INC_NGFW_RESOURCES_SESSION_TABLE_USAGE

Approaching High Session Table Utilization

INC_NGFW_CAPACITY_ARP_TABLE_SIZE

Data forecasting analysis shows that the ARP Table entries are on track to reach the firewall's maximum capacity soon.

INC_NGFW_CAPACITY_ADDRESS_GROUPS

The number of address group objects has been consistently high and is approaching the maximum capacity the firewall can support.

INC_NGFW_CAPACITY_ADDRESS_OBJECTS

The number of address objects has been consistently high and is approaching the maximum capacity the firewall can support.

INC_NGFW_RESOURCES_CONFIG_SIZE_USAGE

This incident triggers when the configuration file size approaches the maximum supported capacity, indicating that the device is nearing its configuration storage limit.

INC_NGFW_CAPACITY_CONNECTIONS_PER_SECOND

The firewall has anomalous values for connections per second (CPS).

INC_NGFW_CAPACITY_FQDN_ADDRESSES

The number of FQDN address objects has been consistently high and is approaching the maximum capacity the firewall can support.

INC_NGFW_CAPACITY_MANAGEMENT_PLANE_MEMORY

The management plane (MP) Memory usage has been consistently high and is approaching the maximum capacity the device can support.

INC_NGFW_CAPACITY_SECURITY_POLICIES

The number of security policy rules has been consistently high and is approaching the maximum capacity the firewall can support.

INC_NGFW_CAPACITY_SERVICE_OBJECTS

The number of service objects has been consistently high and is approaching the maximum capacity the firewall can support.

INC_NGFW_CAPACITY_SESSION_TABLE_UTILIZATION

Approaching MAX Capacity: High Session Table Utilization

INC_NGFW_CAPACITY_SYSTEM_THROUGHPUT

The firewall has anomalous values for throughput.

INC_NGFW_CARD_FAILURE_START_TIMEOUT

This alert triggers when the error "Card start timeout - Max restarts attempted" is detected in one of the line cards in the chassis, indicating a software or hardware issue that has caused the card to enter a failure state.

INC_NGFW_CARD_FAILURE_PATH_MONITOR_MAX_RESTARTS

This alert triggers when the error "Path monitor failure - Max restarts attempted" is detected in one of the line cards in the chassis, indicating a software or hardware issue that has caused the card to enter a failure state.

INC_NGFW_CARD_POWER_FAIL

A card failure has been detected, suggesting a potential issue with the card or its seating within the chassis.

INC_NGFW_CARD_STUCK_IN_STARTING_STATE

This alert detects if a card is stuck in "Starting" state.

INC_NGFW_CARD_FAILURE_SW_MAX_RESTARTS

This alert triggers when the error "Slot runtime software failure - Max restarts attempted" is detected in one of the line cards in the chassis, indicating a software or hardware issue that has caused the card to enter a failure state.

INC_NGFW_CERTIFICATE_EXPIRY_EXCEEDED_THRESHOLD

One or more certificate(s) on the firewall have been revoked or are expiring soon.

INC_NGFW_CONFIG_MEMORY_USAGE

The firewall's configuration is approaching its maximum memory usage limit. During commits, the firewall's total config memory must accommodate two copies: the current 'in-use' configuration and the new 'to-be-used' configuration. If the allocated memory per configuration exceeds 50%, the firewall reaches capacity, resulting in commit failure.

INC_NGFW_DHCP_CLIENT_IPV4_ASSIGN_FAIL

This alert is triggered when a firewall?s dataplane interface configured as an IPv4 DHCP client either fails to obtain an IP address or has lost its assigned IP address.

INC_NGFW_SYSTEM_DRIVE_ISSUE

A degraded system drive has been identified by monitoring its attributes values.

INC_NGFW_DELAYED_TELEMETRY

The analytics engines have no new telemetry from this NGFW/Panorama.

INC_NGFW_HA_STATE_TRANSITIONED_UNHEALTHY

This incident triggers when a firewall or Panorama in a high availability (HA) pair transitions to an unhealthy state, such as Initial, Suspended, Non-Functional, or Tentative. These states indicate that the device may be unable to perform normal operations, maintain HA synchronization, or communicate effectively with peers or management systems.

INC_NGFW_DUPLICATE_IP_ADDRESS

This incident is triggered when a duplicate IP address is detected. The firewall's configuration can cause IP address conflicts on the network if any of the following conditions apply: 1. One of the firewall's interfaces has the same IP address. 2. A static Source Network Address Translation (SNAT) address is assigned that conflicts. 3. A static Destination Network Address Translation (DNAT) address is assigned that conflicts. 4. An IP address from a configured SNAT pool overlaps an existing subnet. 2. The IdP may fail to transmit the SAML assertion due to misconfiguration. This Incident automatically clears if no new errors are noticed for 24 hours since the detection of the duplicate IP address.

INC_NGFW_ETHERNET_INTERFACE_DOWN

This alert triggers if the firewall has detected that a dataplane ethernet interface is down.

INC_NGFW_FE_100_FAILURE

A calibration error has been detected on the FE100 chip in the firewall. This issue usually indicates a hardware failure.

INC_NGFW_ENV_FAN_ISSUES

A fan or fan tray triggered an alarm on the device.

INC_NGFW_MACHINE_CHECK_FAIL

A Fatal Machine check failure was detected. This issue usually indicates a hardware failure in the CPU.

INC_NGFW_HA_FAILOVER

This incident triggers when a device in an HA pair undergoes a failover, causing the secondary device to assume the active role. This may indicate a disruption in the primary device or a configuration or environmental issue that triggered the HA state transition.

INC_NGFW_LOG_LOSS

This alert indicates that DP logs (such as traffic, threat, URL, Netflow, User-ID, GP, Decryption, EAL, etc.) that are supposed to be generated based on inspected traffic and logging configurations are being lost. When logs are generated in the DP, they are moved into logging queues, which are then handed over to the logrcvr in the Management Plane (DP to MP). To prevent the DP-to-MP channel from being overwhelmed, a rate-limiting mechanism was implemented to control the transfer of logs from the Data Plane to the Management Plane. This mechanism regulates either the logging count rate (logs/sec) or bandwidth usage (KB/sec). The control is in place to ensure that other services such as packet capture and any requests from DP to the cloud (e.g., URL, Wildfire, etc.), are not dropped due to excessive logging bandwidth consumption.

INC_NGFW_BACK_UP_LINK_NOT_CONFIGURED

The HA Backup link(s) are not currently configured.

INC_NGFW_HA_LINK_ISSUE

This incident triggers when a change is detected in the status of one or more HA(High Availability) links between firewall peers. These links are critical for synchronizing session information, configuration, and state data. A status change may indicate that one or more HA links are down or unstable.

INC_NGFW_HA_PEER_STATUS

One of the firewalls in the HA pair is in a non-healthy state.

INC_NGFW_DP_CPU_USAGE_EXCEEDED_THRESHOLD

High Dataplane CPU Activity Detected

INC_NGFW_DISK_RESOURCES_USAGE_PANCFG_PARTITION

This incident triggers when the disk space usage in the pancfg partition exceeds the defined threshold, indicating that the partition is running low on available storage capacity.

INC_NGFW_DISK_RESOURCES_USAGE_PANLOGS_PARTITION

This incident triggers when the disk space usage in the panlogs partition exceeds the defined threshold, indicating that the partition is running low on available storage capacity.

INC_NGFW_HIGH_DISK_USAGE_SHARED_MEM

This alert is triggered if the shared memory (/dev/shm) disk partition is full on a firewall. The /dev/shm is a temporary filesystem used for shared memory in Linux systems.

INC_NGFW_DISK_RESOURCES_ROOT_PARTITION_USAGE

This incident triggers when the disk space usage in the root partition exceeds the defined threshold, indicating that the partition is running low on available storage capacity.

INC_NGFW_MP_CPU_USAGE_EXCEEDED_THRESHOLD

High Management Plane CPU Activity Detected

INC_NGFW_MP_MEMORY_USAGE_EXCEEDED_THRESHOLD

High Management Plane memory usage has been detected.

INC_NGFW_SYSTEM_CONNECTIONS_PER_SECOND

The firewall has anomalous values for connections per second (CPS).

INC_NGFW_SYSTEM_THROUGHPUT

The firewall has anomalous values for throughput.

INC_NGFW_INCOMPATIBLE_SFP_MEDIA_TYPE

This alert triggers when the error "SFP Ports Doesn't Support this media type" is found in the device, indicating an incompatible or faulty SFP or cable is inserted.

INC_NGFW_PACKET_DESCRIPTORS_USAGE_EXCEEDED_THRESHOLD

Packet Descriptor resources are running low on the device.

INC_NGFW_POWER_RAIL_FAILURE

Device power levels are outside of the normal range.

INC_NGFW_LICENSE_EXPIRY_EXCEEDED_THRESHOLD

One or more of your licenses are nearing or have reached expiration.

INC_NGFW_LOG_DRIVE_FAIL

A failed logging drive has been identified through the monitoring of the firewall's disk status.

INC_NGFW_PA7050_SLOT8_PATH_MON_FAIL_OOM

This alert indicates that a connection to the Log Collector, Panorama or Strata Logging Service is unstable, causing increased memory usage for the LFC log loss recovery hint mechanism.

INC_NGFW_MP_PROCESS_MEMORY_DEPLETION

This incident triggers when a Management Plane (MP) process on the firewall consumes excessive memory without releasing it, which may indicate a memory leak or abnormal behavior.

INC_NGFW_MPC_CPLD_FAILURE

The Management Processor Card (MPC) is an essential component for the PA-5450, providing management, logging, and high availability functions. The MPC card has experienced a failure due to an issue with its component, the Complex Programmable Logic Device (CPLD).

INC_NGFW_GROUP_MAPPING_UPDATE_INTERRUPTED

This alert indicates that users and groups defined through LDAP server group mapping are missing on the PAN-OS device, even though they are correctly configured in the LDAP server. It may also indicate that users and groups have not been removed from the PAN-OS device, despite being deleted from the LDAP server.

INC_NGFW_NAT_ALLOCATION_FAILED

This alert triggers when at least one NAT rule is unable to allocate enough resources for translation.

INC_NGFW_NAT_POOL_USAGE

This alert triggers when one or more NAT rules have high resource usage.

INC_NGFW_BGP_MAX_PREFIXES_RECEIVED

This alert is triggered when this NGFW's BGP peer advertises more routes than the NGFW can handle based on its configured max prefixes capacity.

INC_NGFW_NPC_CARD_FE_100_FAILED

Network Processing Cards (NPCs) provide network connectivity and are essential for network traffic processing. An NPC card has experienced an issue with its FE100 component, leading to its failure.

INC_NGFW_NON_DEFAULT_LOGGING

This alert is triggered when the logging level of a service is not set to its default configuration. This alert ensures that services consistently maintain their designated logging settings.

INC_NGFW_OUT_OF_SYNC_PEERS_CONFIGURATION

This incident indicates a configuration discrepancy between High Availability (HA) peers, primarily due to the "Enable Config Sync" option being disabled in the High Availability General settings.

INC_NGFW_OUT_OF_SYNC_PEERS_DYNAMIC_CONTENT

This incident triggers when dynamic content, such as Applications, Threats, or Antivirus versions, is not synchronized between firewalls in a high-availability (HA) pair.

INC_NGFW_OUT_OF_SYNC_SESSIONS

Sessions are not matching or up to date between the High availability Peers.

INC_NGFW_OUT_OF_SYNC_PEERS_SW

The PAN-OS software versions on the high availability peers do not match.

INC_NGFW_OUTDATED_DYNAMIC_CONTENT_ANTIVIRUS

The dynamic content installed on your device is outdated compared to the latest version available on the update server. This means your device isn't leveraging the most current security intelligence.

INC_NGFW_OUTDATED_DYNAMIC_CONTENT_APPSANDTHREATS

The dynamic content installed on your device is outdated compared to the latest version available on the update server. This means your device isn't leveraging the most current security intelligence.

INC_NGFW_OUTDATED_DYNAMIC_CONTENT_WILDFIRE

The dynamic content installed on your device is outdated compared to the latest version available on the update server. This means your device isn't leveraging the most current security intelligence.

INC_NGFW_PA5450_NC_CARD_FE100_FAILURE

Networking Cards (NCs) provide network connectivity and are essential for network traffic processing. An NC card has experienced an issue with its FE100 component, which triggers its internal link fault, causing path monitoring failure on the Dataplane Processing Card (DPC).

INC_NGFW_END_OF_LIFE_SOFTWARE

Your current version of PAN-OS is no longer supported.

INC_NGFW_PANOS_KNOWN_VULNERABILITY_EXCEEDED_VALUE

Your current version of PAN-OS has known vulnerabilities.

INC_NGFW_USER_ID_AGENT_DISCONNECTION

This alert is triggered when the server, monitored by the PAN-OS integrated User-ID Agent (Agentless User-ID), loses connection with the firewall. This monitored server is a critical component for mapping user identities to network activities.

INC_NGFW_PATH_MON_FAIL_CARD

A path monitoring failure has been detected on a card located within the firewall's slots.

INC_NGFW_PORT_FAILURE

A failure related to the management physical port or one of the high-availability physical ports has been detected.

INC_NGFW_REDUCED_LOG_FORWARDING

This alert triggers when the NGFW's log-receiver fills up, causing it to drop logs. This issue can stem from several factors, including: • A network connectivity problem to an external logging service (like a Log collector, syslog, SNMP, email server). • An issue with the external logging service itself, such as it being offline or unable to process incoming logs. • A resource constraint on the NGFW or the external logging service, such as high CPU or memory utilization. When this occurs, a significant portion of the NGFW's log data isn't forwarded to its intended destination.

INC_NGFW_POWER_SUPPLY_FAILED

This incident triggers when a firewall has insufficient power supplies installed to meet redundancy requirements.

INC_NGFW_TS_AGENT_CERT_EXPIRATION

This alert detects the expiration of the Terminal Server agent self-signed certificate on November 18, 2024.

INC_NGFW_ENV_THERMAL_ISSUE

This incident triggers when the device temperature exceeds the defined operational range.

INC_NGFW_SFP_PORT_WRITE_FAIL

This alert triggers when the error "Failed to write value from byte 0 to offset" is found in the device, usually indicating a faulty transceiver, cable, or SFP port in the device.

INC_NGFW_CONFIG_EDL_USAGE

The number of URLs, IPs, or Domains within the configured EDL(s) used in policy on this firewall is approaching the maximum capacity that the firewall can support.

INC_NGFW_UNOFFICIAL_URL_FOR_APP_DB

This alert triggers when the firewall's dynamic content update for the Application Database uses an unofficial URL to download the update. Administrators may use QA servers for troubleshooting dynamic update downloads, sometimes without realizing these are test servers. After successful testing, they may forget to reset the firewall to the correct URL for downloading updates.

INC_NGFW_UNOFFICIAL_URL_FOR_CLOUD_SERVICES

This alert triggers when the firewall's dynamic content update for the Cloud Services uses an unofficial URL to download the update. Administrators may use QA servers for troubleshooting dynamic update downloads, sometimes without realizing these are test servers. After successful testing, they may forget to reset the firewall to the correct URL for downloading updates.

INC_NGFW_UNOFFICIAL_URL_FOR_PAN_DB

This alert triggers when the firewall's dynamic content update for the PAN-DB URL Filtering | Advanced URL Filtering uses an unofficial URL to download the update. Administrators may use QA servers for troubleshooting dynamic update downloads, sometimes without realizing these are test servers. After successful testing, they may forget to reset the firewall to the correct URL for downloading updates.

INC_NGFW_UNOFFICIAL_URL_FOR_WILDFIRE

This alert triggers when the firewall's dynamic content update for WildFire | Advanced WildFire uses an unofficial URL to download the update. Administrators may use QA servers for troubleshooting dynamic update downloads, sometimes without realizing these are test servers. After successful testing, they may forget to reset the firewall to the correct URL for downloading updates.

INC_NGFW_USER_GROUP_POLICY_LIMIT_EXCEEDED

This alert indicates the number of users or user groups configured in the firewall policies has exceeded the supported limit.

INC_NGFW_UID_AGENT_CERT_EXPIRATION

This alert detects the expiration of the User-ID agent self-signed certificate on November 18, 2024. The alert detects if a PAN-OS device has a User-ID policy configured, meets the PAN-OS version requirements per Table 1 of the advisory, and uses a self-signed certificate. It does not apply if custom certificates are in use or User-ID mappings are provided only by an NGFW that serves as a User-ID agent or from GlobalProtect agents.