Commit not showing who did it in system log


Not applicable

Dears,

I have a serious issue. Yesterday the internet suddenly went down. When I checked the firewall, I found that big changes had happened on the firewall without us knowing; no one has changed anything. When I went to the system log to see which admin did the commit, I found the commit showing without the user.

It should show in this way: Commit job succeeded for user admin

But I find it in the log as: Commit job succeeded

//--------------

2012/09/26 14:50:06info     general        general 0  Commit job succeeded for user omer

2012/09/26 15:14:52info     general        general 0  Commit job succeeded

//---------------

And I checked the audit version for that commit, and it was a big change to the policy; even if someone wanted to make these changes, he would need hours...

If someone can tell: What happened? Who? And why is it not telling me which user committed?

Thanks.

1 accepted solution

Accepted Solutions

Hi,

"2012/09/26 15:12:24info     general        general 0  synchronized running configuration from HA peer and local candidate configuration". Someone made the changes on the passive (or slave) device and committed the config. Since the devices are in HA, the passive device pushed the config to the active device. When this happens, the active device gets the config changes from the passive and commits these changes. So this commit on the active device will not show which user did it. So the message "general 0  Commit job succeeded" is expected. Please go to the passive device and see who made the changes. And the answer to your question, is it possible to push the config changes from the PASSIVE device to the ACTIVE device: YES. We can make changes from either side in HA.


6 REPLIES 6

L4 Transporter

Would it be possible to export the system log between 14:45 and 15:14 and attach it here?

Normally it should say the user who did a commit change on the firewall.

If there is no indication in the system logs, we might have to look into the tech support file of the device.

Which version of PAN-OS software?

Regards

Parth

L4 Transporter

On the UI of the firewall, go to Monitor > Logs > Configuration. You should be able to see the user and the changes.

config.png

Let me know if this helps

Regards

Parth

Not applicable

Hi Parth,

I can't see Configuration under Logs!! Our PAN-OS is 4.1.7

Please check the logs between the time you requested...

//------------------------

2012/09/26 14:41:12info     general        general 0  Commit job succeeded for user omer

2012/09/26 14:42:33info     general        general 0  User omer accessed Monitor tab

2012/09/26 14:48:39info     general        general 0  Commit job started, user=omer, command=commit, client type=2, Commit parameters: force=false,  device_network=true, shared_object=true. Commit All Vsys. .

2012/09/26 14:49:19info     routing        routed- 0  Route daemon configuration load phase-1 succeeded.

2012/09/26 14:49:22info     vpn            ike-con 0  IKE daemon configuration load phase-1 succeeded.

2012/09/26 14:49:26info     ras            rasmgr- 0  RASMGR daemon configuration load phase-1 succeeded.

2012/09/26 14:49:43info     routing        routed- 0  Route daemon configuration load phase-2 succeeded.

2012/09/26 14:49:44info     vpn            ike-con 0  IKE daemon configuration load phase-2 succeeded.

2012/09/26 14:49:44info     ras            rasmgr- 0  RASMGR daemon configuration load phase-2 succeeded.

2012/09/26 14:49:45info     general        general 0  Config installed

2012/09/26 14:49:51high     ha             config- 0  HA Group 1: Commit on local device with running configuration not synchronized; synchronize manually

2012/09/26 14:49:53info     ntpd           restart 0  NTP restart synchronization performed

2012/09/26 14:50:06info     general        general 0  Commit job succeeded for user omer

2012/09/26 14:55:06info     general        general 0  User omer accessed Monitor tab

2012/09/26 15:12:24info     general        general 0  synchronized running configuration from HA peer and local candidate configuration

2012/09/26 15:13:12info     routing        routed- 0  Route daemon configuration load phase-1 succeeded.

2012/09/26 15:13:15info     vpn            ike-con 0  IKE daemon configuration load phase-1 succeeded.

2012/09/26 15:13:20info     ras            rasmgr- 0  RASMGR daemon configuration load phase-1 succeeded.

2012/09/26 15:14:17info     routing        routed- 0  Route daemon configuration load phase-2 succeeded.

2012/09/26 15:14:19info     general        general 0  Config installed

2012/09/26 15:14:20info     vpn            ike-con 0  IKE daemon configuration load phase-2 succeeded.

2012/09/26 15:14:20info     ras            rasmgr- 0  RASMGR daemon configuration load phase-2 succeeded.

2012/09/26 15:14:38info     ntpd           restart 0  NTP restart synchronization performed

2012/09/26 15:14:52info     general        general 0  Commit job succeeded

2012/09/26 15:15:52info     general        general 0  Session for user shoieb via Web from 10.13.2.145 timed out

//-----------------------

Also check this:

2012/09/26 15:12:24info     general        general 0  synchronized running configuration from HA peer and local candidate configuration

Is it related to the commit, and how can the master get the config from the slave if this log is correct?

Thanks

Hi ,

I am surprised that you are not able to see the configuration logs under Monitor Tab.

Can you expand the logs section under Monitor Tab?

Can you check the peer device around 15:12, as it appears that the config sync was done from the peer's running config.

Regards

Parth


Please log on to both HA PA using ssh and execute the following commands:

show jobs all

show jobs all - This sample shows that commit completed with a date and time.

Enqueued                     ID             Type    Status Result Completed

--------------------------------------------------------------------------

2012/09/27 14:36:46           5           Commit       FIN     OK 14:37:02

2012/09/27 11:41:20           4           Commit       FIN     OK 11:41:37

2012/09/27 11:39:05           3           Commit       FIN     OK 11:40:00

2012/09/27 11:31:54           2           Commit       FIN     OK 11:32:51

2012/09/27 11:00:44           1           Commit       FIN     OK 11:01:00

See if there is a commit job for the date/time you are referencing, or an HA sync.

If you need additional data let us know.

Thanks
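Added example, not part of any post in this thread: a small Python check that applies the accepted answer's reasoning to an exported system log, pairing each "Commit job succeeded" line that carries no user with a preceding HA sync event so you know to look for the responsible admin on the peer. The sample lines are copied from the log excerpt posted above; the function names and the 10-minute pairing window are assumptions.

```python
import re
from datetime import datetime, timedelta

# PAN-OS 4.1 system log line as pasted in the thread (time runs into severity).
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\s*(\w+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
COMMIT_OK = re.compile(r"^Commit job succeeded(?: for user (\S+))?$")
HA_SYNC = "synchronized running configuration from HA peer"

# Lines copied from the log excerpt posted in the thread.
SAMPLE = """\
2012/09/26 14:49:51high     ha             config- 0  HA Group 1: Commit on local device with running configuration not synchronized; synchronize manually
2012/09/26 14:50:06info     general        general 0  Commit job succeeded for user omer
2012/09/26 15:12:24info     general        general 0  synchronized running configuration from HA peer and local candidate configuration
2012/09/26 15:14:19info     general        general 0  Config installed
2012/09/26 15:14:52info     general        general 0  Commit job succeeded
"""

def parse(text):
    """Yield (timestamp, message) for each well-formed log line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(6).strip()

def classify_commits(text, window=timedelta(minutes=10)):
    """Label each successful commit: local, ha-sync (check the peer), or unattributed.

    The 10-minute pairing window is an assumption, not a PAN-OS value.
    """
    results, last_sync = [], None
    for ts, msg in parse(text):
        if msg.startswith(HA_SYNC):
            last_sync = ts
            continue
        m = COMMIT_OK.match(msg)
        if not m:
            continue
        user, sync_at = m.group(1), None
        if user:
            verdict = "local"
        elif last_sync and ts - last_sync <= window:
            verdict, sync_at, last_sync = "ha-sync", last_sync, None
        else:
            verdict = "unattributed"
        results.append({"time": ts, "user": user, "verdict": verdict, "sync_at": sync_at})
    return results

if __name__ == "__main__":
    for r in classify_commits(SAMPLE):
        print(r["time"], r["user"] or "-", r["verdict"], r["sync_at"] or "")
```

A commit labelled "unattributed" has neither a user nor a nearby HA sync and is the case worth escalating; "ha-sync" means the user should appear in the peer's own logs around the `sync_at` time.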
