Free Health Alerts
The following table identifies the free alerts that AIOps for NGFW or Strata Cloud Manager can raise
which are related to the health of your platform.
A Premium license is not required in order for AIOps for NGFW or Strata Cloud Manager to raise these alerts.
Alert
|
Description
|
---|---|
Card Failure: Card heartbeat failure - Max restarts attempted (Free alert)
|
This alert triggers when the error "Card heartbeat failure - Max restarts attempted" is detected in one of the line cards in the chassis, indicating a software or hardware issue that has caused the card to enter a failure state.
Class: Health
Category: Hardware
|
Log Loss due to Log Forwarding Failure (Free alert)
|
The firewall attempts to reliably forward logs to Panorama, log collectors, or the Strata Logging Service. When a forwarded log is successfully received, the firewall will receive an acknowledgment from these destinations. This alert is triggered when the firewall’s ability to track the unacknowledged logs is at capacity. A backlog of too many unacknowledged logs results in log loss.
Class: Health
Category: Logging
|
SAML message from IdP has no Assertion (Free alert)
|
When the user attempts to log in to GlobalProtect, the Captive Portal, or the Admin UI, if using an Identity Provider (IdP), the IdP sends a SAML Assertion to the PAN-OS device’s Assertion Consumer Service (ACS) URL. Even if the authentication with the IdP is successful, the PAN-OS device must still validate the SAML Assertion for successful authentication.
This alert is triggered when, during the transmission of the SAML assertion to the PAN-OS device, one of two potential points of failure occur:
1. The SAML assertion may be encrypted, which PAN-OS does not support, preventing successful assertion processing.
2. The IdP may fail to transmit the SAML assertion due to misconfiguration.
This Alert automatically clears if no failures are noticed for 24 hours since the detection of the last failure.
Class: Health
Category: Account Monitoring and Control
|
ACC Query Failure (Free alert)
|
This alert detects if the Application Command Center (ACC) query has failed.
Class: Health
Category: Logging
|
Advanced Routing Engine: NGFW Sent BGP Routes Beyond the Capacity of Its Peer (Free alert)
|
This alert is triggered when this NGFW's BGP peer notifies it that its maximum prefix capacity has been exceeded.
Class: Health
Category: Traffic
|
Approaching Max Capacity - EDL Custom Lists (Free alert)
|
The number of EDL Custom List objects is approaching the maximum capacity the firewall can support.
Class: Health
Category: Capacity
|
Approaching Max Capacity - URLs or IPs within EDLs (Free alert)
|
The number of URLs, IPs, or Domains within the configured EDL(s) used in policy on this firewall is approaching the maximum capacity that the firewall can support.
Class: Health
Category: Resource limits
|
Approaching Max Tunnel Throughput (Free alert)
|
The IPsec VPN tunnel usage is close to maximum.
Class: Health
Category: Site-to-Site VPN
|
BGP Peering Issue Due to Error Subcode = Administrative Reset (4) (Free alert)
|
This alert is triggered when a BGP speaker decides to reset the peering with a neighbor administratively. In such cases, the speaker SHOULD send a NOTIFICATION message with the Error Code "Cease" (6) and the Error Subcode "Administrative Reset" (4).
Common reasons for a BGP administrative reset include:
1. A configuration change to BGP parameters on one of the peers e.g., A loss of connectivity due to a cut cable or failed link, The blocking of TCP port 179, which is used by BGP, Misconfiguration of the IGP or the static routing that establishes connectivity between the two peers
2. Loss of connectivity between BGP peers - Changing BGP routing policies, router IDs, or IP addresses of particular interfaces/peers may cause an immediate reset.
3. Misconfiguration of the BGP peering parameters- e.g., An administrator performs a manual BGP reset for any newly configured or modified routing policies to take effect.
Class: Health
Category: Traffic
|
BGP Peering Issue Due to Error Subcode = Administrative Shutdown (2) (Free alert)
|
This alert is triggered when a BGP notification message with the Administrative Shutdown code is sent by the neighbor to the NGFW, indicating that the neighbor has initiated a termination of the BGP peering.
Refer to the RFC below regarding BGP's Error Subcode = Administrative Shutdown (2):
https://datatracker.ietf.org/doc/html/rfc8203
If a BGP speaker decides to terminate its session with a BGP neighbor and sends a NOTIFICATION message with the Error Code 'Cease' and Error Subcode 'Administrative Shutdown' or 'Administrative Reset' [RFC4486], it MAY include a UTF-8 encoded string. The contents of the string are at the operator's discretion.
Class: Health
Category: Traffic
|
BGP Peering Issue Due to Error Subcode = Connection Rejected (5) (Free alert)
|
This alert is triggered when the system receives a BGP connection (OPEN) message from a peer that is not configured locally. The alert identifies this issue using Error Code = Cease (6) and Error Subcode = Connection Rejected (5).
Class: Health
Category: Traffic
|
BGP peering issue due to Error subcode = Peer De-configured (3) (Free alert)
|
This alert detects if a BGP speaker decides to de-configure the peer, The relevance of this alert is to determine which peer has initiated Peer De-configuring.
As per the BGP RFC, (https://datatracker.ietf.org/doc/html/rfc4486)
" If a BGP speaker decides to de-configure a peer, then the speaker SHOULD send a NOTIFICATION message with the Error Code Cease and the Error Subcode "Peer De-configured".
Class: Health
Category: Traffic
|
BGP peering issue due to Error subcode = Bad Peer AS (2) (Free alert)
|
This alert is triggered when the NGFW's BGP AS information doesn't match its peer's AS information.
In a standard BGP peering configuration, both peers must agree on the local AS number and the peer's AS number, and this should hold true in both directions. However, more complex BGP setups, such as Cisco's dual-AS configuration (https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-sy/irg-15-sy-book/irg-dual-as.pdf) or BGP peering between a 4-byte ASN device and a 2-byte ASN device (discussed here - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004LXFCA2), can present challenges for users configuring basic BGP peering.
Class: Health
Category: Traffic
|
BGP-peer dropping due to missing keepalives (Free alert)
|
This Alert is triggered when one peer fails to receive keepalive messages from its peer. These messages are exchanged periodically to confirm the connection is still active. Without them, the BGP speaker cannot verify the connection's status and drops the peering session.
Class: Health
Category: Traffic
|
Card Failure: Path monitor failure - Max restarts attempted (Free alert)
|
This alert triggers when the error "Path monitor failure - Max restarts attempted" is detected in one of the line cards in the chassis, indicating a software or hardware issue that has caused the card to enter a failure state.
Class: Health
Category: Hardware
|
Card Power Failure (Free alert)
|
A card failure has been detected, suggesting a potential issue with the card or its seating within the chassis.
Class: Health
Category: Hardware
|
Card Stuck in Starting State (Free alert)
|
This alert detects if a card is stuck in "Starting" state.
Class: Health
Category: Hardware
|
Card failure with reason "Slot runtime software failure - Max restarts attempted" (Free alert)
|
This alert triggers when the error "Slot runtime software failure - Max restarts attempted" is detected in one of the line cards in the chassis, indicating a software or hardware issue that has caused the card to enter a failure state.
Class: Health
Category: Hardware
|
Config Memory Usage Approaching Max Limits (Free alert)
|
The firewall's configuration is approaching its maximum memory usage limit. During commits, the firewall's total config memory must accommodate two copies: the current 'in-use' configuration and the new 'to-be-used' configuration. If the allocated memory per configuration exceeds 50%, the firewall reaches capacity, resulting in commit failure.
Class: Health
Category: Resource limits
|
Configuration size reaching device recommended limit (Free alert)
|
The configuration size of this device has reached its recommended limit.
Class: Health
Category: Resource limits
|
Connection Failure to LDAP Server (Free alert)
|
This alert indicates a connection failure between the firewall or Panorama and the LDAP server.
Class: Health
Category: Logging
|
DHCP Client IPv4 address Assignment Failure (Free alert)
|
This alert is triggered when a firewall’s dataplane interface configured as an IPv4 DHCP client either fails to obtain an IP address or has lost its assigned IP address.
Class: Health
Category: Traffic
|
DP Restart - Heartbeat Failure due to Internal Link Down (Free alert)
|
This alert triggers when evidence of the issue PAN-160633 occurring was detected in a PA-3200 or PA-5200 device.
Class: Health
Category: PAN-OS and Subscriptions
|
Degraded System Drive (Free alert)
|
A degraded system drive has been identified by monitoring its attributes values.
Class: Health
Category: Hardware
|
Delayed Telemetry (Free alert)
|
The analytics engines have no new telemetry from this NGFW/Panorama.
Class: Health
Category: Telemetry
|
Dropping Logs - Log Forwarding Queue Failure (Free alert)
|
This alert is triggered when a firewall or Panorama's internal log forwarding queue becomes full and starts dropping logs while trying to forward them to an external log destination like a Syslog server or HTTP server. This can occur even if there are no connectivity issues between the firewall or Panorama and the external log server.
Class: Health
Category: Logging
|
Duplicate IP address detected on an interface (Free alert)
|
This alert is triggered when a duplicate IP address is detected. The firewall's configuration can cause IP address conflicts on the network if any of the following conditions apply:
1. One of the firewall's interfaces has the same IP address.
2. A static Source Network Address Translation (SNAT) address is assigned that conflicts.
3. A static Destination Network Address Translation (DNAT) address is assigned that conflicts.
4. An IP address from a configured SNAT pool overlaps an existing subnet.
2. The IdP may fail to transmit the SAML assertion due to misconfiguration.
This Alert automatically clears if no new errors are noticed for 24 hours since the detection of the duplicate IP address.
Class: Health
Category: Traffic
|
Empty Tunnel (Free alert)
|
The IPsec VPN tunnel has no traffic in both ingress and egress.
Class: Health
Category: Site-to-Site VPN
|
Error - Heartbeat Failed Previously (Free alert)
|
This alert triggers when the "****Heartbeats failed previously" error is seen in the firewall.
Class: Health
Category: Logging
|
FE100 Failure (Free alert)
|
A calibration error has been detected on the FE100 chip in the firewall. This issue usually indicates a hardware failure.
Class: Health
Category: Hardware
|
Failed exporting config bundle via ssh (Free alert)
|
This alert is triggered when the Panorama is used as a client to SSH into a remote system (e.g., when using SCP to copy files over), it keeps a record of the public certificate of the remote system with the corresponding IP address.
When the remote system's certificate has changed, perhaps due to a transition from a self-signed certificate to a public-signed certificate, or the generation of a new certificate and key pair, the old SSH certificate stored in the Panorama will need to be deleted.
This alert will clear automatically if the host key verification failure is not detected for 24 hours since the last time it was noticed.
Class: Health
Category: Certificates
|
Fan Issues (Free alert)
|
A fan or fan tray triggered an alarm on the device.
Class: Health
Category: Hardware
|
Fatal Machine Check Failure (Free alert)
|
A Fatal Machine check failure was detected. This issue usually indicates a hardware failure in the CPU.
Class: Health
Category: Hardware
|
Firewall Disconnected from Panorama (Free alert)
|
The connection between Firewall and Panorama has been lost.
Class: Health
Category: System state
|
GRE tunnel is down - Tunnel Monitoring Failure (Free alert)
|
This alert is triggered when a Generic Routing Encapsulation (GRE) tunnel on the firewall has gone down due to tunnel monitoring failure. The GRE tunnel is no longer operational, disrupting the encapsulated traffic flow between the connected networks.
Class: Health
Category: Traffic
|
GRE tunnel is down - recursive routing (Free alert)
|
This alert is triggered when a Generic Routing Encapsulation (GRE) tunnel on the firewall has gone down due to recursive routing. The GRE tunnel is no longer operational, disrupting the encapsulated traffic flow between the connected networks.
Class: Health
Category: Traffic
|
HA Backup (Free alert)
|
The HA Backup link(s) are not currently configured.
Class: Health
Category: High-Availability
|
HA Peer Connection Status (Free alert)
|
One of the firewalls in the HA pair is in a non-healthy state.
Class: Health
Category: High-Availability
|
HA pair - Oversubscription of resources (Free alert)
|
The active/active HA pair is exceeding 100% resource usage.
Class: Health
Category: High-Availability
|
HW failure - DIMM Error (Free alert)
|
A Dual In-Line Memory Module (DIMM) is a hardware component responsible for storing and accessing data in the firewall's random access memory (RAM). This memory module plays a critical role in the firewall's performance, facilitating rapid processing of network traffic and execution of security tasks. An error related to this component typically indicates a memory failure, where processes encounter issues reaching the specific memory location.
Class: Health
Category: Hardware
|
High Dataplane Processing Latency (Free alert)
|
This alert is triggered when the dataplane processing latency on the firewall exceeds the predefined threshold. Dataplane processing latency refers to the time taken by the firewall to process network traffic and make forwarding decisions.
Class: Health
Category: Resource limits
|
High Disk Space Usage - Pancfg partition (Free alert)
|
The hard disk partition is nearing or at capacity. System performance and functionality may be negatively affected.
Class: Health
Category: Resource limits
|
High Disk Space Usage - Panlogs partition (Free alert)
|
The hard disk partition is nearing or at capacity.
Class: Health
Category: Resource limits
|
High Disk Space Usage - Root partition (Free alert)
|
The hard disk partition is nearing or at capacity.
Class: Health
Category: Resource limits
|
High Disk Space Usage - Shared memory partition (Free alert)
|
This alert is triggered if the shared memory (/dev/shm) disk partition is full on a firewall. The /dev/shm is a temporary filesystem used for shared memory in Linux systems.
Class: Health
Category: Capacity
|
High Processing Activity (Free alert)
|
One or more computing resources are running low on the device. System performance and functionality may be negatively affected.
Class: Health
Category: Resource limits
|
Hot-Plug event detected (Free alert)
|
Hot-Plug events on the interface will result in a complete traffic outage on those interfaces.
Class: Health
Category: Logging
|
IKEv1 IPsec Tunnel Down - IKE Crypto Profile Configuration mismatch (Free alert)
|
This alert is triggered when the IKEv1 IPsec tunnel is down due to an IKE Crypto Profile configuration mismatch. This configuration is crucial for ensuring the secure negotiation of cryptographic parameters necessary for establishing and maintaining a secure IPsec VPN connection. A discrepancy in the IKE Crypto Profile configuration between the local and remote ends can lead to the failure to establish or maintain phase 1 of the tunnel.
Class: Health
Category: Traffic
|
IKEv1 IPsec Tunnel Down - IPsec Crypto Profile Configuration mismatch (Free alert)
|
This alert is triggered when the IKEv1 IPsec tunnel is down due to an IPsec Crypto Profile configuration mismatch, which is vital for establishing secure communication between peers in an IPsec VPN connection.
Class: Health
Category: Traffic
|
IKEv1 IPsec Tunnel Down - Peer Identification Mismatch (Free alert)
|
This alert triggers when the IKEv1 IPsec tunnel is down due to a Peer Identification mismatch, which is vital for establishing secure communication between peers in an IPsec VPN connection; a discrepancy in Peer Identification between the local and remote ends can prevent the tunnel from establishing or maintaining a connection.
Class: Health
Category: Site-to-Site VPN
|
IKEv2 IPsec Tunnel Down - IPsec Crypto Profile configuration mismatch (Free alert)
|
This alert triggers when the IKEv2 IPsec tunnel is down due to an IPsec Crypto Profile configuration mismatch, which is vital for establishing secure communication between peers in an IPsec VPN connection. A discrepancy in the IPsec Crypto Profile configuration between the local and remote ends can lead to the failure of the Child SA negotiation, thereby preventing the establishment or maintenance of phase 2 of the tunnel.
Class: Health
Category: Site-to-Site VPN
|
IKEv2 IPsec Tunnel Down - Peer Identification Mismatch (Free alert)
|
This alert triggers when the IKEv2 IPsec tunnel is down due to a Peer Identification mismatch, which is vital for establishing secure communication between peers in an IPsec VPN connection. Any discrepancy in Peer Identification between the local and remote ends can prevent the tunnel from establishing or maintaining a connection.
Class: Health
Category: Site-to-Site VPN
|
IPQ Error (Free alert)
|
An IPQ (Ingress Packet Queue) error has been detected on one of the FE100 chips in the firewall. This error usually indicates a reseat is needed, or there is a hardware failure.
Class: Health
Category: Hardware
|
Incompatible SFP Media Type (Free alert)
|
This alert triggers when the error "SFP Ports Doesn't Support this media type" is found in the device, indicating an incompatible or faulty SFP or cable is inserted.
Class: Health
Category: Hardware
|
Incorrect Port Speed Configured - PA-850 (Free alert)
|
This alert triggers when a PA-850 has an incorrect port speed configured for the installed SFP type.
Class: Health
Category: Traffic
|
Inter Log Collector Disconnection (Free alert)
|
This alert triggers when one of the Panoramas in Panorama mode or Log Collector mode becomes disconnected from the Collector Group. The Collector Group provides a centralized repository for NGFWs to forward logs such as system, config, traffic, and threat logs. Additionally, it supports reporting and querying functionalities.
Class: Health
Category: Logging
|
Irregular Input Power (Free alert)
|
Device power levels are outside of the normal range.
Class: Health
Category: Hardware
|
License Expiration (Free alert)
|
One or more of your licenses are nearing or have reached expiration.
Class: Health
Category: PAN-OS and Subscriptions
|
Logging Drive Failure (Free alert)
|
A failed logging drive has been identified through the monitoring of the firewall's disk status.
Class: Health
Category: Hardware
|
Logrcvr Out-of-Memory - LFC Log Loss Recovery Mechanism (Free alert)
This alert indicates that a connection to the Log Collector, Panorama, or Strata Logging Service is unstable, causing increased memory usage by the LFC log loss recovery hint mechanism.
Class: Health
Category: Logging

Logrcvr Out-of-Memory - LFC Memory Retention Due to Kernel Failure (Free alert)
This alert indicates that a kernel failure caused memory retention on the Log Forwarding Card (LFC) due to connection flaps with Panorama while forwarding logs.
Class: Health
Category: Logging

MPC Card - CPLD Failure (Free alert)
The Management Processor Card (MPC) is an essential component of the PA-5450, providing management, logging, and high availability functions. The MPC card has experienced a failure due to an issue with one of its components, the Complex Programmable Logic Device (CPLD).
Class: Health
Category: Hardware

NGFW received BGP Routes beyond the configured max Prefixes (Free alert)
This alert is triggered when this NGFW's BGP peer advertises more routes than the NGFW's configured maximum prefix limit allows.
Class: Health
Category: Traffic

NGFW/Panorama Management Certificate Expiration (Free alert)
This alert detects the expiration of the NGFW/Panorama Management Certificate.
Class: Health
Category: Certificates

NPC Card - FE100 Failure (Free alert)
Network Processing Cards (NPCs) provide network connectivity and are essential for network traffic processing. An NPC card has experienced an issue with its FE100 component, leading to its failure.
Class: Health
Category: Hardware

Non-default Logging level (Free alert)
This alert is triggered when the logging level of a service is not set to its default configuration. The alert helps ensure that services consistently maintain their designated logging settings.
Class: Health
Category: Resource limits

Out of Sync Peers - Configuration (Free alert)
The system configurations on the high availability peers do not match.
Class: Health
Category: High-Availability

Out of Sync Peers - Dynamic Content (Free alert)
Dynamic content, such as Antivirus or Applications and Threats, does not match between the high availability peers.
Class: Health
Category: High-Availability

Out of Sync Peers - Sessions (Free alert)
Sessions are not synchronized or up to date between the high availability peers.
Class: Health
Category: High-Availability

Out of Sync Peers - Software (Free alert)
The PAN-OS software versions on the high availability peers do not match.
Class: Health
Category: High-Availability

Outdated Dynamic Content (Free alert)
The dynamic content installed on the device is stale compared to the content available on the update server.
Class: Health
Category: Dynamic content

PA-5450 NC card - FE100 Failure (Free alert)
Networking Cards (NCs) provide network connectivity and are essential for network traffic processing. An NC card has experienced an issue with its FE100 component, which triggers an internal link fault and causes a path monitoring failure on the Dataplane Processing Card (DPC).
Class: Health
Category: Hardware

PAN-OS End-of-Life (Free alert)
Your current version of PAN-OS is no longer supported.
Class: Health
Category: PAN-OS and Subscriptions
PAN-OS Known Vulnerability (Free alert)
Your current version of PAN-OS has known vulnerabilities.
Class: Health
Category: PAN-OS and Subscriptions

PAN-OS Root and Default Certificate Expiration - Scenario 1 (Free alert)
The root certificate and the default certificate on the firewall have expired.
Class: Health
Category: Certificates

PAN-OS Root and Default Certificate Expiration - Scenario 2 (Free alert)
The root certificate and the default certificate on the firewall have expired.
Class: Health
Category: Certificates

PAN-OS integrated User-ID Agent Monitored Server Disconnected (Free alert)
This alert is triggered when a server monitored by the PAN-OS integrated User-ID Agent (Agentless User-ID) loses its connection with the firewall. This monitored server is a critical component for mapping user identities to network activity.
Class: Health
Category: Hardware

PCI Error (Free alert)
The Peripheral Component Interconnect (PCI) is responsible for connecting the Management Plane (MP) to the Control Plane (CP). An error related to this component indicates that it has failed.
Class: Health
Category: Hardware

Panorama/Log Collector Disconnected from Collector Group [AIOps-Alerts-Logging] (Free alert)
This alert triggers when the IP address of Panorama or the Log Collector changes, leaving the ring file's configuration linked to the old IP address. As a result, Panorama or the Log Collector disconnects from the Collector Group, preventing NGFWs from sending their logs to Panorama or the Log Collector.
Class: Health
Category: Logging

Path Monitor Failure - Card (Free alert)
A path monitoring failure has been detected on a card located in one of the firewall's slots.
Class: Health
Category: Hardware

Policy Config Memory Usage Approaching Max Limits (Free alert)
This alert detects whether the policy config memory usage exceeds a critical threshold.
Class: Health
Category: Resource limits

Port Failure (Free alert)
A failure related to the management physical port or one of the high-availability physical ports has been detected.
Class: Health
Category: Hardware

Process Memory Depletion - Configd (Free alert)
The device’s management plane processes are depleting its available memory.
Class: Health
Category: Resource limits

Process Memory Depletion - Device Server (Free alert)
The device’s management plane processes are depleting its available memory.
Class: Health
Category: Resource limits

Process Memory Depletion - Log Receiver (Free alert)
The device’s management plane processes are depleting its available memory.
Class: Health
Category: Resource limits

Process Memory Depletion - Management Server (Free alert)
The device’s management plane processes are depleting its available memory.
Class: Health
Category: Resource limits

Process Memory Depletion - Report (Free alert)
The device’s management plane processes are depleting its available memory.
Class: Health
Category: Resource limits

Process Memory Depletion - User Id (Free alert)
The device’s management plane processes are depleting its available memory.
Class: Health
Category: Resource limits
Reduced Tunnel Throughput (Free alert)
The IPsec VPN tunnel usage is below its normal level.
Class: Health
Category: Site-to-Site VPN

Redundant Power Supply Failure (Free alert)
Power supply redundancy has not been achieved, either because a redundant power supply has not been inserted, a power supply has malfunctioned, or full redundancy has not been reached.
Class: Health
Category: Hardware

SAML SSO authentication failed for User (Free alert)
When the Authentication Profile filters specific groups for GlobalProtect or Captive Portal users, or both, authentication failures may occur. Even if users appear to belong to a group listed in the allow list, they still encounter the "user not in allow list" message. Changing the allow list to include "all" groups rather than specific ones enables successful user authentication.
Class: Health
Category: Logging

SCP Scheduled Log Export Failure (Free alert)
This alert detects whether the SCP scheduled log export has failed.
Class: Health
Category: Logging

Session Failure (Free alert)
Sessions can fail in the firewall, which increments various global counters. These global counters indicate the reason the traffic session failed.
Class: Health
Category: Traffic

Slow Panorama Performance - Long Execution of 'show config candidate' operation (Free alert)
This alert is triggered when the 'show config candidate' operation takes longer than expected.
This alert clears automatically if the slow 'show config candidate' operation is not detected for 3 days after it was last observed.
Class: Health
Category: System State

Slow Panorama Performance - Long Execution of Push Scope Operation (Free alert)
This alert is triggered when an admin tries to push changes and Panorama takes too long to display the push scope UI.
This alert clears automatically if the slow push-scope operation is not detected for 3 days after it was last observed.
Class: Health
Category: System State

Slow Panorama Performance - Long Execution of Save, Load, or Revert config operation (Free alert)
This alert is triggered when a Save, Load, or Revert config operation takes longer than expected.
This alert clears automatically if slow Save, Load, or Revert operations are not detected for 3 days after they were last observed.
Class: Health
Category: System State

System Drive or Connector fault (Free alert)
This alert indicates that the device has experienced a hardware failure in either the drive or the drive connector.
Class: Health
Category: Hardware

Terminal Server agent Self-signed Certificate Expiration (Free alert)
This alert detects the expiration of the Terminal Server agent self-signed certificate on November 18, 2024.
Class: Health
Category: Certificates

Thermal Issues (Free alert)
Device temperature is outside of the normal range.
Class: Health
Category: Hardware

Traffic Latency - Packet Descriptors (on-chip) (Free alert)
Packet Descriptor (on-chip) resources are running low on the device.
Class: Health
Category: Flood/DoS

Transceiver or SFP Port - Failed to Write Value (Free alert)
This alert triggers when the error "Failed to write value 0x from byte 0 to offset" is found on the device, usually indicating a faulty transceiver, cable, or SFP port.
Class: Health
Category: Hardware
Unidirectional Tunnel Traffic (Free alert)
The IPsec VPN tunnel has unidirectional traffic.
Class: Health
Category: Site-to-Site VPN

Unofficial URL for Application Database (Free alert)
This alert triggers when the firewall's dynamic content update for the Application Database uses an unofficial URL to download the update.
Administrators may use QA servers for troubleshooting dynamic update downloads, sometimes without realizing these are test servers. After successful testing, they may forget to reset the firewall to the correct URL for downloading updates.
Class: Health
Category: Dynamic Content

Unofficial URL for Cloud Services (Free alert)
This alert triggers when the firewall's dynamic content update for Cloud Services uses an unofficial URL to download the update.
Administrators may use QA servers for troubleshooting dynamic update downloads, sometimes without realizing these are test servers. After successful testing, they may forget to reset the firewall to the correct URL for downloading updates.
Class: Health
Category: Dynamic Content

Unofficial URL for PAN-DB URL Filtering | Advanced URL Filtering (Free alert)
This alert triggers when the firewall's dynamic content update for PAN-DB URL Filtering | Advanced URL Filtering uses an unofficial URL to download the update.
Administrators may use QA servers for troubleshooting dynamic update downloads, sometimes without realizing these are test servers. After successful testing, they may forget to reset the firewall to the correct URL for downloading updates.
Class: Health
Category: Dynamic Content

Unofficial URL for WildFire | Advanced WildFire (Free alert)
This alert triggers when the firewall's dynamic content update for WildFire | Advanced WildFire uses an unofficial URL to download the update.
Administrators may use QA servers for troubleshooting dynamic update downloads, sometimes without realizing these are test servers. After successful testing, they may forget to reset the firewall to the correct URL for downloading updates.
Class: Health
Category: Dynamic Content

Unsupported Transceiver Used (Free alert)
This alert is raised if the part number of any transceiver (SFP, SFP+, QSFP, QSFP+) in a single device is incompatible with the specifications supported by Palo Alto Networks.
Class: Health
Category: Hardware

User authentication unsuccessful - received out-of-band SAML message (Free alert)
When a user attempts to log in to GlobalProtect, the Captive Portal, or the Admin UI using an Identity Provider (IdP), the IdP sends a SAML Assertion to the PAN-OS device’s Assertion Consumer Service (ACS) URL. Even if authentication with the IdP succeeds, the PAN-OS device must still validate the SAML Assertion for the authentication to succeed.
This alert is triggered when the PAN-OS device receives a SAML Assertion it was not expecting, indicating that a user’s login attempt was unsuccessful.
Class: Health
Category: Account Monitoring and Control

User authentication unsuccessful - “max_clock_skew” Error (Free alert)
This alert indicates that the Security Assertion Markup Language (SAML) Identity Provider's authentication message encountered a "max_clock_skew" error due to time discrepancies between the Identity Provider (IdP) and the firewall/Panorama. This issue is often caused by out-of-sync local time or network latency.
Class: Health
Category: Account Monitoring and Control

User-ID agent Self-signed Certificate Expiration (Free alert)
This alert detects the expiration of the User-ID agent self-signed certificate on November 18, 2024. The alert fires if a PAN-OS device has a User-ID policy configured, meets the PAN-OS version requirements per Table 1 of the advisory, and uses a self-signed certificate. It does not apply if custom certificates are in use or if User-ID mappings are provided only by an NGFW that serves as a User-ID agent or by GlobalProtect agents.
Class: Health
Category: Certificates

Zone Protection profile - Flood Detection (Free alert)
The number of connections established on the zone or the incoming packet rate is excessive or abnormal.
Class: Health
Category: Flood/DoS

Zone Protection profile - Threshold Recommendation (Free alert)
A zone is missing a Zone Protection profile, or the threshold values in a Zone Protection profile need adjustment.
Class: Health
Category: Flood/DoS