article 在Palo Alto防火墙上验证Cortex Data Lake的连通性 in 配置和实施 https://live.paloaltonetworks.com/t5/%E9%85%8D%E7%BD%AE%E5%92%8C%E5%AE%9E%E6%96%BD/%E5%9C%A8palo-alto%E9%98%B2%E7%81%AB%E5%A2%99%E4%B8%8A%E9%AA%8C%E8%AF%81cortex-data-lake%E7%9A%84%E8%BF%9E%E9%80%9A%E6%80%A7/ta-p/526461 <DIV class="lia-message-template-symptoms-zone"> <H2>症状</H2> <P><SPAN>在Explore app或Panorama上看不到日志(当日志只发送到Cortex Data Lake时)。</SPAN></P> </DIV> <DIV class="lia-message-template-diagnosis-zone"> <H2>环境</H2> <P><SPAN>Palo Alto防火墙</SPAN><BR /><SPAN>PAN-OS 8.0和8.1</SPAN><BR /><SPAN>日志转发到Cortex Data Lake (CDL)</SPAN></P> </DIV> <DIV class="lia-message-template-solution-zone"> <H2>解决办法</H2> <P><SPAN>这个步骤对PanOS 8.0.X有效。当duplicate&nbsp;logging没有被启用时,它也对PanOS 8.1.X有效。</SPAN></P> <P><SPAN>验证<STRONG>Cortex Data Lake</STRONG>的功能。</SPAN></P> <P>&nbsp;</P> <P><SPAN>1.运行下面的命令并注意客户ID(Customer ID,后面客户ID也是指这个)(对每个客户都是唯一的)和区域信息(目前可以是欧洲或美洲,基于在Data Lake的初始设置中选择的位置)。</SPAN></P> <P>&nbsp;</P> <P>&gt; request logging-service-forwarding customerinfo show</P> <P><SPAN><STRONG>该命令的输出示例:</STRONG></SPAN></P> <P><SPAN><STRONG><FONT face="Courier New, serif"><FONT size="2"><FONT>Ingest endpoint:&nbsp;</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>xxxxxxxx</FONT></FONT></FONT><A href="http://d8c4bae6-b919-4853-bc9c-b412ae9432d7.in3.lcaas-beta.us.paloaltonetworks.com/" target="_blank" rel="noopener"><FONT color="#0000ff"><FONT face="Courier New, serif"><FONT size="2"><FONT><U>.in3.lcaas-beta.us.paloaltonetworks.com</U></FONT></FONT></FONT></FONT></A><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Query endpoint:&nbsp;</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>xxxxxxxx</FONT></FONT></FONT><A href="http://d8c4bae6-b919-4853-bc9c-b412ae9432d7.api3.lcaas-beta.us.paloaltonetworks.com/" target="_blank" rel="noopener"><FONT color="#0000ff"><FONT face="Courier New, serif"><FONT size="2"><FONT><U>.api3.lcaas-beta.us.paloaltonetworks.com</U></FONT></FONT></FONT></FONT></A><FONT face="Courier New, serif"><FONT size="2"><FONT>:444</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Customer ID:&nbsp;</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT><FONT color="#ff0000">Customer_Tenant_Id</FONT></FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Region :&nbsp;<FONT color="#ff0000">Selected Region</FONT></FONT></FONT></FONT></STRONG></SPAN></P> <P>&nbsp;</P> <P><SPAN>2.运行下面的命令并检查证书中的CN值。它应该与上一步看到的客户ID相同。序列号应与防火墙的序列号相同。</SPAN></P> <P>&gt; request logging-service-forwarding certificate info<SPAN><BR /><BR />输出示例:<BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>....Omitted output....</FONT></FONT></FONT><BR /><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Validity</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Not Before: May 1</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>04:48:36</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>2018</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>GMT</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Not After : Jul 30</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>04:48:36</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>2018</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>GMT</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Subject: C=US, L=Palo Alto Networks, OU=Cloud/serialNumber=<FONT color="#ff0000"><STRONG>FW_S/N</STRONG></FONT></FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>, CN=<FONT color="#ff0000"><STRONG>Customer_Tenant_Id</STRONG></FONT></FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Subject Public Key Info:</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Public Key Algorithm: rsaEncryption</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Public-Key: (2048</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>bit)</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Modulus:</FONT></FONT></FONT></SPAN></P> <P>&nbsp;</P> <P><SPAN>3.如果你没有看到正确的S/N或客户ID(证书的CN参数),你应该运行下面的命令,然后按照步骤1和2来检查序列号和CN值是否正确。</SPAN></P> <P>&gt;&nbsp;request logging-service-forwarding certificate delete<BR />&gt;&nbsp;request logging-service-forwarding certificate fetch</P> <P>&nbsp;</P> <P><SPAN>4.你应该检查 "show logging-status "输出,以确定日志转发是否成功。<BR />命令 "show logging-status "的输出示例。(7k和5200系列除外)</SPAN></P> <P><SPAN>•&nbsp;<FONT face="Courier New, serif"><FONT size="3"><FONT>US: 65.154.226.0/24</FONT></FONT></FONT><BR />•&nbsp;<FONT face="Courier New, serif"><FONT size="3"><FONT>EU: 154.59.126.0/24</FONT></FONT></FONT></SPAN></P> <P><EM><FONT face="Courier New, serif">查找'Log collection log forwarding agent'是激活的,并连接到&lt;IP_address&gt;line。由于选择的地区不同,IP地址会发生变化。你可以从下面的子网看到基于区域的IP地址。</FONT></EM></P> <P><SPAN>如果你在这个输出中看到日志转发代理处于活动状态但没有连接,你应该重启mgmtsrvr进程以刷新与Cortex Data Lake的连接。在PanOS 8.1.8中,你将不需要重启进程。将会有一个增强功能,无需重启即可刷新连接。</SPAN></P> <P><SPAN>运行命令,重新启动管理服务器。</SPAN></P> <P>&gt; debug software restart process management-server<SPAN><BR /></SPAN></P> <P><SPAN>命令 "show logging-status "的输出示例。(7k和5200系列除外)</SPAN></P> <P><SPAN>•&nbsp;<FONT face="Courier New, serif"><FONT size="3"><FONT>US: 65.154.226.0/24</FONT></FONT></FONT><BR />•&nbsp;<FONT face="Courier New, serif"><FONT size="3"><FONT>EU: 154.59.126.0/24</FONT></FONT></FONT></SPAN></P> <P><EM><FONT face="Courier New, serif"><FONT size="3"><FONT>查找找 "PANW_LOG_RECEPTOR_SRV",MS(mgmtserver)和LR(Log receiever)都是激活的,并且连接到&lt;IP_address&gt;line。由于选择的地区不同,IP地址会发生变化。你可以在下面看到基于区域的子网的IP地址。</FONT></FONT></FONT></EM></P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rtaImage.jpg" style="width: 695px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/46883i163C4DB99BD0ECB9/image-dimensions/695x225?v=v2" width="695" height="225" role="button" title="rtaImage.jpg" alt="rtaImage.jpg" /></span> <P><SPAN>5200和7K系列有不同的结构,因为有high log rate。日志接收程序负责转发流量、威胁等日志</SPAN><BR /><SPAN>Mgmtserver负责转发系统和配置日志。</SPAN></P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rtaImage.jpg" style="width: 696px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/46884i453EB237A4287014/image-dimensions/696x207?v=v2" width="696" height="207" role="button" title="rtaImage.jpg" alt="rtaImage.jpg" /></span> <P><SPAN>如果你在这个输出中看到MS或LR的连接状态是不活动的,你应该重新启动mgmtsrvr进程和日志接收器,以刷新与Cortex Data Lake的连接。在PanOS 8.1.8中,你将不需要重启进程。将会有一个增强功能,无需重启即可刷新连接。</SPAN></P> <P>&nbsp;</P> <P><SPAN>运行命令来重新启动管理服务器。</SPAN><BR /><SPAN>debug software restart process management-server</SPAN></P> <P><SPAN>运行命令来重启日志接收器。</SPAN><BR /><SPAN>debug software restart process log-receiver</SPAN></P> <P>&nbsp;</P> <P><SPAN>验证Cortex Data Lake的功能(PanOS 8.1.X当duplicate logging被启用时)。</SPAN><BR /><BR /><SPAN>1.运行下面的命令并注意客户ID(每个客户都是唯一的)和区域信息(目前它可以是欧洲或美洲,基于在Data Lake的初始设置中选择的位置)</SPAN></P> <P>&nbsp;</P> <P>&gt; request logging-service-forwarding customerinfo show</P> <P><SPAN><STRONG>该命令的输出示例:</STRONG></SPAN></P> <P><SPAN><STRONG><FONT face="Courier New, serif"><FONT size="2"><FONT>Ingest endpoint:&nbsp;</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>xxxxxxxx</FONT></FONT></FONT><A href="http://d8c4bae6-b919-4853-bc9c-b412ae9432d7.in3.lcaas-beta.us.paloaltonetworks.com/" target="_blank" rel="noopener"><FONT color="#0000ff"><FONT face="Courier New, serif"><FONT size="2"><FONT><U>.in3.lcaas-beta.us.paloaltonetworks.com</U></FONT></FONT></FONT></FONT></A><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Query endpoint:&nbsp;</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>xxxxxxxx</FONT></FONT></FONT><A href="http://d8c4bae6-b919-4853-bc9c-b412ae9432d7.api3.lcaas-beta.us.paloaltonetworks.com/" target="_blank" rel="noopener"><FONT color="#0000ff"><FONT face="Courier New, serif"><FONT size="2"><FONT><U>.api3.lcaas-beta.us.paloaltonetworks.com</U></FONT></FONT></FONT></FONT></A><FONT face="Courier New, serif"><FONT size="2"><FONT>:444</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Customer ID:&nbsp;</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT><FONT color="#ff0000">Customer_Tenant_Id</FONT></FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Region :&nbsp;<FONT color="#ff0000">Selected Region</FONT></FONT></FONT></FONT></STRONG></SPAN></P> <P>&nbsp;</P> <P><SPAN>2.运行下面的命令并检查证书中的CN值。它应该与上一步看到的客户ID相同。序列号应与防火墙的序列号相同。</SPAN></P> <P>&gt; request logging-service-forwarding certificate info<SPAN><BR /><BR />输出示例:<BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>....Omitted output....</FONT></FONT></FONT><BR /><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Validity</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Not Before: May 1</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>04:48:36</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>2018</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>GMT</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Not After : Jul 30</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>04:48:36</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>2018</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>GMT</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Subject: C=US, L=Palo Alto Networks, OU=Cloud/serialNumber=<FONT color="#ff0000"><STRONG>FW_S/N</STRONG></FONT></FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>, CN=<FONT color="#ff0000"><STRONG>Customer_Tenant_Id</STRONG></FONT></FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Subject Public Key Info:</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Public Key Algorithm: rsaEncryption</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Public-Key: (2048</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>bit)</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Modulus:</FONT></FONT></FONT></SPAN></P> <P>&nbsp;</P> <P><SPAN>3.如果你没有看到正确的S/N或客户ID(证书的CN参数),你应该运行下面的命令,然后按照步骤1和2来检查序列号和CN值是否正确。</SPAN></P> <P>&gt;&nbsp;request logging-service-forwarding certificate delete<BR />&gt;&nbsp;request logging-service-forwarding certificate fetch</P> <P><SPAN>然后按照步骤1和2,检查信息是否匹配。</SPAN></P> <P>&nbsp;</P> <P><SPAN>4.启用duplicate logging后,你会看到以下命令的输出。</SPAN></P> <P>&gt; request logging-service-forwarding status<SPAN><BR /><FONT size="2"><FONT>结果是:</FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT><STRONG>&nbsp;LCaaS forwarding enabled: No</STRONG></FONT></FONT></FONT><FONT size="2"><FONT>(duplicate logging没有启用,你会看到&nbsp;“Yes”)</FONT></FONT><BR /><BR /></SPAN>&gt; show system state | match lcaas<SPAN><BR /><FONT size="2"><FONT>结果是:&nbsp;</FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT><STRONG>cfg.lcaas-enabled: False</STRONG></FONT></FONT></FONT><FONT size="2"><FONT>(duplicate logging没有启用, 你会看到 “True”)</FONT></FONT><BR /><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT><STRONG>&gt; </STRONG></FONT></FONT></FONT></SPAN>show logging-status<SPAN><FONT size="2"><FONT>(duplicate logging启用,你只能看到客户网络中的日志收集器的IP地址。预计不会看到与子网的任何连接&nbsp;</FONT></FONT><FONT size="3"><FONT>US: 65.154.226.0/24 EU: 154.59.126.0/24</FONT></FONT><FONT size="2"><FONT>)</FONT></FONT><BR /><FONT size="2"><FONT>结果是:</FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT><STRONG>Panorama log forwarding agent is active but not connected to Logging Service</STRONG></FONT></FONT></FONT></SPAN></P> <P>&nbsp;</P> <P><SPAN>5.你可以用下面的命令验证日志是否被转发到Data Lake。</SPAN></P> <P>&nbsp;</P> <P><SPAN>当duplicate logging被启用时,show logging-status将只显示正在被发送到Panorama的日志。</SPAN></P> <P><SPAN><BR />为了验证日志在当前设置中被发送,你需要运行以下命令。</SPAN></P> <P>&gt; debug log-receiver rawlog_fwd_trial stats global show<SPAN>(将显示发送到云端的日志统计数据,关注掉线计数器(drop counters)很重要。运行该命令2-3次,检查掉线次数的增加。)<BR /><BR /></SPAN>&gt; debug log-receiver rawlog_fwd_dpi stats global show (将显示发送至云端的增强型应用程序日志的统计数据,重要的是关注下降计数器<SPAN>(drop counters)</SPAN>。运行该命令2-3次,检查下降计数器的增加情况)<SPAN><BR /><BR /></SPAN>&gt; debug log-receiver rawlog_fwd_trial evtmgr<SPAN>(将显示与Cortex Data Lake实例的连接)</SPAN><SPAN><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>servers=1 timers=1 proxies=0 msg_class=1 int_timer=13 last_id=1000001<BR />debug counters:<BR />56134 56134 67 0<BR />56142 56142 0 0<BR />0 0 56100 56100<BR />0 0 2 1<BR />0 0<BR />error counters:<BR />56098 0 0 0<BR />0 0<BR />currtime=337001 last_check=337000<BR />Server port=0 fd=-100 ssl=no clients=1 max_pending_msg=250<BR />triallr-74.217.90.122-def 1000001 26 2 0 0<BR />msg total=0 in=0 out=0 outdated=0 leak=0 option_bytes=0 data_bytes=0</FONT></FONT></FONT></SPAN></P> <P>&nbsp;</P> <P>6.<SPAN>如果你看到下降计数器(drop counters)的增加,请遵循以下步骤。</SPAN><BR /><BR /><SPAN>(如果不是7k和5200系列)</SPAN><BR /><SPAN>运行命令,重新启动管理服务器。</SPAN></P> <P>&gt; debug software restart process management-server<SPAN><BR /><BR />(7k和5200系列)<BR />运行命令,重新启动管理服务器。</SPAN><BR />&gt; debug software restart process management-server<BR /><BR /><SPAN>运行命令重启log receiver。</SPAN><BR />&gt; debug software restart process log-receiver</P> </DIV> Tue, 10 Jan 2023 07:57:21 GMT yishi 2023-01-10T07:57:21Z 在Palo Alto防火墙上验证Cortex Data Lake的连通性 https://live.paloaltonetworks.com/t5/%E9%85%8D%E7%BD%AE%E5%92%8C%E5%AE%9E%E6%96%BD/%E5%9C%A8palo-alto%E9%98%B2%E7%81%AB%E5%A2%99%E4%B8%8A%E9%AA%8C%E8%AF%81cortex-data-lake%E7%9A%84%E8%BF%9E%E9%80%9A%E6%80%A7/ta-p/526461 <DIV class="lia-message-template-symptoms-zone"> <H2>症状</H2> <P><SPAN>在Explore app或Panorama上看不到日志(当日志只发送到Cortex Data Lake时)。</SPAN></P> </DIV> <DIV class="lia-message-template-diagnosis-zone"> <H2>环境</H2> <P><SPAN>Palo Alto防火墙</SPAN><BR /><SPAN>PAN-OS 8.0和8.1</SPAN><BR /><SPAN>日志转发到Cortex Data Lake (CDL)</SPAN></P> </DIV> <DIV class="lia-message-template-solution-zone"> <H2>解决办法</H2> <P><SPAN>这个步骤对PanOS 8.0.X有效。当duplicate&nbsp;logging没有被启用时,它也对PanOS 8.1.X有效。</SPAN></P> <P><SPAN>验证<STRONG>Cortex Data Lake</STRONG>的功能。</SPAN></P> <P>&nbsp;</P> <P><SPAN>1.运行下面的命令并注意客户ID(Customer ID,后面客户ID也是指这个)(对每个客户都是唯一的)和区域信息(目前可以是欧洲或美洲,基于在Data Lake的初始设置中选择的位置)。</SPAN></P> <P>&nbsp;</P> <P>&gt; request logging-service-forwarding customerinfo show</P> <P><SPAN><STRONG>该命令的输出示例:</STRONG></SPAN></P> <P><SPAN><STRONG><FONT face="Courier New, serif"><FONT size="2"><FONT>Ingest endpoint:&nbsp;</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>xxxxxxxx</FONT></FONT></FONT><A href="http://d8c4bae6-b919-4853-bc9c-b412ae9432d7.in3.lcaas-beta.us.paloaltonetworks.com/" target="_blank" rel="noopener"><FONT color="#0000ff"><FONT face="Courier New, serif"><FONT size="2"><FONT><U>.in3.lcaas-beta.us.paloaltonetworks.com</U></FONT></FONT></FONT></FONT></A><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Query endpoint:&nbsp;</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>xxxxxxxx</FONT></FONT></FONT><A href="http://d8c4bae6-b919-4853-bc9c-b412ae9432d7.api3.lcaas-beta.us.paloaltonetworks.com/" target="_blank" rel="noopener"><FONT color="#0000ff"><FONT face="Courier New, serif"><FONT size="2"><FONT><U>.api3.lcaas-beta.us.paloaltonetworks.com</U></FONT></FONT></FONT></FONT></A><FONT face="Courier New, serif"><FONT size="2"><FONT>:444</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Customer ID:&nbsp;</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT><FONT color="#ff0000">Customer_Tenant_Id</FONT></FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Region :&nbsp;<FONT color="#ff0000">Selected Region</FONT></FONT></FONT></FONT></STRONG></SPAN></P> <P>&nbsp;</P> <P><SPAN>2.运行下面的命令并检查证书中的CN值。它应该与上一步看到的客户ID相同。序列号应与防火墙的序列号相同。</SPAN></P> <P>&gt; request logging-service-forwarding certificate info<SPAN><BR /><BR />输出示例:<BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>....Omitted output....</FONT></FONT></FONT><BR /><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Validity</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Not Before: May 1</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>04:48:36</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>2018</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>GMT</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Not After : Jul 30</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>04:48:36</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>2018</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>GMT</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Subject: C=US, L=Palo Alto Networks, OU=Cloud/serialNumber=<FONT color="#ff0000"><STRONG>FW_S/N</STRONG></FONT></FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>, CN=<FONT color="#ff0000"><STRONG>Customer_Tenant_Id</STRONG></FONT></FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Subject Public Key Info:</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Public Key Algorithm: rsaEncryption</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Public-Key: (2048</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>bit)</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Modulus:</FONT></FONT></FONT></SPAN></P> <P>&nbsp;</P> <P><SPAN>3.如果你没有看到正确的S/N或客户ID(证书的CN参数),你应该运行下面的命令,然后按照步骤1和2来检查序列号和CN值是否正确。</SPAN></P> <P>&gt;&nbsp;request logging-service-forwarding certificate delete<BR />&gt;&nbsp;request logging-service-forwarding certificate fetch</P> <P>&nbsp;</P> <P><SPAN>4.你应该检查 "show logging-status "输出,以确定日志转发是否成功。<BR />命令 "show logging-status "的输出示例。(7k和5200系列除外)</SPAN></P> <P><SPAN>•&nbsp;<FONT face="Courier New, serif"><FONT size="3"><FONT>US: 65.154.226.0/24</FONT></FONT></FONT><BR />•&nbsp;<FONT face="Courier New, serif"><FONT size="3"><FONT>EU: 154.59.126.0/24</FONT></FONT></FONT></SPAN></P> <P><EM><FONT face="Courier New, serif">查找'Log collection log forwarding agent'是激活的,并连接到&lt;IP_address&gt;line。由于选择的地区不同,IP地址会发生变化。你可以从下面的子网看到基于区域的IP地址。</FONT></EM></P> <P><SPAN>如果你在这个输出中看到日志转发代理处于活动状态但没有连接,你应该重启mgmtsrvr进程以刷新与Cortex Data Lake的连接。在PanOS 8.1.8中,你将不需要重启进程。将会有一个增强功能,无需重启即可刷新连接。</SPAN></P> <P><SPAN>运行命令,重新启动管理服务器。</SPAN></P> <P>&gt; debug software restart process management-server<SPAN><BR /></SPAN></P> <P><SPAN>命令 "show logging-status "的输出示例。(7k和5200系列除外)</SPAN></P> <P><SPAN>•&nbsp;<FONT face="Courier New, serif"><FONT size="3"><FONT>US: 65.154.226.0/24</FONT></FONT></FONT><BR />•&nbsp;<FONT face="Courier New, serif"><FONT size="3"><FONT>EU: 154.59.126.0/24</FONT></FONT></FONT></SPAN></P> <P><EM><FONT face="Courier New, serif"><FONT size="3"><FONT>查找找 "PANW_LOG_RECEPTOR_SRV",MS(mgmtserver)和LR(Log receiever)都是激活的,并且连接到&lt;IP_address&gt;line。由于选择的地区不同,IP地址会发生变化。你可以在下面看到基于区域的子网的IP地址。</FONT></FONT></FONT></EM></P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rtaImage.jpg" style="width: 695px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/46883i163C4DB99BD0ECB9/image-dimensions/695x225?v=v2" width="695" height="225" role="button" title="rtaImage.jpg" alt="rtaImage.jpg" /></span> <P><SPAN>5200和7K系列有不同的结构,因为有high log rate。日志接收程序负责转发流量、威胁等日志</SPAN><BR /><SPAN>Mgmtserver负责转发系统和配置日志。</SPAN></P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rtaImage.jpg" style="width: 696px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/46884i453EB237A4287014/image-dimensions/696x207?v=v2" width="696" height="207" role="button" title="rtaImage.jpg" alt="rtaImage.jpg" /></span> <P><SPAN>如果你在这个输出中看到MS或LR的连接状态是不活动的,你应该重新启动mgmtsrvr进程和日志接收器,以刷新与Cortex Data Lake的连接。在PanOS 8.1.8中,你将不需要重启进程。将会有一个增强功能,无需重启即可刷新连接。</SPAN></P> <P>&nbsp;</P> <P><SPAN>运行命令来重新启动管理服务器。</SPAN><BR /><SPAN>debug software restart process management-server</SPAN></P> <P><SPAN>运行命令来重启日志接收器。</SPAN><BR /><SPAN>debug software restart process log-receiver</SPAN></P> <P>&nbsp;</P> <P><SPAN>验证Cortex Data Lake的功能(PanOS 8.1.X当duplicate logging被启用时)。</SPAN><BR /><BR /><SPAN>1.运行下面的命令并注意客户ID(每个客户都是唯一的)和区域信息(目前它可以是欧洲或美洲,基于在Data Lake的初始设置中选择的位置)</SPAN></P> <P>&nbsp;</P> <P>&gt; request logging-service-forwarding customerinfo show</P> <P><SPAN><STRONG>该命令的输出示例:</STRONG></SPAN></P> <P><SPAN><STRONG><FONT face="Courier New, serif"><FONT size="2"><FONT>Ingest endpoint:&nbsp;</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>xxxxxxxx</FONT></FONT></FONT><A href="http://d8c4bae6-b919-4853-bc9c-b412ae9432d7.in3.lcaas-beta.us.paloaltonetworks.com/" target="_blank" rel="noopener"><FONT color="#0000ff"><FONT face="Courier New, serif"><FONT size="2"><FONT><U>.in3.lcaas-beta.us.paloaltonetworks.com</U></FONT></FONT></FONT></FONT></A><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Query endpoint:&nbsp;</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>xxxxxxxx</FONT></FONT></FONT><A href="http://d8c4bae6-b919-4853-bc9c-b412ae9432d7.api3.lcaas-beta.us.paloaltonetworks.com/" target="_blank" rel="noopener"><FONT color="#0000ff"><FONT face="Courier New, serif"><FONT size="2"><FONT><U>.api3.lcaas-beta.us.paloaltonetworks.com</U></FONT></FONT></FONT></FONT></A><FONT face="Courier New, serif"><FONT size="2"><FONT>:444</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Customer ID:&nbsp;</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT><FONT color="#ff0000">Customer_Tenant_Id</FONT></FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Region :&nbsp;<FONT color="#ff0000">Selected Region</FONT></FONT></FONT></FONT></STRONG></SPAN></P> <P>&nbsp;</P> <P><SPAN>2.运行下面的命令并检查证书中的CN值。它应该与上一步看到的客户ID相同。序列号应与防火墙的序列号相同。</SPAN></P> <P>&gt; request logging-service-forwarding certificate info<SPAN><BR /><BR />输出示例:<BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>....Omitted output....</FONT></FONT></FONT><BR /><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Validity</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Not Before: May 1</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>04:48:36</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>2018</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>GMT</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Not After : Jul 30</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>04:48:36</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>2018</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>GMT</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Subject: C=US, L=Palo Alto Networks, OU=Cloud/serialNumber=<FONT color="#ff0000"><STRONG>FW_S/N</STRONG></FONT></FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>, CN=<FONT color="#ff0000"><STRONG>Customer_Tenant_Id</STRONG></FONT></FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Subject Public Key Info:</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Public Key Algorithm: rsaEncryption</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Public-Key: (2048</FONT></FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT>bit)</FONT></FONT></FONT><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>Modulus:</FONT></FONT></FONT></SPAN></P> <P>&nbsp;</P> <P><SPAN>3.如果你没有看到正确的S/N或客户ID(证书的CN参数),你应该运行下面的命令,然后按照步骤1和2来检查序列号和CN值是否正确。</SPAN></P> <P>&gt;&nbsp;request logging-service-forwarding certificate delete<BR />&gt;&nbsp;request logging-service-forwarding certificate fetch</P> <P><SPAN>然后按照步骤1和2,检查信息是否匹配。</SPAN></P> <P>&nbsp;</P> <P><SPAN>4.启用duplicate logging后,你会看到以下命令的输出。</SPAN></P> <P>&gt; request logging-service-forwarding status<SPAN><BR /><FONT size="2"><FONT>结果是:</FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT><STRONG>&nbsp;LCaaS forwarding enabled: No</STRONG></FONT></FONT></FONT><FONT size="2"><FONT>(duplicate logging没有启用,你会看到&nbsp;“Yes”)</FONT></FONT><BR /><BR /></SPAN>&gt; show system state | match lcaas<SPAN><BR /><FONT size="2"><FONT>结果是:&nbsp;</FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT><STRONG>cfg.lcaas-enabled: False</STRONG></FONT></FONT></FONT><FONT size="2"><FONT>(duplicate logging没有启用, 你会看到 “True”)</FONT></FONT><BR /><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT><STRONG>&gt; </STRONG></FONT></FONT></FONT></SPAN>show logging-status<SPAN><FONT size="2"><FONT>(duplicate logging启用,你只能看到客户网络中的日志收集器的IP地址。预计不会看到与子网的任何连接&nbsp;</FONT></FONT><FONT size="3"><FONT>US: 65.154.226.0/24 EU: 154.59.126.0/24</FONT></FONT><FONT size="2"><FONT>)</FONT></FONT><BR /><FONT size="2"><FONT>结果是:</FONT></FONT><FONT face="Courier New, serif"><FONT size="2"><FONT><STRONG>Panorama log forwarding agent is active but not connected to Logging Service</STRONG></FONT></FONT></FONT></SPAN></P> <P>&nbsp;</P> <P><SPAN>5.你可以用下面的命令验证日志是否被转发到Data Lake。</SPAN></P> <P>&nbsp;</P> <P><SPAN>当duplicate logging被启用时,show logging-status将只显示正在被发送到Panorama的日志。</SPAN></P> <P><SPAN><BR />为了验证日志在当前设置中被发送,你需要运行以下命令。</SPAN></P> <P>&gt; debug log-receiver rawlog_fwd_trial stats global show<SPAN>(将显示发送到云端的日志统计数据,关注掉线计数器(drop counters)很重要。运行该命令2-3次,检查掉线次数的增加。)<BR /><BR /></SPAN>&gt; debug log-receiver rawlog_fwd_dpi stats global show (将显示发送至云端的增强型应用程序日志的统计数据,重要的是关注下降计数器<SPAN>(drop counters)</SPAN>。运行该命令2-3次,检查下降计数器的增加情况)<SPAN><BR /><BR /></SPAN>&gt; debug log-receiver rawlog_fwd_trial evtmgr<SPAN>(将显示与Cortex Data Lake实例的连接)</SPAN><SPAN><BR /><FONT face="Courier New, serif"><FONT size="2"><FONT>servers=1 timers=1 proxies=0 msg_class=1 int_timer=13 last_id=1000001<BR />debug counters:<BR />56134 56134 67 0<BR />56142 56142 0 0<BR />0 0 56100 56100<BR />0 0 2 1<BR />0 0<BR />error counters:<BR />56098 0 0 0<BR />0 0<BR />currtime=337001 last_check=337000<BR />Server port=0 fd=-100 ssl=no clients=1 max_pending_msg=250<BR />triallr-74.217.90.122-def 1000001 26 2 0 0<BR />msg total=0 in=0 out=0 outdated=0 leak=0 option_bytes=0 data_bytes=0</FONT></FONT></FONT></SPAN></P> <P>&nbsp;</P> <P>6.<SPAN>如果你看到下降计数器(drop counters)的增加,请遵循以下步骤。</SPAN><BR /><BR /><SPAN>(如果不是7k和5200系列)</SPAN><BR /><SPAN>运行命令,重新启动管理服务器。</SPAN></P> <P>&gt; debug software restart process management-server<SPAN><BR /><BR />(7k和5200系列)<BR />运行命令,重新启动管理服务器。</SPAN><BR />&gt; debug software restart process management-server<BR /><BR /><SPAN>运行命令重启log receiver。</SPAN><BR />&gt; debug software restart process log-receiver</P> </DIV> Tue, 10 Jan 2023 07:57:21 GMT https://live.paloaltonetworks.com/t5/%E9%85%8D%E7%BD%AE%E5%92%8C%E5%AE%9E%E6%96%BD/%E5%9C%A8palo-alto%E9%98%B2%E7%81%AB%E5%A2%99%E4%B8%8A%E9%AA%8C%E8%AF%81cortex-data-lake%E7%9A%84%E8%BF%9E%E9%80%9A%E6%80%A7/ta-p/526461 yishi 2023-01-10T07:57:21Z