Issue that specific policy traffic logs fail to forward to syslog server and drop from firewall

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Issue that specific policy traffic logs fail to forward to syslog server and drop from firewall

L3 Networker

Hello,

OS : 9.1.6

Currently, my customer is facing Issues where logs generated (TO_DNS policy) from a specific policy of more than 10,000 LPS are dropped without being forwarded to the syslog server.

 

The Traffic Log of the firewall is verifiable, but the Forwarding Stats Syslog Drop Count is constantly increasing, debug log-receiver statistics have been confirmed, and less than 1,000 Total LPS appear in addition to this policy.

There is no logs for that policy on the syslog server because it is dropped without being forwarded by the firewall.

The Log Setting/Log Forwarding Profile in the policy settings is set normally, so it seems to be no problem with the settings.

I will let you know, if you guys need additional info.

The Device Log Forwarding Limit of PA-3260 is written in 24,000/LPS as shown in the document below, so I wonder why it is dropped.

스크린샷 2022-09-20 오전 11.52.58.png


Thanks,

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hello @JoHyeonJae

 

your customer might be hitting an issue PAN-185616 addressed in 9.1.14:

 

PavelK_0-1663648642166.png

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

View solution in original post

6 REPLIES 6

Cyber Elite
Cyber Elite

Hello @JoHyeonJae

 

your customer might be hitting an issue PAN-185616 addressed in 9.1.14:

 

PavelK_0-1663648642166.png

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Thank you for your information.

Due to this bug can cause drop in a particular policy?

I am not sure this can match about this issue..

Thanks

Cyber Elite
Cyber Elite

Thank you for reply @JoHyeonJae

 

this fix is applied to sending queue which is processing all the logs irrespectively what policy has generated it.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

@PavelK 

I have one more question.

Since the send queue has become smaller due to the OS bug, is the issue caused when the LPS value increases?

Thanks,

Cyber Elite
Cyber Elite

Thank you for reply @JoHyeonJae

 

I can't answer this with certainty. In any case, I would recommend to upgrade PAN-OS to the version that has this fix or newer, then observe this issue again. The symptom of this bug is random log loss while sending logs to 3rd party system causing difference in logs between Firewall and 3rd party SIEM. If you are hitting serios syslog drop count after reaching certain log rate, then the issue might be something else. Opening a ticket to support might be appropriate in this case.

 

Kind Regards

Pavel  

Help the community: Like helpful comments and mark solutions.

Thanks!

  • 1 accepted solution
  • 3958 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!