Automate the monitoring and remediation of shifting traffic off a degraded link

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Automate the monitoring and remediation of shifting traffic off a degraded link

L1 Bithead

Hi all, as the title suggests I'd like to be able to automate the monitoring and remediation of shifting traffic off a degraded link.  In my environment, we have two corp DIA circuits for internet-bound traffic which we perform ECMP load balancing on.  The problem we have is if one of the two links is degraded and suffering substantial packet loss but not a complete outage, traffic continues to flow across both links.

 

I had the idea of using Ansible via API call to send pings out of each link and if the packet loss exceeded a certain threshold, then raise the metric of the static route for the affected link so that traffic would only use the healthy link until the affected link returned to normal.  However, that's when I realized there's no way to send a ping command via API call so there's really no way to automate the link monitoring for degredation.  Am I missing something here or is there some other way to accomplish this?

3 REPLIES 3

L5 Sessionator

Other options include path monitoring, or for even more flexibility in monitoring and path selection the SD-WAN suite of features.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

Thanks, @JimmyHolland.  We already have path monitoring in place but that only helps when there's a complete outage, not when the link is degraded and suffering < 100% packet loss.  I realize SD-WAN is meant to address this shortcoming but I wish this was a native feature of the firewalls. 

What about TCL Expect? As some things are not available through the Palo Alto API and because of this Ansible is not an option you can use my script to ssh to the device and run ping.

 

https://live.paloaltonetworks.com/t5/general-articles/automating-the-palo-alto-ngfw-s-process-deamon...

 

 

You will need to play around as you can make bash script triggering the tcp expect script and then the bash script can trigger an Ansible playbook that will dissable an interface or whatever else you want.

 

https://stackoverflow.com/questions/42353148/expect-within-bash-script

  • 1164 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!