Management Articles

Featured Article
This article discusses the change in behaviour in PAN-OS 7.0 and higher, where the 'deny' action in the security policy results in the application-specific 'deny' action.

From the PAN-OS 7.0 branch onwards, the 'deny' policy action is applied as the default deny action for the application. For example, the default deny action for application 'SSL' is 'drop-reset', and it is listed in the traffic logs as 'reset-both'.

To check the default 'deny' action of an application, refer to Applipedia or Objects > Application in the firewall GUI.

Below is an example showing the action 'Deny' for application 'SSL'.

Note the 'Deny Action' for application SSL is 'drop-reset'.

In the previous PAN-OS version 6.1, the action listed for a security policy with action 'deny' can be seen as 'deny' itself.

NOTE: The above change in behaviour for action 'deny' may result in the logs and reports capturing results with action 'reset-both'. This is expected behaviour.

For more details on the change in security policy actions and options, please refer to:
Granular Actions for Blocking Traffic in Security Policy
Configurable Deny Action

Applicable actions with all available options:
1. Action 'Deny'
2. Action 'Allow'
3. Action 'Drop'
4. Action 'Reset-client'
5. Action 'Reset-server'
6. Action 'Reset both client and server'
View full article
syadav ‎01-08-2018 06:53 AM
5,471 Views
0 Replies
To create a report that includes only SSL decrypted traffic, follow the steps below.

Steps
1. Go to Monitor > Manage Custom Reports and click Add.
2. Enter the name of the report in the Name field and, for Database, select Traffic under Detailed logs (Slower).
3. Select the desired Time Frame.
4. Select Sort By and Group By as determined.
5. In Selected Columns, add Source Address, Destination Address, Flags, and Session ID.
6. Create a specific query in order to filter the output:
   Under the Attribute column, select Flags.
   Under the Operator column, select has.
   Under the Value column, select SSL proxy.
   Click Add.
7. Click OK and commit this configuration.
8. Open the custom report and select the option Run Now.

Note: If you would like to use this report as a scheduled report, you need to make sure that the Scheduled checkbox is selected.

See also
SSL decryption resource list
The SSL decryption resource list has a long list of articles dealing with SSL decryption only.

owner: npoprzen
View full article
npoprzen ‎11-13-2017 04:18 PM
8,658 Views
2 Replies
Issue
Inbound SSL decryption fails even if a valid certificate and supported cipher suite are used. This may occur when Apache is used as a web server and curl (or an old version of Chrome/Firefox) is used as a client.

Cause
The issue occurs when SSL Compression is enabled on both client and server. To verify, take a packet capture and look for "Compression Method" in "Client Hello" and "Server Hello".

Resolution
SSL Compression is disabled by default in most of the latest clients and web servers due to a security issue called the "CRIME attack". The resolution is to use newer versions of server and client software.
Update Apache to 2.4.3 or later, which has an option to disable SSL Compression ("SSLCompression").
Update curl to 7.28.1 or later.
Use the latest version of Chrome or Firefox.

(IE, Safari and Opera have never supported SSL Compression.)

owner: ymiyashita
View full article
ymiyashita ‎11-10-2017 05:47 AM
5,987 Views
0 Replies
1 Like
Question
Why is my botnet report not working?

In some instances, a botnet report may fail to generate on a device. This can be verified by the following factors:
- Botnet reports are not available for selection in bold on the report calendar located within Monitor > Botnet > Date
- In mp-log > botnet.log, content is not loaded
- In mp-log > botnet.log, the progress_file is empty
- In mp-log > botnet.log, the following error is returned:
  failed: cannot open file /opt/pancfg/mgmt/av/botnet.db

Answer
Several factors can prevent successful generation of the botnet report.
1. Botnet reports have not been configured.
2. No URL Filtering logs are present with a category of "malware". These are necessary for botnet report correlation.
3. There is no active AV content installed on the device.**
4. The device does not have an active Threat Prevention (AV) license.**

** In scenarios 3 & 4 the following error will be present in mp-log > botnet.log:
failed: cannot open file /opt/pancfg/mgmt/av/botnet.db

The botnet.db (database) file is downloaded as part of Antivirus (AV) dynamic updates. Without a valid Threat license or AV content on the device, it is not possible to download the botnet.db file. Therefore, one will not be able to successfully run or generate the botnet report.
View full article
bvandivier ‎03-31-2017 01:41 PM
2,989 Views
0 Replies
To create a custom report to see the least used rules based on the number of bytes/packets, go through the following steps.

Steps
1. Create one custom report from Monitor > Manage Custom Reports and click on Add.
2. Load Template and select "Top security rules".
3. Set Database to Traffic Log.
4. The Selected Columns on the right must contain "Rules", "Bytes" and "Count" only.
5. Set Time Frame as desired.
6. Sort by "Bytes" or "Packets". All other options can be left as is.
7. You can schedule the report or hit "Run now" to get the report instantly.

The output of the report should be similar to the one below.

owner: aciobanu
View full article
aciobanu ‎03-17-2017 07:06 AM
9,197 Views
5 Replies
Symptoms
All logs were cleared from the web interface of the Palo Alto Networks firewall at Device > Log settings > Manage logs, but data is still visible in the Application Command Center (ACC).

Diagnosis
Clearing logs from the web interface will not clear ACC data.

Solution
Clear the ACC data by running the command below in the command line interface (CLI) of the firewall.

> clear log acc

Thereafter, you will not see any data in the ACC.
View full article
rchougale ‎06-22-2016 03:35 PM
1,796 Views
2 Replies
2 Likes
Details
The Palo Alto Networks device deletes the oldest log data when the logdb-quota is reached. The device purges logs based upon categories seen in show system logdb-quota. Refer to When are Logs Purged on the Palo Alto Networks Devices? for behavior of purging on different platforms.

The root partition can become full, requiring manual file deletion. If the root is full, the device cannot perform maintenance tasks such as content installs (AV, APP/Threat, URL, DB) or generate tech support files.

To check the status of the root partition, use the show system disk-space command.
Core files consume large amounts of disk space; view them with show system files.
Delete large core files with delete core management-plane file <filename>.

Use these commands to view and delete core files:

> show system disk-space

Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3             3.8G  3.8G     0 100% /
/dev/sda5             7.6G  3.4G  3.8G  48% /opt/pancfg
/dev/sda6             3.8G  2.7G  940M  75% /opt/panrepo
tmpfs                 493M   36M  457M   8% /dev/shm
/dev/sda8              51G  6.6G   42G  14% /opt/panlogs

Check the output of show system files to see core files using up a large amount of disk space.

> show system files

/opt/dpfs/var/cores/:
total 4.0K
drwxrwxrwx 2 root root 4.0K Jun 10 20:05 crashinfo

/opt/dpfs/var/cores/crashinfo:
total 0

/var/cores/:
total 115M
drwxrwxrwx 2 root root 4.0K Jun 10 20:15 crashinfo
-rw-rw-rw- 1 root root 867M Jun 12 13:38 devsrvr_4.0.3-c37_1.gz
-rw-rw-rw- 1 root root  51M Jun 12 13:39 core.20053

/var/cores/crashinfo:
total 16K
-rw-rw-rw- 1 root root 15K Jun 10 20:15 devsrvr_4.0.3-c37_0.info

Delete unnecessary core files (this example deletes a device server core file from the management-plane):

> delete core management-plane file devsrvr_4.0.3-c37_1.gz

Report deletion can be done from the command line as well. To delete a set of summary reports starting with 864:

> delete report summary scope shared report-name predefined file-name 864*

Delete rotated files and files with the extension .old as follows. These files contain monitoring details and service-related logs on the firewall. Hence they can be deleted safely if you don't need them. If TAC investigates an ongoing issue, you may prefer to keep them until you upload the tech support file to the case manager.

> delete debug-log mp-log file *.1
> delete debug-log mp-log file *.2
> delete debug-log mp-log file *.3
> delete debug-log mp-log file *.old

owner: bpappas
View full article
panagent ‎06-14-2016 03:50 AM
113,414 Views
29 Replies
4 Likes
Issue
A PDF summary report was created in Manage PDF Summary, but the report does not appear in Reports > PDF Summary Reports.

Resolution
Creation of a PDF summary report does not populate in Reports instantaneously. The report must be scheduled and will display 24 hours later.

owner: rkalugdan
View full article
panagent ‎09-10-2015 03:08 PM
6,192 Views
2 Replies
1 Like
Overview
This document describes how to create a custom report on Panorama for WildFire threats that are sent to the cloud.

Note: The Device Threat Summary database referenced in the steps below is populated from logs collected from the Palo Alto Networks firewalls and is available in Panorama.

Steps
To identify the WildFire threats sent to the cloud:
1. Go to Monitor > Manage Custom Reports.
2. Add a new custom report and select Device Threat Summary for the Database.
3. Configure a filter under Query Builder for a Threat ID range from 3000000 to 4000000.

Note: A current WildFire subscription license is required to produce this report.

The example below shows a report with the name, WildFire, and configuration as described in the above steps:

The following screenshot shows an example of a report:

owner: ssunku
View full article
Phoenix ‎09-09-2015 01:48 PM
3,132 Views
0 Replies
2 Likes
Overview
There are many rules available on the firewall. Knowing which rule is used the most can identify the one that is allowing or denying the most traffic, along with source and destination IP addresses. This document describes how to determine the most used security rule(s).

Steps
1. Go to Monitor > Manage Custom Reports and click Add.
2. Select Traffic Log as the Database.
3. Select a value for Time Frame. For example: Last 30 Days.
4. Sort by Bytes and group by Rule.
5. In Selected Columns, add the following:
   Source Zone
   Destination Zone
   Source address
   Destination address
   Bytes
   Rule
   Session ID
6. Click Run Now to view the generated report.

The report can be generated as a PDF, CSV or in an XML format.

owner: dantony
View full article
dantony ‎09-09-2015 07:32 AM
5,088 Views
2 Replies
Last 7 days
This option will gather up data from the past 167 hours (7 days) starting at the exact time and date the report was generated. A report run at 3pm on 7/24 will include data from 7/17 at 3pm to 7/24 at 3pm.

Last 7 calendar days
This option will gather data from the last 7 complete days. A report run at 3pm on 7/24 will include data from 7/17 to 7/23.

Last calendar week
This option will include data from Sunday to Saturday (inclusively) of last week. A report run on 7/24 will include data from 7/15 to 7/21.

owner: ssunku
View full article
Phoenix ‎09-09-2015 01:20 AM
6,001 Views
2 Replies
1 Like
Issue:
How can the source of excessive bandwidth consumption be determined?

Resolution:
View the Top Applications on the ACC tab and sort by the number of sessions and number of bytes.

owner: achitwadgi
View full article
panagent ‎09-09-2015 12:43 AM
2,169 Views
0 Replies
Issue
When the URL log database is selected in a Custom Report (Monitor > Manage Custom Reports and click Add), the byte count (sent/received) does not appear in the available columns, unlike with the traffic log database.

Cause
Byte counters are based on the session, and it is possible to have multiple URLs per session. Hence the URL report is not able to provide byte counts for each single URL.

owner: mzhou
View full article
mizhou ‎09-08-2015 08:12 AM
1,382 Views
0 Replies
Overview
Report results might be different depending on whether you select the summary database or the detailed database because of the way data is summarized from the traffic logs.

Only 100,000 entries will be generated for each summary database on Palo Alto Networks devices and Panorama, starting from the most recent logs and going backwards.
On the Palo Alto Networks M-100, 600,000 entries will be generated, starting with the most recent logs and going backwards.
The summary database aggregates data from traffic logs every 15 mins.
The detailed logs will show you all available data and will not be limited like the summarized logs.

The database used can be configured under Monitor > Manage Custom Reports.

owner: pmak
View full article
pmak ‎09-07-2015 06:15 AM
3,486 Views
0 Replies
2 Likes
This is a video describing the best ways to create a custom report.    
View full article
‎09-04-2015 03:10 PM
7,335 Views
2 Replies
2 Likes
Symptom
When a role-based administrator account is used, logs and reports display without usernames or full IP addresses (1.2.3.4); networks are shown instead (1.2.3.0/24), as shown in the example below:

The screenshot below shows an example of the Admin Role Profile configuration, with only the Traffic and URL Filtering options selected:

Cause
The full IPs and names do not display because the Privacy section options "Show Full IP Addresses" and "Show User Names In Logs And Reports" were not enabled.

Resolution
To configure full IPs and names in the logs and reports, go to Device > Admin Roles. Under Privacy there are two items:
Show Full IP Address
Show User Names In Logs And Reports

Click to enable both items and commit, as shown in the example below:

After the configuration is complete, the log or report will display the full IP address and usernames:

owner: jdelio
View full article
panagent ‎09-04-2015 04:51 AM
2,411 Views
1 Reply
Issue
When performing a log query, if there are more than 100K entries that can match the query, the query will stop when this limit is reached.

The 100K limit is the current limit in report generation. The report generation performs the query in the "backward" direction (searching from the latest to the oldest log entry until hitting the 100K limit), therefore the newer dates are present but not the older dates. Depending on what columns are selected, adding certain columns may result in more matching individual entries. In most cases, the 100K limit is unlikely to be met. There are currently no plans to increase the limit.

Workaround
Separate the query into shorter time periods to avoid hitting this limit and combine the results.

owner: ttan
View full article
snowcrash ‎09-03-2015 09:15 AM
2,890 Views
1 Reply
What is the difference between Traffic and Traffic Summary?
The traffic summary is a roll-up of all the traffic logs summarized every 15 minutes. These summaries have many of the same fields as the detailed traffic logs, but the time stamps and other less commonly used fields are removed. To see what fields are in common, look at the custom report columns for traffic vs traffic summary.

What is the difference between Traffic Summary and Daily Traffic Summary?
The hourly, daily, and weekly summaries are roll-ups of the 15-minute summaries on an hourly basis, of the hourly summaries on a daily basis, and of the daily summaries on a weekly basis. The summary reports are used on the ACC and in custom reports that select the summary databases.

What kind of information is present in Traffic Summary and Threat Summary?
It is the same information as the raw logs, just summarized into 15-minute intervals with a few less commonly used columns removed.

owner: mbutt
View full article
panagent ‎09-03-2015 04:22 AM
3,843 Views
0 Replies
1 Like
Overview
This document describes how to create a query to exclude non-US destinations from a traffic log custom report.

Steps
1. Go to Monitor > Manage Custom Reports.
2. Click Add.
3. For the Database, select "Traffic Log" under the "Detailed Logs (Slower)" section in the drop-down.
4. Select columns as desired.
5. In the Query Builder, include the following query:
   dstloc neq US

Note: The Destination Country attribute is not available in the Query Builder, so the query must be entered manually. Please refer to the example.

Examples
With the Query Builder configured to exclude US:

With the Query Builder left empty (no filters specified):

owner: kadak
View full article
kadak ‎09-02-2015 11:37 AM
11,256 Views
3 Replies
Issue
The amount of data in the predefined reports does not match the logs. For example, a predefined report shows that for a particular user, the top application is Bittorrent with 20000 sessions totaling 10GB of data during the last 24 hours. If a traffic log export is performed on the same user for the last 24hrs, the sum of all the data under the "session bytes" column calculates to 18GB of data.

Cause
Pre-defined reports get their data from the summary logs. If there is not enough space allocated to summary traffic logs, then these logs will be purged/deleted at a faster rate compared to the regular traffic logs. This results in the predefined reports showing different data than in an exported traffic log.

Verify if this is the case by looking at the ms logs using the following command:

less mp-log ms.log

The following lines indicate that summary logs are being purged:

mp\ms.log 09-30 09:13:05 traffic log db size after purging : 356598 Mb. Total bytes purged: 18838 Mb
mp\ms.log 09-30 19:45:07 trsum log db size after purging : 35545 Mb. Total bytes purged: 2077 Mb
mp\ms.log 09-30 20:57:07 traffic log db size after purging : 356622 Mb. Total bytes purged: 18862 Mb

Note: Alternatively, the show system logdb-quota command shows the allocated disk size and the available free space for the summary logs.

Resolution
Increase the size allocation of the summary logs so that the logs will not get purged.
1. Navigate to the Device > Setup > Management tab.
2. Edit the Logging and Reporting Settings section.
3. Modify the "Quota(%)" values for the summary logs in the fields shown below:

owner: sdurga
View full article
sdurga ‎09-02-2015 06:37 AM
3,680 Views
0 Replies
1 Like
Details
The active sessions can be viewed/cleared either from the command line or from the WebGUI.

From the WebGUI:
Go to Monitor > Session Browser to view or clear sessions.

To view the entire session information, click on the button shown in the following screenshot:

Now the entire session information can be viewed as shown below:

To clear the session, go to Monitor > Session Browser and click on the symbol under the clear column, as shown below:

The session will now be cleared, as shown below:

From the CLI:
Use the following command:

> clear session id <id_number>

owner: sdarapuneni
View full article
zarina ‎09-01-2015 06:49 AM
15,523 Views
3 Replies
PAN-OS 5.0

Issue
On PAN-OS 5.0 and earlier versions, superusers with "read only" rights are unable to view Custom Reports from the Monitor tab.

Workaround
The workaround is to create a custom admin role that only allows a custom report, with everything else either read-only or disabled per the user's requirement.
1. To create the custom admin role, on the WebUI navigate to Device Tab > Admin Roles (allow custom report and set everything else as either read-only or disabled):
2. Go to Device > Administrator, click on the admin user with Superuser "read only" access, and enable Role Based. This will give the user the option to choose the profile that has been created in the above step for Admin Roles:
3. Commit the changes. Now the "read only" Superuser can successfully view the reports.

owner: bsyeda
View full article
bsyeda ‎08-27-2015 07:35 AM
4,093 Views
0 Replies
Details
This document explains how to export custom report templates from one Palo Alto Networks firewall configuration to another firewall. This document can be used to avoid manual configuration through the WebUI in scenarios where multiple firewalls need to be configured with the same custom report templates.

Steps
1. Under Monitor > Manage Custom Reports, create a custom report as desired. The following example shows a report created for traffic summary for the last 24 hours.
2. Commit the configuration.

From the CLI
Use the following commands to extract the custom report part from the configuration:

> set cli config-output-format set
> configure

From the configuration mode:

[edit]
# show shared reports "NY-Traffic-Last 24 hours"
set shared reports "NY-Traffic-Last 24 hours" type trsum aggregate-by [ src dst app dstloc ]
set shared reports "NY-Traffic-Last 24 hours" type trsum values sessions
set shared reports "NY-Traffic-Last 24 hours" period last-24-hrs
set shared reports "NY-Traffic-Last 24 hours" topn 25
set shared reports "NY-Traffic-Last 24 hours" topm 10
set shared reports "NY-Traffic-Last 24 hours" caption "NY-Traffic-Last 24 hours"
[edit]

Copy all the 'set' commands for the "NY-Traffic-Last 24 hours" report into a Notepad file and edit as desired for other firewalls.
Log in to the CLI of the other firewall and, in configuration mode, paste the configuration and commit.

owner: kadak
View full article
kadak ‎08-19-2015 02:35 PM
4,485 Views
0 Replies
2 Likes
Details
By default, the traffic and all other monitor logs on the Palo Alto Networks firewall are logged with source and destination IP addresses. However, there is an option to resolve the IPs to their hostnames.

Steps
1. Go to Monitor > Logs > Traffic and select the desired log to view.
2. At the bottom of the page, enable the check box > Resolve hostname.

The following screen shows the monitor logs with Resolve hostname not enabled:

The following screen shows the monitor logs with Resolve hostname enabled:

owner: skumarasam
View full article
skumarasam ‎11-12-2014 03:45 PM
7,415 Views
3 Replies
Overview
Palo Alto Networks firewalls do not generate botnet logs. Botnet reports can be generated daily and configured to be sent in emails. Follow these steps to generate and send botnet reports.

1. Create a Botnet report under Monitor > Botnet > Report setting. Check the Scheduled box, which runs the daily botnet report.
2. Create a report group that includes the above botnet report. Go to Monitor > PDF Reports > Report groups.
3. Create an Email server profile. Go to Device > Server profiles > Email.
4. Create an email scheduler with an email server profile that includes the report group. Go to Monitor > PDF Reports > Email scheduler.

owner: harshanatarajan
View full article
harshanatarajan ‎10-15-2014 09:19 PM
6,030 Views
5 Replies
Overview
It is possible to generate a single custom report on the Palo Alto Firewall for various activities for a particular user, or create a single report for multiple user activities.

Details
Yes, this is possible by fine-tuning the Query Builder under Monitor > Manage Custom Reports > Report Settings (give the appropriate settings).

1. Go to the Query Builder column just below the Report setting and issue the "or" Connector so that it captures more than one user.
2. Specify the Attribute as Source User, the Operator as "is present" and the Value as the "domain\username".
3. Click on Add so that the first user "user1" is added.
4. Repeat by giving another value and click on Add so that "user2" is added.

The screenshot below shows User 1 added:

The screenshot below shows User 2 added:

The screenshot below shows Multiple Users added:

Users are added in the "or" function, so all the user activity information can be seen in one single document. When the Run Now button is clicked, a single report is generated.

See Also
How to Receive Custom Reports via Email?

owner: dantony
View full article
dantony ‎09-09-2014 10:09 PM
4,343 Views
0 Replies
1 Like
Symptom
A user defines a scheduled Custom Report on Panorama (Monitor > Manage Custom Reports) for the Device URL log, using the Last Calendar Month time frame and an action (for example, block-url). As shown below, from the Custom Report the user selects Run Now and generates the Custom Report.

From Monitor > Reports, the user selects the same Custom Report defined in Manage Custom Reports.

When both reports are downloaded, they contain very different data. Both reports were generated using the same defined Custom Report, but produce absolutely different report data.

Cause
The discrepancy in the data for the same custom report between Run Now on Manage Custom Reports and Reports (which is actually the result of the scheduled Custom Report) is as follows:

Run Now on Manage Custom Reports runs the requested report on the existing URL logs on the device. For the Time Frame of Last Calendar Month, the report will consist of the logs available on the device for this time frame. But since these are logs for Last Calendar Month for URL blocks, most of the logs for last month will most likely not be on the disk anymore and will already have been overwritten. This results in a report that only consists of what is still available on the disk.

The report for the Custom Report under Reports is actually a scheduled report. Since there is a Custom Report for URL blocks scheduled for Last Calendar Month, on each day of a given month the URL blocks are added to a report file, from the first of the month to the last day of the month. Each day is appended to the report file until the end of the month to get the full report of the Last Calendar Month. When selecting this report under Custom Reports on Reports, the user is given the option to download. The report is not actually run at that moment, unlike the Run Now scenario on Manage Custom Reports. This is the accurate data that has been collected for each day of the month until the end of the month, when the full report for the Last Calendar Month is generated.

owner: gcapuno
View full article
gcapuno ‎07-21-2014 10:12 PM
5,062 Views
0 Replies
1 Like
Overview
Sometimes after generating the stats dump file (Device > Support > Generate Stats Dump File), the result is an empty file with no data.

Cause
When a stats dump file is generated, the firewall by default takes data from the last 7 days. If the unit has been out of the proof of concept (POC) environment for more than 7 days, then the dump will be empty.

Resolution
Two options can be leveraged to extract the stats dump file:
1. Roll the date back manually on the Palo Alto Networks firewall (Device > Setup > Management > General Settings). Then, generate the stats dump file again.
2. Use SCP to pull the file within a specific time/date period. For example:

> scp export stats-dump start-time equal 2014/06/01@00:00:00 end-time equal 2014/06/10@00:00:00 to <case number>@tacupload.paloaltonetworks.com:silent

show system info...
Generating Application Report...
Generating HTTP Application Report...
Generating Category Report...
Generating Risk Report...
Generating Threat Report...
Generating Source Country Report...
Generating Destination Country Report...
Generating URL Category Report...
Generating Subcategory Report...
Generating Technology Report...
Generating Data Report...
show_system_info.txt
reports/
reports/RiskReport.xml
reports/TechnologyReport.xml
reports/CategoryReport.xml
reports/HTTPApplicationReport.xml
reports/DataReport.xml
reports/ApplicationReport.xml
reports/DestinationCountryReport.xml
reports/SubcategoryReport.xml
reports/error.log
reports/ThreatReport.xml
reports/SourceCountryReport.xml
reports/URLCategoryReport.xm
Finished generating reports.
Please press enter to continue...
The authenticity of host 'tacupload.paloaltonetworks.com (199.167.52.81)' can't be established.
RSA key fingerprint is d7:5d:70:12:60:6b:cf:99:a5:78:da:69:aa:c3:c5:d2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'tacupload.paloaltonetworks.com,199.167.52.81' (RSA) to the list of known hosts.
logdbcsv_20140618_1107.tar.gz           100% 4747      4.KB/s        00:00

Once the report is exported, the Application Visibility and Risk (AVR) Report Tool can be used for analysis.

owner: kadak
View full article
kadak ‎06-18-2014 09:50 AM
11,002 Views
0 Replies
4 Likes
Symptom
Custom reports that have the last calendar week or month as the time frame cannot be included in a PDF summary report.

For example:
Create a custom report under Monitor > Manage Custom Reports with a Time Frame value of "Last Calendar Week":

Next, create a custom report with a Time Frame of "Last 7 days":

In the PDF Summary Report, only the report with the "Last 7 days" time period can be selected:

Cause
The "Last Calendar Week" and "Last Calendar Month" reports only run once a week/month and are not considered appropriate for the PDF Summary Report, which should contain current data.

Resolution
Use the "Last 7 days" and "Last 30 days" time frames instead of "Last Calendar Week" and "Last Calendar Month" when the reports need to be included in a PDF Summary Report.

owner: miletic
View full article
nmiletic ‎04-07-2014 04:29 AM
3,860 Views
0 Replies
Issue
Custom Panorama reports based on device serial numbers generate empty reports when using the summary database.

Details
A custom report was configured (under Monitor > Manage Custom Reports) to display the top 10 traffic among two Palo Alto Networks firewalls (fw1 and fw2). The database used was the Panorama Traffic Log:

This report displayed the following results:

The database was then changed to use Panorama Traffic Summary, as generating reports using the Panorama Traffic Log database can take a longer time:

However, running the report using the Panorama Traffic Summary database resulted in "No Matching Records":

Cause
The reason behind this behavior is that for the Panorama Traffic Summary database, the serial numbers of the individual firewalls are changed to the serial number of Panorama (log-collector).

Resolution
Change the serial number in the query of the custom report, as shown below:

Run the report and review the results:

owner: rvanderveken
View full article
rvanderveken ‎03-04-2014 01:43 AM
3,172 Views
0 Replies