Wednesday 24 May 2017

Palo Alto Networks Firewall not Forwarding Logs to Panorama (VM and M-100)

Symptom

Panorama, deployed as either the Palo Alto Networks M-100 device or as a virtual appliance, stops receiving logs from Palo Alto Networks firewalls. The traffic and threat logs can be viewed when looking directly on the firewalls, but are not visible on Panorama.

Details

The Palo Alto Networks firewall keeps track of the logs it has forwarded to Panorama with a sequence number, and Panorama acknowledges each sequence number as the logs are received. If the firewall connects to a different Panorama (for example, the HA peer of the Panorama it was previously talking to), the sequence numbers on the two sides can fall out of sync, and the firewall stops forwarding any logs. The log upload process can also stall when a large volume of logs is sent to Panorama at once.

Resolution

Panorama 5.0, 5.1, 6.0, 6.1, 7.0, 7.1

Run the following from the Panorama CLI, using the serial number of the affected firewall:
  1. Check the current logging status for the firewall:
    > show logging-status device <serial number>
  2. Start log forwarding with buffering, resuming from the last acknowledged log ID:
    > request log-fwd-ctrl device <serial number> action start-from-lastack
  3. Verify that logs are now being forwarded:
    > show logging-status device <serial number>
    If logs are still not being forwarded, continue with steps 4 to 6.
  4. Make sure that log forwarding is stopped:
    > request log-fwd-ctrl device <serial number> action stop
  5. Start log forwarding without buffering and leave it in this state for about a minute:
    > request log-fwd-ctrl device <serial number> action live
  6. Start log forwarding with buffering again:
    > request log-fwd-ctrl device <serial number> action start

Important! The alphabet characters in the serial number must be all upper case. For example:
> request log-fwd-ctrl device 0000C123456 action live
scheduled a job with jobid 12

If lower case characters are used, the job is not scheduled and the following error is returned:
> request log-fwd-ctrl device 0000c123456 action live
Server error : failed to schedule a job to do log fwd ctrl from panorama to device 0000c123456

Also confirm that the firewall's policies use a log forwarding profile that sends the logs to Panorama; otherwise there is nothing for the firewall to forward.
If log forwarding still gets stuck, restart the log-receiver service with the following command:
> debug software restart log-receiver
Alternatively, restart the management server (which also restarts the log-receiver service) with the following command:
> debug software restart management-server

On PAN-OS 7.0 and 7.1, use the following command instead to restart the management server process:
> debug software restart process management-server
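The recovery sequence above, driven through the PAN-OS XML API so that it can be repeated for several firewalls without retyping the commands. This is an added example and not code from the original article or from Palo Alto Networks. Assumptions not on the page: the XML element layout of the op commands (built from the CLI keywords), the PANORAMA_HOST and PANORAMA_KEY environment variables, the 60-second hold in the live state (the text says "about a minute") and the serial-number length check. The page does not document the output of show logging-status, so the choice between the first pass (start-from-lastack) and the full stop/live/start cycle is left to the operator via the phase argument. Without PANORAMA_HOST and PANORAMA_KEY set, the script only prints the op commands it would send.

```python
#!/usr/bin/env python3
"""Run the Panorama log-forwarding recovery steps over the PAN-OS XML API.

Added example, not code from the original article or from Palo Alto Networks.
Assumed (not on the page): the XML element layout of the op commands (derived
from the CLI keywords), the PANORAMA_HOST / PANORAMA_KEY environment variables,
the 60-second hold in the 'live' state and the serial-number length bounds.
"""
import os
import re
import ssl
import sys
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

ACTIONS = ("start", "stop", "live", "start-from-lastack")
# Serials are alphanumeric; the 9..16 length bound is an assumption.
SERIAL_RE = re.compile(r"[0-9A-Z]{9,16}")


def normalize_serial(serial: str) -> str:
    """Upper-case the serial and reject obvious garbage.

    Panorama refuses lower-case letters in 'request log-fwd-ctrl device ...'
    with 'failed to schedule a job to do log fwd ctrl', so upper-casing here
    removes the most common cause of a silently failed recovery.
    """
    s = serial.strip().upper()
    if not SERIAL_RE.fullmatch(s):
        raise ValueError(f"not a plausible device serial: {serial!r}")
    return s


def log_fwd_ctrl_xml(serial: str, action: str) -> str:
    """'request log-fwd-ctrl device <serial> action <action>' as an XML-API
    op command (element layout assumed from the CLI keywords)."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}; expected one of {ACTIONS}")
    return ("<request><log-fwd-ctrl>"
            f"<device>{normalize_serial(serial)}</device>"
            f"<action>{action}</action>"
            "</log-fwd-ctrl></request>")


def logging_status_xml(serial: str) -> str:
    """'show logging-status device <serial>' as an op command (layout assumed)."""
    return ("<show><logging-status>"
            f"<device>{normalize_serial(serial)}</device>"
            "</logging-status></show>")


def recovery_plan(serial: str, phase: str, live_seconds: int = 60):
    """Return ordered (label, op-xml, seconds-to-wait-afterwards) steps.

    phase 'lastack': first attempt, resume buffered forwarding from the last
    acknowledged log ID.  phase 'cycle': what the article prescribes when that
    did not help: stop, run unbuffered ('live') for about a minute, then start
    buffered forwarding again.  Both phases read the status before and after.
    """
    if phase == "lastack":
        ops = [("start-from-lastack", log_fwd_ctrl_xml(serial, "start-from-lastack"), 0)]
    elif phase == "cycle":
        ops = [("stop", log_fwd_ctrl_xml(serial, "stop"), 0),
               ("live (unbuffered)", log_fwd_ctrl_xml(serial, "live"), live_seconds),
               ("start (buffered)", log_fwd_ctrl_xml(serial, "start"), 0)]
    else:
        raise ValueError("phase must be 'lastack' or 'cycle'")
    status = logging_status_xml(serial)
    return [("status before", status, 0)] + ops + [("status after", status, 0)]


def run_op(host: str, key: str, cmd_xml: str, verify_tls: bool = True):
    """Send one op command to https://<host>/api/ and return the parsed reply.

    The API key travels as a query parameter (the classic PAN-OS form), so it
    can end up in proxy and web-server logs: use a dedicated, least-privilege
    admin for it.  verify_tls=False is for labs with self-signed certificates.
    """
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd_xml, "key": key})
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(f"https://{host}/api/?{query}",
                                context=ctx, timeout=30) as resp:
        root = ET.fromstring(resp.read())
    if root.get("status") != "success":
        msg = " ".join(t.strip() for t in root.itertext() if t.strip())
        raise RuntimeError(f"Panorama returned status={root.get('status')}: {msg}")
    return root


def main(argv):
    if len(argv) != 3:
        print("usage: panorama_logfwd.py <serial> lastack|cycle", file=sys.stderr)
        return 2
    host, key = os.environ.get("PANORAMA_HOST"), os.environ.get("PANORAMA_KEY")
    for label, cmd_xml, wait in recovery_plan(argv[1], argv[2]):
        print(f"[{label}] {cmd_xml}")
        if host and key:
            print(ET.tostring(run_op(host, key, cmd_xml), encoding="unicode"))
        if wait:
            print(f"  holding in this state for {wait}s ...")
            time.sleep(wait)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once with phase lastack, check the status output by hand (the page gives no machine-readable criterion for "logs are being forwarded"), and only then run it with phase cycle for the firewalls that are still stuck.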
