Next-Generation Firewall

Free Health Alerts

The following table identifies the free alerts related to the health of your platform that AIOps for NGFW or Strata Cloud Manager can raise.
A Premium license is not required in order for AIOps for NGFW or Strata Cloud Manager to raise these alerts.
Alert
Description
Card Failure: Card heartbeat failure - Max restarts attempted
(Free alert)
This alert triggers when the error "Card heartbeat failure - Max restarts attempted" is detected in one of the line cards in the chassis, indicating a software or hardware issue that has caused the card to enter a failure state.
Class: Health
Category: Hardware
IKEv2 IPsec Tunnel Down - IKE Crypto Profile configuration mismatch
(Free alert)
This alert triggers when the IKEv2 IPsec tunnel is down due to an IKE Crypto Profile configuration mismatch. This configuration is crucial for ensuring the secure negotiation of cryptographic parameters necessary for establishing and maintaining a secure IPsec VPN connection.
Class: Health
Category: Site-to-Site VPN
Log Loss due to Log Forwarding Failure
(Free alert)
The firewall attempts to reliably forward logs to Panorama, log collectors, or the Strata Logging Service. When a forwarded log is successfully received, the firewall will receive an acknowledgment from these destinations. This alert is triggered when the firewall’s ability to track the unacknowledged logs is at capacity. A backlog of too many unacknowledged logs results in log loss.
Class: Health
Category: Logging
SAML message from IdP has no Assertion
(Free alert)
When the user attempts to log in to GlobalProtect, the Captive Portal, or the Admin UI, if using an Identity Provider (IdP), the IdP sends a SAML Assertion to the PAN-OS device’s Assertion Consumer Service (ACS) URL. Even if the authentication with the IdP is successful, the PAN-OS device must still validate the SAML Assertion for successful authentication. This alert is triggered when, during the transmission of the SAML assertion to the PAN-OS device, one of two potential points of failure occurs: 1. The SAML assertion may be encrypted, which PAN-OS does not support, preventing successful assertion processing. 2. The IdP may fail to transmit the SAML assertion due to misconfiguration. This alert automatically clears if no failures are noticed for 24 hours since the detection of the last failure.
Class: Health
Category: Account Monitoring and Control
ACC Query Failure
(Free alert)
This alert detects if the Application Command Center (ACC) query has failed.
Class: Health
Category: Logging
Advanced Routing Engine: NGFW Sent BGP Routes Beyond the Capacity of Its Peer
(Free alert)
This alert is triggered when this NGFW's BGP peer notifies it that its maximum prefix capacity has been exceeded.
Class: Health
Category: Traffic
Approaching High Session Table Utilization
(Free alert)
This incident triggers when the Session Table utilization (%) goes too high in the output of > show session info for a sustained period of time.
Class: Health
Category: System Resources
Approaching MAX Capacity: High Session Table Utilization
(Free alert)
Approaching MAX Capacity: High Session Table Utilization
Class: Health
Category: System Resources
Approaching Max Capacity - Configuration Size
(Free alert)
This incident is triggered when the device candidate configuration size approaches the maximum supported limit.
Class: Health
Category: NA
Approaching Max Capacity - Connections Per Second(CPS)
(Free alert)
This incident triggers when Connections per Second (CPS) utilization is nearing or at the respective firewall model's capacity limit for a sustained period of time.
Class: Health
Category: NA
Approaching Max Capacity - EDL Custom Lists
(Free alert)
The number of EDL Custom List objects is approaching the maximum capacity the firewall can support.
Class: Health
Category: Capacity
Approaching Max Capacity - System Throughput
(Free alert)
The firewall has anomalous values for connections per second (CPS), throughput, or number of sessions.
Class: Health
Category: NA
Approaching Max Capacity - URLs or IPs within EDLs
(Free alert)
The number of URLs, IPs, or Domains within the configured EDL(s) used in policy on this firewall is approaching the maximum capacity that the firewall can support.
Class: Health
Category: Resource limits
Approaching Max Capacity – Configuration Size
(Free alert)
The candidate configuration size of this device has reached its capacity limit.
Class: Health
Category: NA
Approaching Max Tunnel Throughput
(Free alert)
The IPsec VPN tunnel usage is close to maximum.
Class: Health
Category: Site-to-Site VPN
BGP Peering Issue Due to Error Subcode = Administrative Reset (4)
(Free alert)
This alert is triggered when a BGP speaker decides to reset the peering with a neighbor administratively. In such cases, the speaker SHOULD send a NOTIFICATION message with the Error Code "Cease" (6) and the Error Subcode "Administrative Reset" (4). Common reasons for a BGP administrative reset include: 1. A configuration change to BGP parameters on one of the peers, e.g., a loss of connectivity due to a cut cable or failed link, the blocking of TCP port 179, which is used by BGP, or misconfiguration of the IGP or the static routing that establishes connectivity between the two peers. 2. Loss of connectivity between BGP peers: changing BGP routing policies, router IDs, or IP addresses of particular interfaces/peers may cause an immediate reset. 3. Misconfiguration of the BGP peering parameters, e.g., an administrator performs a manual BGP reset for any newly configured or modified routing policies to take effect.
Class: Health
Category: Traffic
BGP Peering Issue Due to Error Subcode = Administrative Shutdown (2)
(Free alert)
This alert is triggered when a BGP notification message with the Administrative Shutdown code is sent by the neighbor to the NGFW, indicating that the neighbor has initiated a termination of the BGP peering. Refer to the following RFC regarding BGP's Error Subcode = Administrative Shutdown (2): https://datatracker.ietf.org/doc/html/rfc8203. According to that RFC, if a BGP speaker decides to terminate its session with a BGP neighbor and sends a NOTIFICATION message with the Error Code 'Cease' and Error Subcode 'Administrative Shutdown' or 'Administrative Reset' [RFC4486], it MAY include a UTF-8 encoded string. The contents of the string are at the operator's discretion.
Class: Health
Category: Traffic
BGP Peering Issue Due to Error Subcode = Connection Rejected (5)
(Free alert)
This alert is triggered when the system receives a BGP connection (OPEN) message from a peer that is not configured locally. The alert identifies this issue using Error Code = Cease (6) and Error Subcode = Connection Rejected (5).
Class: Health
Category: Traffic
BGP peering issue due to Error subcode = Peer De-configured (3)
(Free alert)
This alert detects if a BGP speaker decides to de-configure the peer. The relevance of this alert is to determine which peer has initiated Peer De-configuring. As per the BGP RFC (https://datatracker.ietf.org/doc/html/rfc4486): "If a BGP speaker decides to de-configure a peer, then the speaker SHOULD send a NOTIFICATION message with the Error Code Cease and the Error Subcode 'Peer De-configured'."
Class: Health
Category: Traffic
BGP peering issue due to Error subcode = Bad Peer AS (2)
(Free alert)
This alert is triggered when the NGFW's BGP AS information doesn't match its peer's AS information. In a standard BGP peering configuration, both peers must agree on the local AS number and the peer's AS number, and this should hold true in both directions. However, more complex BGP setups, such as Cisco's dual-AS configuration (https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-sy/irg-15-sy-book/irg-dual-as.pdf) or BGP peering between a 4-byte ASN device and a 2-byte ASN device (discussed here - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004LXFCA2), can present challenges for users configuring basic BGP peering.
Class: Health
Category: Traffic
BGP-peer dropping due to missing keepalives
(Free alert)
This alert is triggered when one peer fails to receive keepalive messages from its peer. These messages are exchanged periodically to confirm the connection is still active. Without them, the BGP speaker cannot verify the connection's status and drops the peering session.
Class: Health
Category: Traffic
Card Failure: Card start timeout - Max restarts attempted
(Free alert)
This alert triggers when the error "Card start timeout - Max restarts attempted" is detected in one of the line cards in the chassis, indicating a software or hardware issue that has caused the card to enter a failure state.
Class: Health
Category: Hardware
Card Failure: Path monitor failure - Max restarts attempted
(Free alert)
This alert triggers when the error "Path monitor failure - Max restarts attempted" is detected in one of the line cards in the chassis, indicating a software or hardware issue that has caused the card to enter a failure state.
Class: Health
Category: Hardware
Card Power Failure
(Free alert)
A card failure has been detected, suggesting a potential issue with the card or its seating within the chassis.
Class: Health
Category: Hardware
Card Stuck in Starting State
(Free alert)
This alert detects if a card is stuck in "Starting" state.
Class: Health
Category: Hardware
Card failure with reason "Slot runtime software failure - Max restarts attempted"
(Free alert)
This alert triggers when the error "Slot runtime software failure - Max restarts attempted" is detected in one of the line cards in the chassis, indicating a software or hardware issue that has caused the card to enter a failure state.
Class: Health
Category: Hardware
Config Memory Usage Approaching Max Limits
(Free alert)
The firewall's configuration is approaching its maximum memory usage limit. During commits, the firewall's total config memory must accommodate two copies: the current 'in-use' configuration and the new 'to-be-used' configuration. If the allocated memory per configuration exceeds 50%, the firewall reaches capacity, resulting in commit failure.
Class: Health
Category: Resource limits
Configuration size reaching device recommended limit
(Free alert)
This incident is triggered when the device candidate configuration size approaches the maximum supported limit.
Class: Health
Category: Resource limits
Connection Failure to LDAP Server
(Free alert)
This alert indicates a connection failure between the firewall or Panorama and the LDAP server.
Class: Health
Category: Logging
Connection Failure to Server-monitor Syslog Server
(Free alert)
This alert triggers when the firewall loses connectivity to the configured Syslog server used for PAN-OS integrated (agentless) User-ID. This server supplies login and logout events that the firewall relies on to maintain accurate IP-to-username mappings.
Class: Health
Category: User-ID
DHCP Client IPv4 address Assignment Failure
(Free alert)
This alert is triggered when a firewall’s dataplane interface configured as an IPv4 DHCP client either fails to obtain an IP address or has lost its assigned IP address.
Class: Health
Category: Traffic
DP Restart - Heartbeat Failure due to Internal Link Down - PA-3200
(Free alert)
This alert triggers when evidence of the issue PAN-160633 occurring was detected in a PA-3200 device.
Class: Health
Category: PAN-OS and Subscriptions
DP Restart - Heartbeat Failure due to Internal Link Down - PA-5200
(Free alert)
This alert triggers when evidence of the issue PAN-160633 occurring was detected in a PA-5200 device.
Class: Health
Category: PAN-OS and Subscriptions
Dataplane Process all_pktproc Crash - Invalid URL Cache Category Length
(Free alert)
This alert triggers when evidence of the issue PAN-214186 has been detected in the device.
Class: Health
Category: Traffic
Degraded System Drive
(Free alert)
A degraded system drive has been identified by monitoring its attribute values.
Class: Health
Category: Hardware
Delayed Telemetry
(Free alert)
The analytics engines have no new telemetry from this NGFW/Panorama.
Class: Health
Category: Telemetry
Device in HA Pair Transitioned to Unhealthy State
(Free alert)
This alert triggers when a firewall or Panorama in a high availability (HA) pair transitions to an unhealthy state, such as Initial, Suspended, Non-Functional, or Tentative. These states indicate that the device may be unable to perform normal operations, maintain HA synchronization, or communicate effectively with peers or management systems.
Class: Health
Category: High-Availability
Dropping Logs - Log Forwarding Queue Failure
(Free alert)
This alert is triggered when a firewall or Panorama's internal log forwarding queue becomes full and starts dropping logs while trying to forward them to an external log destination like a Syslog server or HTTP server. This can occur even if there are no connectivity issues between the firewall or Panorama and the external log server.
Class: Health
Category: Logging
Duplicate IP address detected on an interface
(Free alert)
This alert is triggered when a duplicate IP address is detected. The firewall's configuration can cause IP address conflicts on the network if any of the following conditions apply: 1. One of the firewall's interfaces has the same IP address. 2. A static Source Network Address Translation (SNAT) address is assigned that conflicts. 3. A static Destination Network Address Translation (DNAT) address is assigned that conflicts. 4. An IP address from a configured SNAT pool overlaps an existing subnet. This alert automatically clears if no new errors are noticed for 24 hours since the detection of the duplicate IP address.
Class: Health
Category: Traffic
Empty Tunnel
(Free alert)
The IPsec VPN tunnel has no traffic in both ingress and egress.
Class: Health
Category: Site-to-Site VPN
Error - Heartbeat Failed Previously
(Free alert)
This alert triggers when the "****Heartbeats failed previously" error is seen in the firewall.
Class: Health
Category: Logging
Ethernet Interface Down
(Free alert)
This alert triggers if the firewall has detected that a dataplane ethernet interface is down.
Class: Health
Category: Hardware
FE100 Failure
(Free alert)
A calibration error has been detected on the FE100 chip in the firewall. This issue usually indicates a hardware failure.
Class: Health
Category: Hardware
Failed exporting config bundle via ssh
(Free alert)
This alert relates to Panorama acting as an SSH client. When Panorama is used as a client to SSH into a remote system (e.g., when using SCP to copy files over), it keeps a record of the public certificate of the remote system with the corresponding IP address. When the remote system's certificate has changed, perhaps due to a transition from a self-signed certificate to a public-signed certificate, or the generation of a new certificate and key pair, the old SSH certificate stored in the Panorama will need to be deleted. This alert will clear automatically if the host key verification failure is not detected for 24 hours since the last time it was noticed.
Class: Health
Category: Certificates
Fan Issues
(Free alert)
A fan or fan tray triggered an alarm on the device.
Class: Health
Category: Hardware
Fatal Machine Check Failure
(Free alert)
A Fatal Machine check failure was detected. This issue usually indicates a hardware failure in the CPU.
Class: Health
Category: Hardware
Firewall Disconnected from Panorama
(Free alert)
The connection between Firewall and Panorama has been lost.
Class: Health
Category: System state
Firewall HA Failover
(Free alert)
This alert triggers when a device in an HA pair undergoes a failover, causing the secondary device to assume the active role. This may indicate a disruption in the primary device or a configuration or environmental issue that triggered the HA state transition.
Class: Health
Category: High-Availability
Firewall Logs Getting Discarded
(Free alert)
This alert indicates that DP logs (such as traffic, threat, URL, Netflow, User-ID, GP, Decryption, EAL, etc.) that are supposed to be generated based on inspected traffic and logging configurations are being lost. When logs are generated in the DP, they are moved into logging queues, which are then handed over to the logrcvr in the Management Plane (DP to MP). To prevent the DP-to-MP channel from being overwhelmed, a rate-limiting mechanism was implemented to control the transfer of logs from the Data Plane to the Management Plane. This mechanism regulates either the logging count rate (logs/sec) or bandwidth usage (KB/sec). The control is in place to ensure that other services, such as packet capture and any requests from DP to the cloud (e.g., URL, WildFire, etc.), are not dropped due to excessive logging bandwidth consumption.
Class: Health
Category: Logging
Firewall Losing Logs
(Free alert)
This alert indicates that DP logs (such as traffic, threat, URL, Netflow, User-ID, GP, Decryption, EAL, etc.) that are supposed to be generated based on inspected traffic and logging configurations are being lost. When logs are generated in the DP, they are moved into logging queues, which are then handed over to the logrcvr in the Management Plane (DP to MP). To prevent the DP-to-MP channel from being overwhelmed, a rate-limiting mechanism was implemented to control the transfer of logs from the Data Plane to the Management Plane. This mechanism regulates either the logging count rate (logs/sec) or bandwidth usage (KB/sec). The control is in place to ensure that other services, such as packet capture and any requests from DP to the cloud (e.g., URL, WildFire, etc.), are not dropped due to excessive logging bandwidth consumption.
Class: Health
Category: Logging
Firewall Suspended – Multi-vsys Mismatches with Peer
(Free alert)
This alert triggers when multi-vsys is enabled on one firewall in an HA pair but not on the peer. Since multi-vsys capability does not sync between peers, the unmatched firewall enters the Suspended state.
Class: Health
Category: High-Availability
Firewall Suspended – Peer Version Too Old
(Free alert)
This alert triggers when a firewall in an HA pair is suspended because the peer firewall is running an older PAN-OS version. This typically occurs during an HA upgrade when the peer has not been upgraded to the same PAN-OS version.
Class: Health
Category: High-Availability
Firewall Suspended – Preemption Loop Detected
(Free alert)
This alert triggers when a firewall enters the Suspended state due to a preemption loop. This condition can occur in both Active/Passive and Active/Active HA setups: In Active/Passive, the higher-priority firewall flaps between Active → Non-Functional → Passive → Active. In Active/Active, the higher-priority firewall flaps between Primary-Active → Non-Functional → Secondary-Active → Primary-Active. When the configured maximum number of flaps (default 3 within 15 minutes) is exceeded, the firewall is suspended to prevent further instability. Unlike suspension caused by non-functional loops, this state is triggered specifically by preemption behavior.
Class: Health
Category: High-Availability
Flexible Memory Depletion
(Free alert)
This alert is triggered when the number of free chunks in the firewall's flexible memory pool falls below a critical threshold, signaling an imminent risk of memory depletion. A chunk is a 32 KB block of memory within the variable-size memory pool, which the firewall uses to handle requests for memory of different sizes across various processes. When a process requires memory, a full 32 KB chunk is allocated from this pool and then subdivided into appropriately-sized elements to fulfill the specific request.
Class: Health
Category: System Resources
GRE tunnel is down - Keep Alive failure
(Free alert)
This alert is triggered when a Generic Routing Encapsulation (GRE) tunnel on the firewall has gone down due to Keep Alive failure. The GRE tunnel is no longer operational, disrupting the encapsulated traffic flow between the connected networks.
Class: Health
Category: Traffic
GRE tunnel is down - recursive routing
(Free alert)
This alert is triggered when a Generic Routing Encapsulation (GRE) tunnel on the firewall has gone down due to recursive routing. The GRE tunnel is no longer operational, disrupting the encapsulated traffic flow between the connected networks.
Class: Health
Category: Traffic
HA Backup
(Free alert)
The HA Backup link(s) are not currently configured.
Class: Health
Category: High-Availability
HA Link Issue Detected
(Free alert)
This alert triggers when a change is detected in the status of one or more HA (High Availability) links between firewall peers. These links are critical for synchronizing session information, configuration, and state data. A status change may indicate that one or more HA links are down or unstable.
Class: Health
Category: High-Availability
HA Peer Connection Status
(Free alert)
One of the firewalls in the HA pair is in a non-healthy state.
Class: Health
Category: High-Availability
HA pair - Oversubscription of resources
(Free alert)
The active/active HA pair is exceeding 100% resource usage.
Class: Health
Category: High-Availability
HA1 or HA1-backup link Connection Failure - Heartbeat Ping Failure
(Free alert)
This alert triggers when a firewall in a high-availability (HA) pair fails to receive heartbeat pings from its HA peer on the HA1 or HA1-backup link for four consecutive attempts. 
Class: Health
Category: High-Availability
HA2 or HA2-backup keep-alives are down
(Free alert)
This alert indicates that the HA2 or HA2-backup keep-alive, which monitors the connection stability between the firewall and the HA peer on the HA2 connection, is down or it is flapping between up and down status.
Class: Health
Category: High-Availability
HW failure - DIMM Error
(Free alert)
A Dual In-Line Memory Module (DIMM) is a hardware component responsible for storing and accessing data in the firewall's random access memory (RAM). This memory module plays a critical role in the firewall's performance, facilitating rapid processing of network traffic and execution of security tasks. An error related to this component typically indicates a memory failure, where processes encounter issues reaching the specific memory location.
Class: Health
Category: Hardware
High Dataplane Processing Latency
(Free alert)
This alert is triggered when the dataplane processing latency on the firewall exceeds the predefined threshold. Dataplane processing latency refers to the time taken by the firewall to process network traffic and make forwarding decisions.
Class: Health
Category: Resource limits
High Disk Space Usage - Pancfg Partition
(Free alert)
This incident triggers when the disk space usage in the pancfg partition exceeds the defined threshold, indicating that the partition is running low on available storage capacity.
Class: Health
Category: System Resources
High Disk Space Usage - Pancfg partition
(Free alert)
This incident is triggered when the pancfg partition on the device reaches a high level of disk utilization.
Class: Health
Category: Resource limits
High Disk Space Usage - Panlogs Partition
(Free alert)
This incident triggers when the disk space usage in the panlogs partition exceeds the defined threshold, indicating that the partition is running low on available storage capacity.
Class: Health
Category: System Resources
High Disk Space Usage - Panlogs partition
(Free alert)
This incident is triggered when the panlogs partition on the device reaches a high level of disk utilization.
Class: Health
Category: Resource limits
High Disk Space Usage - Root partition
(Free alert)
This incident is triggered when the root partition on the device reaches a high level of disk utilization.
Class: Health
Category: Resource limits
High Disk Space Usage - Shared memory partition
(Free alert)
This alert is triggered if the shared memory (/dev/shm) disk partition reaches a high level of disk utilization on a firewall. The /dev/shm is a temporary filesystem used for shared memory in Linux systems.
Class: Health
Category: Capacity
High Incoming Log Rate - Log Throttling
(Free alert)
This alert triggers when the number of incoming logs to this device is high, and log throttling has begun to occur.
Class: Health
Category: Logging
High Management Plane CPU Activity Detected
(Free alert)
This incident is triggered when the management plane (MP) CPU utilization exceeds 95%.
Class: Health
Category: System Resources
High NAT Pool Usage
(Free alert)
This alert indicates that the firewall's ability to create new NAT sessions is at risk. It identifies the NAT policy utilization with a graph and points to a situation where the NAT address pool may become exhausted, preventing new connections. This is a critical indicator that the current NAT configuration or network usage pattern may not be sustainable.
Class: Health
Category: Resource limits
High Processing Activity
(Free alert)
One or more computing resources are running low on the device. System performance and functionality may be negatively affected.
Class: Health
Category: Resource limits
High Traffic Volume Detected - Connections Per Second
(Free alert)
This incident triggers when Connections per Second (CPS) utilization is nearing or at the respective firewall model's capacity limit for a sustained period of time.
Class: Health
Category: NA
High Traffic Volume Detected - System Throughput
(Free alert)
The firewall has anomalous values for System Throughput.
Class: Health
Category: NA
IKEv1 IPsec Tunnel Down - IKE Crypto Profile Configuration mismatch
(Free alert)
This alert is triggered when the IKEv1 IPsec tunnel is down due to an IKE Crypto Profile configuration mismatch. This configuration is crucial for ensuring the secure negotiation of cryptographic parameters necessary for establishing and maintaining a secure IPsec VPN connection.
Class: Health
Category: Traffic
IKEv1 IPsec Tunnel Down - IPsec Crypto Profile Configuration mismatch
(Free alert)
This alert is triggered when the IKEv1 IPsec tunnel is down due to an IPsec Crypto Profile configuration mismatch, which is vital for establishing secure communication between peers in an IPsec VPN connection.
Class: Health
Category: Traffic
IKEv1 IPsec Tunnel Down - Peer Identification Mismatch
(Free alert)
This alert triggers when the IKEv1 IPsec tunnel is down due to a Peer Identification mismatch, which is vital for establishing secure communication between peers in an IPsec VPN connection; a discrepancy in Peer Identification between the local and remote ends can prevent the tunnel from establishing or maintaining a connection.
Class: Health
Category: Site-to-Site VPN
IKEv1 IPsec Tunnel Down - Peer Identification Mismatch
(Free alert)
This alert triggers when the IKEv1 IPsec tunnel is down due to a Peer Identification mismatch, which is vital for establishing secure communication between peers in an IPsec VPN connection.
Class: Health
Category: Site-to-Site VPN
IKEv2 IPsec Tunnel Down - IPsec Crypto Profile configuration mismatch
(Free alert)
This alert triggers when the IKEv2 IPsec tunnel is down due to an IPsec Crypto Profile configuration mismatch, which is vital for establishing secure communication between peers in an IPsec VPN connection. A discrepancy in the IPsec Crypto Profile configuration between the local and remote ends can lead to the failure of the Child SA negotiation, thereby preventing the establishment or maintenance of phase 2 of the tunnel.
Class: Health
Category: Site-to-Site VPN
IKEv2 IPsec Tunnel Down - Peer Identification Mismatch
(Free alert)
This alert triggers when the IKEv2 IPsec tunnel is down due to a Peer Identification mismatch, which is vital for establishing secure communication between peers in an IPsec VPN connection. Any discrepancy in Peer Identification between the local and remote ends can prevent the tunnel from establishing or maintaining a connection.
Class: Health
Category: Site-to-Site VPN
IKEv2 IPsec Tunnel Down - Peer Identification Mismatch
(Free alert)
This alert triggers when the IKEv2 IPsec tunnel is down due to a Peer Identification mismatch, which is vital for establishing secure communication between peers in an IPsec VPN connection.
Class: Health
Category: Site-to-Site VPN
IPQ Error
(Free alert)
An IPQ (Ingress Packet Queue) error has been detected on one of the FE100 chips in the firewall. This error usually indicates a reseat is needed, or there is a hardware failure.
Class: Health
Category: Hardware
IPsec SA Failed to Form - Traffic Selector Misconfiguration
(Free alert)
This alert triggers when a VPN tunnel or security association (SA) fails to negotiate and form successfully due to misconfigured traffic selectors (routes or Proxy IDs) between the two peers. This alert automatically clears if no failures are noticed for 1 hour since the detection of the last failure.
Class: Health
Category: Site-to-Site VPN
IPsec tunnel IKEv2 down - IPsec SA DH group mismatch
(Free alert)
This alert is triggered when an IPsec tunnel fails to establish due to the mismatch in DH group of the IPsec crypto profile.
Class: Health
Category: Site-to-Site VPN
Incompatible SFP Media Type
(Free alert)
This alert triggers when the error "SFP Ports Doesn't Support this media type" is found in the device, indicating an incompatible or faulty SFP or cable is inserted.
Class: Health
Category: Hardware
Incorrect Port Speed Configured - PA-850
(Free alert)
This alert triggers when a PA-850 has an incorrect port speed configured for the installed SFP type.
Class: Health
Category: Traffic
Inter Log Collector Disconnection
(Free alert)
This alert triggers when one of the Panoramas in Panorama mode or Log Collector mode becomes disconnected from the Collector Group. The Collector Group provides a centralized repository for NGFWs to forward logs such as system, config, traffic, and threat logs. Additionally, it supports reporting and querying functionalities.
Class: Health
Category: Logging
Invalid or Missing Device Certificate for CDSS
(Free alert)
This alert is triggered when a firewall or Panorama with an active Cloud-Delivered Security Services (CDSS) license does not have a valid device certificate. Beginning February 11, 2026, device certificates will be mandatory for all PAN-OS devices using CDSS subscriptions. The device certificate is required for authentication and secure connectivity to CDSS. Without it, the device will be unable to access licensed services.
Class: Health
Category: Certificates
Irregular Input Power
(Free alert)
Device power levels are outside of the normal range.
Class: Health
Category: Hardware
License Expiration
(Free alert)
One or more of your licenses are nearing or have reached expiration.
Class: Health
Category: PAN-OS and Subscriptions
Log forwarding delays or Missing Logs due to high latency between log collectors
(Free alert)
This alert detects inter-LC log forwarding delays. Ideally, Log Collectors (LCs) in a Collector Group (CG) should not operate in an environment where the latency of communication between LCs is more than 10 ms or the logging rate between LCs is higher than the prescribed limit.
Class: Health
Category: Logging
Logging Drive Failure
(Free alert)
A failed logging drive has been identified through the monitoring of the firewall's disk status.
Class: Health
Category: Hardware
Logrcvr Out-of-Memory - LFC Log Loss Recovery Mechanism
(Free alert)
This alert indicates that a connection to the Log Collector, Panorama or Strata Logging Service is unstable, causing increased memory usage for the LFC log loss recovery hint mechanism.
Class: Health
Category: Logging
Logrcvr Out-of-Memory - LFC Memory Retention Due to Kernel Failure
(Free alert)
This alert indicates that a kernel failure caused memory retention on the Log Forwarding Card (LFC) due to connection flaps with Panorama while forwarding logs.
Class: Health
Category: Logging
MP Process Memory Depletion
(Free alert)
This alert is triggered when a Management Plane (MP) process on the firewall consumes too much memory without releasing it, potentially indicating a memory leak or abnormal behavior.
Class: Health
Category: System Resources
MPC Card - CPLD Failure
(Free alert)
The Management Processor Card (MPC) is an essential component for the PA-5450, providing management, logging, and high availability functions. The MPC card has experienced a failure due to an issue with its component, the Complex Programmable Logic Device (CPLD).
Class: Health
Category: Hardware
Mismatch Between Traffic Logs and Session Details for Usernames
(Free alert)
This alert is triggered when the source username displayed in the traffic logs differs from the one shown in the session details.
Class: Health
Category: User-ID
Mismatch of Server Group Mapping Users and Groups between LDAP and PAN-OS Device
(Free alert)
This alert indicates that users and groups defined through LDAP server group mapping are missing on the PAN-OS device, even though they are correctly configured in the LDAP server. It may also indicate that users and groups have not been removed from the PAN-OS device, despite being deleted from the LDAP server.
Class: Health
Category: User-ID
NGFW Not Forwarding Logs - Missing Collector Preference List
(Free alert)
This alert triggers when the NGFW is not configured with a Preference List. A Preference List enables the NGFW to determine the Log Collector to which logs are sent. If the first Log Collector in the list is unavailable, the NGFW forwards the logs to the subsequent Log Collector in the list.
Class: Health
Category: Logging
NGFW Sent BGP Routes Beyond the Capacity of Its Peer
(Free alert)
This alert is triggered when the NGFW's BGP peer notifies it that its maximum prefix capacity has been reached.
Class: Health
Category: Traffic
NGFW received BGP Routes beyond the configured max Prefixes
(Free alert)
This alert is triggered when this NGFW's BGP peer advertises more routes than the NGFW can handle based on its configured max prefixes capacity.
Class: Health
Category: Traffic
NGFW/Panorama Management Certificate Expiration
(Free alert)
This alert detects the expiration of the NGFW/Panorama Management Certificate.
Class: Health
Category: Certificates
NPC Card - FE100 Failure
(Free alert)
Network Processing Cards (NPCs) provide network connectivity and are essential for network traffic processing. An NPC card has experienced an issue with its FE100 component, leading to its failure.
Class: Health
Category: Hardware
Non-default Logging level
(Free alert)
This alert is triggered when the logging level of a service is not set to its default configuration. This alert ensures that services consistently maintain their designated logging settings.
Class: Health
Category: Resource limits
Out Of Sync HA Peers - Configuration
(Free alert)
This alert indicates a configuration discrepancy between High Availability (HA) peers, primarily due to the "Enable Config Sync" option being disabled in the High Availability General settings.
Class: Health
Category: High-Availability
Out of Sync Peers - Configuration
(Free alert)
The system configurations on the high availability peers do not match.
Class: Health
Category: High-Availability
Out of Sync Peers - Dynamic Content
(Free alert)
This alert triggers when dynamic content, such as Applications, Threats, or Antivirus versions, is not synchronized between firewalls in a high-availability (HA) pair.
Class: Health
Category: High-Availability
Out of Sync Peers - Sessions
(Free alert)
Sessions do not match or are not up to date between the high-availability peers.
Class: Health
Category: High-Availability
Out of Sync Peers - Software
(Free alert)
The PAN-OS software versions on the high availability peers do not match.
Class: Health
Category: High-Availability
Outdated Dynamic Content
(Free alert)
The dynamic content installed on the device is stale when compared to the content that is available on the update server.
Class: Health
Category: Dynamic content
PA-400 PAN-OS Version at Risk of Boot/Reboot Issues
(Free alert)
This alert is triggered when a PA-400 Series firewall runs a PAN-OS version below the fixed versions (10.1.10, 10.2.5, 11.0.2, or 11.1.0) that address a critical software issue.
Class: Health
Category: Hardware
PA-5450 NC card - FE100 Failure
(Free alert)
Networking Cards (NCs) provide network connectivity and are essential for network traffic processing. An NC card has experienced an issue with its FE100 component, which triggers its internal link fault, causing path monitoring failure on the Dataplane Processing Card (DPC).
Class: Health
Category: Hardware
PAN-OS End-of-Life
(Free alert)
Your current version of PAN-OS is no longer supported.
Class: Health
Category: PAN-OS and Subscriptions
PAN-OS Known Vulnerability
(Free alert)
Your current version of PAN-OS has known vulnerabilities.
Class: Health
Category: PAN-OS and Subscriptions
PAN-OS Root and Default Certificate Expiration - Scenario 1
(Free alert)
The root certificate and the default certificate on the firewall expired.
Class: Health
Category: Certificates
PAN-OS Root and Default Certificate Expiration - Scenario 2
(Free alert)
The root certificate and the default certificate on the firewall expired.
Class: Health
Category: Certificates
PAN-OS integrated User-ID Agent Monitored Server Disconnected
(Free alert)
This alert is triggered when the server, monitored by the PAN-OS integrated User-ID Agent (Agentless User-ID), loses connection with the firewall. This monitored server is a critical component for mapping user identities to network activities.
Class: Health
Category: Hardware
PCI Error
(Free alert)
A Peripheral Component Interconnect (PCI) is responsible for connecting the Management Plane (MP) to the Control Plane (CP). A certain error related to this component indicates a failure in its functionality.
Class: Health
Category: Hardware
Panorama/Log Collector Disconnected from Collector Group [AIOps-Alerts-Logging]
(Free alert)
This alert triggers when the IP address of Panorama or the Log Collector changes, leaving the ring file's configuration linked to the old IP address. As a result, Panorama or the Log Collector disconnects from the Collector Group, preventing NGFWs from sending their logs to Panorama or the Log Collector.
Class: Health
Category: Logging
Path Monitor Failure - Card
(Free alert)
A path monitoring failure has been detected on a card located within the firewall's slots.
Class: Health
Category: Hardware
Peer Firewall Non-Functional - Dataplane Down: Brdagent Exiting
(Free alert)
This alert triggers when a peer firewall in an HA pair becomes non-functional because the brdagent (Board Agent) process has exited. brdagent is a low-level PAN-OS process responsible for managing hardware components on the firewall’s main board, including loading processor modules, verifying hardware link statuses, managing interfaces and transceivers, and communicating hardware status to other system processes via SysD.
Class: Health
Category: High-Availability
Peer Firewall Non-Functional - Dataplane Down: Dataplane Exit Failure
(Free alert)
This alert triggers when the peer firewall becomes non-functional due to a dataplane exit failure. The dataplane is responsible for processing and forwarding traffic, and its failure prevents the firewall from performing its core functions.
Class: Health
Category: High-Availability
Peer Firewall Non-Functional - Local and Peer HA1 IP Mismatches
(Free alert)
This alert triggers when the HA1 control link IP address configured on one firewall in a High Availability (HA) pair does not match the HA1 IP address configured for that firewall on its peer. This mismatch prevents proper HA communication between the devices, causing the peer firewall to become non-functional.
Class: Health
Category: High-Availability
Peer Firewall Non-Functional - Waiting for Policy Push to Dataplane
(Free alert)
This alert triggers when a peer firewall in an HA pair is in a non-functional state because it is waiting for a policy push to complete on the dataplane. Until the policy synchronization finishes, the peer cannot fully participate in HA operations.
Class: Health
Category: High-Availability
Peer Firewall Non-Functional - Device-ID Overlap
(Free alert)
This alert triggers when the peer firewall in an Active/Active (A/A) high-availability configuration becomes non-functional due to a device-ID overlap.
Class: Health
Category: High-Availability
Peer Firewall Non-Functional - Link Down
(Free alert)
This alert triggers when a peer firewall in a High Availability (HA) configuration enters a non-functional state due to a link group link-detection failure. Link group monitoring is used to track the health of critical physical interfaces. If a monitored interface in the link group fails, HA considers the firewall unable to assume or maintain the Active role, resulting in the peer being marked non-functional.
Class: Health
Category: High-Availability
Peer Firewall Non-Functional - Path Down
(Free alert)
This alert triggers when a path group used for HA path monitoring fails in an Active/Passive or Active/Active setup. Path monitoring uses ICMP pings to verify the reachability of configured destination IP addresses. If the defined failure condition is met, a failover occurs and the peer firewall becomes active while the originally active firewall transitions to a non-functional state.
Class: Health
Category: High-Availability
Peer Firewall Non-Functional - Policy Push to Dataplane Failed
(Free alert)
This alert triggers when a peer firewall in an Active/Passive (A/P) or Active/Active (A/A) high availability configuration becomes non-functional because it fails to push security or network policy changes to the dataplane. This failure prevents the firewall from processing traffic according to the latest configuration.
Class: Health
Category: High-Availability
Peer Firewall Non-Functional - Slot Down: brdagent Exiting
(Free alert)
This alert triggers when a peer firewall in a High Availability (HA) configuration enters a non-functional state because a card in a slot went down due to the brdagent process exiting.
Class: Health
Category: High-Availability
Peer Firewall Non-Functional - State Synchronization Mismatch
(Free alert)
This alert triggers when a peer firewall in an Active/Passive (A/P) or Active/Active (A/A) high availability configuration becomes non-functional because of a mismatch in session synchronization settings between the devices.
Class: Health
Category: High-Availability
Peer Firewall Non-Functional – Drive Error Detected
(Free alert)
This alert triggers when the peer firewall in a high-availability (HA) configuration becomes non-functional due to a detected logging drive error.
Class: Health
Category: High-Availability
Peer Firewall Non-Functional – URL Vendor Mismatch
(Free alert)
This alert triggers when the peer firewall in a high-availability (HA) configuration becomes non-functional due to a mismatch in URL Vendor.
Class: Health
Category: High-Availability
Policy Config Memory Usage Approaching Max Limits
(Free alert)
This alert detects if the policy config memory usage exceeds a critical threshold.
Class: Health
Category: Resource limits
Port Failure
(Free alert)
A failure related to the management physical port or one of the high-availability physical ports has been detected.
Class: Health
Category: Hardware
Potential Traffic Loss - Packet Buffer Exhaustion
(Free alert)
This alert triggers when at least two of five software packet buffers are depleted for at least an hour. This condition may result from a sudden spike in traffic or a software issue. This behavior can be associated with the software issue PAN-286255.
Class: Health
Category: Traffic
Process Memory Depletion - Configd
(Free alert)
The device’s management plane processes are depleting its available memory.
Class: Health
Category: Resource limits
Process Memory Depletion - Device Server
(Free alert)
The device’s management plane processes are depleting its available memory.
Class: Health
Category: Resource limits
Process Memory Depletion - Log Receiver
(Free alert)
The device’s management plane processes are depleting its available memory.
Class: Health
Category: Resource limits
Process Memory Depletion - Management Server
(Free alert)
The device’s management plane processes are depleting its available memory.
Class: Health
Category: Resource limits
Process Memory Depletion - Report
(Free alert)
The device’s management plane processes are depleting its available memory.
Class: Health
Category: Resource limits
Process Memory Depletion - User Id
(Free alert)
The device’s management plane processes are depleting its available memory.
Class: Health
Category: Resource limits
Reduced Log Forwarding Detected
(Free alert)
This alert triggers when the NGFW's log-receiver fills up, causing it to drop logs. This issue can stem from several factors, including:
• A network connectivity problem to an external logging service (like a Log Collector, syslog, SNMP, email server).
• An issue with the external logging service itself, such as it being offline or unable to process incoming logs.
• A resource constraint on the NGFW or the external logging service, such as high CPU or memory utilization.
When this occurs, a significant portion of the NGFW's log data isn't forwarded to its intended destination.
Class: Health
Category: Logging
Reduced Tunnel Throughput
(Free alert)
The IPsec VPN tunnel usage is below normal usage.
Class: Health
Category: Site-to-Site VPN
Redundant Power Supply Failure
(Free alert)
This alert triggers when a firewall has insufficient power supplies installed to meet redundancy requirements.
Class: Health
Category: Hardware
SAML SSO authentication failed for User
(Free alert)
When the Authentication Profile filters specific groups for GlobalProtect or Captive Portal users, or both, authentication failures may occur. Even if users seem to belong to the group listed in the allow list, they still encounter the "user not in allow list" message. Changing the allow list to include "all" groups rather than specific ones enables successful user authentication.
Class: Health
Category: Logging
SAML message has no Signature from IdP
(Free alert)
This alert is triggered when the Identity Provider (IdP) sends a SAML assertion without a signature. In such cases, the Service Provider (NGFW/Panorama) rejects the SAML process. After the principal (user) successfully authenticates with the IdP, the IdP sends a SAML assertion to the Service Provider's Assertion Consumer Service (ACS) URL. However, even if authentication is successful, the Service Provider must validate the SAML assertion to complete the process.
Class: Health
Category: Account Monitoring and Control
SCP Scheduled Log Export Failure
(Free alert)
This alert detects if the SCP scheduled log export has failed.
Class: Health
Category: Logging
Session Failure
(Free alert)
Sessions can fail in the firewall, which increments various global counters. These global counters indicate the reason that a traffic session failed.
Class: Health
Category: Traffic
Slow Panorama Performance - Long Execution of 'show config candidate' operation
(Free alert)
This alert is triggered when the operation 'show config candidate' takes longer than expected. This alert will clear automatically if the slow operation 'show config candidate' is not detected for 3 days since the last time it was noticed.
Class: Health
Category: System State
Slow Panorama Performance - Long Execution of Push Scope Operation
(Free alert)
This alert is triggered when the admin tries to push changes and Panorama takes too long to display the push scope UI. This alert will clear automatically if the slow push-scope operation is not detected for 3 days since the last time it was noticed.
Class: Health
Category: System State
Slow Panorama Performance - Long Execution of Save, Load, or Revert config operation
(Free alert)
This alert is triggered when the Save, Load, or Revert config operations take longer than expected. This alert will clear automatically if slow Save, Load, or Revert operations are not detected for 3 days since the last time they were noticed.
Class: Health
Category: System State
Syslog Server Connection in FINWAIT1 State
(Free alert)
This alert triggers when evidence of the issue PAN-265160 is detected.
Class: Health
Category: Logging
System Drive or Connector fault - M-200/M-600
(Free alert)
This alert indicates that the device has experienced a hardware failure in either the drive or the drive connector.
Class: Health
Category: Hardware
System Drive or Connector fault - M-700
(Free alert)
This alert indicates that the device has experienced a hardware failure in either the drive or the drive connector.
Class: Health
Category: Hardware
System Drive or Connector fault - PA-3200/PA-7000
(Free alert)
This alert indicates that the device has experienced a hardware failure in either the drive or the drive connector.
Class: Health
Category: Hardware
System Drive or Connector fault - PA-7000 (SMC-B)
(Free alert)
This alert indicates that the device has experienced a hardware failure in either the drive or the drive connector.
Class: Health
Category: Hardware
System Resource BB - Increased Traffic Latency Packet Descriptor
(Free alert)
Increased Traffic Latency - Packet Descriptor
Class: Health
Category: System Resources
Terminal Server agent Self-signed Certificate Expiration
(Free alert)
This alert detects the expiration of the Terminal Server agent self-signed certificate on November 18, 2024.
Class: Health
Category: Certificates
Thermal Issues
(Free alert)
This alert triggers when the device temperature exceeds the defined operational range.
Class: Health
Category: Hardware
Traffic Latency - Packet Descriptors (on-chip)
(Free alert)
Packet Descriptor (on-chip) resources are running low on the device.
Class: Health
Category: Flood/DoS
Transceiver or SFP Port - Failed to Write Value
(Free alert)
This alert triggers when the error "Failed to write value from byte 0 to offset" is found in the device, usually indicating a faulty transceiver, cable, or SFP port in the device.
Class: Health
Category: Hardware
Unable to Connect to Strata Logging Service – Missing or Invalid Certificate
(Free alert)
This alert triggers when the firewall is unable to establish a secure connection with the Strata Logging Service (SLS) because the required certificate or key file is missing or invalid. Without this certificate, the device cannot authenticate with Cortex Data Lake (also known as SLS).
Class: Health
Category: Logging
Unidirectional Tunnel Traffic
(Free alert)
The IPsec VPN tunnel has unidirectional traffic.
Class: Health
Category: Site-to-Site VPN
Unofficial URL for Application Database
(Free alert)
This alert triggers when the firewall's dynamic content update for the Application Database uses an unofficial URL to download the update. Administrators may use QA servers for troubleshooting dynamic update downloads, sometimes without realizing these are test servers. After successful testing, they may forget to reset the firewall to the correct URL for downloading updates.
Class: Health
Category: Dynamic Content
Unofficial URL for Cloud Services
(Free alert)
This alert triggers when the firewall's dynamic content update for Cloud Services uses an unofficial URL to download the update. Administrators may use QA servers for troubleshooting dynamic update downloads, sometimes without realizing these are test servers. After successful testing, they may forget to reset the firewall to the correct URL for downloading updates.
Class: Health
Category: Dynamic Content
Unofficial URL for PAN-DB URL Filtering | Advanced URL Filtering
(Free alert)
This alert triggers when the firewall's dynamic content update for PAN-DB URL Filtering | Advanced URL Filtering uses an unofficial URL to download the update. Administrators may use QA servers for troubleshooting dynamic update downloads, sometimes without realizing these are test servers. After successful testing, they may forget to reset the firewall to the correct URL for downloading updates.
Class: Health
Category: Dynamic Content
Unofficial URL for WildFire | Advanced WildFire
(Free alert)
This alert triggers when the firewall's dynamic content update for WildFire | Advanced WildFire uses an unofficial URL to download the update. Administrators may use QA servers for troubleshooting dynamic update downloads, sometimes without realizing these are test servers. After successful testing, they may forget to reset the firewall to the correct URL for downloading updates.
Class: Health
Category: Dynamic Content
Unsupported Transceiver Used
(Free alert)
This alert is raised if the part number for any transceiver (SFP, SFP+, QSFP, QSFP+), within a single device, is incompatible with the specifications supported by Palo Alto Networks.
Class: Health
Category: Hardware
User Group Usage in Policies exceeding the supported limit
(Free alert)
This alert indicates that the number of users or user groups configured in the firewall policies has exceeded the supported limit.
Class: Health
Category: User-ID
User authentication unsuccessful - received out-of-band SAML message
(Free alert)
When the user attempts to log in to GlobalProtect, the Captive Portal, or the Admin UI, if using an Identity Provider (IdP), the IdP sends a SAML Assertion to the PAN-OS device’s Assertion Consumer Service (ACS) URL. Even if the authentication with the IdP is successful, the PAN-OS device must still validate the SAML Assertion for successful authentication. This alert is triggered when the PAN-OS device is not expecting a SAML Assertion but receives one, indicating that a user’s login attempt was unsuccessful.
Class: Health
Category: Account Monitoring and Control
User authentication unsuccessful - “max_clock_skew” Error
(Free alert)
This alert indicates that the Security Assertion Markup Language (SAML) Identity Provider's authentication message encountered a "max_clock_skew" error due to time discrepancies between the Identity Provider (IdP) and the firewall/Panorama. This issue is often caused by out-of-sync local time or network latency.
Class: Health
Category: Account Monitoring and Control
User-ID agent Self-signed Certificate Expiration
(Free alert)
This alert detects the expiration of the User-ID agent self-signed certificate on November 18, 2024. The alert detects if a PAN-OS device has a User-ID policy configured, meets the PAN-OS version requirements per Table 1 of the advisory, and uses a self-signed certificate. It does not apply if custom certificates are in use or User-ID mappings are provided only by an NGFW that serves as a User-ID agent or from GlobalProtect agents.
Class: Health
Category: Certificates
Zone Protection profile - Flood Detection
(Free alert)
Connections established on the zone or the incoming packet rate are excessive or abnormal.
Class: Health
Category: Flood/DoS
Zone Protection profile - Threshold Recommendation
(Free alert)
A zone is missing a Zone Protection profile or the threshold values in a Zone Protection profile need adjustment.
Class: Health
Category: Flood/DoS
gRPC Connection Failure to User-ID Edge Service
(Free alert)
Starting with version 11.0, the User-ID Edge Service was introduced to collect and distribute user identity data across all firewalls. This alert is triggered when the firewall fails to connect to the User-ID Edge Service at the FQDN: identity.services-edge.paloaltonetworks.com.
Class: Health
Category: User-ID