INC_NGFW_RESOURCES_SESSION_TABLE_USAGE

Approaching High Session Table Utilization

INC_NGFW_RESOURCES_CONFIG_SIZE_USAGE

This incident triggers when the configuration file size approaches the maximum supported capacity, indicating that the device is nearing its configuration storage limit.

INC_NGFW_CAPACITY_CONNECTIONS_PER_SECOND

The firewall has anomalous values for connections per second (CPS).

INC_NGFW_CAPACITY_SESSION_TABLE_UTILIZATION

Approaching MAX Capacity: High Session Table Utilization

INC_NGFW_CAPACITY_SYSTEM_THROUGHPUT

The firewall has anomalous values for throughput.

INC_NGFW_CARD_POWER_FAIL

A card failure has been detected, suggesting a potential issue with the card or its seating within the chassis.

INC_NGFW_CERTIFICATE_EXPIRY_EXCEEDED_THRESHOLD

One or more certificate(s) on the firewall have been revoked or are expiring soon.

INC_NGFW_CONFIG_MEMORY_USAGE

The firewall's configuration is approaching its maximum memory usage limit. During commits, the firewall's total config memory must accommodate two copies: the current 'in-use' configuration and the new 'to-be-used' configuration. If the allocated memory per configuration exceeds 50%, the firewall reaches capacity, resulting in commit failure.

INC_NGFW_HA_STATE_TRANSITIONED_UNHEALTHY

This incident triggers when a firewall or Panorama in a high availability (HA) pair transitions to an unhealthy state, such as Initial, Suspended, Non-Functional, or Tentative. These states indicate that the device may be unable to perform normal operations, maintain HA synchronization, or communicate effectively with peers or management systems.

INC_NGFW_HA_FAILOVER

This incident triggers when a device in an HA pair undergoes a failover, causing the secondary device to assume the active role. This may indicate a disruption in the primary device or a configuration or environmental issue that triggered the HA state transition.

INC_NGFW_LOG_LOSS

This alert indicates that DP logs (such as traffic, threat, URL, Netflow, User-ID, GP, Decryption, EAL, etc.) that are supposed to be generated based on inspected traffic and logging configurations are being lost. When logs are generated in the DP, they are moved into logging queues, which are then handed over to the logrcvr in the Management Plane (DP to MP). To prevent the DP-to-MP channel from being overwhelmed, a rate-limiting mechanism was implemented to control the transfer of logs from the Data Plane to the Management Plane. This mechanism regulates either the logging count rate (logs/sec) or bandwidth usage (KB/sec). The control is in place to ensure that other services such as packet capture and any requests from DP to the cloud (e.g., URL, Wildfire, etc.), are not dropped due to excessive logging bandwidth consumption.

INC_NGFW_BACK_UP_LINK_NOT_CONFIGURED

The HA Backup link(s) are not currently configured.

INC_NGFW_HA_LINK_ISSUE

This incident triggers when a change is detected in the status of one or more HA(High Availability) links between firewall peers. These links are critical for synchronizing session information, configuration, and state data. A status change may indicate that one or more HA links are down or unstable.

INC_NGFW_HA_PEER_STATUS

One of the firewalls in the HA pair is in a non-healthy state.

INC_NGFW_DP_CPU_USAGE_EXCEEDED_THRESHOLD

High Dataplane CPU Activity Detected

INC_NGFW_DISK_RESOURCES_USAGE_PANCFG_PARTITION

This incident triggers when the disk space usage in the pancfg partition exceeds the defined threshold, indicating that the partition is running low on available storage capacity.

INC_NGFW_DISK_RESOURCES_USAGE_PANLOGS_PARTITION

This incident triggers when the disk space usage in the panlogs partition exceeds the defined threshold, indicating that the partition is running low on available storage capacity.

INC_NGFW_DISK_RESOURCES_ROOT_PARTITION_USAGE

This incident triggers when the disk space usage in the root partition exceeds the defined threshold, indicating that the partition is running low on available storage capacity.

INC_NGFW_MP_CPU_USAGE_EXCEEDED_THRESHOLD

High Management Plane CPU Activity Detected

INC_NGFW_MP_MEMORY_USAGE_EXCEEDED_THRESHOLD

High Management Plane memory usage has been detected.

INC_NGFW_SYSTEM_CONNECTIONS_PER_SECOND

The firewall has anomalous values for connections per second (CPS).

INC_NGFW_SYSTEM_THROUGHPUT

The firewall has anomalous values for throughput.

INC_NGFW_PACKET_DESCRIPTORS_USAGE_EXCEEDED_THRESHOLD

Packet Descriptor resources are running low on the device.

INC_NGFW_POWER_RAIL_FAILURE

Device power levels are outside of the normal range.

INC_NGFW_LICENSE_EXPIRY_EXCEEDED_THRESHOLD

One or more of your licenses are nearing or have reached expiration.

INC_NGFW_MP_PROCESS_MEMORY_DEPLETION

This incident triggers when a Management Plane (MP) process on the firewall consumes excessive memory without releasing it, which may indicate a memory leak or abnormal behavior.

INC_NGFW_NAT_ALLOCATION_FAILED

This alert triggers when at least one NAT rule is unable to allocate enough resources for translation.

INC_NGFW_NAT_POOL_USAGE

This alert triggers when one or more NAT rules have high resource usage.

INC_NGFW_OUT_OF_SYNC_PEERS_CONFIGURATION

This incident indicates a configuration discrepancy between High Availability (HA) peers, primarily due to the "Enable Config Sync" option being disabled in the High Availability General settings.

INC_NGFW_OUT_OF_SYNC_PEERS_DYNAMIC_CONTENT

This incident triggers when dynamic content, such as Applications, Threats, or Antivirus versions, is not synchronized between firewalls in a high-availability (HA) pair.

INC_NGFW_OUT_OF_SYNC_SESSIONS

Sessions are not matching or up to date between the High availability Peers.

INC_NGFW_OUT_OF_SYNC_PEERS_SW

The PAN-OS software versions on the high availability peers do not match.

INC_NGFW_OUTDATED_DYNAMIC_CONTENT_ANTIVIRUS

The dynamic content installed on your device is outdated compared to the latest version available on the update server. This means your device isn't leveraging the most current security intelligence.

INC_NGFW_OUTDATED_DYNAMIC_CONTENT_APPSANDTHREATS

The dynamic content installed on your device is outdated compared to the latest version available on the update server. This means your device isn't leveraging the most current security intelligence.

INC_NGFW_OUTDATED_DYNAMIC_CONTENT_WILDFIRE

The dynamic content installed on your device is outdated compared to the latest version available on the update server. This means your device isn't leveraging the most current security intelligence.

INC_NGFW_END_OF_LIFE_SOFTWARE

Your current version of PAN-OS is no longer supported.

INC_NGFW_PANOS_KNOWN_VULNERABILITY_EXCEEDED_VALUE

Your current version of PAN-OS has known vulnerabilities.

INC_NGFW_USER_ID_AGENT_DISCONNECTION

This alert is triggered when the server, monitored by the PAN-OS integrated User-ID Agent (Agentless User-ID), loses connection with the firewall. This monitored server is a critical component for mapping user identities to network activities.

INC_NGFW_PATH_MON_FAIL_CARD

A path monitoring failure has been detected on a card located within the firewall's slots.

INC_NGFW_REDUCED_LOG_FORWARDING

This alert triggers when the NGFW's log-receiver fills up, causing it to drop logs. This issue can stem from several factors, including: • A network connectivity problem to an external logging service (like a Log collector, syslog, SNMP, email server). • An issue with the external logging service itself, such as it being offline or unable to process incoming logs. • A resource constraint on the NGFW or the external logging service, such as high CPU or memory utilization. When this occurs, a significant portion of the NGFW's log data isn't forwarded to its intended destination.

INC_NGFW_POWER_SUPPLY_FAILED

This incident triggers when a firewall has insufficient power supplies installed to meet redundancy requirements.

INC_NGFW_ENV_THERMAL_ISSUE

This incident triggers when the device temperature exceeds the defined operational range.

INC_NGFW_CONFIG_EDL_USAGE

The number of URLs, IPs, or Domains within the configured EDL(s) used in policy on this firewall is approaching the maximum capacity that the firewall can support.