topic Re: Passive firewall initiating syslog connection in General Topics

Passive firewall initiating syslog connection

amey_13 — Mon, 23 Apr 2018 01:44:02 GMT

We've syslog configured on devices with tcp protocol on port 515. Our passive device syslog connection is breaking every 300 seconds. Can you help in understand why passive palo alto not sending keep-alive?

Re: Passive firewall initiating syslog connection

BPry — Mon, 23 Apr 2018 17:50:12 GMT

@amey_13,

What interface are you trying to make the syslog connection to? Unless it's the management interface this isn't going to work.

Re: Passive firewall initiating syslog connection

amey_13 — Tue, 24 Apr 2018 05:07:20 GMT

@BPry, It is management interface only. We are getting logs in Monitor > system saying syslog connection broken and in next second syslog connection is established, this logs are with High severity.

Re: Passive firewall initiating syslog connection

BPry — Tue, 24 Apr 2018 13:25:38 GMT

@amey_13,

Assuming that the Active and Passive firewall are not directly plugged into the same switch for management access, have you verified that it isn't actually losing connection to the syslog server? It may be that it actually is losing this connection for a second, hence why the logs are generating.

Re: Passive firewall initiating syslog connection

amey_13 — Thu, 26 Apr 2018 12:40:42 GMT

@BPry,

The firewalls (active/passive) makes a tcp connection with syslog server virtual ip configured on load balancer. On load balancer we have tcp idle timeout set to 300 seconds. The load balancer is sending reset packet to passive device after 300 seconds which breaks the connection. My query is why the passive device not sending any keep-alive to keep the tcp connection active???

Also if it sends keep-alive what is it default time, is it more then 300 seconds.

Thanks.

Re: Passive firewall initiating syslog connection

BPry — Thu, 26 Apr 2018 13:00:28 GMT

@amey_13,

To the best of my knowledge the firewall doesn't send a keep-alive, and will allow the connection to the syslog server to close if enough logs are not generated during this time frame; unlike the ESM server that actually sends a keep-alive message that you configure.