Panorama traffic invisible

L4 Transporter

Panorama traffic invisible

PAN(VM) and PA1 management interfaces are both Zone A.

 

PA1 connects to PA2 (remote site) on an IPSEC tunnel. Traffic from PA2 on PA1 is considered in Zone A and vice versa on PA2 for traffic from PA1.

 

If I do a packet capture on either PA, I can see there is bidirectional traffic between PA2 and PAN. But the traffic logs don't show anything, whether I select any PAN/PA as source or destination.

L6 Presenter

Re: Panorama traffic invisible

Not sure if I fully understood your question, but for traffic visibility on the VM you must have an active license, otherwise no traffic will be shown in the monitor tab.

L4 Transporter

Re: Panorama traffic invisible

We have License for that. We manage both firewalls through Panorama and also push logs to it.

As both the management interface for PA1 and PAN are in the same zone, I do not see traffic for it as it does not have to cross the firewall. But for the remote site PA2, which is also managed by Panorama (location same as PA1), traffic has to pass through the tunnel to PA2's management interface. This traffic should be visible at both PA1 and PA2, which it is not.

 


 

L7 Applicator

Re: Panorama traffic invisible

Traffic inside same zone will match to intrazone-default rule that does not log traffic by default.

Choose intrazone-default rule and click override.

Then you can edit rule settings to enable log at session end.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
Community Manager

Re: Panorama traffic invisible

Is the session visible in the session table?

The connection from a firewall back to panorama is a permanent ssl session

Because it is permanently up, it will not show up in the logs until it is terminated (it is 1 connection for an 'unlimited' amount of time, rather than a bunch of ssl sessions over time), because logs are generated when a session ends (log at end).


Help the community: Like helpful comments and mark solutions
Reaper out
L4 Transporter

Re: Panorama traffic invisible

So what is the recommended log setting? As for a malicious traffic session, if it is able to stay up for long, we would not see it.

Community Manager

Re: Panorama traffic invisible

No need to change anything
This is only a unique issue with panorama 'call home' connections, this does not normally apply to regular traffic
If a threat is detected the threat will be logged, and if the session is terminated because of the threat (in case threat action is reset or drop for example) that will be logged too.

Help the community: Like helpful comments and mark solutions
Reaper out
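The behaviour described in this thread, as an added illustration (not code from the thread or from PAN-OS): a small model of a session table with per-rule log-at-start and log-at-end options. It assumes constructed addresses for PA2's management interface and Panorama and a single rule name, `intrazone-default`, and shows why a permanent call-home session is visible in the session table but produces no traffic log until it ends, even after the override, while a log-at-start setting would record it immediately.

```python
from dataclasses import dataclass, field

# Constructed addresses for the thread's devices (assumption, not from the post).
PA2_MGMT, PANORAMA = "10.2.0.1", "10.1.0.5"

@dataclass
class Session:
    sid: int
    src: str
    dst: str
    app: str
    rule: str          # security rule the session matched

@dataclass
class Firewall:
    # Per-rule logging options; intrazone-default ships with both off.
    log_start: dict = field(default_factory=dict)
    log_end: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)   # the session table
    traffic_log: list = field(default_factory=list)

    def open_session(self, s: Session) -> None:
        self.sessions[s.sid] = s
        if self.log_start.get(s.rule, False):
            self.traffic_log.append((s.sid, s.app, "start"))

    def close_session(self, sid: int) -> None:
        s = self.sessions.pop(sid)
        if self.log_end.get(s.rule, False):
            self.traffic_log.append((sid, s.app, "end"))

    def session_table(self, dst: str) -> list:
        return [s for s in self.sessions.values() if s.dst == dst]

def demo() -> dict:
    fw = Firewall()
    # Permanent SSL call-home session from PA2 to Panorama, matching intrazone-default.
    fw.open_session(Session(1, PA2_MGMT, PANORAMA, "panorama", "intrazone-default"))
    seen_default = (len(fw.session_table(PANORAMA)), len(fw.traffic_log))  # in table, not in log
    fw.log_end["intrazone-default"] = True   # override the rule: log at session end
    fw.open_session(Session(2, PA2_MGMT, PANORAMA, "ssl", "intrazone-default"))
    fw.close_session(2)                      # a short session ends, so it is logged
    seen_override = len(fw.traffic_log)      # session 1 is still up and still unlogged
    fw.log_start["intrazone-default"] = True # log at session start records it immediately
    fw.open_session(Session(3, PA2_MGMT, PANORAMA, "panorama", "intrazone-default"))
    seen_logstart = len(fw.traffic_log)
    return {"default": seen_default, "override": seen_override,
            "log_start": seen_logstart, "log": fw.traffic_log}
```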