Unsolved
December 15th, 2016 08:00
Questions about creating a dynamic model for a firewall
Dear colleagues,
I am starting to work with dynamic modelling and found a couple of questions I can't find an answer for.
Basically, I want to extend a model for a firewall, gather a couple of additional OIDs and use a custom threshold from the UI.
This is where we currently are:
/*
 * pp_fw_palo_alto.mdl - model file for Perimeter Protection Palo Alto firewalls - IP domain(s)
 * FIELD CERTIFICATION FILE
 *
 */
interface PP_FW_PALO_ALTO_Status_Setting : ICF_PollingSetting
{
    refine stored DisplayName
        = "PP Palo Alto firewall Environment";
    refine stored RuleSet
        = "devstat/pp_fw_palo_alto_setting.asl";
    refine stored TargetClass = "ICIM_UnitaryComputerSystem";
}

interface PP_FW_PALO_ALTO_Setting : ICF_Setting {
    refine stored DisplayName
        = "PP Palo Alto firewall Settings";
    attribute int [0 .. 100] FwPaloAltopanSessionThreshold
        "Session table utilization percentage threshold (%)."
        = 50;
}

interface PP_FW_PALO_ALTO_Fault : ICIM_Instrumentation
{
    instrument SNMP {
        panMgmtPanoramaConnectedSNMP = "1.3.6.1.4.1.25461.2.1.2.4.1",
        panSessionUtilizationSNMP = "1.3.6.1.4.1.25461.2.1.2.3.1"
    };
    instrumented attribute string panMgmtPanoramaConnectedSNMP
        "Current Connection status to Panorama Server (connected, not-connected).";
    instrumented attribute int panSessionUtilizationSNMP
        "Current Session table usage (percentage).";
}

interface PP_FW_PALO_ALTO : UnitaryComputerSystem
{
    propagate attribute int panSessionUtilization
        "Current Session table usage (percentage)."
        = PP_FW_PALO_ALTO_Fault, InstrumentedBy, panSessionUtilizationSNMP;
    propagate attribute string panMgmtPanoramaConnected
        "Current Connection status to Panorama Server (connected, not-connected)."
        = PP_FW_PALO_ALTO_Fault, InstrumentedBy, panMgmtPanoramaConnectedSNMP;
    propagate attribute int [0 .. 100] FwPaloAltopanSessionThreshold
        "Session table utilization percentage threshold (%)."
        = PP_FW_PALO_ALTO_Setting, InstrumentedBy, FwPaloAltopanSessionThreshold
    event FwPaloAltoSessionUtilization
        "The current Session table usage is too high."
        = panSessionUtilization >= FwPaloAltopanSessionThreshold;
    export FwPaloAltoSessionUtilization;
    readonly string FwPaloAltoSessionUtilization_attributes()
    definition:
        return "THRESHOLD PCT panSessionUtilization > FwPaloAltopanSessionThreshold";
    event FwPaloAltoPanoramaDisconnected
        "Firewall disconnected from Panorama Server."
        = panMgmtPanoramaConnected == "not-connected";
    export FwPaloAltoPanoramaDisconnected;
}
My questions, which I hope some of you have an answer for:
1) This mdl fails because FwPaloAltopanSessionThreshold is used directly and it is only declared inside the "interface PP_FW_PALO_ALTO_Setting : ICF_Setting" block. What else should I add inside the "interface PP_FW_PALO_ALTO : UnitaryComputerSystem" so that I can compare the instrumented value against the threshold configured in the UI? (Also, is there any way to see the errors and troubleshoot them? I can only see that the class does not get created unless I replace FwPaloAltopanSessionThreshold with a value such as 50.)
2) I never get to see values for the instrumented attributes when I look for panSessionUtilization and panMgmtPanoramaConnected in the attribute list for a firewall of this class. The attributes do appear, but they are greyed out and have no value. What else could I be missing? In other cases I get the events, but I can never see the actual value either in the attributes or in the "Details" tab of the event.
3) How can I query an OID defined as a table and iterate it in order to generate alerts?
4) Last but not least: is there any decent manual or training about these topics? We only have the dynamic modelling doc, with a few simple examples, and both support and Professional Services won't help us with this, which is surprising to say the least...
Thanks a lot for your time and apologies for the long message.
Regards and greetings from Spain,
Hector



hparra
9 Posts
1
February 1st, 2017 10:00
Dear Rob,
I have been unable to log in since you wrote your reply because of some issue with SSO.
I was finally able to do it today and just wanted to thank you for providing the zip file; it has been key to learning more about the topic, and I'm almost there creating a few quite complicated models with the help of a Subject Matter Expert.
Of course, please extend my gratitude to Geoff Bradford and the PS team.
Thank you again for your help and best regards,
Hector
Nirala_Shobhit
4 Posts
0
July 22nd, 2018 19:00
Hi Hector, do you still have the example with you?
I also need an example for reference, as I am working to poll/alert for a specific OID.
Thanks
Shobhit
SeanPopham
54 Posts
0
July 23rd, 2018 10:00
Shobhit,
I believe I have that same example. You can download it at
sftp mSzwx0RLz@ftp.emc.com
Password: rk9Rrk99nR
Connecting via a web browser: https://ftp.emc.com/action/login?domain=ftp.emc.com&username=mSzwx0RLz&password=rk9Rrk99nR
Automatic account removal after 7 days on Mon Jul 30 @ 14:00
Kind Regards,
Sean Popham
Nirala_Shobhit
4 Posts
0
August 6th, 2018 17:00
Thanks for the great example,
interface CheckPoint_Session_Setting : ICF_Setting {
    refine stored DisplayName
        = "Check Point Threshold Setting";
    #pragma Uses Propagation
    attribute int [0 .. 100000] ActiveSessionsThreshold
        "Check Point Connection Monitoring threshold."
        = 100;
}

refine interface CheckPoint
{
    propagate attribute unsigned max ActiveSessions
        "Number of active sessions on the device."
        = fw_session, InstrumentedBy, ActiveSessions;
    propagate attribute unsigned max ActiveSessionsThreshold
        "Session table utilization percentage threshold (%)."
        = CheckPoint_Session_Setting, InstrumentedBy, ActiveSessionsThreshold;
    event HighSessionCounts_CheckPoint
        "Indicates when reached to Max Sessions"
        = ActiveSessions > ActiveSessionsThreshold;
    export HighSessionCounts_CheckPoint;
}
I was trying to access the threshold variable "ActiveSessionsThreshold" in class "CheckPoint", but I do not know why it is not getting populated, while I was getting a value for "ActiveSessions".
Can you please help to debug?