Don't see Threat and URL log in panorama

cancel
Showing results for 
Search instead for 
Did you mean: 

Don't see Threat and URL log in panorama

L3 Networker

Hi All,

I have a problem with Panorama and devices log.

Panorama information

model: Panorama

serial: xzy......

sw-version: 5.1.0

app-version: 445-2292

app-release-date: unknown

av-version: 1317-1787

av-release-date: unknown

threat-version: 445-2292

threat-release-date: unknown

logdb-version: 5.0.2

My Device information

model: PA-3020

sw-version: 5.0.8

global-protect-client-package-version: 1.2.5

app-version: 445-2292

app-release-date: 2014/07/08  14:43:28

av-version: 1317-1787

av-release-date: 2014/07/10  08:20:01

threat-version: 445-2292

threat-release-date: 2014/07/08  14:43:28

wildfire-version: 0

wildfire-release-date: unknown

url-filtering-version: 2014.07.11.240

global-protect-datafile-version: 0

global-protect-datafile-release-date: unknown

logdb-version: 5.0.2

platform-family: 3000

I confirute forward log from device to panorama.

On panorama, I saw all "traffic log" but I can't see any "URL or Threat log".

I don't know where I missed configuration.

Please help me

7 REPLIES 7

L6 Presenter

Hello Register_Security,

1. Is it a new setup and not working from beginning ?

2. If yes than check Log Forwarding Option on Firewall, make sure Threat/URL are being forwarded along with Traffic.

3. Also you may want to check your search queries.

Normally if Panorama received Traffic log than it receives URL/Threat logs as well. This is either a configuration mistake or search query issue.

Regards,

Hardik Shah

1. My device have working about 1 year.

2. Log Forarding Configuration.

Selection_074.png

I really don't know why ?

Does Traffic and URL filtering logs are generated locally on the Firewall ?

L7 Applicator

Try the steps outlined in this document to restart logging.

Palo Alto Networks Firewall not Forwarding Logs to Panorama (VM and M-100)

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi Hshah,

I see all of log locally device.

Hi Steven,

Please see my debug information below.

admin@Panorama> show logging-status device 001XXXXXXXXX

      Type            Last Log Rcvd        Last Seq Num Rcvd       Last Log Generated

    config      2014/07/14 10:19:10                     4918      2014/07/11 11:39:48

    system      2014/07/14 04:02:32                    49500      2014/07/14 04:02:05

    threat

   traffic      2014/07/14 10:19:10               2225666165      2014/07/14 10:19:10

  hipmatch

admin@Panorama> request log-fwd-ctrl device 001XXXXXXXXX action stop

scheduled a job with jobid 27.

27

admin@Panorama> show logging-status device 001XXXXXXXXX

      Type            Last Log Rcvd        Last Seq Num Rcvd       Last Log Generated

    config      2014/07/14 10:19:10                     4918      2014/07/11 11:39:48

    system      2014/07/14 04:02:32                    49500      2014/07/14 04:02:05

    threat

   traffic      2014/07/14 10:20:11               2225687615      2014/07/14 10:20:10

  hipmatch

admin@Panorama> request log-fwd-ctrl device 001XXXXXXXXX action start

scheduled a job with jobid 28. Converted log-fwd-ctrl action to 'start-from-lastack'

28

admin@Panorama> show logging-status device 001XXXXXXXXX

      Type            Last Log Rcvd        Last Seq Num Rcvd       Last Log Generated

    config      2014/07/14 10:20:46                     4918      2014/07/11 11:39:48

    system      2014/07/14 04:02:32                    49500      2014/07/14 04:02:05

    threat

   traffic      2014/07/14 10:20:46               2225699275      2014/07/14 10:20:46

  hipmatch

admin@Panorama> debug software restart management-server

Process 'mgmtsrvr' executing RESTART

admin@Panorama> show logging-status device 001XXXXXXXXX

      Type            Last Log Rcvd        Last Seq Num Rcvd       Last Log Generated

    config      2014/07/14 10:24:06                     4918      2014/07/11 11:39:48

    system      2014/07/14 10:24:06                    49530      2014/07/14 10:22:23

    threat

   traffic      2014/07/14 10:27:08               2225833365      2014/07/14 10:27:08

  hipmatch

On device I run debug

admin@PA-Internet-3020-HO(active)> debug software restart log-receiver

Process 'logrcvr' executing RESTART

and show logging status again, but I still see, and I think it does not work correctly

admin@Panorama> show logging-status device 001XXXXXXXXX

      Type            Last Log Rcvd        Last Seq Num Rcvd       Last Log Generated

    config      2014/07/14 10:24:06                     4918      2014/07/11 11:39:48

    system      2014/07/14 10:24:06                    49530      2014/07/14 10:22:23

    threat

   traffic      2014/07/14 10:29:10               2225877874      2014/07/14 10:29:05

  hipmatch

Hello,

Few steps as mentioned below, it might help you to debug the logging problem on your Panorama:

show panorama-status

Panorama Server 1 : 10.30.1.133

State : Unknown

To see the last log written:

>show log <traffic/threat> direction equal backward

If there is a problem: (commands may need to run 3 times)

>debug software trace log-receiver

>debug software trace management-server

>debug software restart log-receiver

if no change still;

>debug software restart management-server

From Panorama, run the following commands:

>show devices connected

Serial                   Hostname        IP              Connected

--------------------------------------------------------------------------

0001XXXXXXX              PA-2050         1.1.1.1           yes

  last commit all state:       none

show logging-status device <serial number>

Type       Last Log rcvd              Last SeqNo. rcvd           Last Log generated

config     2012/03/25 15:37:37        4093                       2012/03/25 15:36:58

system     2012/07/02 17:05:35        263027                     2012/07/02 16:56:55

threat     2012/07/02 16:56:35        1414220                    2012/07/02 16:56:17

traffic    2012/07/02 17:11:37        39634695                   2012/07/02 16:56:53

hipmatch

Note: The last configuration update is from 3/25.

If you see problems similar to above, try:

request log-fwd-ctrl device <serial number> action stop

request log-fwd-ctrl device <serial number> action live (leave in this state for about a minute)

request log-fwd-ctrl device <serial number> action start

live    start log forwarding with no buffering

start   start log forwarding with buffering

stop    stop log forwarding

Check if you now see normal logging.

>show logging-status device <serial number>

Also, you can verify the logs via the WebUI/Monitor Tab.

Hope this help.

Thanks

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!