We have a PA-7000 (7.1) and Tufin (for syslog).
The system was previously setup to forward syslog traffic to Tufin.
Then all of a sudden, Tufin wasn't receiving any traffic.
What I have done so far:
If someone could push me in the right direction to correct this I would greatly appreciate it.
No we haven't.
I'll give it a try next week. Don't want to make any changes on a Friday. Especially before a long weekend.
Well, scratch that.
A colleague said the system was restarted 8 days ago because of a security bug.
So, that answer is yes, the management plane was restarted.
So that would indicate that this issue is at least more than 8 days old, and didn't start with the restart?
A couple things that I would check.
1) Verify that nobody removed the log-forwarding profile from your security policies. I've seen this happen in the past with multiple firewall admins.
2) Verify that you can actually get a response from Tufin and that there isn't a routing issue. I would expect the Session End Reason to show as 'aged-out' on Syslog traffic, as the firewall never gets anything to tell it to close the session.
Is Tufin functioning for other devices okay?
Yes, Tufin is functioning for other devices.
I just restarted the monitoring for the Palo Alto on Tufin and now I'm seeing that syslog traffic is arriving at the Tufin interface.
But, I'm a little confused. If I execute tcpdump it says it is doing the dump on eth0.
e13itfd@fw-f-wm-dc-1c(active)> tcpdump filter "src 10.63.249.5 and port 514" snaplen 0
Press Ctrl-C to stop capturing
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
e13itfd@fw-f-wm-dc-1c(active)> view-pcap mgmt-pcap mgmt.pcap
07:33:17.762228 IP 10.63.249.5.43067 > 10.63.98.59.syslog: SYSLOG user.error, length: 330
07:34:15.498597 IP 10.63.249.5.46508 > 10.63.98.59.syslog: SYSLOG user.error, length: 316
07:35:40.596228 IP 10.63.249.5.38662 > 10.63.98.59.syslog: SYSLOG user.error, length: 316
07:37:00.204343 IP 10.63.249.5.43067 > 10.63.98.59.syslog: SYSLOG user.error, length: 330
07:37:35.926424 IP 10.63.249.5.46508 > 10.63.98.59.syslog: SYSLOG user.error, length: 330
07:37:35.926518 IP 10.63.249.5.38662 > 10.63.98.59.syslog: SYSLOG user.error, length: 329
07:37:40.205790 IP 10.63.249.5.43067 > 10.63.98.59.syslog: SYSLOG user.error, length: 330
07:39:09.685971 IP 10.63.249.5.37782 > 10.63.98.59.syslog: SYSLOG user.info, length: 265
07:39:09.685980 IP 10.63.249.5.35845 > 10.63.98.59.syslog: SYSLOG user.info, length: 277
What confuses me is that on the Palo Alto I don't see any TRAFFIC labelled packets. On Tufin a tcpdump with src=10.63.249.5 also shows no packets at all.
Then I decided to see if there is syslog traffic being sent on the Log Card IP. Tufin is seeing syslog TRAFFIC from the Log Card IP; however, the Palo Alto shows no TRAFFIC at all.
This is confusing.
@BPry, thanks for the help.
Actually, it's one of the interfaces on the NPC-20GQ module.
For example, we have ethernet1/3 (type: Log Card) configured for passing log information to Tufin.
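The capture above only shows that packets are leaving one interface; the outage in this thread was noticed only when Tufin went quiet. As an added example (not from the thread or from Palo Alto Networks), this Python script parses tcpdump lines in the format shown and flags any expected syslog sender that is absent from a capture or silent for longer than a threshold. The log-card interface address is a placeholder, since the thread does not give it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the tcpdump summary lines shown in the thread's view-pcap output.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.syslog: SYSLOG (?P<fac>\w+)\.(?P<sev>\w+), length: (?P<len>\d+)$"
)
# Capture lines quoted in the thread (management-plane capture on the PA-7000).
SAMPLE = """\
07:33:17.762228 IP 10.63.249.5.43067 > 10.63.98.59.syslog: SYSLOG user.error, length: 330
07:34:15.498597 IP 10.63.249.5.46508 > 10.63.98.59.syslog: SYSLOG user.error, length: 316
07:35:40.596228 IP 10.63.249.5.38662 > 10.63.98.59.syslog: SYSLOG user.error, length: 316
07:37:00.204343 IP 10.63.249.5.43067 > 10.63.98.59.syslog: SYSLOG user.error, length: 330
07:37:35.926424 IP 10.63.249.5.46508 > 10.63.98.59.syslog: SYSLOG user.error, length: 330
07:37:35.926518 IP 10.63.249.5.38662 > 10.63.98.59.syslog: SYSLOG user.error, length: 329
07:37:40.205790 IP 10.63.249.5.43067 > 10.63.98.59.syslog: SYSLOG user.error, length: 330
07:39:09.685971 IP 10.63.249.5.37782 > 10.63.98.59.syslog: SYSLOG user.info, length: 265
07:39:09.685980 IP 10.63.249.5.35845 > 10.63.98.59.syslog: SYSLOG user.info, length: 277
""".splitlines()
# Placeholder: the thread does not give the log-card interface address, so a
# documentation-range IP stands in for it here.
LOG_CARD_IP = "192.0.2.10"

def parse_line(line):
    """Return a dict for one tcpdump syslog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%H:%M:%S.%f")
    rec["len"] = int(rec["len"])
    return rec

def quiet_sources(lines, expected, max_gap_s):
    """Map each expected sender to a reason when it is absent or silent > max_gap_s."""
    stamps = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        stamps[rec["src"]].append(rec["ts"])
    problems = {}
    for src in expected:
        ts = sorted(stamps.get(src, []))
        if not ts:
            problems[src] = "no syslog packets seen"
            continue
        # Longest gap between consecutive packets from this sender.
        worst = max([(b - a).total_seconds() for a, b in zip(ts, ts[1:])] or [0.0])
        if worst > max_gap_s:
            problems[src] = f"longest silence {worst:.0f}s exceeds {max_gap_s}s"
    return problems
```

Run it against a capture taken on the log-card interface as well as the management interface; a sender that should be forwarding TRAFFIC logs but never appears is the condition this thread describes.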