- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
04-29-2019 01:23 PM - edited 04-29-2019 01:24 PM
i have configured the command below but still got email alert
model: PA-5050
sw-version: 8.0.9
-NGFW-1(active)> show system state | match aggressive-cleaning
cfg.debug-sw-du.config: { 'aggressive-cleaning': True, }
domain: 1
receive_time: 2019/04/29 05:03:23
serial: 002201001803
seqno: 6880362
actionflags: 0x8000000000000000
type: SYSTEM
subtype: general
config_ver: 0
time_generated: 2019/04/29 05:03:23
dg_hier_level_1: 0
dg_hier_level_2: 0
dg_hier_level_3: 0
dg_hier_level_4: 0
vsys_name:
device_name: NGFW-1
vsys_id: 0
vsys:
eventid: general
object:
fmt: 0
id: 0
module: general
severity: critical
opaque: Disk usage for / exceeds limit, 96 percent in use, cleaning filesystem
I thought when you configure aggressive cleaning it should do this automaticalls and we should not get email alert?
04-29-2019 05:16 PM
I have to get this out of the way first: Please upgrade to a more current code version. 8.0.9 was released over a year ago and has several vulnerabilities at medium or high priority. Unpatched devices are the most common vectors for attacks. Also, 8.0 has six months before it is End of Life as well, so that might be a good opportunity to begin upgrading to 8.1, which is supported on the PA-5000 series until 2024.
PAN-SA-2019-0002 (High). Cross site scripting (XSS) vulnerability in the management interface. Fixed in 8.0.15.
PAN-SA-2018-0008 (High). Denial of Service (DoS) in the management interface. Fixed in 8.0.10.
PAN-SA-2018-0009 (medium). XSS in the GP login page. Fixed in 8.0.11.
PAN-SA-2018-0015 (medium). OpenSSL vulnerabilities. Fixed in 8.0.13.
PAN-SA-2018-0012 (medium). FragmentSmack vulnerability. Fixed in 8.0.13.
PAN-SA-2019-0001 (medium). XSS in external dynamic lists. Fixed in 8.0.15.
PAN-SA-2019-0007 (medium). DoS in the management interface. Fixed in 8.0.16.
With that said, it depends on how much logging you are doing. Check your logging rate (debug log-receiver statistics) to see where you're at for logs/second. Even with aggressive cleaning the system may simply be getting so many logs it cannot keep up.
You may be able to reduce that as well. Make sure you're not logging at session start, don't log on the default deny rule (logging is disabled by default on it). You may also want to exclude logging for things like NTP, DNS, Ping, etc. by disabling the 'log at session end' in a rule dedicated just to that type of traffic.
04-29-2019 09:53 PM
Hello,
Actually you should edit the rule for the email logging, by adding a AND condition with negate option on the descrtiption.
Hope that helps
PCSNE - CISSP
Best Effort contributor
Check out our PANCast Channel
Disclaimer : All messages are my personal ones and do not represent my company's view in any way.
04-30-2019 05:31 PM - edited 04-30-2019 05:32 PM
Right now it is after hours and logging rate is low as users are gone
here is info from that command
> debug log-receiver statistics
Logging statistics
------------------------------ -----------
Log incoming rate: 83/sec
Log written rate: 83/sec
Corrupted packets: 0
Corrupted URL packets: 0
Corrupted HTTP HDR packets: 0
Corrupted EMAIL HDR packets: 0
Logs discarded (queue full): 0
Traffic logs written: 124003056
GTP logs written: 0
Tunnel logs written: 0
Auth logs written: 0
Userid logs written: 11898465
URL logs written: 5368
Wildfire logs written: 193
Anti-virus logs written: 0
Widfire Anti-virus logs written: 0
Spyware logs written: 16432611
Spyware-DNS logs written: 0
Attack logs written: 0
Vulnerability logs written: 1923724
Fileext logs written: 0
Fileext logs URL not written: 0
Fileext logs URL not written (timedout): 0
URL cache age out count: 0
URL cache full count: 0
URL cache key exist count: 0
URL cache wrt incomplete http hdrs count: 0
URL cache rcv http hdr before url count: 0
URL cache full drop count(url log not received): 0
URL cache age out drop count(url log not received): 0
Email hdr cache count: 127
Email hdr cache hit count: 124
Traffic alarms dropped due to sysd write failures: 0
Traffic alarms dropped due to global rate limiting: 0
Traffic alarms dropped due to each source rate limiting: 0
Traffic alarms generated count: 0
Netflow incoming count: 0
Log Forward count: 501
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0
Total logs not written due to disk unavailability: 0
Logs not written since disk became unavailable: 0
Summary Statistics:
Num current drop entries in trsum:0
Num cumulative drop entries in trsum:0
Num current drop entries in thsum:0
Num cumulative drop entries in thsum:0
Num current drop entries in gtpsum:0
Num cumulative drop entries in gtpsum:0
External Forwarding stats:
Type Enqueue Count Send Count Drop Count Queue Depth Send Rate(last 1min)
syslog 266368006 266368006 0 0 14796
snmp 0 0 0 0 0
email 0 0 0 0 0
raw 142364950 142364950 0 0 7906
http 0 0 0 0 0
autotag 0 0 0 0 0
we are only logging at sessiond end.
also we are logging at default deny rule
also we have logging for intrazone enabled.
There is not much ntp or dns traffic.
How can i verify that the logging rate at peak time is high for PA 5050?
Any baseline i could check?
04-30-2019 05:34 PM
can you please explain in more detail about email logging?
05-01-2019 07:23 PM
what is the config you have done to receive the alerts by email?
PCSNE - CISSP
Best Effort contributor
Check out our PANCast Channel
Disclaimer : All messages are my personal ones and do not represent my company's view in any way.
05-01-2019 07:25 PM
please follow this link.
You can choose what sev you want for email alert
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/configure-email-alerts
05-01-2019 07:28 PM
ok, then in the log settings, you have "filter builder".
PCSNE - CISSP
Best Effort contributor
Check out our PANCast Channel
Disclaimer : All messages are my personal ones and do not represent my company's view in any way.
05-01-2019 07:31 PM
yes like
sev equal critical
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!