%2Fshow>&key=${api-key}
parse:
type: XML
file: show-vpn-flow.parser.1.xml.yaml
palo_alto_vpn_decryption_errors
Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/paloaltonetworks/palo_alto_vpn_decryption_errors.scala