I'm looking for the possibility to be notified (trap/snmp/Panorama event) in the situation that a particular FW which is assigned to LogCollector for some reason stopped sending traffic to it. Let's assume that if there is a 1h gap I want to be notified.
For some reason, I'm not considering implementing Syslog here.
When such a situation occurs, the FW logs:
( description contains 'Failed to connect to address: X.X.X.X port: 3978, conn id: lr-X.X.X.X-def' )
( description contains 'Number of hints on disk has exceeded 5000 due to log forward failures.' )
I know that I can set up a new entry under Device>LogSettings like the one below:
But this solution will generate an event on Panorama with severity informational (as the original event "Failed to connect to address" was) when I'd like to have it marked as critical. Moreover, such a config must be deployed to all FWs, when we have just one LogCollector per dozens of FWs. That's why I'm looking for something more clever 😉
Currently, this is my idea. It's not tested, but I'm pretty sure that guys here had the same problem and maybe someone will share a working solution here.
Hi @S_Owoc ,
The only approach I can think of right now is forwarding those logs to an email relay.
- Create a system log forwarding profile, similar to your screenshot.
- Select Email as the forwarding method and create an email profile with an email relay that will accept email from the firewall.
- Configure all of this in a separate template that you can assign to any template stack you want and have it pushed to all the firewalls that you manage. You can use template variables to use different IP addresses for the mail relay if the firewalls are in different locations/regions and cannot reach the same relay.
I don't have practical experience with dedicated log collectors, but I am wondering: wouldn't the log collector/Panorama generate a similar log if it lost connectivity with the firewall? If so, you can again have log forwarding to email, but from the log collector's perspective.
This link seems to be a good starting point:
log forwarding status from individual firewalls to Panorama and external servers.
Unfortunately, there is no OID listed for these values. Does anyone have an idea where to find them?
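An added example, not part of any post above and not Palo Alto code: the two checks discussed in this thread (a 1h gap per firewall as seen from the collector side, and re-rating the two forwarding-failure descriptions as critical), written in Python for whatever system receives the data. It assumes the last-received timestamps and forwarded system events are already available as plain Python values; the firewall names, the address and the record layout are constructed.

```python
import re
from datetime import datetime, timedelta

# The two system-log descriptions quoted in the question (address masked there as X.X.X.X).
FORWARD_FAILURE = re.compile(
    r"Failed to connect to address: \S+ port: 3978"
    r"|Number of hints on disk has exceeded 5000 due to log forward failures\."
)
MAX_GAP = timedelta(hours=1)  # the 1h gap from the question


def rate(event):
    """Re-rate a forwarded system event: log-forwarding failures become critical."""
    if FORWARD_FAILURE.search(event["description"]):
        return "critical"
    return event["severity"]


def silent_firewalls(last_received, assigned, now, max_gap=MAX_GAP):
    """Return {firewall: gap or None} for assigned firewalls whose newest log
    on the collector is older than max_gap (None = nothing received at all)."""
    alerts = {}
    for fw in assigned:
        newest = last_received.get(fw)
        if newest is None:
            alerts[fw] = None
        elif now - newest > max_gap:
            alerts[fw] = now - newest
    return alerts


# Constructed sample data (hypothetical firewall names, documentation IP address).
NOW = datetime(2024, 1, 10, 12, 0)
ASSIGNED = ["fw-branch-01", "fw-branch-02", "fw-dc-01"]
LAST_RECEIVED = {
    "fw-branch-01": datetime(2024, 1, 10, 11, 58),
    "fw-branch-02": datetime(2024, 1, 10, 10, 15),  # 1h45m ago
}
EVENTS = [
    {"severity": "informational", "description":
     "Failed to connect to address: 192.0.2.10 port: 3978, conn id: lr-192.0.2.10-def"},
    {"severity": "informational", "description": "Config commit succeeded"},
]

if __name__ == "__main__":
    for fw, gap in silent_firewalls(LAST_RECEIVED, ASSIGNED, NOW).items():
        print("CRITICAL", fw, "no logs received" if gap is None else f"silent for {gap}")
    for ev in EVENTS:
        print(rate(ev), ev["description"])
```

Checking against the list of assigned firewalls, rather than only the firewalls that appear in the data, is what catches a device that has never delivered a log at all.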