Details
Previously, the DP would aggregate all packet-diag logs into a single file directly on DP itself. Starting from PAN-OS 5.0, instead of letting DP write the aggregated log, aggregation is performed with a new operational CLI that can be done after the dataplane debug is completed.
Run the following CLI command:
> debug dataplane packet-diag aggregate-logs
Note: Be sure to do this AFTER disabling the data plane debug logging such as flow basic using command debug dataplane packet-diag set log off. Wait 10 - 20 seconds after the logging is stopped before starting the aggregation into single file. A dataplane (DP) kernel flush needs to occur before all the info in the log files can be retrieved.
you can force the flagged session to be ended by executing this command:
> debug dataplane packet-diag clear filter-marked-session all
This will result in all DP pan_task logs to be aggregated to single pan_packet_diag.log file. Use tail or less dp-log pan_packet_diag.log to view the output. Note that although we can aggregate each pan_task log within a single DP log file, each DP will generate its own log file. So for multi-DP platforms (PA-5000 and PA-7000 series), each DP log is separate. For 5000 series, use dpX-log instead of dp-log where X is equal to DP number (i.e. dp0-log, dp1-log). For 7000 series, use sXdpY-log where X is NPC slot number and Y is DP number within that slot (i.e. s1dp0-log, s7dp1-log)
Note: In order for a PA-200 to view the logs use the following CLI command:
> less mp-log pan_task_1.log
owner: rkim