topic Re: PA syslog app id - problems in General Topics

PA syslog app id - problems

Alex_Samad — Fri, 14 Feb 2020 07:11:48 GMT

so 5220 - 9.0.5

I have a syslog client and syslog server.

the path goes through my PA.

I have a rule basically says any internal ip is allowed to the syslog server if the app it syslog

that doesn't work, the packets are too short for the PA to distinguish them .. sigh so add in unknown - udp .

now they go through.

next problem tcp syslog on port 514 - default for centos and rhel when using tcp

pa don't think syslog goes on port 514.

okay application override

I say any internal ip going to syslog server on tcp 514 . make it syslog application.

doesn't work . my session are still marked as unkown ... again i am guessing causes it too small.

WTF do you do .

I can see packets on both side. client and server .. and the client is trying to send the pa is not letting through.

FFS 🙂 sigh

any suggestions. I am thinking of just setting any app as long as its port 514 hopefully that will fix it

Re: PA syslog app id - problems

Alex_Samad — Fri, 14 Feb 2020 07:16:11 GMT

tried allowing any app id but to that ip and only port 514..

no luck 😞

Re: PA syslog app id - problems

SutareMayur — Fri, 14 Feb 2020 08:25:22 GMT

Hi @Alex_Samad

What do you see in the traffic logs ? Is it actually using syslog default port?

Can you try to configure policy for app - syslog and port any?

Mayur

Re: PA syslog app id - problems

OtakarKlier — Fri, 14 Feb 2020 17:59:19 GMT

Hello,

Have you tried setting CentOS to send syslog over 514/UDP?

Re: PA syslog app id - problems

Alex_Samad — Sat, 15 Feb 2020 06:52:02 GMT

@OtakarKlier Not sure why I have to change my setup to make he firewall work :).

So the reason I am using TCP over 514 is that the reliabe transfer setup for syslog. I can guarantee messages being sent from one server to the central logging server.

The issue seems to be that the PA doesn't allow traffic to flow from client to server and back. because it can't id (my guess why the packets aren't flowing).

initially I have it as

any int ip to syslog server allow applicaiton syslog on port 514 udp and tcp.

UDP works fine. but when i tried my tcp connections. no go.

So did some investigating and found that PA application syslog doesn't recognise tcp/514 as syslog ..

So I thought this is simple ! I do an applicaiton override for any int ip to syslog on tcp 514 say its syslog application.

that didn't seem to work ! when i look at current session they still show up as undecide .. so it just gets stuck and ages out.

So what next ! I have raised this with support ..

but why do I have to change my setup to make the firewall work properly

Re: PA syslog app id - problems

SutareMayur — Sat, 15 Feb 2020 13:50:05 GMT

Hi @OtakarKlier,

Seeing 'session aged out' does not mean that firewall is actually dropping traffic. There are multiple reasons for that. It may be the case there are some changes at server end itself. Also if you are trying to access it on TCP port, have you tried to telnet syslog server from client on tcp port?

Are you able to do so?

Mayur

Re: PA syslog app id - problems

Alex_Samad — Sat, 15 Feb 2020 14:25:26 GMT

Very true, but I had tcpdump on both side - client and server.

syn tick

syn ack tick

syn ack ack tick

then I see the client trying to push and then flush the tcp connection they don't actually make it to the syslog server.

Re: PA syslog app id - problems

Alex_Samad — Mon, 17 Feb 2020 22:43:40 GMT

So the word i got from support you can't use app override to a preconfigure app and override the port number...

sigh ... tried that and its still not working 😞

Re: PA syslog app id - problems

Alex_Samad — Tue, 18 Feb 2020 02:21:13 GMT

Okay worked out the issue !

asym routing

client -> external address

client -> fw -> syslog server via internal address -> loopback (external address !).

return packet was directly back to the client. the FW wasn't seeing all of the packets !'