I am a noob to Enterprise Security.
We recently had a PA event, and the matter of FIFO exceptions for PA devices came up. Someone observed that it would be pretty cool if we could alert on that, and then someone else said, "Sadly, PA firewalls don't let us see that data."
I am neither a network engineer nor an Enterprise Security, but I did poke around online and found a question related to a PA metric (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLJ7CAO) 'rcv_fifo_overrun'.
Can anyone direct me to a query or data model that contains that field?
Self-answered: that field is not logged by the devices, and would require significant efforts by PA to do so. It's not likely to be made available.
Apparently, the field is available if you query the device via its API. I'm looking into creating a script that will do so, creating a log file in the process.
The data is highly valuable - although it will primarily be an indication of bursty traffic (no big deal), it can also be an alarm bell for more significant problems.
Self-answered: that field is not logged by the devices, and would require significant efforts by PA to do so. It's not likely to be made available.
Apparently, the field is available if you query the device via its API. I'm looking into creating a script that will do so, creating a log file in the process.
The data is highly valuable - although it will primarily be an indication of bursty traffic (no big deal), it can also be an alarm bell for more significant problems.