Why are my Severity Mappings for Palo Alto devices wrong?

Article ID: 215616


Products

CA Spectrum

Issue/Introduction

As of Palo Alto version 10, the panSystemSeverity values sent by Palo Alto devices do not match the panSystemSeverity enumeration in Spectrum.

MIB: PAN-Traps-my-v10
panSystemSeverity OBJECT-TYPE
SYNTAX INTEGER { unused (0), informational (1), low (2), medium (3), high (4), critical (5) }
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"System log event severity"
::= { panCommonEventObjs 303}
--

SPECTRUM:

panSystemSeverity 1.3.6.1.4.1.25461.2.1.3.1.303 INTEGER
{
unused(1)
informational(2)
low(3)
medium(4)
high(5)
critical(6)
}

How can we correct this to avoid alarm issues?

Environment

Release : 20.x, 10.x

Component : Spectrum Alarms

Cause

Palo Alto severity mappings changed with version 10 firmware.

The numberings go from 0 to 5 whereas previously they went from 1 to 6.


Example from a recent PAN-TRAPS MIB:

panHAStateChangeTrap NOTIFICATION-TYPE
 VARIABLES {
    panReceiveTime          1.3.6.1.4.1.25461.2.1.3.1.2    OCTET STRING                   
    panSerial                      1.3.6.1.4.1.25461.2.1.3.1.3    OCTET STRING                   
    panEventType              1.3.6.1.4.1.25461.2.1.3.1.4    OCTET STRING                   
    panEventSubType        1.3.6.1.4.1.25461.2.1.3.1.5    OCTET STRING                   
    panVsys                        1.3.6.1.4.1.25461.2.1.3.1.7    OCTET STRING                   
    panSeqno                     1.3.6.1.4.1.25461.2.1.3.1.8    Counter64                      
    panActionflags              1.3.6.1.4.1.25461.2.1.3.1.9    OCTET STRING                   
    panSystemEventId       1.3.6.1.4.1.25461.2.1.3.1.300  OCTET STRING                   
    panSystemObject         1.3.6.1.4.1.25461.2.1.3.1.301  OCTET STRING                   
    panSystemModule        1.3.6.1.4.1.25461.2.1.3.1.302  OCTET STRING                   
    panSystemSeverity       1.3.6.1.4.1.25461.2.1.3.1.303  INTEGER                        
  {
     unused(0)
     informational(1)
     low(2)
     medium(3)
     high(4)
     critical(5)
  }
    panSystemDescription           1.3.6.1.4.1.25461.2.1.3.1.304  OCTET STRING                   
 }
 DESCRIPTION
 "HA device has changed states"
-- 1.3.6.1.4.1.25461.2.1.3.2.0.801

Resolution

If you have updated all of your Palo Alto devices to firmware 10, you will need to make the changes either through the Event Configuration Editor GUI or in the $SPECROOT/custom/Events/Palo_Alto/SeverityMaps/panSeverity file.

 

From this:

To this, as an example (Palo Alto has 4 severity levels while Spectrum uses 3):

Or you can copy the panSeverity file from $SPECROOT/SS/CsVendor/Palo_Alto/SeverityMaps to $SPECROOT/custom/Events/Palo_Alto/SeverityMaps/, creating the directories in the custom directory if they are missing.

The updated panSeverity file to match the suggested setting above in the GUI should look like:

2 1
3 2
4 2
5 3

 

Once the changes have been made and saved, push the Update Event Configuration button from the VNM model, under SpectroSERVER Control.
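An offline check of a panSeverity file against the version 10 enumeration, added here as an example and not part of the original article or of Spectrum. It assumes each line is a trap value followed by a Spectrum severity, as in the listing above; the function names are hypothetical and the legacy map is a constructed sample, since the article does not show the original file.

```python
# PAN-OS 10 panSystemSeverity enumeration, copied from the MIB excerpt in this article.
V10_NAMES = {0: "unused", 1: "informational", 2: "low",
             3: "medium", 4: "high", 5: "critical"}

# Map from the article's Resolution section.
UPDATED_MAP = "2 1\n3 2\n4 2\n5 3\n"
# Constructed sample: the same map keyed by the pre-10 numbering (1 to 6).
# The article does not show the original file, so this content is an assumption.
LEGACY_MAP = "3 1\n4 2\n5 2\n6 3\n"


def parse_severity_map(text):
    """Parse lines of '<trap value> <Spectrum severity>' into a dict."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue  # skip blank lines
        if len(fields) != 2 or not all(f.isdigit() for f in fields):
            raise ValueError(f"line {lineno}: expected two integers, got {line!r}")
        value, severity = int(fields[0]), int(fields[1])
        if value in mapping:
            raise ValueError(f"line {lineno}: duplicate entry for value {value}")
        mapping[value] = severity
    return mapping


def audit(text):
    """Return (resolved, unreachable) for a severity map under PAN-OS 10.

    resolved: v10 severity name -> Spectrum severity, or None when unmapped.
    unreachable: map keys outside the version 10 enumeration (0 to 5).
    """
    mapping = parse_severity_map(text)
    resolved = {name: mapping.get(value) for value, name in V10_NAMES.items()}
    unreachable = sorted(k for k in mapping if k not in V10_NAMES)
    return resolved, unreachable


if __name__ == "__main__":
    for label, text in (("legacy", LEGACY_MAP), ("updated", UPDATED_MAP)):
        resolved, unreachable = audit(text)
        print(f"{label}: unreachable keys {unreachable}")
        for name, severity in resolved.items():
            print(f"  {name:<14}-> {severity if severity is not None else 'no entry'}")
```

With the constructed legacy sample, critical(5) resolves to the severity meant for high and low(2) has no entry, while key 6 is never matched by a version 10 device.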

Additional Information

Severity Map information

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/spectrum/10-4-3/managing-network/event-configuration/working-with-events-and-alarms.html