Incorrect PANORAMA health MonitorStatus

L2 Linker

Hi there,

 

Could you help me understand my device status correctly:

 

I was looking at my device status in PANORAMA's beautiful feature called the "Deviating devices" list. I couldn't quite understand why it is reporting some of my PA devices as deviating from the baseline though they're not even close to the threshold values. For example, it's reporting a device as deviating when its memory is at 27%. Sometimes it's red even for a connection count of 2.

 

Could you please help me understand, if you have come across this issue.

 

Best regards,

Nagarjuna 

 

 

 

L2 Linker

Re: Incorrect PANORAMA health MonitorStatus

So I have seen the same issue. I see that my primary HA firewall pair is listed, and the active firewall is deviating, but all of the metrics are low... 7k sessions, 22% cpu, 208 logs/sec. It's very strange. 

Cyber Elite

Re: Incorrect PANORAMA health MonitorStatus

 

As per my understanding, if the firewall sees an increase in traffic compared to the previous baseline, it shows it as red even though the threshold is not reached.

Let's see if someone chimes in about this behaviour.

MP
L3 Networker

Re: Incorrect PANORAMA health MonitorStatus

Hi, it's a bit of a slow reply I realise, but I have just been looking at how many warnings we are logging and it seems to me that the baselining calculation doesn't allow for variations caused by night time and weekend lulls. The little graph it displays shows my supposedly deviating stats are following a fairly normal pattern, but the baseline is way too low for daytime activity levels. I can only assume that's because it's an average over all time and the variation between my day and night is huge, as I would guess it is for most people. It uses some standard deviation to calculate a tolerance, but that's far too conservative.

 

Take an example of my logging rate: to the human eye you can see it's sticking to the normal pattern, but because the rate drops to the low 100's overnight, the 2,000 rate in the daytime is way outside the baseline and tolerance. Weekends just add to that imbalance.

 

Palo, can you change the algorithm to take into account time of day variations? I'm no mathematician so don't know how, but at the moment I am just having to ignore/filter out the deviating device logs as they trigger all the time.

 

lograte.png
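The effect described in the reply above, as an added example that is not part of the thread and is not Panorama's actual algorithm: it assumes a single all-time mean with a one-standard-deviation tolerance and compares that with a baseline kept per hour of the week. The traffic figures, `K` and `MIN_REL` are constructed for illustration.

```python
from collections import defaultdict
from statistics import fmean, pstdev

K = 1.0          # assumed tolerance, in standard deviations
MIN_REL = 0.10   # assumed floor so near-constant buckets keep some slack

def rate(week, dow, hour):
    """Constructed logs/sec: ~2000 in weekday office hours, ~150 otherwise."""
    base = 2000 if dow < 5 and 8 <= hour < 18 else 150
    jitter = ((week * 5 + dow * 3 + hour * 7) % 9 - 4) / 100  # +/-4 %
    return base * (1 + jitter)

def week_samples(week):
    return [(dow, hour, rate(week, dow, hour))
            for dow in range(7) for hour in range(24)]

def band(values):
    """Return (mean, tolerance) for one baseline."""
    mean = fmean(values)
    return mean, max(K * pstdev(values), MIN_REL * mean)

def global_baseline(history):
    # One mean/tolerance over all history: the "average over all time" case.
    mean, tol = band([v for _, _, v in history])
    return lambda dow, hour: (mean, tol)

def hour_of_week_baseline(history):
    # One mean/tolerance per (weekday, hour) slot, so day and night
    # are each compared with their own past.
    buckets = defaultdict(list)
    for dow, hour, v in history:
        buckets[(dow, hour)].append(v)
    bands = {key: band(vals) for key, vals in buckets.items()}
    return lambda dow, hour: bands[(dow, hour)]

def deviating(baseline, samples):
    flagged = []
    for dow, hour, v in samples:
        mean, tol = baseline(dow, hour)
        if abs(v - mean) > tol:
            flagged.append((dow, hour))
    return flagged

history = [s for w in range(4) for s in week_samples(w)]  # 4 weeks of training
current = week_samples(4)                                 # week under test
flat = deviating(global_baseline(history), current)
seasonal = deviating(hour_of_week_baseline(history), current)

if __name__ == "__main__":
    print(f"single baseline flags {len(flat)} of {len(current)} hours")
    print(f"hour-of-week baseline flags {len(seasonal)} of {len(current)} hours")
```

With the single baseline, every flagged hour is a normal weekday daytime hour; the hour-of-week baseline flags nothing for the same week.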

L3 Networker

Re: Incorrect PANORAMA health MonitorStatus

I can update, this has been accepted by Palo as a feature update, so don't hold your breath, but we should see a change at some point.
