Next-Generation Firewall
Free Health Alerts
The following table identifies the free alerts related to the health of your platform that AIOps for NGFW and Strata Cloud Manager can raise.
A Premium license is not required in order for AIOps for NGFW or Strata Cloud Manager to raise these alerts.
Alert | Description |
---|---|
Log Loss due to Log Forwarding Failure (Free alert) | The firewall attempts to reliably forward logs to Panorama, log collectors, or the Strata Logging Service. When a forwarded log is successfully received, the firewall will receive an acknowledgment from these destinations. This alert is triggered when the firewall’s ability to track the unacknowledged logs is at capacity. A backlog of too many unacknowledged logs results in log loss.<br>Class: Health<br>Category: Logging |
ACC Query Failure (Free alert) | This alert detects if the Application Command Center (ACC) query has failed.<br>Class: Health<br>Category: Logging |
Approaching Max Capacity - EDL Custom Lists (Free alert) | The number of EDL Custom List objects is approaching the maximum capacity the firewall can support.<br>Class: Health<br>Category: Capacity |
Approaching Max Capacity - URLs or IPs within EDLs (Free alert) | The number of URLs, IPs, or Domains within the configured EDL(s) used in policy on this firewall is approaching the maximum capacity that the firewall can support.<br>Class: Health<br>Category: Resource limits |
Approaching Max Tunnel Throughput (Free alert) | The IPsec VPN tunnel usage is close to maximum.<br>Class: Health<br>Category: Site-to-Site VPN |
Card Power Failure (Free alert) | A card failure has been detected, suggesting a potential issue with the card or its seating within the chassis.<br>Class: Health<br>Category: Hardware |
Config Memory Usage Approaching Max Limits (Free alert) | The firewall's configuration is approaching its maximum memory usage limit. During commits, the firewall's total config memory must accommodate two copies: the current 'in-use' configuration and the new 'to-be-used' configuration. If the allocated memory per configuration exceeds 50%, the firewall reaches capacity, resulting in commit failure.<br>Class: Health<br>Category: Resource limits |
Configuration size reaching device capacity limit (Free alert) | The configuration size of this device has reached its capacity limit.<br>Class: Health<br>Category: Resource limits |
Connection Failure to LDAP Server (Free alert) | This alert indicates a connection failure between the firewall or Panorama and the LDAP server.<br>Class: Health<br>Category: Logging |
DHCP Client IPv4 address Assignment Failure (Free alert) | This alert is triggered when a firewall’s dataplane interface configured as an IPv4 DHCP client either fails to obtain an IP address or has lost its assigned IP address.<br>Class: Health<br>Category: Traffic |
Degraded System Drive (Free alert) | A degraded system drive has been identified by monitoring its attribute values.<br>Class: Health<br>Category: Hardware |
Delayed Telemetry (Free alert) | The analytics engines have no new telemetry from this NGFW/Panorama.<br>Class: Health<br>Category: Telemetry |
Dropping Logs - Log Forwarding Queue Failure (Free alert) | This alert is triggered when a firewall or Panorama's internal log forwarding queue becomes full and starts dropping logs while trying to forward them to an external log destination like a Syslog server or HTTP server. This can occur even if there are no connectivity issues between the firewall or Panorama and the external log server.<br>Class: Health<br>Category: Logging |
Empty Tunnel (Free alert) | The IPsec VPN tunnel has no ingress or egress traffic.<br>Class: Health<br>Category: Site-to-Site VPN |
FE100 Failure (Free alert) | A calibration error has been detected on the FE100 chip in the firewall. This issue usually indicates a hardware failure.<br>Class: Health<br>Category: Hardware |
Fan Issues (Free alert) | A fan or fan tray triggered an alarm on the device.<br>Class: Health<br>Category: Hardware |
Fatal Machine Check Failure (Free alert) | A Fatal Machine check failure was detected. This issue usually indicates a hardware failure in the CPU.<br>Class: Health<br>Category: Hardware |
Firewall Disconnected from Panorama (Free alert) | The connection between Firewall and Panorama has been lost.<br>Class: Health<br>Category: System state |
HA Backup (Free alert) | The HA Backup link(s) are not currently configured.<br>Class: Health<br>Category: High-Availability |
HA Peer Connection Status (Free alert) | One of the firewalls in the HA pair is in a non-healthy state.<br>Class: Health<br>Category: High-Availability |
HA pair - Oversubscription of resources (Free alert) | The active/active HA pair is exceeding 100% resource usage.<br>Class: Health<br>Category: High-Availability |
HW failure - DIMM Error (Free alert) | A Dual In-Line Memory Module (DIMM) is a hardware component responsible for storing and accessing data in the firewall's random access memory (RAM). This memory module plays a critical role in the firewall's performance, facilitating rapid processing of network traffic and execution of security tasks. An error related to this component typically indicates a memory failure, where processes encounter issues reaching the specific memory location.<br>Class: Health<br>Category: Hardware |
High Dataplane Processing Latency (Free alert) | This alert is triggered when the dataplane processing latency on the firewall exceeds the predefined threshold. Dataplane processing latency refers to the time taken by the firewall to process network traffic and make forwarding decisions.<br>Class: Health<br>Category: Resource limits |
High Disk Space Usage - Pancfg partition (Free alert) | The hard disk partition is nearing or at capacity.<br>Class: Health<br>Category: Resource limits |
High Disk Space Usage - Panlogs partition (Free alert) | The hard disk partition is nearing or at capacity.<br>Class: Health<br>Category: Resource limits |
High Disk Space Usage - Root partition (Free alert) | The hard disk partition is nearing or at capacity.<br>Class: Health<br>Category: Resource limits |
High Processing Activity (Free alert) | One or more computing resources are running low on the device.<br>Class: Health<br>Category: Resource limits |
IKEv1 IPsec Tunnel Down - Peer Identification Mismatch (Free alert) | This alert triggers when the IKEv1 IPsec tunnel is down due to a Peer Identification mismatch, which is vital for establishing secure communication between peers in an IPsec VPN connection. A discrepancy in Peer Identification between the local and remote ends can prevent the tunnel from establishing or maintaining a connection.<br>Class: Health<br>Category: Site-to-Site VPN |
IKEv2 IPsec Tunnel Down - IPsec Crypto Profile configuration mismatch (Free alert) | This alert triggers when the IKEv2 IPsec tunnel is down due to an IPsec Crypto Profile configuration mismatch, which is vital for establishing secure communication between peers in an IPsec VPN connection. A discrepancy in the IPsec Crypto Profile configuration between the local and remote ends can lead to the failure of the Child SA negotiation, thereby preventing the establishment or maintenance of phase 2 of the tunnel.<br>Class: Health<br>Category: Site-to-Site VPN |
IKEv2 IPsec Tunnel Down - Peer Identification Mismatch (Free alert) | This alert triggers when the IKEv2 IPsec tunnel is down due to a Peer Identification mismatch, which is vital for establishing secure communication between peers in an IPsec VPN connection. Any discrepancy in Peer Identification between the local and remote ends can prevent the tunnel from establishing or maintaining a connection.<br>Class: Health<br>Category: Site-to-Site VPN |
IPQ Error (Free alert) | An IPQ (Ingress Packet Queue) error has been detected on one of the FE100 chips in the firewall. This error usually indicates a reseat is needed, or there is a hardware failure.<br>Class: Health<br>Category: Hardware |
Irregular Input Power (Free alert) | Device power levels are outside of the normal range.<br>Class: Health<br>Category: Hardware |
License Expiration (Free alert) | One or more of your licenses are nearing or have reached expiration.<br>Class: Health<br>Category: PAN-OS and Subscriptions |
Logging Drive Failure (Free alert) | A failed logging drive has been identified through the monitoring of the firewall's disk status.<br>Class: Health<br>Category: Hardware |
MPC Card - CPLD Failure (Free alert) | The Management Processor Card (MPC) is an essential component for the PA-5450, providing management, logging, and high availability functions. The MPC card has experienced a failure due to an issue with its component, the Complex Programmable Logic Device (CPLD).<br>Class: Health<br>Category: Hardware |
NGFW/Panorama Management Certificate Expiration (Free alert) | This alert detects the expiration of the NGFW/Panorama Management Certificate.<br>Class: Health<br>Category: Certificates |
NPC Card - FE100 Failure (Free alert) | Network Processing Cards (NPCs) provide network connectivity and are essential for network traffic processing. An NPC card has experienced an issue with its FE100 component, leading to its failure.<br>Class: Health<br>Category: Hardware |
Non-default Logging level (Free alert) | This alert is triggered when the logging level of a service is not set to its default configuration. This alert ensures that services consistently maintain their designated logging settings.<br>Class: Health<br>Category: Resource limits |
Out of Sync Peers - Configuration (Free alert) | The system configurations on the high availability peers do not match.<br>Class: Health<br>Category: High-Availability |
Out of Sync Peers - Dynamic Content (Free alert) | Dynamic content, such as Antivirus or Applications and Threats, does not match between the high availability peers.<br>Class: Health<br>Category: High-Availability |
Out of Sync Peers - Sessions (Free alert) | Sessions are not matching or up to date between the high availability peers.<br>Class: Health<br>Category: High-Availability |
Out of Sync Peers - Software (Free alert) | The PAN-OS software versions on the high availability peers do not match.<br>Class: Health<br>Category: High-Availability |
Outdated Dynamic Content (Free alert) | The dynamic content installed on the device is stale when compared to the content that is available on the update server.<br>Class: Health<br>Category: Dynamic content |
PAN-OS End-of-Life (Free alert) | Your current version of PAN-OS is no longer supported.<br>Class: Health<br>Category: PAN-OS and Subscriptions |
PAN-OS Known Vulnerability (Free alert) | Your current version of PAN-OS has known vulnerabilities.<br>Class: Health<br>Category: PAN-OS and Subscriptions |
PAN-OS Root and Default Certificate Expiration - Scenario 1 (Free alert) | The root certificate and the default certificate on the firewall expired.<br>Class: Health<br>Category: Certificates |
PAN-OS Root and Default Certificate Expiration - Scenario 2 (Free alert) | The root certificate and the default certificate on the firewall expired.<br>Class: Health<br>Category: Certificates |
PAN-OS integrated User-ID Agent Monitored Server Disconnected (Free alert) | This alert is triggered when the server, monitored by the PAN-OS integrated User-ID Agent (Agentless User-ID), loses connection with the firewall. This monitored server is a critical component for mapping user identities to network activities.<br>Class: Health<br>Category: Hardware |
PCI Error (Free alert) | A Peripheral Component Interconnect (PCI) is responsible for connecting the Management Plane (MP) to the Control Plane (CP). A certain error related to this component indicates a failure in its functionality.<br>Class: Health<br>Category: Hardware |
Path Monitor Failure - Card (Free alert) | A path monitoring failure has been detected on a card located within the firewall's slots.<br>Class: Health<br>Category: Hardware |
Policy Config Memory Usage Approaching Max Limits (Free alert) | This alert detects if the policy config memory usage exceeds a critical threshold.<br>Class: Health<br>Category: Resource limits |
Port Failure (Free alert) | A failure related to the management physical port or one of the high-availability physical ports has been detected.<br>Class: Health<br>Category: Hardware |
Process Memory Depletion - Configd (Free alert) | The device’s management plane processes are depleting its available memory.<br>Class: Health<br>Category: Resource limits |
Process Memory Depletion - Device Server (Free alert) | The device’s management plane processes are depleting its available memory.<br>Class: Health<br>Category: Resource limits |
Process Memory Depletion - Log Receiver (Free alert) | The device’s management plane processes are depleting its available memory.<br>Class: Health<br>Category: Resource limits |
Process Memory Depletion - Management Server (Free alert) | The device’s management plane processes are depleting its available memory.<br>Class: Health<br>Category: Resource limits |
Process Memory Depletion - Report (Free alert) | The device’s management plane processes are depleting its available memory.<br>Class: Health<br>Category: Resource limits |
Process Memory Depletion - User Id (Free alert) | The device’s management plane processes are depleting its available memory.<br>Class: Health<br>Category: Resource limits |
Reduced Tunnel Throughput (Free alert) | The IPsec VPN tunnel usage is below normal usage.<br>Class: Health<br>Category: Site-to-Site VPN |
Redundant Power Supply Failure (Free alert) | Power supply redundancy is not attained either because a power supply hasn't been inserted, the power supply has malfunctioned, or complete redundancy hasn't been accomplished.<br>Class: Health<br>Category: Hardware |
SAML SSO authentication failed for User (Free alert) | When the Authentication Profile filters specific groups for GlobalProtect or Captive Portal users, or both, authentication failures may occur. Even if users seem to belong to the group listed in the allow list, they still encounter the "user not in allow list" message. Changing the allow list to include "all" groups rather than specific ones enables successful user authentication.<br>Class: Health<br>Category: Logging |
SCP Scheduled Log Export Failure (Free alert) | This alert detects if the SCP scheduled log export has failed.<br>Class: Health<br>Category: Logging |
Session Failure (Free alert) | Sessions can fail in the firewall, which can result in the increment of various global counters. These global counters indicate the reason that the traffic session failed.<br>Class: Health<br>Category: Traffic |
System Drive or Connector fault (Free alert) | This alert indicates that the device has experienced a hardware failure in either the drive or the drive connector.<br>Class: Health<br>Category: Hardware |
Terminal Server agent Self-signed Certificate Expiration (Free alert) | This alert detects the upcoming expiration of the Terminal Server agent self-signed certificate.<br>Class: Health<br>Category: Certificates |
Thermal Issues (Free alert) | Device temperature is outside of the normal range.<br>Class: Health<br>Category: Hardware |
Traffic Latency - Packet Descriptors (on-chip) (Free alert) | Packet Descriptor (on-chip) resources are running low on the device.<br>Class: Health<br>Category: Flood/DoS |
Unidirectional Tunnel Traffic (Free alert) | The IPsec VPN tunnel has unidirectional traffic.<br>Class: Health<br>Category: Site-to-Site VPN |
Unsupported Transceiver Used (Free alert) | This alert is raised if the part number for any transceiver (SFP, SFP+, QSFP, QSFP+), within a single device, is incompatible with the specifications supported by Palo Alto Networks.<br>Class: Health<br>Category: Hardware |
User authentication unsuccessful - received out-of-band SAML message (Free alert) | When the user attempts to log in to GlobalProtect, the Captive Portal, or the Admin UI, if using an Identity Provider (IdP), the IdP sends a SAML Assertion to the PAN-OS device’s Assertion Consumer Service (ACS) URL. Even if the authentication with the IdP is successful, the PAN-OS device must still validate the SAML Assertion to successfully validate the authentication.<br>This alert is triggered when the PAN-OS device is not expecting a SAML Assertion but receives one, indicating some user’s login attempt was unsuccessful.<br>Class: Health<br>Category: Account Monitoring and Control |
User authentication unsuccessful - “max_clock_skew” Error (Free alert) | This alert indicates that the Security Assertion Markup Language (SAML) Identity Provider's authentication message encountered a "max_clock_skew" error due to time discrepancies between the Identity Provider (IdP) and the firewall/Panorama. This issue is often caused by out-of-sync local time or network latency.<br>Class: Health<br>Category: Account Monitoring and Control |
User-ID agent Self-signed Certificate Expiration (Free alert) | This alert detects the upcoming expiration of the User-ID agent self-signed certificate. The alert detects if a PAN-OS device has a User-ID policy configured, meets the PAN-OS version requirements per Table 1 of the advisory, and is using a self-signed certificate. It does not apply if custom certificates are in use or User-ID mappings are provided only by an NGFW that serves as a User-ID agent or from GlobalProtect agents.<br>Class: Health<br>Category: Certificates |
Zone Protection profile - Flood Detection (Free alert) | Connections established on the zone or the incoming packet rate are excessive or abnormal.<br>Class: Health<br>Category: Flood/DoS |
Zone Protection profile - Threshold Recommendation (Free alert) | A zone is missing a Zone Protection profile or the threshold values in a Zone Protection profile need adjustment.<br>Class: Health<br>Category: Flood/DoS |