This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

High Logging Rate

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

High Logging Rate

RobertShawver
L4 Transporter

‎11-11-2021 04:54 AM

As seen on Panorama > Managed Devices > Health I have a few firewalls that are always in the red with a 15-Day average over 15000.  What is the easiest way/best way to bring that down?  Is it even an issue?  Should the fix be on the Panorama side or FW side?

0 Likes Likes
2 REPLIES 2

aleksandar.astardzhiev
Cyber Elite
Cyber Elite

‎11-11-2021 05:58 AM

Hi @RobertShawver ,

- The value will be red, if it is deviating, not because it is too high.

- If such logging rate is a problem or not - I would say really depends on your environment. What Panorama model are you using, how many firewalls are you managing with it and how many of those have high logging rate. If you use physical M-series appliance you can check supporte logging rate here - M-Series Appliance Interfaces (paloaltonetworks.com)

Here is also some table for supproted log rate - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clc8CAC for FW and Panorama.

 

- From my point of view 15 000log/sec average is alot...But again this really depends on your environment. And unfortunately the only "fix" would be to disable traffic logs for some of the rules. Usually guides and documentations suggest to disable traffic log for trusted infrastrcuture rules, like allow traffic to DNS, SNMP, ping. Check you have rules that log at start and end (which is really usefull for troubleshooting, but will create two log entries for single connection (probably even more, if application shift hit different rules)

Consider changing trusted URL categories from alert to allow.

Basically there are lots of ways to lower the log rate, but as you may guess involves of disabling somekind of logging.

 

 

 

RobertShawver
L4 Transporter
In response to aleksandar.astardzhiev

‎11-11-2021 08:23 AM

I guess maybe that is where some of my lack of understanding comes from, what causes it to be say 10,000 logs/sec not deviating to 10,000 logs/sec deviating?  Sometime it shows the same or higher rate but is not "red".

0 Likes Likes
  • 2487 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks