topic Re: Non logging issue in General Topics

Non logging issue

Brinkman — Tue, 18 Jun 2013 14:09:15 GMT

OK a little background first I'm running 4.1 on a 5050 pair in A/P. I have a server that is trying to do 80 and 443 out to a specific address and we have some logging wierdness going on. If we don't have a rule in place allowing the traffic it will not show up with a log entry. If I do a packet capture I see it in the receive stage but not any other stage. At the very least I would expect to see it in the drop stage, also, it isn't showing up in any of the logs or being sent to our syslog server. If I have a rule in place allowing the traffic it will show up in the logs. I have verified that my any,any,deny at the end of the ruleset is logging at both the start and end of the session and I'm still not seeing anything. We are using the Anti-Spyware and Vulnerability protection but it currently is only setup in alert mode so it shouldn't be blocking. Also, I have tried connecting with different ports just to make sure it wasn't a specific application issue and that has no effect.

Any help is appreciated.

Kris

Re: Non logging issue

Retired Member — Tue, 18 Jun 2013 14:15:23 GMT

Do you have security rules for intrazones

Re: Non logging issue

Brinkman — Tue, 18 Jun 2013 14:20:21 GMT

I do not for this zone, but the connection is going from a trusted zone IP to an untrusted zone IP.

Re: Non logging issue

Retired Member — Tue, 18 Jun 2013 14:26:57 GMT

you mean that not logging issue happens for just that 1 client ?and also to just 1 ip ?

Re: Non logging issue

VinceM — Tue, 18 Jun 2013 15:25:27 GMT

Mean no logs neither in Monitor/Traffic nor in session browser ?

no routing issue ?

Re: Non logging issue

Brinkman — Tue, 18 Jun 2013 16:20:40 GMT

It will happen from that client to any IP on any port. What it looks like is if that client sends out a SYN and a SYN-ACK never comes back the firewall doesn't log the connection, even if it passed it. As soon as it gets the SYN-ACK back it logs it. Am I misunderstanding the way this should work.

And I don't see anything in monitor/traffic nor the session browser until the SYN-ACK is received back, if I never receive a SYN-ACK I never see an entry. No there aren't any routing issues because in the beginning the one connection was not allowed at the distant end but as soon as they put the access in it came up fine and starting working.

Re: Non logging issue

Retired Member — Tue, 18 Jun 2013 16:27:23 GMT

you have to see incomplete logs even you send syn.

Can you try to delete all logs and restrart log server ?

debug software restart log-receiver

Re: Non logging issue

Brinkman — Tue, 18 Jun 2013 16:56:56 GMT

OK I tried that and no change.

Re: Non logging issue

jcostello — Tue, 18 Jun 2013 17:01:00 GMT

The implicit deny rule on a PAN will not generate log entries.

You would need to have an explicit deny rule with logging enabled to see the traffic that is denied.

Re: Non logging issue

Brinkman — Tue, 18 Jun 2013 17:02:53 GMT

Yep that's what I have and it's set to log at the start and end of the session.

Re: Non logging issue

Retired Member — Tue, 18 Jun 2013 17:04:21 GMT

you should better open a case.

should take 2 captures

1- at client interface

2- at Paloalto interface

filter and look if client sends and paloalto receives support will investigate that.

Re: Non logging issue

jcostello — Tue, 18 Jun 2013 17:06:36 GMT

The deny all logging can put a strain on the log-receiver (in my experience)

From the CLI try the following command

debug log-receiver statistics

look for entries under Logs discarded (queue full)

Re: Non logging issue

Brinkman — Tue, 18 Jun 2013 17:07:12 GMT

I've already verified that the client is sending the packet and I know PA is receiving it. Is this just a case of how the underlying system works where it won't create any log entry until the 3 way handshake is complete.

Re: Non logging issue

Brinkman — Tue, 18 Jun 2013 17:09:32 GMT

There aren't any that showed they were discarded. The rate is 112/sec.

Re: Non logging issue

jcostello — Tue, 18 Jun 2013 17:10:56 GMT

With the settings of start and end on the logging of all traffic on that deny rule, you will fill the logging queue on the box and it will not be able to process all of the logs.

With something that is denied, it won't wait for the three way handshake to log an entry if logging functioning correctly

Re: Non logging issue

jcostello — Tue, 18 Jun 2013 17:11:45 GMT

Are you seeing incomplete traffic associated to another rule?

Re: Non logging issue

Brinkman — Tue, 18 Jun 2013 17:14:46 GMT

I was seeing incompletes in the logs with the connection before the distant end opened it up. I'm currently seeing it from another client IP here that I know the other end has yet to add to their firewalls.

Re: Non logging issue

jcostello — Tue, 18 Jun 2013 17:16:18 GMT

are you seeing sessions for the traffic in the session tables?

Re: Non logging issue

Retired Member — Tue, 18 Jun 2013 17:27:15 GMT

>debug log-receiver statistics

what's your output

Re: Non logging issue

Brinkman — Tue, 18 Jun 2013 17:27:37 GMT

Yes I am, they show up as below(IPs sanitized).

1245412 undecided	ACTIVE FLOW 144.100.71.22[60373]/ProdApp/6 ("SRC IP"[60373])
vsys2	"DST IP"[8005]/Deep Dark Woods (8.8.8.8[8005])