https://live.paloaltonetworks.com/t5/general-topics/syslog-issue/m-p/40386#M29642 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>has anyone experienced any issue with high amount of traffic sent to a Syslog server by PAN device, when updating from 3.0.8 to 3.1?</P><P></P><P>It seems to be a bug (or a very strange beahvior) introduced in 3.1 release that cause many logs generated by sessions.</P><P></P><P>We are in trouble with some customers that disabled syslog log forwarding to preserve the syslog server (flooded by pan device).</P><P></P><P>We already opened a case (22118) in October but we are waiting for a response by PAN support.</P><P></P><P>Thanks in advance</P></BODY></HTML> Tue, 30 Nov 2010 18:54:10 GMT migration 2010-11-30T18:54:10Z https://live.paloaltonetworks.com/t5/general-topics/syslog-issue/m-p/40386#M29642 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>has anyone experienced any issue with high amount of traffic sent to a Syslog server by PAN device, when updating from 3.0.8 to 3.1?</P><P></P><P>It seems to be a bug (or a very strange beahvior) introduced in 3.1 release that cause many logs generated by sessions.</P><P></P><P>We are in trouble with some customers that disabled syslog log forwarding to preserve the syslog server (flooded by pan device).</P><P></P><P>We already opened a case (22118) in October but we are waiting for a response by PAN support.</P><P></P><P>Thanks in advance</P></BODY></HTML> Tue, 30 Nov 2010 18:54:10 GMT https://live.paloaltonetworks.com/t5/general-topics/syslog-issue/m-p/40386#M29642 migration 2010-11-30T18:54:10Z https://live.paloaltonetworks.com/t5/general-topics/syslog-issue/m-p/40387#M29643 <HTML><HEAD></HEAD><BODY><P>I checked your referenced case and it was updated today with the following explanation:</P><P></P><P>Engineering has informed us that this is expected behavior on 3.1.x and was due to a change in behavior in how syslog sessions are generated from PanOS 3.0.x to 3.1.x. In PanOS 3.0.x syslog sessions used the same source port, whereas syslog sessions in PanOS 3.1.x use different source ports.</P><P></P><P>The result of using the same source port (PanOS 3.0.x) in the syslog session could result in the downstream firewall resuing the same session for the syslog messages. The result of using a different source port (PanOS 3.1.x) will result in the downstream firewall having to create a new session for each new syslog message, which is why you were seeing a higher number of syslog sessions originating from the PAN firewall.</P></BODY></HTML> Tue, 30 Nov 2010 23:51:10 GMT https://live.paloaltonetworks.com/t5/general-topics/syslog-issue/m-p/40387#M29643 nrice 2010-11-30T23:51:10Z