Alerts (Palo Alto Networks)

The Management Pack for Palo Alto creates alerts (and in some cases provides recommended actions) based on various symptoms it detects in your Palo Alto Environment. See the table below for the list of alerts available in the Management Pack.

Alerts List

| Name | Description | Symptom | Recommendation |
| --- | --- | --- | --- |
| Application has Threat: Critical | This alert indicates that a Critical alert was raised in PaloAltoNetworks. | Threat: Critical | See the Palo Alto threats log for more details. |
| Application has Threat: Info | This alert indicates that an Info alert was raised in PaloAltoNetworks. | Threat: Info | See the Palo Alto threats log for more details. |
| Application has Threat: Warning | This alert indicates that a Warning alert was raised in PaloAltoNetworks. | Threat: Warning | See the Palo Alto threats log for more details. |
| Next Generation Firewall has Threat: Critical | This alert indicates that a Critical alert was raised in PaloAltoNetworks. | Threat: Critical | See the Palo Alto threats log for more details. |
| Next Generation Firewall has Threat: Info | This alert indicates that an Info alert was raised in PaloAltoNetworks. | Threat: Info | See the Palo Alto threats log for more details. |
| Next Generation Firewall has Threat: Warning | This alert indicates that a Warning alert was raised in PaloAltoNetworks. | Threat: Warning | See the Palo Alto threats log for more details. |
| VSYS has Threat: Critical | This alert indicates that a Critical alert was raised in PaloAltoNetworks. | Threat: Critical | See the Palo Alto threats log for more details. |
| VSYS has Threat: Info | This alert indicates that an Info alert was raised in PaloAltoNetworks. | Threat: Info | See the Palo Alto threats log for more details. |
| VSYS has Threat: Warning | This alert indicates that a Warning alert was raised in PaloAltoNetworks. | Threat: Warning | See the Palo Alto threats log for more details. |
| Policy Based Forwarding Table Rule has Next Hop State Event | This alert indicates that a Warning alert was raised in PaloAltoNetworks. | Next Hop State Event | |
| Hardware Interface High Received Throughput | This alert indicates that a high throughput was detected on this interface. | | If a Policy Based Forwarding Rule is a child of this interface, validate that the rule is appropriate. |
| Hardware Interface High Sent Throughput | This alert indicates that a high throughput was detected on this interface. | | If a Policy Based Forwarding Rule is a child of this interface, validate that the rule is appropriate. |
| Logical Interface High Received Throughput | This alert indicates that a high throughput was detected on this interface. | | If a Policy Based Forwarding Rule is a child of this interface, validate that the rule is appropriate. |
| Logical Interface High Sent Throughput | This alert indicates that a high throughput was detected on this interface. | | If a Policy Based Forwarding Rule is a child of this interface, validate that the rule is appropriate. |
| Physical Port High Received Throughput | This alert indicates that a high throughput was detected on this interface. | | If a Policy Based Forwarding Rule is a child of this interface, validate that the rule is appropriate. |
| Physical Port High Sent Throughput | This alert indicates that a high throughput was detected on this interface. | | If a Policy Based Forwarding Rule is a child of this interface, validate that the rule is appropriate. |
| Logical IP Spoof Attack Occurred | This alert indicates that at least one attack was detected on this interface. | | |
| Logical IP Land Attack Occurred | This alert indicates that at least one attack was detected on this interface. | | |
| Logical IP MAC Attack Occurred | This alert indicates that at least one attack was detected on this interface. | | |
| Logical IP Ping-Of-Death Attack Occurred | This alert indicates that at least one attack was detected on this interface. | | |
| Logical IP Teardrop Attack Occurred | This alert indicates that at least one attack was detected on this interface. | | |
| Next Generation Firewall CPU Average Load Higher than Normal | This alert indicates that the average load is higher than normal on the Firewall's CPU. | | Examine the running processes on the firewall and determine what is causing the high load. |
| Next Generation Firewall CPU Busy | This alert indicates that the CPU Busy value is too high. | | Examine the detailed breakdown of CPU usage on the object and determine why the CPU is busy. |
| Next Generation Firewall CPU Busy | This alert indicates that the CPU Busy value is too high. | | Examine the detailed breakdown of CPU usage on the object and determine why the CPU is busy. |
| Next Generation Firewall Data Plane Utilization CPU | This alert indicates that the CPU Utilization value is too high. | | |
| Next Generation Firewall Data Plane Utilization CPU | This alert indicates that the CPU Utilization value is too high. | | |
| Next Generation Firewall CPU Hardware Interrupts | This alert indicates that the CPU Hardware Interrupts value is too high. | | This is often caused by a broken peripheral. Check the environment for a broken peripheral. |
| Next Generation Firewall CPU Hardware Interrupts | This alert indicates that the CPU Hardware Interrupts value is too high. | | This is often caused by a broken peripheral. Check the environment for a broken peripheral. |
| Next Generation Firewall System CPU | This alert indicates that the kernel CPU value is too high. | | This is sometimes acceptable, but if it occurs over a long period of time, it could suggest a problem with the driver or kernel itself. |
| Next Generation Firewall System CPU | This alert indicates that the kernel CPU value is too high. | | This is sometimes acceptable, but if it occurs over a long period of time, it could suggest a problem with the driver or kernel itself. |
| Next Generation Firewall Management Plane Utilization CPU | This alert indicates that the CPU Utilization value is too high. | | |
| Next Generation Firewall Management Plane Utilization CPU | This alert indicates that the CPU Utilization value is too high. | | |
| Next Generation Firewall CPU User Space Processes Niced | This alert indicates that the User Space Process Niced CPU value is too high. | | This is acceptable if the niceness level of the process causing the spike is greater than 0. If it is less than 0, the process should be examined as it could cause the system to become less responsive. More info on processes can be found through the CLI by running `show system resources`. |
| Next Generation Firewall CPU User Space Processes Niced | This alert indicates that the User Space Process Niced CPU value is too high. | | This is acceptable if the niceness level of the process causing the spike is greater than 0. If it is less than 0, the process should be examined as it could cause the system to become less responsive. More info on processes can be found through the CLI by running `show system resources`. |
| Next Generation Firewall CPU Software Interrupts | This alert indicates that the Software Interrupts CPU value is too high. | | Determine which process is causing the bulk of the software interrupts and determine whether this can be killed or restarted. More info on processes can be found through the CLI by running `show system resources`. |
| Next Generation Firewall CPU Software Interrupts | This alert indicates that the Software Interrupts CPU value is too high. | | Determine which process is causing the bulk of the software interrupts and determine whether this can be killed or restarted. More info on processes can be found through the CLI by running `show system resources`. |
| Next Generation Firewall CPU Stolen | This alert indicates that the CPU Stolen value is too high. | | Check the hypervisor for other virtual machines that are using a lot of CPU and remedy them, or move to another host. |
| Next Generation Firewall CPU Stolen | This alert indicates that the CPU Stolen value is too high. | | Check the hypervisor for other virtual machines that are using a lot of CPU and remedy them, or move to another host. |
| Next Generation Firewall User Space Processes CPU | This alert indicates that the CPU Stolen value is too high. | | Check for processes using too much CPU. This can be done through the CLI by running `show system resources`. Determine whether this process is safe to restart or kill. |
| Next Generation Firewall User Space Processes CPU | This alert indicates that the CPU Stolen value is too high. | | Check for processes using too much CPU. This can be done through the CLI by running `show system resources`. Determine whether this process is safe to restart or kill. |
| Next Generation Firewall CPU Wait | This alert indicates that the CPU Wait value is too high. | | If this occurs consistently, it could indicate a problem with the hard disk. If intermittent, it could mean that many I/O tasks are running which do not require a great amount of CPU time. |
| Next Generation Firewall CPU Wait | This alert indicates that the CPU Wait value is too high. | | If this occurs consistently, it could indicate a problem with the hard disk. If intermittent, it could mean that many I/O tasks are running which do not require a great amount of CPU time. |
| Next Generation Firewall has High Availability Compatibility: Info | This alert indicates that an Info High Availability Configuration alert was raised in the firewall. | High Availability Compatibility: Info | See symptom for more info about the configuration mismatch. |
| Next Generation Firewall has High Availability Failover: Warning | This alert indicates that a Warning alert was raised on the firewall due to failover. | High Availability Failover: Warning | |
| Next Generation Firewall Fan has Raised an Alarm | This alert indicates that a fan has raised an alert. | Fan Alarm: Warning | See symptom for more info. |
| Next Generation Firewall Thermal Sensor has Raised an Alarm | This alert indicates that a thermal sensor has raised an alert. | Thermal Alarm: Warning | See symptom for more info. |
| Next Generation Firewall Power Rail has Raised an Alarm | This alert indicates that a power rail has raised an alert. | Power Rail Alarm: Warning | See symptom for more info. |

See also:

Metrics (Palo Alto Networks)