07-11-2014 08:55 PM
Hi All,
I have a problem with Panorama and devices log.
Panorama information
model: Panorama
serial: xzy......
sw-version: 5.1.0
app-version: 445-2292
app-release-date: unknown
av-version: 1317-1787
av-release-date: unknown
threat-version: 445-2292
threat-release-date: unknown
logdb-version: 5.0.2
My Device information
model: PA-3020
sw-version: 5.0.8
global-protect-client-package-version: 1.2.5
app-version: 445-2292
app-release-date: 2014/07/08 14:43:28
av-version: 1317-1787
av-release-date: 2014/07/10 08:20:01
threat-version: 445-2292
threat-release-date: 2014/07/08 14:43:28
wildfire-version: 0
wildfire-release-date: unknown
url-filtering-version: 2014.07.11.240
global-protect-datafile-version: 0
global-protect-datafile-release-date: unknown
logdb-version: 5.0.2
platform-family: 3000
I configured log forwarding from the device to Panorama.
On Panorama, I see all of the "traffic log" entries, but I can't see any "URL or Threat log" entries.
I don't know where I missed the configuration.
Please help me.
07-11-2014 09:08 PM
Hello Register_Security,
1. Is it a new setup that has not been working from the beginning?
2. If yes, then check the Log Forwarding option on the firewall; make sure Threat/URL logs are being forwarded along with Traffic.
3. Also, you may want to check your search queries.
Normally, if Panorama receives Traffic logs, then it receives URL/Threat logs as well. This is either a configuration mistake or a search query issue.
Regards,
Hardik Shah
07-11-2014 09:20 PM
1. My device has been working for about 1 year.
2. Log Forwarding Configuration.
I really don't know why.
07-11-2014 09:23 PM
Are Traffic and URL filtering logs generated locally on the firewall?
07-12-2014 03:31 AM
Try the steps outlined in this document to restart logging.
Palo Alto Networks Firewall not Forwarding Logs to Panorama (VM and M-100)
07-13-2014 08:38 PM
Hi Hshah,
I see all of the logs locally on the device.
07-13-2014 08:41 PM
Hi Steven,
Please see my debug information below.
admin@Panorama> show logging-status device 001XXXXXXXXX
Type Last Log Rcvd Last Seq Num Rcvd Last Log Generated
config 2014/07/14 10:19:10 4918 2014/07/11 11:39:48
system 2014/07/14 04:02:32 49500 2014/07/14 04:02:05
threat
traffic 2014/07/14 10:19:10 2225666165 2014/07/14 10:19:10
hipmatch
admin@Panorama> request log-fwd-ctrl device 001XXXXXXXXX action stop
scheduled a job with jobid 27.
27
admin@Panorama> show logging-status device 001XXXXXXXXX
Type Last Log Rcvd Last Seq Num Rcvd Last Log Generated
config 2014/07/14 10:19:10 4918 2014/07/11 11:39:48
system 2014/07/14 04:02:32 49500 2014/07/14 04:02:05
threat
traffic 2014/07/14 10:20:11 2225687615 2014/07/14 10:20:10
hipmatch
admin@Panorama> request log-fwd-ctrl device 001XXXXXXXXX action start
scheduled a job with jobid 28. Converted log-fwd-ctrl action to 'start-from-lastack'
28
admin@Panorama> show logging-status device 001XXXXXXXXX
Type Last Log Rcvd Last Seq Num Rcvd Last Log Generated
config 2014/07/14 10:20:46 4918 2014/07/11 11:39:48
system 2014/07/14 04:02:32 49500 2014/07/14 04:02:05
threat
traffic 2014/07/14 10:20:46 2225699275 2014/07/14 10:20:46
hipmatch
admin@Panorama> debug software restart management-server
Process 'mgmtsrvr' executing RESTART
admin@Panorama> show logging-status device 001XXXXXXXXX
Type Last Log Rcvd Last Seq Num Rcvd Last Log Generated
config 2014/07/14 10:24:06 4918 2014/07/11 11:39:48
system 2014/07/14 10:24:06 49530 2014/07/14 10:22:23
threat
traffic 2014/07/14 10:27:08 2225833365 2014/07/14 10:27:08
hipmatch
On the device I ran debug:
admin@PA-Internet-3020-HO(active)> debug software restart log-receiver
Process 'logrcvr' executing RESTART
and showed the logging status again, but I still see this, and I think it does not work correctly:
admin@Panorama> show logging-status device 001XXXXXXXXX
Type Last Log Rcvd Last Seq Num Rcvd Last Log Generated
config 2014/07/14 10:24:06 4918 2014/07/11 11:39:48
system 2014/07/14 10:24:06 49530 2014/07/14 10:22:23
threat
traffic 2014/07/14 10:29:10 2225877874 2014/07/14 10:29:05
hipmatch
07-13-2014 09:47 PM
Hello,
A few steps are mentioned below; they might help you debug the logging problem on your Panorama:
show panorama-status
Panorama Server 1 : 10.30.1.133
State : Unknown
To see the last log written:
>show log <traffic/threat> direction equal backward
If there is a problem: (commands may need to run 3 times)
>debug software trace log-receiver
>debug software trace management-server
>debug software restart log-receiver
If there is still no change:
>debug software restart management-server
From Panorama, run the following commands:
>show devices connected
Serial Hostname IP Connected
--------------------------------------------------------------------------
0001XXXXXXX PA-2050 1.1.1.1 yes
last commit all state: none
show logging-status device <serial number>
Type Last Log rcvd Last SeqNo. rcvd Last Log generated
config 2012/03/25 15:37:37 4093 2012/03/25 15:36:58
system 2012/07/02 17:05:35 263027 2012/07/02 16:56:55
threat 2012/07/02 16:56:35 1414220 2012/07/02 16:56:17
traffic 2012/07/02 17:11:37 39634695 2012/07/02 16:56:53
hipmatch
Note: The last configuration update is from 3/25.
If you see problems similar to above, try:
request log-fwd-ctrl device <serial number> action stop
request log-fwd-ctrl device <serial number> action live (leave in this state for about a minute)
request log-fwd-ctrl device <serial number> action start
  live   start log forwarding with no buffering
  start  start log forwarding with buffering
  stop   stop log forwarding
Check if you now see normal logging.
>show logging-status device <serial number>
Also, you can verify the logs via the WebUI/Monitor Tab.
Hope this helps.
Thanks
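
The repeated `show logging-status device` checks in this thread can be compared mechanically to see which log types Panorama is actually receiving. The Python below is an added example, not part of any post in the thread and not PAN-OS tooling; the function names and verdict labels are hypothetical, and the two snapshots are the first and last outputs posted above.

```python
import re
from datetime import datetime

# One row of `show logging-status device <serial>` as shown in this thread:
# log type, then optionally last-received time, sequence number, last-generated time.
TS = r"\d{4}/\d\d/\d\d \d\d:\d\d:\d\d"
ROW = re.compile(
    r"^(?P<type>config|system|threat|traffic|hipmatch)"
    rf"(?:\s+(?P<rcvd>{TS})\s+(?P<seq>\d+)\s+(?P<gen>{TS}))?\s*$"
)
FMT = "%Y/%m/%d %H:%M:%S"

def parse_logging_status(text):
    """Return {log_type: None | {'rcvd': datetime, 'seq': int, 'gen': datetime}}."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue  # prompt, header, or job output
        if m["rcvd"] is None:
            rows[m["type"]] = None  # row is blank: nothing recorded for this type
            continue
        rows[m["type"]] = {"rcvd": datetime.strptime(m["rcvd"], FMT),
                           "seq": int(m["seq"]),
                           "gen": datetime.strptime(m["gen"], FMT)}
    return rows

def compare(before, after):
    """Classify each log type across two snapshots taken some minutes apart."""
    verdict = {}
    for log_type, new in after.items():
        old = before.get(log_type)
        if new is None:
            verdict[log_type] = "empty"          # still no logs of this type
        elif old is None or new["seq"] > old["seq"]:
            verdict[log_type] = "advancing"      # sequence number moved forward
        else:
            verdict[log_type] = "no-new-logs"    # same sequence number as before
    return verdict

# Snapshots copied from the thread (serial number masked there as well).
FIRST = """config 2014/07/14 10:19:10 4918 2014/07/11 11:39:48
system 2014/07/14 04:02:32 49500 2014/07/14 04:02:05
threat
traffic 2014/07/14 10:19:10 2225666165 2014/07/14 10:19:10
hipmatch"""
LAST = """config 2014/07/14 10:24:06 4918 2014/07/11 11:39:48
system 2014/07/14 10:24:06 49530 2014/07/14 10:22:23
threat
traffic 2014/07/14 10:29:10 2225877874 2014/07/14 10:29:05
hipmatch"""
print(compare(parse_logging_status(FIRST), parse_logging_status(LAST)))
```

On the posted output, traffic and system advance while threat stays empty across the stop/start and process restarts, which matches the symptom described in the first post.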