topic Re: Issue that specific policy traffic logs fail to forward to syslog server and drop from firewall in General Topics

Issue that specific policy traffic logs fail to forward to syslog server and drop from firewall

JoHyeonJae — Tue, 20 Sep 2022 02:53:11 GMT

Hello,

OS : 9.1.6

Currently, my customer is facing Issues where logs generated (TO_DNS policy) from a specific policy of more than 10,000 LPS are dropped without being forwarded to the syslog server.

The Traffic Log of the firewall is verifiable, but the Forwarding Stats Syslog Drop Count is constantly increasing, debug log-receiver statistics have been confirmed, and less than 1,000 Total LPS appear in addition to this policy.

There is no logs for that policy on the syslog server because it is dropped without being forwarded by the firewall.

The Log Setting/Log Forwarding Profile in the policy settings is set normally, so it seems to be no problem with the settings.

I will let you know, if you guys need additional info.

The Device Log Forwarding Limit of PA-3260 is written in 24,000/LPS as shown in the document below, so I wonder why it is dropped.

Thanks,

Re: Issue that specific policy traffic logs fail to forward to syslog server and drop from firewall

PavelK — Tue, 20 Sep 2022 04:38:25 GMT

Hello @JoHyeonJae

your customer might be hitting an issue PAN-185616 addressed in 9.1.14:

Kind Regards

Pavel

Re: Issue that specific policy traffic logs fail to forward to syslog server and drop from firewall

JoHyeonJae — Tue, 20 Sep 2022 04:44:18 GMT

Thank you for your information.

Due to this bug can cause drop in a particular policy?

I am not sure this can match about this issue..

Thanks

Re: Issue that specific policy traffic logs fail to forward to syslog server and drop from firewall

PavelK — Tue, 20 Sep 2022 04:58:31 GMT

Thank you for reply @JoHyeonJae

this fix is applied to sending queue which is processing all the logs irrespectively what policy has generated it.

Kind Regards

Pavel

Re: Issue that specific policy traffic logs fail to forward to syslog server and drop from firewall

JoHyeonJae — Tue, 20 Sep 2022 06:07:40 GMT

@PavelK

I have one more question.

Since the send queue has become smaller due to the OS bug, is the issue caused when the LPS value increases?

Thanks,

Re: Issue that specific policy traffic logs fail to forward to syslog server and drop from firewall

PavelK — Tue, 20 Sep 2022 22:06:25 GMT

Thank you for reply @JoHyeonJae

I can't answer this with certainty. In any case, I would recommend to upgrade PAN-OS to the version that has this fix or newer, then observe this issue again. The symptom of this bug is random log loss while sending logs to 3rd party system causing difference in logs between Firewall and 3rd party SIEM. If you are hitting serios syslog drop count after reaching certain log rate, then the issue might be something else. Opening a ticket to support might be appropriate in this case.

Kind Regards

Pavel

Re: Issue that specific policy traffic logs fail to forward to syslog server and drop from firewall

JoHyeonJae — Wed, 21 Sep 2022 00:18:44 GMT

Thanks!