topic Re: Palo Alto firewall does not display traffic log in General Topics

Palo Alto firewall does not display traffic log

prenatip — Tue, 17 Jul 2018 02:20:26 GMT

I've just installed Palo Alto firewall VM version in virtual box.

I was able to access it via WEB (https) and SSH.

However, when I check traffic log it was empty.

I generated a few traffic such as ping and nmap scan against firewall IP, but still no traffic log appear in it.

log-receiver statistics shows 0 traffic logs written meaning no traffic at all.

I've also restarted `log-receiver` as advised in https://live.paloaltonetworks.com/t5/Management-Articles/Traffic-Log-is-Not-Generated-and-Not-Displayed-on-the-WebGUI/ta-p/62177 but didn't help.

admin@PA-VM> debug software restart log-receiver

Process 'logrcvr' executing RESTART

admin@PA-VM>

What went wrong with this firewall and how to fix it?

admin@PA-VM> debug log-receiver statistics

Logging statistics
------------------------------ -----------
Log incoming rate:             0/sec
Log written rate:              0/sec
Corrupted packets:             0
Corrupted URL packets:         0
Corrupted HTTP HDR packets:    0
Logs discarded (queue full):   0
Traffic logs written:          0
URL logs written:              0
Wildfire logs written:         0
Anti-virus logs written:       0
Widfire Anti-virus logs written: 0
Spyware logs written:          0
Attack logs written:           0
Vulnerability logs written:    0
Fileext logs written:          0
URL cache age out count:       0
URL cache full count:          0
URL cache key exist count:     0
URL cache wrt incomplete http hdrs count: 0
URL cache rcv http hdr before url count: 0
URL cache full drop count(url log not received): 0
URL cache age out drop count(url log not received): 0
Traffic alarms dropped due to sysd write failures: 0
Traffic alarms dropped due to global rate limiting: 0
Traffic alarms dropped due to each source rate limiting: 0
Traffic alarms generated count:  0
Log Forward count:             0
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0

Summary Statistics:
Num current drop entries in trsum:0
Num cumulative drop entries in trsum:0
Num current drop entries in thsum:0
Num cumulative drop entries in thsum:0

External Forwarding stats:
      Type  Enqueue Count     Send Count     Drop Count    Queue Depth     Send Rate(last 1min)
    syslog              0              0              0              0                        0
      snmp              0              0              0              0                        0
     email              0              0              0              0                        0
       raw              0              0              0              0                        0

admin@PA-VM>

Re: Palo Alto firewall does not display traffic log

RobinClayton — Tue, 17 Jul 2018 08:03:56 GMT

Are your default rules actualy set to log??

Rob

Re: Palo Alto firewall does not display traffic log

santonic — Tue, 17 Jul 2018 08:40:43 GMT

You have only MGMT interface configured and pinging that? PA has out of band MGMT interface which is seperated from the FW functions.

Re: Palo Alto firewall does not display traffic log

prenatip — Wed, 18 Jul 2018 05:34:49 GMT

@RobinClayton wrote:
Are your default rules actualy set to log??

Rob

Yes, here is the screenshot.

Re: Palo Alto firewall does not display traffic log

prenatip — Wed, 18 Jul 2018 06:05:48 GMT

@santonic wrote:
You have only MGMT interface configured and pinging that? PA has out of band MGMT interface which is seperated from the FW functions.

Thanks ... I do configure another interface, but still don't see any changes.

This time, I can't even ping internal ip of Palo Alto firewall from another Client.

Here is my topology. Has anyone successfully setup a lab of PA in VirtualBox before?

Client (10.1.1.110) --> PA (10.1.1.254)

VirtualBox Adapter setting

VirtualBox Adapter 1: Host-only (out of band MGMT interface)

VirtualBox Adapter 2: Internal Network

Palo Alto interface setting

admin@PA-VM> show interface all

total configured hardware interfaces: 1

name                    id    speed/duplex/state        mac address       
--------------------------------------------------------------------------------
ethernet1/1             16    1000/full/up              bb:bb:bb:bb:bb:bb 

aggregation groups: 0


total configured logical interfaces: 1

name                id    vsys zone             forwarding               tag    address                          
               
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/1         16    1                     N/A                      0      10.1.1.254/32     

admin@PA-VM>

Client Config

user@linux:~$ ifconfig | grep ad | grep -v 127
eth0      Link encap:Ethernet  HWaddr 00:00:00:AA:AA:A1  
          inet addr:192.168.56.110  Bcast:192.168.56.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:00:00:AA:AA:A2  
          inet addr:10.1.1.110  Bcast:10.1.1.255  Mask:255.255.255.0
user@linux:~$

Ping test from Client to Palo Alto internal interface

user@linux:~$ ping 10.1.1.254 -c 5
PING 10.1.1.254 (10.1.1.254): 56 data bytes

--- 10.1.1.254 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
user@linux:~$

ARP Entry on client

user@linux:~$ arp
? (192.168.56.1) at 00:00:00:00:00:11 [ether]  on eth0
? (192.168.56.254) at aa:aa:aa:aa:aa:a1 [ether]  on eth0
? (10.1.1.254) at <incomplete>  on eth1
user@linux:~$

ARP Entry on PA fw

admin@PA-VM> show arp all

maximum of entries supported :      500
default timeout:                    1800 seconds
total ARP entries in table :        0
total ARP entries shown :           0
status: s - static, c - complete, e - expiring, i - incomplete

interface         ip address      hw address        port              status   ttl  
--------------------------------------------------------------------------------

admin@PA-VM>

Re: Palo Alto firewall does not display traffic log

santonic — Wed, 18 Jul 2018 06:19:31 GMT

You will never see any traffic to MGMT interface in traffic log as that interface is not a part of firewall.

If you don't get MAC address of PA non-mgmt IP then you have issues at layers below level 3. So untill you get MAC address you won't be able to send any traffic to PA. So logs will remain empty till then.

Re: Palo Alto firewall does not display traffic log

RobinClayton — Wed, 18 Jul 2018 07:57:45 GMT

have you set a managemetn profile on the lan interface?

Re: Palo Alto firewall does not display traffic log

prenatip — Wed, 18 Jul 2018 08:27:11 GMT

@santonic wrote:
You will never see any traffic to MGMT interface in traffic log as that interface is not a part of firewall.

If you don't get MAC address of PA non-mgmt IP then you have issues at layers below level 3. So untill you get MAC address you won't be able to send any traffic to PA. So logs will remain empty till then.

Thanks @santonic, based on ARP and tcpdump output, I suspect this is Layer 1 issue between VirtualBox and PA-VM ethernet1/1 interface.

I've open seperate topic for this ... let me know if you need more info.

https://live.paloaltonetworks.com/t5/General-Topics/PA-VM-network-setting-in-VirtualBox/m-p/222701#M64042