02-04-2019 06:28 PM
Hi there,
Could you help me understand my device status correctly:
I was looking at my device status in PANORAMA's beautiful feature called the "Deviating devices" list. I couldn't quite understand why it is reporting some of my PA devices as deviating from the baseline though they're not even close to the threshold values. For example, it's reporting a device as deviating when its memory is at 27%. Sometimes it's red even for a connection count of 2.
Could you please help me understand, if you have come across this issue.
Best regards,
Nagarjuna
12-13-2019 08:38 AM
So I have seen the same issue. I see that my primary HA firewall pair is listed, and the active firewall is deviating, but all of the metrics are low... 7k sessions, 22% cpu, 208 logs/sec. It's very strange.
12-13-2019 09:32 PM
As per my understanding, if the firewall sees increases in traffic compared to the previous baseline, it shows it as red even though the threshold is not reached.
Let's see if someone chimes in about this behaviour.
01-31-2020 03:30 AM
Hi, it's a bit of a slow reply I realise, but I have just been looking at how many warnings we are logging and it seems to me that the baselining calculation doesn't allow for variations caused by night-time and weekend lulls. The little graph it displays shows my supposedly deviating stats are following a fairly normal pattern, but the baseline is way too low for daytime activity levels. I can only assume that's because it's an average over all time and the variation between my day and night is huge, as I would guess it is for most people. It uses some standard deviation to calculate a tolerance, but that's far too conservative.
Take my logging rate as an example: to the human eye you can see it's sticking to the normal pattern, but because the rate drops to the low 100s overnight, the 2,000 rate in the daytime is way outside the baseline and tolerance. Weekends just add to that imbalance.
Palo, can you change the algorithm to take into account time-of-day variations? I'm no mathematician so don't know how, but at the moment I am just having to ignore/filter out the deviating device logs as they trigger all the time.
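The day/night problem described in the post above, as an added example (this is not Panorama's code; the mean + K * stdev rule, the K value and the traffic figures are assumptions constructed for illustration): a baseline built over every sample flags all the busy weekday hours, while a baseline kept per hour-of-week slot flags only a genuine spike.

```python
"""Global baseline vs. hour-of-week baseline for a 'deviating device' check.
Added example, not Panorama's real algorithm. Assumes a sample is 'deviating'
when it exceeds mean + K * stdev of the baseline samples."""
from statistics import mean, pstdev

K = 2.0                 # assumed tolerance multiplier
HOURS_PER_WEEK = 24 * 7

def constructed_week(offset):
    """One week of hourly logs/sec keyed by hour-of-week (weekday*24 + hour):
    weekday 10:00-16:00 busy (~2000/s), otherwise a night/weekend lull (~100/s).
    Constructed data, not a real firewall's figures."""
    week = {}
    for day in range(7):
        for hour in range(24):
            busy = day < 5 and 10 <= hour < 16
            week[day * 24 + hour] = (2000 if busy else 100) + offset
    return week

# Four weeks of history with a small week-to-week wobble, plus the current week.
HISTORY = [constructed_week(o) for o in (0, 30, -20, 10)]
CURRENT = constructed_week(5)

def upper_bound(values):
    return mean(values) + K * pstdev(values)

def global_deviations(history, current):
    """Baseline = every sample of every week, as the poster suspects is done."""
    bound = upper_bound([v for week in history for v in week.values()])
    return sorted(h for h, v in current.items() if v > bound)

def hour_of_week_deviations(history, current):
    """Baseline per hour-of-week slot: 13:00 Monday is compared with previous
    13:00 Mondays rather than with 03:00 Sunday."""
    flagged = []
    for h, v in current.items():
        if v > upper_bound([week[h] for week in history]):
            flagged.append(h)
    return sorted(flagged)

if __name__ == "__main__":
    g = global_deviations(HISTORY, CURRENT)
    s = hour_of_week_deviations(HISTORY, CURRENT)
    print(f"global baseline flags {len(g)} of {HOURS_PER_WEEK} normal hours")
    print(f"hour-of-week baseline flags {len(s)} normal hours")
```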
05-13-2020 01:13 AM
I can update, this has been accepted by Palo as a feature update, so don't hold your breath, but we should see a change at some point.
02-23-2023 04:38 AM
2.5 years later and the issue is still present.
09-27-2023 10:11 AM
Wheels of change move slow. Is it possible to send all system logs to a syslog server EXCEPT these deviating device logs?
09-27-2023 03:10 PM
Hello @Jason_Lieberman
you can exclude deviating device logs by placing: !( eventid eq 'deviating-device' ) in the Filter field under: Panorama > Log Settings > System > [Profile Name].
Kind Regards
Pavel