May 16, 2024

How To Create DX NetOps VPN Health Monitoring Dashboards



Published June 2, 2023, 10:20 p.m. by Liam Bradley


How to create DX NetOps VPN Health Monitoring dashboards using just three metrics as well as how to set thresholds for proactive alerting.


Hi everybody, my name is Keshawn silver at NIDA, and I'm a customer success architect here at Broadcom. As we are all experiencing, most companies are asking their employees to work from home. As many employees will now VPN into their company network, how can you ensure a stable and reliable experience when implementing a work from home strategy? Do you have the insight into your VPN gateway user load to ensure that the added load will not affect performance?

So today what we will go over is how we can quickly build a DX NetOps dashboard with three metrics, VPN specific, that gives you valuable insight into your VPN infrastructure and also help you deliver a reliable work from home experience to your end users. So let's get started.

So the first step would be to discover your VPN devices in your environment, and to do that within the DX NetOps portal we would go into Administration, Monitored Items Management, and Discovery Profiles. You'll click on New to create a new discovery profile. We would call it VPN gateways and add the list of devices that we want to discover. In addition to this configuration you can also define a schedule, define which specific SNMP profiles you want to associate with the discovery profile, and also define the naming order and whether you want to create pingables during discovery. We are going to leave these configurations as the defaults and save this discovery profile and execute it.

So during discovery it will go out to the network and see whether those devices exist in the network, and if it does then it will use the SNMP profiles and the SNMP community strings to interrogate those devices to see if SNMP is enabled, and if they are manageable then it will gather some basic MIB-II data from those devices, for example the vendor, the system name, the location, so basic SNMP MIB-II data.

So let's refresh this, and the discovery is complete as you can see. So we'll select the discovery profile and click on the History button to understand some details with regards to the discovery. So we see the discovery summary here: it's found three new devices, three new manageable devices, and it has a start time and an end time, and as you can see it took about eleven seconds to do that discovery. And down below here it shows us the three devices that were discovered and the system name, the model. It's done a classification of these devices to be firewalls, it found out the vendor there to be Palo Alto Networks, and then the location, and finally it also lists the SNMP profile it used for that interrogation. So let's click OK.

And the next step would be to create a collection of these devices so we can apply some monitoring configuration against that set of devices, specifically to get the VPN performance metrics. So to create a collection of devices within the DX NetOps portal we'd go into Administration, Group Settings, and into the Groups section, and in the group configuration management section we will go into the collections: expand Collections, select Collections, and add a group. So I will call it VPN gateways.

So there are a couple of ways to populate this VPN gateways collection, this device collection, with the devices that we want it to have. So one way is to manually add these devices into this collection, or we could use a rule to populate this particular collection with the devices that we want. The advantage of using a rule is if there's a naming convention that you follow in your environment against these particular types of devices, then you could create a rule that looks for that naming convention format and then automatically applies them into this group. So in the future, when you discover a new device and it matches that naming convention and the format, it would automatically get added to this device collection, and the monitoring configuration applied to that device collection would automatically get applied to that device as well, so you would have to manually come in and add that device to this collection.

So let's go ahead and add that rule. So since this is a device collection I am going to select devices and add the condition for my naming convention, and for my device name is like, and in my environment the naming convention is P I wall if W dot VPN. All right, so we'll click OK and let's preview the results to make sure that my rule is sufficient. Expand, and I can see the three devices that I had discovered previously. All right, so we'll go ahead and run the rule, save and run the rules, and now when I go into the Items tab I see the three devices that I had discovered earlier; now they're part of this device collection.

So now that we created this device collection, the next step would be to create the monitoring configuration and apply that against these devices, and the monitoring configuration is to collect those VPN metrics that we are interested in. So to do that within the DX NetOps portal we'll go into Administration, Monitored Items Management, and Monitoring Profiles. So the monitoring profile is basically the monitoring configuration that you want to poll against a set of devices, so which metric families and which metrics you want to go and poll and collect information against, and it also defines how often you want to go and poll that, what your poll rate is. So let's go ahead and create a new monitoring profile. So in here we will specify the VPN gateway in Gateway. All right, we'll leave the default SNMP for it and the change detection, and in here the Remote User Gateway Stats is the metric family that contains the VPN metrics that we are interested in, so I'm gonna add that and save there.

So all we've done so far is discover the devices, created the collection of those devices, and then created a monitoring profile. Now we got to marry those, the monitoring profile and the collection, together so that this monitoring configuration applies to those devices in that collection. So to do that, once we select this monitoring profile, you'll go into Collections and select that collection we created.

And now that we've done that, this monitoring configuration has been applied to that collection, and then all the devices under that collection would get this monitoring configuration, so in this case it's the remote user stats, you know, the VPN metrics, so it would start collecting that data on those devices. So let's validate that. So to validate that we'll go into the Monitored Inventory, Monitored Devices, and in here we will see the collection that we had created previously.

Once we expand that we see the three devices that are part of that VPN gateways collection. Select the device, go into Polled Metric Families, and we will do a filter here for remote, and there you go: we see that the metric family Remote User Gateway Stats has been applied against this device, and it has interrogated that device and found out that the Palo Alto GlobalProtect Gateway vendor certification is supported on that device. And if we select this line it shows that those metrics are being actively polled now every five minutes. Right, so now we can validate this on the other two VPN gateways as well. Yep, and as you can see it's being actively polled, and then finally the last one here, same there as well, it's actively polled.

Now to see which metrics are being polled and calculated against these devices for VPN stats we can click on the vendor certification, and it shows us the metrics that are being polled. So, you know, the name and description of course, but the performance metrics are the ones down here, the three down here. So there's the number of active users right now, the concurrent users, then there's the percentage of the gateway tunnel utilization, and then finally the maximum number of allowed connections, right, the user connections into that gateway. So those are the three VPN metrics that we're collecting on those three devices.

So now that it's collecting these metrics, the next step would be to go ahead and create a dashboard to report on these metrics. So to create a dashboard in the DX NetOps portal, what you would do is you go into the dashboard section. I'm gonna click on Dashboards, so it gives me a listing of all the dashboards under each menu item, and we're going to create this dashboard under the Infrastructure Health menu. I'm going to click on Add Dashboards and that'll bring us into the dashboard configuration section, and I'll give it a dashboard name; I'm going to call it VPN gateway health. All right, and then you can select a layout. I'm gonna select this particular layout, and then on the left-hand side here you see all the different views that are available for you to just drag and drop into this dashboard.

What I'm going to create is some custom views, configure some custom views, so I'm going to create a multi trend, a multi view, and use a table. So in the multi trend configuration, what this particular view allows you to do is see multiple trends of a particular metric, and what I like to do in case of these VPN metrics is I'd like to see a stacked chart for the concurrent users, and you would see for each particular VPN gateway its own area, and then once it gets stacked you would see the total number of VPN connections in your environment, so it's a great view to have.

So I'm gonna say stacked chart, go to Remote User Gateway Stats, and then concurrent user connections, so that's the metric that I was looking for. I'm gonna say maximum number of charts 250, all right, do it by device, and then you also have the capability to lock this view to always report on a certain range of time and then also on a specific set of devices in a group. So I'm gonna use our device collection that we had created earlier, so I'm going to lock this to that particular collection so it always reports on that data. And now that I've done that I'll give it a title, so as a [Music] connection trend. All right, okay, so that's good, I'm gonna save that.

Then the multi view: this will break down for each component, for each device, a particular metric, and in this case I like to report on the percentage of the utilization of the connections, so user connection percent utilization, user connections, and I will change the title, connections. All right, and I'm gonna do a trend chart by device, and the number of charts on a page, I'll just say 20, and then just like the previous one I'm gonna lock this to that particular collection we had created earlier so it always reports on these devices. [Music]

It's the same. And then finally you have a table here, and in the table what I like to report on is what has been the maximum number of user connections to a particular VPN gateway for a given period of time and what the maximum allowed user connections are for a given VPN gateway. So I just call this VPN connection stats and then change the metric family to the VPN one, take the name and description out, and so I want the maximum number of concurrent user connections that have come in for a given VPN gateway, and then also show me what the maximum allowed user connections for a given gateway, right. So really show top 50, and then again I'm going to lock this to that particular collection we had created, VPN gateways, and great, so we save that.

And now once we click Save this will go ahead and start populating the performance data it's been collecting on those three devices, and as you can see here we have some data that we've already collected. So it's showing us a stacked chart here of the concurrent user connections, so for each VPN gateway we get a number and then the total number of VPN users connected currently, right. You know, the trend chart is around, what, between four point five and five, that's thousand here, so that's between 4500 and 5000 users, or maybe around 4,750, right. So there's around 4,750 users connected through VPN. And then on the right-hand side this is the percentage of user connections for each VPN gateway, right. And then finally we also see the maximum number of user connections that have come in for a given VPN gateway, and then this is the maximum allowed, right. So you can see that this particular gateway, the San Jose gateway, you know, it's hovering close to 50%, right, the maximum has been close to 50%, and the other ones not so much, right. So it gives you an idea of what your VPN utilization numbers are in your environment.

So in addition to creating a dashboard to view and report these VPN gateway metrics, we can also configure thresholds to proactively monitor the VPN environment before a major outage occurs. So to do that within the DX NetOps portal we'll go into Administration, Monitored Items Management, and Threshold Profiles, and we will create a new folder here for organization purposes, and we call it VPN client connections. Save there, and underneath this folder we'll create a new threshold profile, so we'll name it VPN connections over 90% and create a new rule for the condition over 90%.

All right, and the metric family and the metric we would be interested in is the percentage metric for the VPN connections, and we will say if it's above 90%, say above or equal to 90%, then generate this major event, and if it's below 90% then go ahead and clear that violation. And we use the time to threshold technique in DX NetOps to understand if a threshold has been reached within the environment, so it would look at this particular metric and look at the duration and the window and take those things into consideration to understand if that threshold has occurred.

So now that we've configured our event rule we will save that and save our threshold profile, and the next thing would be to apply this threshold profile against the group of devices that we would be interested in thresholding against. So we would go and apply this particular threshold profile to our VPN gateway collection, right. Okay, and there you have it.

So within a few easy steps we were able to quickly create a threshold profile and specify the rules for those thresholds and then apply to a set of devices.

So now that we've gone through the process of discovering your VPN gateway and configuring monitoring on those devices, creating a dashboard, and setting up thresholds, let's take a look at a production environment and what it may look like. So looking at this particular dashboard, right at the top here we see a geo map of the VPN sites showing the status of each VPN gateway. We can drill down to a specific location and see very specific VPN related data, right. You can exit out of those, and then if you scroll down to the other parts of this dashboard we see the, you know, VPN gateway total user connections showing us a stacked chart of all the users connected to each particular VPN gateway, and it gives us an overall view of the total number of VPN users. So you see here that, you know, the total number of VPN users across the globe here is around a little over 10k, right. Then on the right-hand side here we see a trend chart of the percentage of users connected to each VPN gateway, and down here a table of the maximum number of users that have connected to a gateway and the maximum allowed number of connections to each gateway, so that they can understand, are they getting close to those limits.

And then in addition to these VPN related metrics, right, user connections, they have also configured CPU utilization to understand the CPUs on these VPN gateways, are they running hot. For example, these two CPUs are the data plane CPUs that are responsible for the data plane processing, so if any of those CPUs are running hot then performance on those VPN gateways could be affected. And then further down here there's a table view showing us some VPN interface statistics that shows us discards and errors, so if there are any sorts of discards and errors taking place on those interfaces then again that user experience would be affected, because now there are packets being dropped. So this kind of gives you an overall view of what your production VPN health dashboard may look like.

So I want to thank you for taking the time today to listen to this webcast, and hope this was beneficial to you. Thank you.
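The event rule described in the transcript (raise a major event at or above 90% utilization, clear it below 90%, judged over a duration and a window) can be sketched as follows. This is an added example, not code from the video or from DX NetOps; the duration and window values and the sample series are assumptions, and the product's own evaluation may differ in detail.

```python
"""Duration-within-window evaluation of a VPN gateway utilization threshold."""

POLL_SECONDS = 300   # five-minute poll rate, as shown in the transcript
THRESHOLD = 90.0     # percent utilization, from the "over 90%" rule
# Assumed values: the transcript does not state the duration or window used.
DURATION = 600       # seconds in violation required inside the window
WINDOW = 900         # length of the sliding window in seconds


def seconds_matching(samples, predicate):
    """Each poll sample stands for one poll interval of time."""
    return sum(POLL_SECONDS for value in samples if predicate(value))


def evaluate(series, threshold=THRESHOLD, duration=DURATION, window=WINDOW):
    """Return a list of (sample_index, 'RAISE' | 'CLEAR') transitions."""
    per_window = window // POLL_SECONDS
    events, raised = [], False
    for i in range(len(series)):
        recent = series[max(0, i - per_window + 1): i + 1]
        if not raised:
            # Raise: at or above the threshold for `duration` seconds in the window.
            if seconds_matching(recent, lambda v: v >= threshold) >= duration:
                raised = True
                events.append((i, "RAISE"))
        # Clear: below the threshold for `duration` seconds in the window.
        elif seconds_matching(recent, lambda v: v < threshold) >= duration:
            raised = False
            events.append((i, "CLEAR"))
    return events


# Constructed sample: percent utilization for one gateway, one value per poll.
SAMPLE = [48, 52, 91, 60, 92, 95, 93, 88, 91, 85, 80, 70]

if __name__ == "__main__":
    for index, state in evaluate(SAMPLE):
        print(f"t+{index * POLL_SECONDS}s  {state}  value={SAMPLE[index]}%")
```

A single poll above 90% does not raise the event under these settings, which is what keeps a short burst of logins from paging anyone while sustained saturation still does.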
