<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Searching for missing logs in Next Gen Firewall monitor log. in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/searching-for-missing-logs-in-next-gen-firewall-monitor-log/m-p/409943#M138</link>
    <description>&lt;P&gt;I am trying to figure out two things.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;background&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have a Cisco ASA VPN concentrator that comes to my PA-5220 then goes to an application server.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I am having issues where I see logs in the ASA of traffic coming from the far end point of the tunnel on a constant basis, then going to the application server. I am not constantly seeing any logs in the Monitor. The application vendor acknowledges the traffic as well.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The logs I see are about 20-30 minutes most of the time.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;More interestingly, I have many customers coming in the ASA to the same Policy going to the same application server on the same port. Those other IPs are showing constant logging.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Second issue is we see latency traffic between the two sides. The application should have constant traffic every second or quicker. What we see is sometimes on a constant basis there are delays from 5 to 45 seconds, again no logs in the PA.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;First, how can I check for the traffic in CLI?&amp;nbsp;&lt;/P&gt;
&lt;P&gt;In addition, how can I check the traffic to see if the PA is possibly causing the latency?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;thanks&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Fri, 04 Jun 2021 03:06:27 GMT</pubDate>
    <dc:creator>Eric_Barger</dc:creator>
    <dc:date>2021-06-04T03:06:27Z</dc:date>
    <item>
      <title>Searching for missing logs in Next Gen Firewall monitor log.</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/searching-for-missing-logs-in-next-gen-firewall-monitor-log/m-p/409943#M138</link>
      <description>&lt;P&gt;I am trying to figure out two things.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;background&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have a Cisco ASA VPN concentrator that comes to my PA-5220 then goes to an application server.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I am having issues where I see logs in the ASA of traffic coming from the far end point of the tunnel on a constant basis, then going to the application server. I am not constantly seeing any logs in the Monitor. The application vendor acknowledges the traffic as well.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The logs I see are about 20-30 minutes most of the time.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;More interestingly, I have many customers coming in the ASA to the same Policy going to the same application server on the same port. Those other IPs are showing constant logging.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Second issue is we see latency traffic between the two sides. The application should have constant traffic every second or quicker. What we see is sometimes on a constant basis there are delays from 5 to 45 seconds, again no logs in the PA.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;First, how can I check for the traffic in CLI?&amp;nbsp;&lt;/P&gt;
&lt;P&gt;In addition, how can I check the traffic to see if the PA is possibly causing the latency?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;thanks&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 04 Jun 2021 03:06:27 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/searching-for-missing-logs-in-next-gen-firewall-monitor-log/m-p/409943#M138</guid>
      <dc:creator>Eric_Barger</dc:creator>
      <dc:date>2021-06-04T03:06:27Z</dc:date>
    </item>
    <item>
      <title>Re: Searching for missing logs in Next Gen Firewall monitor log.</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/searching-for-missing-logs-in-next-gen-firewall-monitor-log/m-p/409990#M139</link>
      <description>&lt;P&gt;So the Palo Alto sees clean traffic without any VPN as the VPN concentrator is the ASA? Do you have split tunnel configured on the ASA that can cause asymmetrical routing and not all traffic going to the Palo Alto when reaching the app servers?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Another thing to look for is the application shift on the Palo Alto firewall, as when for example the traffic is ssl it will pass the security policy rule selection, and after the decryption on Palo Alto, when it is seen that the traffic is google, facebook etc., it will again pass the security rule match from top to bottom; this is called application shift. Maybe you have an application shift that after that matches a rule that is without "Log at the session end enabled".&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWZCA0" target="_blank" rel="noopener"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWZCA0&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1aCAC" target="_blank" rel="noopener"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1aCAC&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For the latency it is best to check the global counters, filtered by source and destination, for something that can cause issues, and to do a pcap capture at the &lt;STRONG&gt;receive&lt;/STRONG&gt; and &lt;STRONG&gt;transmit&lt;/STRONG&gt; stages for the traffic in the two directions, from the client to server and server to client, to see if the firewall causes the latency issues. Also you may enable flow basic and the flow log option "appid" to see the application shift if you need it. Months ago I made an article for such issues:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/general-topics/palo-alto-checking-for-drops-rejects-discards-slowness-latency/m-p/402102#M91777" target="_blank" rel="noopener"&gt;https://live.paloaltonetworks.com/t5/general-topics/palo-alto-checking-for-drops-rejects-discards-slowness-latency/m-p/402102#M91777&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Sat, 29 May 2021 08:16:44 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/searching-for-missing-logs-in-next-gen-firewall-monitor-log/m-p/409990#M139</guid>
      <dc:creator>nikoolayy1</dc:creator>
      <dc:date>2021-05-29T08:16:44Z</dc:date>
    </item>
    <item>
      <title>Re: Searching for missing logs in Next Gen Firewall monitor log.</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/searching-for-missing-logs-in-next-gen-firewall-monitor-log/m-p/418044#M140</link>
      <description>&lt;P&gt;Hey Eric,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Q. How can I check for the traffic in CLI?&amp;nbsp;&lt;/P&gt;&lt;P&gt;A. #show session all (I recommend using the filter command to only match the sessions you're after). Alternatively you can go to the session browser on the GUI.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Q. How can I check the traffic to see if the PA is possibly causing the latency?&lt;/P&gt;&lt;P&gt;A. I find the best way of determining this is to complete a packet capture and look at the timestamps between packets. There's a great article you can find here on how to do it on a NGFW --&amp;gt;&amp;nbsp;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Hope this helps!&lt;/P&gt;</description>
      <pubDate>Fri, 09 Jul 2021 08:39:51 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/searching-for-missing-logs-in-next-gen-firewall-monitor-log/m-p/418044#M140</guid>
      <dc:creator>RoutingWithJon</dc:creator>
      <dc:date>2021-07-09T08:39:51Z</dc:date>
    </item>
  </channel>
</rss>

