Email alerts for utilised interfaces and HA status (active/passive)

L2 Linker


Hi Gang,

 

I have a server profile configured but I'm completely unsure, even after some searching around.

 

I'd like to generate email alerts for:

  • Interface - in that their status changes e.g. data-link down, hard down, flapping
    • Are the dedicated HA ports possible to be alerted too
  • Firewall goes into HA where the passive firewall takes over

I know the answer lies somewhere in custom logging, but I have no idea where to start.

We are running Panorama and Firewalls currently on 9.05. 

 

In time, I'd love to integrate it into Webex Teams for messaging alerts, as we have an Alert Bot. This is possible, right!?

 

Thank you kindly for taking the time and energy to read and respond! 

 

Daniel


Accepted Solutions
Cyber Elite

@MrDMartins,


@MrDMartins wrote:

I'd like to generate email alerts for:

  • Interface - in that their status changes e.g. data-link down, hard down, flapping
    • Are the dedicated HA ports possible to be alerted too
  • Firewall goes into HA where the passive firewall takes over

So for an HA state-change you would want to do the following; note that you could add (severity geq high) to remove any events where someone actually suspends the firewall manually.

<filter>(eventid eq state-change)</filter>
# Or to filter out suspend actions #
<filter>(eventid eq state-change) and (severity geq high)</filter>

 

For the link changes you would actually want to look for the link-change eventid like so

<filter>(eventid eq link-change)</filter>
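
To preview which events the filters in the answer above would select before attaching them to an email profile, here is an added example (not from the original post, and not PAN-OS's own filter parser): a small Python evaluator for the `(field op value)` subset of the filter syntax, run over constructed log records. The record layout, the `note` labels and the sample severities are assumptions made for illustration.

```python
import re

# Severity ranks, lowest to highest, used to evaluate geq/leq.
SEVERITY = ["informational", "low", "medium", "high", "critical"]
CLAUSE = re.compile(r"\(\s*(\w+)\s+(eq|neq|geq|leq)\s+([\w-]+)\s*\)")
JOINER = re.compile(r"\s+(and|or)\s+")

# Constructed sample records; severities are assumptions chosen to mirror
# the post's point that a manual suspend logs below "high".
SAMPLE_LOGS = [
    {"eventid": "state-change", "severity": "critical", "note": "failover"},
    {"eventid": "state-change", "severity": "medium", "note": "manual-suspend"},
    {"eventid": "link-change", "severity": "high", "note": "link-down"},
    {"eventid": "general", "severity": "informational", "note": "login"},
]

def _clause(record, field, op, value):
    actual = record.get(field, "")
    if op in ("eq", "neq"):
        return (actual == value) == (op == "eq")
    # geq/leq only make sense on an ordered field; here that is severity.
    if field != "severity" or actual not in SEVERITY or value not in SEVERITY:
        raise ValueError(f"cannot order values of {field!r}")
    a, v = SEVERITY.index(actual), SEVERITY.index(value)
    return a >= v if op == "geq" else a <= v

def matches(filter_text, record):
    """Evaluate '(f op v) and|or (f op v) ...' left to right, no nesting."""
    text, pos, result, joiner = filter_text.strip(), 0, None, "and"
    while True:
        m = CLAUSE.match(text, pos)
        if not m:
            raise ValueError(f"unsupported filter syntax at offset {pos}")
        value = _clause(record, *m.groups())
        if result is None:
            result = value
        else:
            result = (result and value) if joiner == "and" else (result or value)
        pos = m.end()
        j = JOINER.match(text, pos)
        if not j:
            break
        joiner, pos = j.group(1), j.end()
    if pos != len(text):
        raise ValueError(f"unsupported filter syntax at offset {pos}")
    return result

def alerts(filter_text, logs=SAMPLE_LOGS):
    """Return the notes of the records that would trigger an alert."""
    return [r["note"] for r in logs if matches(filter_text, r)]
```

Calling `alerts()` with each filter string from the answer shows that the severity clause is what separates a real failover from the constructed manual-suspend record.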



All Replies
Cyber Elite

Hello,

The configuration is on the Device tab -> Log Settings. There you can build a filter to suit your needs. I personally just have it send me all critical alerts (HA is included in these).

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cln1CAC

 

Regards,


L2 Linker

Thank you @BPry !

 

Exactly what I was looking for!!!

 

Thank you for your time and reply! 

 

L2 Linker

@OtakarKlier 

 

I never went deep enough into the menu to see the "view filtered logs". So the video you referred to was immensely useful in finally getting the overview of log settings! Looking forward to tweaking them to get exactly what I want!!!

 

Thank you too for your time and response!

 
