This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Automate the monitoring and remediation of shifting traffic off a degraded link

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Automate the monitoring and remediation of shifting traffic off a degraded link

stangri-la
L1 Bithead

‎02-24-2023 10:04 AM

Hi all, as the title suggests I'd like to be able to automate the monitoring and remediation of shifting traffic off a degraded link.  In my environment, we have two corp DIA circuits for internet-bound traffic which we perform ECMP load balancing on.  The problem we have is if one of the two links is degraded and suffering substantial packet loss but not a complete outage, traffic continues to flow across both links.

 

I had the idea of using Ansible via API call to send pings out of each link and if the packet loss exceeded a certain threshold, then raise the metric of the static route for the affected link so that traffic would only use the healthy link until the affected link returned to normal.  However, that's when I realized there's no way to send a ping command via API call so there's really no way to automate the link monitoring for degredation.  Am I missing something here or is there some other way to accomplish this?

0 Likes Likes
3 REPLIES 3

JimmyHolland
L5 Sessionator

‎02-27-2023 03:28 AM

Other options include path monitoring, or for even more flexibility in monitoring and path selection the SD-WAN suite of features.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂
0 Likes Likes

stangri-la
L1 Bithead
In response to JimmyHolland

‎02-27-2023 08:15 AM

Thanks, @JimmyHolland.  We already have path monitoring in place but that only helps when there's a complete outage, not when the link is degraded and suffering < 100% packet loss.  I realize SD-WAN is meant to address this shortcoming but I wish this was a native feature of the firewalls. 

0 Likes Likes

nikoolayy1
L6 Presenter
In response to stangri-la

‎03-22-2023 07:35 AM - edited ‎03-22-2023 07:36 AM

What about TCL Expect? As some things are not available through the Palo Alto API and because of this Ansible is not an option you can use my script to ssh to the device and run ping.

 

https://live.paloaltonetworks.com/t5/general-articles/automating-the-palo-alto-ngfw-s-process-deamon...

 

 

You will need to play around as you can make bash script triggering the tcp expect script and then the bash script can trigger an Ansible playbook that will dissable an interface or whatever else you want.

 

https://stackoverflow.com/questions/42353148/expect-within-bash-script

0 Likes Likes
  • 1648 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks