Palo Alto Networks Firewalls Alert Guide: Group ID Conflict Detected

This is a real life sample alert from the indeni alert guide for Palo Alto Networks firewalls.


Description:

This cluster has the same Group ID as the other clusters listed below. A conflict may arise if they share a VLAN with this cluster.

Other Clusters:

buny-fw1 (10.10.24.1)

Manual Remediation Steps:

Consider changing the Group ID. For more information, see DOC-5843.

How does this alert work?

indeni automatically identifies the HA clusters in the environment and then compares the Group ID that is set on the active member of each of those clusters.
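An added example, not indeni's own code, of the comparison this alert describes: group the HA clusters by the Group ID read from each active member, and report every cluster whose ID is reused, noting whether the two clusters also share a VLAN (the case the alert says can actually conflict). The inventory, names, addresses and VLAN memberships are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class HaCluster:
    name: str            # hostname of the active member
    mgmt_ip: str         # management address of the active member
    group_id: int        # HA Group ID as configured on the active member
    vlans: frozenset = field(default_factory=frozenset)  # VLANs the cluster sits on

# Constructed inventory; only buny-fw1 is named on the page, the rest are made up.
CLUSTERS = [
    HaCluster("buny-fw1", "10.10.24.1", 7, frozenset({100, 200})),
    HaCluster("edge-fw1", "10.10.30.1", 7, frozenset({200, 300})),
    HaCluster("dmz-fw1",  "10.10.40.1", 7, frozenset({400})),
    HaCluster("lab-fw1",  "10.10.50.1", 9, frozenset({100})),
]

def find_group_id_conflicts(clusters):
    """Return {cluster_name: [(other_name, other_ip, shares_vlan), ...]}
    for every cluster whose Group ID is also used by another cluster."""
    by_group = defaultdict(list)
    for c in clusters:
        by_group[c.group_id].append(c)
    conflicts = {}
    for members in by_group.values():
        if len(members) < 2:
            continue  # unique Group ID, nothing to report
        for c in members:
            conflicts[c.name] = [
                (o.name, o.mgmt_ip, bool(c.vlans & o.vlans))
                for o in members if o is not c
            ]
    return conflicts

def format_alert(cluster_name, conflicts):
    """Render the 'Other Clusters' block, flagging shared-VLAN neighbours."""
    lines = ["This cluster has the same Group ID as the other clusters listed below.",
             "Other Clusters:"]
    for name, ip, shares_vlan in conflicts.get(cluster_name, []):
        lines.append(f"{name} ({ip})" + (" [shares a VLAN]" if shares_vlan else ""))
    return "\n".join(lines)

if __name__ == "__main__":
    found = find_group_id_conflicts(CLUSTERS)
    for name in found:
        print(format_alert(name, found), end="\n\n")
```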

For even more alerts and in-depth analysis to make your network highly available and failure-proof, check out our device management solution for PAN firewalls.

Proxy ARP Entries Removed – Check Point Firewalls Optimized Performance

This is a real life sample alert from the indeni guide to preemptive maintenance for Check Point Firewalls.

Description:

This firewall used to have (51) proxy ARP entries. They have disappeared suddenly from the output of “fw ctl arp”. Proxy ARP behavior may be impacted.

Manual Remediation Steps:

If this is due to an interface being taken down, verify that “fw ctl arp” provides the correct output after the interface is brought back up. If it doesn’t, contact technical support.
If this is not due to an interface being taken down, we recommend you contact technical support. Please review SK98740 and SK93534.

How does this alert work?

indeni runs the “fw ctl arp” command every few minutes and identifies when there is a major change in the response.
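An added example, not indeni's own code, of how a poll-and-compare check for this alert can be built: parse two consecutive “fw ctl arp” outputs into ip-to-MAC maps, diff them, and raise an alert only when a large fraction of the entries has vanished (the 51-to-0 case above), not on single-entry churn. The “(ip) at mac” line format and all addresses are constructed for the example.

```python
import re

# Matches one "(ip) at mac" line; format is assumed for this example.
ARP_LINE_RE = re.compile(
    r"^\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed outputs: 51 proxy ARP entries, then none at all.
BEFORE = "\n".join(f"(192.0.2.{i}) at 00:1c:7f:00:00:{i:02x}" for i in range(1, 52))
AFTER = ""

def parse_fw_ctl_arp(text):
    """Return {ip: mac} for every proxy ARP line in the command output."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE_RE.match(line.strip())
        if m:
            entries[m.group("ip")] = m.group("mac").lower()
    return entries

def proxy_arp_change(previous, current, loss_ratio=0.5):
    """Alert when at least loss_ratio of the previous entries disappeared.
    Added and changed entries are included for context but do not alert."""
    removed = sorted(set(previous) - set(current))
    added = sorted(set(current) - set(previous))
    changed = sorted(ip for ip in set(previous) & set(current)
                     if previous[ip] != current[ip])
    if not previous or len(removed) / len(previous) < loss_ratio:
        return None
    return {
        "previous_count": len(previous),
        "current_count": len(current),
        "removed": removed, "added": added, "changed": changed,
        "message": (f"This firewall used to have ({len(previous)}) proxy ARP entries. "
                    f"{len(removed)} of them have disappeared from the output of "
                    f"\"fw ctl arp\". Proxy ARP behavior may be impacted."),
    }

if __name__ == "__main__":
    alert = proxy_arp_change(parse_fw_ctl_arp(BEFORE), parse_fw_ctl_arp(AFTER))
    print(alert["message"] if alert else "no significant change")
```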

Firewall in Maintenance Mode. Palo Alto Network Alert Guide


This is a real life sample alert from our indeni alert guide for Palo Alto Networks Firewall.

Description:

The firewall has entered maintenance mode due to an unknown reason. indeni will stop collecting data from this firewall until it exits maintenance mode.

Manual Remediation Steps:

Connect to the firewall using SSH (see DOC-5719) and determine the cause.

How does this alert work?

indeni uses a mix of SSH, API calls and SNMP to communicate with Palo Alto Networks firewalls. If it identifies that the firewall is in maintenance mode (for example, via SSH), it will alert.

F5 bigd process down

This is a real life sample alert from indeni.

Description:

The F5 bigd process is down and has not restarted. Among its responsibilities, bigd runs the monitors for nodes, pool members and services. For more information, read SOL6967.

Manual Remediation Steps:

Review the logs to identify why the bigd process is down. indeni will attempt to determine the source of the issue automatically as well.

How does this alert work?

indeni tracks the status of all of the critical operating-system level processes and alerts if any of them crashes or shuts down unexpectedly.

RX Traffic Drastically Reduced Post Fail Over. Palo Alto Networks Alert Guide

This is a real life sample alert from the indeni alert guide for Palo Alto Networks firewalls.

Description:

This device is receiving far less traffic than expected. It is receiving 142 packets/sec at the moment, compared to the 15921 packets/sec it received a few minutes ago. This can be the result of a failover of this firewall cluster.

Manual Remediation Steps:

Consider clearing the ARP cache, as detailed in DOC-4575. Review the comments of that DOC.

How does this alert work?

indeni tracks the traffic flow on firewalls to identify situations where there is a sharp decrease in RX traffic (as opposed to TX traffic). Such a drop in RX traffic means the surrounding network equipment isn’t forwarding traffic to the firewall, usually due to ARP issues.
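An added example, not indeni's own code, of the RX-versus-TX logic described above: keep a few minutes of per-interface packet rates, and alert when RX collapses against the recent baseline while TX does not (a drop in both directions just means a quiet network, not a forwarding problem upstream). The window, ratio and minimum-baseline parameters and the sample counters are constructed.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:
    ts: int       # seconds since epoch
    rx_pps: int   # packets/sec received by the firewall
    tx_pps: int   # packets/sec sent by the firewall

class RxDropDetector:
    """Alerts when RX falls to <= drop_ratio of the highest RX seen in the
    window while TX stays above that ratio of its own baseline."""

    def __init__(self, window_s=300, drop_ratio=0.1, min_baseline_pps=1000):
        self.window_s = window_s
        self.drop_ratio = drop_ratio
        self.min_baseline_pps = min_baseline_pps   # ignore nearly idle devices
        self.history = deque()

    def observe(self, sample):
        # Expire samples outside the window, evaluate, then remember this one.
        while self.history and sample.ts - self.history[0].ts > self.window_s:
            self.history.popleft()
        alert = self._evaluate(sample)
        self.history.append(sample)
        return alert

    def _evaluate(self, sample):
        if not self.history:
            return None
        baseline = max(self.history, key=lambda s: s.rx_pps)
        if baseline.rx_pps < self.min_baseline_pps:
            return None
        rx_frac = sample.rx_pps / baseline.rx_pps
        tx_frac = sample.tx_pps / baseline.tx_pps if baseline.tx_pps else 1.0
        if rx_frac <= self.drop_ratio < tx_frac:
            return (f"RX drastically reduced: {sample.rx_pps} packets/sec now, "
                    f"compared to {baseline.rx_pps} packets/sec "
                    f"{sample.ts - baseline.ts}s ago; TX is unchanged, "
                    f"suspect ARP after a failover")
        return None

if __name__ == "__main__":
    d = RxDropDetector()
    for s in (Sample(0, 15921, 14000), Sample(60, 15800, 14100), Sample(180, 142, 13500)):
        print(d.observe(s))
```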

F5 Too many RST packets sent


This is a real life sample alert from indeni’s F5 Load Balancing Methods Library.

Description:

This device is being hit with too many connections that appear to have already been closed or never opened. It is possible the device is under DDoS attack. indeni has found this log message:
May 18 12:49:43 JCNC-ADC1 warning tmm1[11241]: 011e0001:4: Limiting open port RST response from 251 to 250 packets/sec 

Manual Remediation Steps:

Review SOL13151 and review the cause of this sudden increase in unexpected connections.

How does this alert work?

indeni cross-references information from the log files with the SOLs listed on f5.com to identify when certain logs should receive attention.
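An added example, not indeni's own code, of matching the tmm message quoted in this alert: a pattern keyed on the 011e0001 message ID extracts the actual and limited RST rates so an alert can say how far over the limit the device went and how often, and maps the hit to the SOL the page names. The log lines other than the one quoted on the page are constructed.

```python
import re

# Keyed on the message ID shown in the alert; rates are captured for reporting.
RST_LIMIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\w+) "
    r"(?P<proc>tmm\d*)\[(?P<pid>\d+)\]: 011e0001:4: "
    r"Limiting open port RST response from (?P<actual>\d+) to (?P<limit>\d+) packets/sec"
)

# First line is the one quoted on the page; the other two are constructed.
SAMPLE_LOG = """\
May 18 12:49:43 JCNC-ADC1 warning tmm1[11241]: 011e0001:4: Limiting open port RST response from 251 to 250 packets/sec
May 18 12:49:50 JCNC-ADC1 notice mcpd[4321]: constructed unrelated line
May 18 12:50:43 JCNC-ADC1 warning tmm0[11240]: 011e0001:4: Limiting open port RST response from 900 to 250 packets/sec
"""

def find_rst_limit_events(log_text):
    """Return one dict per matching line with integer rates and the raw line."""
    events = []
    for line in log_text.splitlines():
        m = RST_LIMIT_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["actual"], ev["limit"], ev["pid"] = int(ev["actual"]), int(ev["limit"]), int(ev["pid"])
        ev["raw"] = line
        events.append(ev)
    return events

def rst_alert(events, min_events=1):
    """Summarise the events into the alert text; None when below min_events."""
    if len(events) < min_events:
        return None
    worst = max(events, key=lambda e: e["actual"])
    return {
        "host": worst["host"],
        "count": len(events),
        "peak_pps": worst["actual"],
        "limit_pps": worst["limit"],
        "reference": "SOL13151",
        "message": (f"{worst['host']} is sending too many RST packets: TMM limited "
                    f"RST responses {len(events)} time(s), peaking at {worst['actual']} "
                    f"packets/sec against a limit of {worst['limit']}. Review SOL13151."),
    }

if __name__ == "__main__":
    print(rst_alert(find_rst_limit_events(SAMPLE_LOG))["message"])
```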

Firewall Connection Table Limit Approaching or Reached – Check Point Firewall Alerts

This is a real life sample alert from the indeni Check Point Firewall configuration guide.

Description:

There are 248742 concurrent connections while the limit is 250000. The connection table limit should be increased to ensure uninterrupted operation.

Manual Remediation Steps:

Upgrading to the GAIA OS can resolve the need to set a connection table limit. If you decide to remain on IPSO, however, consider the following:

In many cases, a sudden spike in connections has been attributed to a worm or misbehaving application. If you have ruled this out, consider the following solutions:

  1. Locate the maximum concurrent connections setting for the firewall (normally found in the object’s properties) and increase the value. The increase should be done gradually and with care as it will also increase the memory usage of the firewall.
  2. Turn on Aggressive Aging to have connections removed as quickly as possible.
  3. In the SmartDashboard, go to Policy->Global Properties and in the Stateful Inspection tab reduce the TCP end timeout to 5 seconds. Please refer to the firewall’s user manual for more information on what the TCP end timeout is.

How does this alert work?

indeni tracks the number of entries in the connections table, using “fw tab connections -s”.
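An added example, not indeni's own code, of the connections-table check: a header-driven parser for the summary table that “fw tab -t connections -s” prints, followed by a utilization test against the limit configured in the firewall object (the limit is not in the command output, so it is passed in). The column layout and the sample row are constructed for the example; the parser reads column names from the header so it does not depend on column order.

```python
# Constructed sample in the summary layout assumed for this example.
SAMPLE_FW_TAB = """\
HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             connections                      8158 248742 249311  497484
"""

def parse_fw_tab_summary(text):
    """Return {table_name: {column: value}} with numeric columns as int."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    tables = {}
    for ln in lines[1:]:
        fields = ln.split()
        if len(fields) != len(header):
            continue  # not a summary row (banner, warning, etc.)
        row = {k: (int(v) if v.isdigit() else v) for k, v in zip(header, fields)}
        tables[row["NAME"]] = row
    return tables

def connection_table_alert(tables, limit, warn_pct=90.0):
    """(severity, message) when #VALS approaches or reaches the limit, else None.
    warn_pct is the example's own threshold, not a product setting."""
    if "connections" not in tables:
        return ("error", "connections table not found in fw tab output")
    vals = tables["connections"]["#VALS"]
    pct = 100.0 * vals / limit
    if vals >= limit:
        return ("critical", f"Connection table limit reached: {vals} of {limit} entries in use.")
    if pct >= warn_pct:
        return ("warning", f"There are {vals} concurrent connections while the limit is "
                           f"{limit} ({pct:.1f}%). The connection table limit should be increased.")
    return None

if __name__ == "__main__":
    print(connection_table_alert(parse_fw_tab_summary(SAMPLE_FW_TAB), limit=250000))
```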

Pulling Data via SNMP, SSH or API – PAN Firewall Best Practices

When querying a firewall, what’s the best protocol to use? SNMP, SSH or API?

If you are looking to integrate Palo Alto firewalls as part of some automated system – scripts, central NOC, software-defined-whatever, etc. – you’d want to hear what we have to share. You should also read this post if you like learning about interesting technical aspects of the products you use.

As you may know, we have started supporting Palo Alto Networks (PANW) firewalls in our product late last year. We are currently developing new support and are working with large and small organizations throughout the globe. One interesting thing we’ve noticed that’s worth sharing is that PANW’s customers are very open to embracing new technologies. That is great for us 🙂


F5 IPSec Tunnel Causing Traffic Issues

This is a real life sample alert from indeni’s F5 Load Balancing Methods guide.

Description:

Some of the F5 IPsec tunnels have multiple security associations negotiated for them. This may result in traffic issues.

Affected Tunnels:

Tunnel to 165.160.15.20

Manual Remediation Steps:

Review SOL14646.

How does this alert work?

indeni uses the various “show /net ipsec” commands to track the IPsec tunnels.

Palo Alto Networks Proxy Session Pool Low

This is a real life sample alert from our indeni alert guide for Palo Alto Networks Firewall.

Description:

The Proxy Session pool is low – of 1024 possible entries, 971 are being used. This is 95%.

Manual Remediation Steps:

Contact your Palo Alto Networks technical support provider to identify what should be done before the pool is completely utilized. Also read “HTTPS traffic suddenly blocked”.

How does this alert work?

indeni regularly runs “debug dataplane pool statistics” and tracks pool usage.