topic Re: Incorrect PANORAMA health MonitorStatus in General Topics

Incorrect PANORAMA health MonitorStatus

nagarjuna.b — Tue, 05 Feb 2019 02:28:31 GMT

Hi there,

Could you help me understanding of my device status correctly :

I was looking at my device status in PANORAMA's beautiful featrure called "Deviating devices" list. I couldn't quite understand why it is reporting some of my PA devices as deviating from Baseline though it's not even close to the threshold values. for example it's reporting a device as deviating when it's memory is at 27%. Sometimes it's red even for the connections count 2.

Could you please help me understanding, if you come across this issue.

Best regards,

Nagarjuna

Re: Incorrect PANORAMA health MonitorStatus

Fr4nk4 — Fri, 13 Dec 2019 16:38:39 GMT

So I have seen the same issue. I see that my primary HA firewall pair is listed, and the active firewall is deviating, but all of the metrics are low... 7k sessions, 22% cpu, 208 logs/sec. It's very strange.

Re: Incorrect PANORAMA health MonitorStatus

MP18 — Sat, 14 Dec 2019 05:32:20 GMT

As per my understanding if firewall sees increases in traffic as compare to previous baseline even though threshold is not reached it show it as red.

Lets see if someone chimes in about this behaviour.

Re: Incorrect PANORAMA health MonitorStatus

djr — Fri, 31 Jan 2020 11:30:44 GMT

Hi , it's a bit of a slow reply I realise, but I have just been looking at how many warnings we are logging and it seems to me that the baselining calculation doesn't allow for variations caused by night time and weekend lulls. The little graph it displays shows my supposedly deviating stats are following a fairly normal pattern, but the baseline is way too low for daytime activity levels. I can only assume that's because it's an average over all time and the variation between my day and night is huge, as I would guess it is for most people. It uses some standard deviation to calculate a tolerance, but that's far too conservative.

Take an example of my logging rate, to the human eye you can see it's sticking to the normal pattern but because the rate drops to the low 100's overnight, the 2,000 rate in the daytime is way outside the baseline and tolerance. Weekends just add to that imbalance.

Palo, can you change the algorithm to take into account time of day variations? I'm no mathmetician so don't know how, but at teh moment I am just having to ignore/filter out the deviating device logs as they trigger all the time.

Re: Incorrect PANORAMA health MonitorStatus

djr — Wed, 13 May 2020 08:13:49 GMT

I can update, this has been accepted by Palo as a feature update, so don't hold your breath, but we should see a change at some point.

Re: Incorrect PANORAMA health MonitorStatus

Kristaps.Bekers — Thu, 23 Feb 2023 12:38:30 GMT

2,5 years later and still the issue present.

Re: Incorrect PANORAMA health MonitorStatus

Jason_Lieberman — Wed, 27 Sep 2023 17:11:02 GMT

Wheels of change move slow. Is it possible to send all system logs to a syslog server EXCEPT these deviating device logs?

Re: Incorrect PANORAMA health MonitorStatus

PavelK — Wed, 27 Sep 2023 22:10:47 GMT

Hello @Jason_Lieberman

you can exclude deviating device logs by placing: !( eventid eq 'deviating-device' ) in the Filter field under: Panorama > Log Settings > System > [Profile Name].

Kind Regards

Pavel