1. Most of the palo alto well known deamons have their own logs that can be reviewed:
2. It is interesting that in the higher end Palo Alto platforms like PA-5000 and PA-7050/PA-7080, where there are dedicated interfaces for HA if the issue is with the HA interface the logs Brdagent and Mprelay for those interfaces will be in the so called control plane. For issues with the managment interface look the Brdagent and Mprelay in the managment plane(for LACP issues check the Systems log in GUI as there is no separate log for it). On smaller palo alto platforms that don't have dedicated HA interfaces there is no seperate control plane with seperate CPU. On small platforms like 220 or virtual editions there is no seperate data plane and the data plane logs are in the managment plane.
You can check:
less dp0-log brdagent.log
less cp-log brdagent.log
less mp-log brdagent.log
3. It is good to note that the higher end platforms like 5000 and 7000 will have more than one data plane. With 5000 there will be 2 or 3 dataplanes as the number rows of ports on the device but with 7000 each blade will have its own 1 or 2 dataplanes (dp0 and dp1) as if the blade has two rows of ports there will be 2 dataplanes
To see the 0 data plane on Slot 1:
less s1dp0-log brdagent.log
4. Usefull logs for comimit failures are the managment plane file ms.log and Devsrvr log.
5. Always check the managment plane file masterd log as it will show you if some deamon or process went down and you then can open the log for the specific process that had issues and see what is written.
6. For authentication issues the managment plane file Authd log is the place to go. For High availabity (HA) issues check ha_agent.log.
7. For VPN and SSL decryption issues better check the System log (for newer versions after 9.1 there is seperate globalprotect log in the GUI) in the GUI as it is easier to read than the ikemgr.log file. In version 10 there is a seperate log in the GUI for SSL decryption issues.Good to note is that in the CLI you could enable a debug for a process and this can't be done in the GUI.
8. You can also gather a tech support file and open it as it will have the most logs for the managment plane as it is tar gz linux archive and sometimes it is easier to view the logs this way with text editors like Atos/Notepad ++ etc. and you can look into the Websrvr and Mgmtsrvr logs for GUI issues or even SSH and GUI and etc (you can still use the comand "less webserver-log xxx" to see the webserver or clientless vpn log). Read the article for "Commonly Used Processes/Daemons" that I provided from the start to get the idea. Also it is good to note that for decryption issues in the newer versions there is a seperate log in GUI. If you are a partner have access to the Palo Alto PANS or Auto Assistant tool you can better check the logs this way.
Example picture (it is from virtual edition so there will be no data plane or control plane log folders)
If the issue can't be discovered don't forget the ultimate solution for non hardware palo alto issues is saving the config to external storage then factory default reset of the firewall and again importing the the config (the TAC does this many times).
Just a note for 9.1.x it is great that the Globalprotect log is in seperate tab in the GUI and you can also see latency reports from it, so this helps with investigating bad network connections and that the issue is not with the VPN, also if the hourly HIP reports failed for some reason, it will be in those logs. For HIP issues other than failed HIP reports like failed checks there is a log from a long time in GUI called "HIP Match Logs":
Also for HIP checks failing to be send every hour check:
This is from my new article:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!