https://live.paloaltonetworks.com/t5/general-topics/interface-ping-logs-are-not-showing-in-traffic-log/m-p/245082#M69882 <P>Hi All,</P><P>&nbsp;</P><P>firewall interface configured with management profile where ICMP is enabled and i can ping the firewall ip. But we can't see any logs for ICMP in firewall .</P><P>&nbsp;</P><P>How we can get this ?</P> Mon, 07 Jan 2019 08:27:57 GMT gpsriram 2019-01-07T08:27:57Z https://live.paloaltonetworks.com/t5/general-topics/interface-ping-logs-are-not-showing-in-traffic-log/m-p/245082#M69882 <P>Hi All,</P><P>&nbsp;</P><P>firewall interface configured with management profile where ICMP is enabled and i can ping the firewall ip. But we can't see any logs for ICMP in firewall .</P><P>&nbsp;</P><P>How we can get this ?</P> Mon, 07 Jan 2019 08:27:57 GMT https://live.paloaltonetworks.com/t5/general-topics/interface-ping-logs-are-not-showing-in-traffic-log/m-p/245082#M69882 gpsriram 2019-01-07T08:27:57Z https://live.paloaltonetworks.com/t5/general-topics/interface-ping-logs-are-not-showing-in-traffic-log/m-p/245095#M69884 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/98460">@gpsriram</a>,</P> <P>&nbsp;</P> <P>As far as I know ICMP is not an option in the interface management profile.&nbsp;</P> <P>Ping is the selectable option as shown in the screenshot :</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="ping_profile.jpg" style="width: 377px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/18169i4B7679189253F050/image-dimensions/377x308?v=v2" width="377" height="308" role="button" title="ping_profile.jpg" alt="ping_profile.jpg" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Look for 'ping' application in your traffic log instead of icmp application ... + also make sure that the security rule which is being hit is actually being logged :</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="traffic_log.jpg" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/18170i1E7F083EEBDE3D65/image-size/medium?v=v2&amp;px=400" role="button" title="traffic_log.jpg" alt="traffic_log.jpg" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>I hope this helps.</P> <P>&nbsp;</P> <P>Cheers !</P> <P>-Kiwi.</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Mon, 07 Jan 2019 09:57:01 GMT https://live.paloaltonetworks.com/t5/general-topics/interface-ping-logs-are-not-showing-in-traffic-log/m-p/245095#M69884 kiwi 2019-01-07T09:57:01Z https://live.paloaltonetworks.com/t5/general-topics/interface-ping-logs-are-not-showing-in-traffic-log/m-p/245099#M69885 <P>yes it displays as ping but only if you have a security policy that it matches with log enabled.</P><P>&nbsp;</P><P>you can only see it in <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11943">@kiwi</a>&nbsp;screen shot as it's&nbsp;hitting the rule "vdraad".&nbsp;</P><P>&nbsp;</P><P>if you are just relying on the management profile then it seems not to show in traffic log.&nbsp;</P> Mon, 07 Jan 2019 12:46:15 GMT https://live.paloaltonetworks.com/t5/general-topics/interface-ping-logs-are-not-showing-in-traffic-log/m-p/245099#M69885 Mick_Ball 2019-01-07T12:46:15Z https://live.paloaltonetworks.com/t5/general-topics/interface-ping-logs-are-not-showing-in-traffic-log/m-p/245322#M69926 <P>Most probably because you don't have specific rule allowing this traffic, but rather relying on the default intra-zone rule, which doesn't log any traffic.</P><P>&nbsp;</P><P>Even that you have interface management profile you still need a rule the policy to allow that traffic. It is common mistake to overlook this as in most of the cases the default intra-zone rule is already allowing this traffic. But default settings for the intra-zone rule is to NOT log the traffic.</P><P>&nbsp;</P><P>There is two ways to solve this:</P><P>- Create specific rule (same source and destination zone) for this traffic and enable the log option on this rule</P><P>- Override the default intra-zone rule and enable the logging.</P><P>&nbsp;</P><P>Note that the second option will log any other intra-zone traffic so, depending on your enviroment it migth generate lots of lots of unecessary logs</P> Wed, 09 Jan 2019 12:54:34 GMT https://live.paloaltonetworks.com/t5/general-topics/interface-ping-logs-are-not-showing-in-traffic-log/m-p/245322#M69926 aleksandar.astardzhiev 2019-01-09T12:54:34Z https://live.paloaltonetworks.com/t5/general-topics/interface-ping-logs-are-not-showing-in-traffic-log/m-p/245323#M69927 <P>Good point Mr Astardzhiev.</P> Wed, 09 Jan 2019 12:58:20 GMT https://live.paloaltonetworks.com/t5/general-topics/interface-ping-logs-are-not-showing-in-traffic-log/m-p/245323#M69927 Mick_Ball 2019-01-09T12:58:20Z