Integration with identity/AAA server down-f5-all

Vendor: f5

OS: all

Description:
Some devices may integrate with identity or AAA servers to provide user identification, authentication and authorization services. If the integration is down, such services may be disrupted. Indeni will alert if this occurs.

Remediation Steps:
Make sure that the device can communicate with the identity/AAA server, that the username and password for accessing it are correct and that it has the permissions it needs.

How does this work?
The script checks the APM log for failed connections to the authentication server.

Why is this important?
Without any response from the authentication server, no user can log in if the APM is set up for central user management.

Without Indeni how would you find this?
An administrator would need to monitor that the authentication server is up, or read the APM log file.

f5-cat-var-log-apm

name: f5-cat-var-log-apm
description: Check APM log file for various issues
type: monitoring
monitoring_interval: 59 minutes
requires:
    vendor: f5
    product: load-balancer
    linux-based: 'true'
    shell: bash
comments:
    identity-integration-connection-state:
        why: |
            Without any response from the authentication server, no user can login if the APM is setup for central user management.
        how: |
            Script will check if we have any failed connections to the authentication server.
        without-indeni: |
            Administrator would need to monitor that the authentication server is up or read the APM log file.
        can-with-snmp: false
        can-with-syslog: true
    f5-apm-wrong-psk:
        why: |
            The pre-shared secret key set on AAA server and load balancer is not correct.
        how: |
            This script will look for messages in the APM log warning about the incorrect key and log a warning.
        without-indeni: |
            Administrator would need to look in the APM log file and look for warnings about handshake missmatch.
        can-with-snmp: false
        can-with-syslog: true
steps:
-   run:
        type: SSH
        command: ${nice-path} -n 15 /bin/grep -e 'no response from server' -e 'packet
            verification failed, most likely the shared secret is not correct' /var/log/apm
    parse:
        type: AWK
        file: cat-var-log-apm.parser.1.awk
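
The parser file `cat-var-log-apm.parser.1.awk` is not shown on this page. The following is an added example, not Indeni's parser, of how lines matching the two grep patterns above can be separated into the two conditions the script documents, since an unreachable server and a wrong shared secret call for different fixes. The sample log lines, the function names, the count keys and the `up`/`down` and `true`/`false` output values are assumptions; only the two message strings and the two metric names come from the page.

```bash
#!/usr/bin/env bash
# Added example (not Indeni's parser): classify APM log lines by the two
# messages that the monitoring command greps for.

# Constructed sample lines. The timestamp/host/process prefix is an assumed
# layout; only the two quoted messages are taken from the monitoring command.
sample_apm_log() {
cat <<'EOF'
Jan 10 09:14:02 bigip1 warning apmd[1234]: RADIUS module: no response from server
Jan 10 09:14:07 bigip1 warning apmd[1234]: RADIUS module: no response from server
Jan 10 09:15:30 bigip1 err apmd[1234]: packet verification failed, most likely the shared secret is not correct
Jan 10 09:16:00 bigip1 notice apmd[1234]: session created
EOF
}

# Reads log text on stdin and prints one key=value line per finding.
# The match does not depend on the line prefix, only on the message text.
classify_apm_log() {
    awk '
        # AAA server did not answer: connectivity or server-side outage.
        /no response from server/ { noresp++ }
        # AAA server answered but the reply failed verification: wrong shared secret.
        /packet verification failed, most likely the shared secret is not correct/ { psk++ }
        END {
            printf "identity-integration-connection-state=%s\n", (noresp > 0 ? "down" : "up")
            printf "no-response-count=%d\n", noresp
            printf "f5-apm-wrong-psk=%s\n", (psk > 0 ? "true" : "false")
            printf "wrong-psk-count=%d\n", psk
        }
    '
}

# Run the classifier over the constructed sample.
sample_apm_log | classify_apm_log
```

On a device, the input would be the output of the grep command in the `run` step rather than the constructed sample.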

cross_vendor_identity_integration_down

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.ruleengine.expressions.conditions.{EndsWithRepetition, Equals => RuleEquals, Not => RuleNot, Or => RuleOr}
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.StateDownTemplateRule
import com.indeni.server.rules.RemediationStepCondition

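/**
  * Cross-vendor rule built on StateDownTemplateRule. It evaluates the
  * "identity-integration-connection-state" metric per "name" tag and lists the
  * affected identity/AAA servers in the alert. historyLength = 3 is set to
  * avoid alerting on transient issues.
  */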
case class cross_vendor_identity_integration_down() extends StateDownTemplateRule(
  ruleName = "cross_vendor_identity_integration_down",
  ruleFriendlyName = "All Devices: Integration with identity/AAA server down",
  ruleDescription = "Some devices may integrate with identity or AAA servers to provide user identification, authentication and authorization services. If the integration is down, such services may be disrupted. indeni will alert if this occurs.",
  metricName = "identity-integration-connection-state",
  applicableMetricTag = "name",
  alertItemsHeader = "Affected Servers",
  alertDescription = "Typically an administrator would not be aware of a disconnected domain controller (or identity/AAA server) until users can no longer reach resources they were previously able to, or they are now able to reach resources that were previously blocked.",
  baseRemediationText = "Make sure that the device can communicate with the identity/AAA server, that the username and password for accessing it are correct and that it has the permissions it needs.",
  historyLength = 3 /* Avoid transient issues */)(
  RemediationStepCondition.VENDOR_CP -> "A way to confirming this can be found here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk91040"
)