09-19-2022 07:49 PM - edited 09-19-2022 07:53 PM
Hello,
OS: 9.1.6
Currently, my customer is facing issues where logs generated by a specific policy (TO_DNS policy) at more than 10,000 LPS are dropped without being forwarded to the syslog server.
The Traffic Log of the firewall is verifiable, but the Forwarding Stats Syslog Drop Count is constantly increasing; debug log-receiver statistics have been confirmed, and less than 1,000 total LPS appear in addition to this policy.
There are no logs for that policy on the syslog server because they are dropped by the firewall without being forwarded.
The Log Setting/Log Forwarding Profile in the policy settings is set normally, so there seems to be no problem with the settings.
I will let you know if you need additional info.
The Device Log Forwarding Limit of the PA-3260 is written as 24,000 LPS in the document below, so I wonder why it is dropped.
Thanks,
09-19-2022 09:38 PM
Hello @JoHyeonJae
Your customer might be hitting an issue PAN-185616 addressed in 9.1.14:
Kind Regards
Pavel
09-19-2022 09:44 PM
Thank you for your information.
Can this bug cause drops in a particular policy?
I am not sure this matches this issue.
Thanks
09-19-2022 09:58 PM
Thank you for the reply @JoHyeonJae
This fix is applied to the sending queue, which processes all logs irrespective of which policy generated them.
Kind Regards
Pavel
09-19-2022 11:07 PM
@PavelK
I have one more question.
Since the send queue has become smaller due to the OS bug, is the issue caused when the LPS value increases?
Thanks,
09-20-2022 03:06 PM
Thank you for the reply @JoHyeonJae
I can't answer this with certainty. In any case, I would recommend upgrading PAN-OS to the version that has this fix or newer, then observing this issue again. The symptom of this bug is random log loss while sending logs to a 3rd party system, causing a difference in logs between the firewall and the 3rd party SIEM. If you are hitting a serious syslog drop count after reaching a certain log rate, then the issue might be something else. Opening a ticket with support might be appropriate in this case.
Kind Regards
Pavel
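To tell the two cases in the answer apart (random loss versus drops that only appear above a certain log rate), here is an added example, not code from the thread or from Palo Alto Networks. It reconciles per-rule log counts between the firewall and the SIEM and checks whether increments of a cumulative syslog drop counter coincide with high LPS. All counts, the samples, and the rule names other than TO_DNS are constructed.

```python
# Added example: reconcile firewall vs SIEM counts per rule and check whether
# syslog drops line up with log rate. All data below is constructed.

# Logs the firewall wrote vs logs the SIEM received, per security rule.
FIREWALL_COUNTS = {"TO_DNS": 600_000, "WEB_OUT": 48_000, "MGMT": 1_200}
SIEM_COUNTS = {"TO_DNS": 310_000, "WEB_OUT": 47_900, "MGMT": 1_200}

# (total LPS, cumulative syslog drop counter) sampled one minute apart,
# e.g. from successive readings of the forwarding statistics.
SAMPLES = [(900, 100), (950, 100), (11_000, 4_100), (11_500, 8_300), (800, 8_300)]


def loss_by_rule(fw_counts, siem_counts, threshold=0.01):
    """Return {rule: loss_ratio} for rules losing more than `threshold`."""
    flagged = {}
    for rule, sent in fw_counts.items():
        if sent == 0:
            continue
        received = siem_counts.get(rule, 0)
        ratio = (sent - received) / sent
        if ratio > threshold:
            flagged[rule] = round(ratio, 3)
    return flagged


def classify_drops(samples):
    """Classify counter increments as 'no drops', 'rate-correlated' or 'random'.

    Each interval is attributed the LPS of its end sample (an approximation).
    If every interval in which the drop counter grew has a higher LPS than
    every interval in which it did not, the drops look like a rate limit;
    otherwise they look random, which matches the bug symptom described above.
    """
    dropping, clean = [], []
    for (_, drops_prev), (lps, drops) in zip(samples, samples[1:]):
        (dropping if drops > drops_prev else clean).append(lps)
    if not dropping:
        return "no drops"
    if not clean or min(dropping) > max(clean):
        return "rate-correlated"
    return "random"


if __name__ == "__main__":
    print("rules with loss:", loss_by_rule(FIREWALL_COUNTS, SIEM_COUNTS))
    print("drop pattern:", classify_drops(SAMPLES))
```

With the constructed data the TO_DNS rule shows roughly 48% loss and the drops only appear in the intervals above 10,000 LPS, which is the "something else" case rather than the random loss the fix addresses.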