This is a real-life sample alert from the indeni alert guide for Palo Alto Networks firewalls.
This device is receiving far less traffic than expected. It is receiving 142 packets/sec at the moment, compared to 15921 packets/sec it received a few minutes ago. This can be a result of a failover of this firewall cluster.
Manual Remediation Steps:
Consider clearing the ARP cache, as detailed in DOC-4575. Review the comments of that DOC.
How does this alert work?
indeni tracks the traffic flow on firewalls to identify situations where there is a sharp decrease in RX traffic (as opposed to TX traffic). Such a drop in RX traffic means the surrounding network equipment isn’t forwarding traffic to the firewall, usually due to ARP issues.
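An added example, not indeni's own code: a sketch of the RX-drop check described above, run over constructed per-minute samples. The window size, drop ratio and minimum baseline are assumptions, since the page does not state the thresholds indeni uses.

```python
from collections import deque
from statistics import median

# Assumed tuning values: the page does not state the product's thresholds.
WINDOW = 5           # baseline samples (one per minute, "a few minutes")
DROP_RATIO = 0.10    # alert when RX falls below 10% of the baseline
MIN_BASELINE = 1000  # packets/sec; skip links that are normally near idle


def detect_rx_drops(samples, window=WINDOW, drop_ratio=DROP_RATIO,
                    min_baseline=MIN_BASELINE):
    """Return one alert per sharp RX drop.

    samples: (timestamp, rx_pps) tuples in time order.
    """
    history = deque(maxlen=window)
    alerts, in_drop = [], False
    for ts, rx in samples:
        if len(history) < window:
            history.append(rx)      # still learning the baseline
            continue
        baseline = median(history)
        dropped = baseline >= min_baseline and rx < baseline * drop_ratio
        if dropped:
            if not in_drop:         # alert once, on entry into the drop
                alerts.append({"time": ts, "rx_pps": rx,
                               "baseline_pps": baseline})
            in_drop = True
            continue                # keep low samples out of the baseline
        in_drop = False
        history.append(rx)
    return alerts


# Constructed samples; 15921 and 142 are the figures from the sample alert.
SAMPLES = [
    ("10:00", 15340), ("10:01", 16102), ("10:02", 15877), ("10:03", 15655),
    ("10:04", 15921), ("10:05", 142), ("10:06", 150), ("10:07", 15480),
    ("10:08", 15733),
]

if __name__ == "__main__":
    for alert in detect_rx_drops(SAMPLES):
        print("{time}: receiving {rx_pps} packets/sec, baseline "
              "{baseline_pps} packets/sec".format(**alert))
```

The drop is reported once at 10:05 and not again at 10:06, and the low samples are kept out of the baseline so that recovery at 10:07 is judged against normal traffic.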