Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

MGMNT Slow and Serching logs slow and Syslog server issue.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

MGMNT Slow and Serching logs slow and Syslog server issue.

L4 Transporter

Device Model: PA-5220 HA Mode Active-standby

PAN-OS 10.0.0

The questions below as I couldn't find anything on Palo Alto website.

 

Recently we have upgraded Palo Alto to v10.0.0.

 

1. Web management interface became very slow and searching logs takes very long time to load.

Kindly advise if there’s any solution for that. Can we disable services of some added unused features, like SDWAN or IoT? Or is there any work-around to make it faster?

 

2. Integration with ArcSight Syslog server is not working well as logs are not parsed correctly.

Seems the raw data format sent from Palo Alto changed in this version. Kindly advise how to fix this.

Can we change the format to be similar to 9.0.x or 9.1.x format?

26 REPLIES 26

Cyber Elite
Cyber Elite

@Mohammed_Yasin,

Is this on production equipment, because I really wouldn't be running PAN-OS 10.0 in a production environment. How long ago did you upgrade to 10.0, the background process can take a bit to settle down and things get stable again.

 

As for the second question, there was additional information put into the syslog messages that could be interfering with how you are extracting the data. You'll really need to look at how you have built the extractors and fields you are using to fix that one. 

Thank you for the comment.

 

Yes Its production, the firewall was upgraded 5 days ago.

its only very slow in wildfire logs appearing in the monitor section rest of the logs are performing usually average.

 

I have checked the following links for the CEF for Arcsight. but doesn't help me with PAN 10.

 

https://docs.paloaltonetworks.com/resources/cef.html

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syslo...

https://community.microfocus.com/t5/ArcSight-User-Discussions/Palo-Alto-Global-Protect-logs-CEF-form...

https://community.microfocus.com/t5/ArcSight-User-Discussions/bd-p/arcsight-discussions

@Mohammed_Yasin,

I would open a TAC ticket and see if they can see what's going on. PAN-OS 10.0 is a brand-new release, so you'll likely run into things like this until it has more time to bake in the wild and bugs get worked through. I absolutely wouldn't be running 10.0 in a production environment unless you need a feature that has been added into PAN-OS 10.0. 

As for the guides you referenced, none of them have been updated for 10.0 yet from a quick glance. Since you have additional fields you may very well have to manually build extractors that function correctly with the new fields for PAN-OS 10.0. This is one of the downsides of upgrading to a new release early. 

We are having similar issues trying to pull anything under the monitor tab with the new 10.1 PAN.   All the logs take forever to pull.  Was way better on 9.   

Cyber Elite
Cyber Elite

Hello,

I have also seen this slow logs loading/timing out issue. I have found that it loads faster/properly if I use a date filter such as ( receive_time geq '2021/12/15 00:00:00' ) . I suspect a bug in the code but havent searched the release notes to verify.

 

Also I hope you are not running the base 10.0.0 code as there are issues and you should upgrade to a recommended code version: 

https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-...

 

Regards,

L2 Linker

We're running 10.0.8 release and also seeing this slowness in traffic log filtering which was not present in previous releases.  Very frustrating to have to wait up to 5 minutes for filtering results to complete.  

L0 Member

We are running 10.1.3 and facing same issue. Does anyone know how to get rid of this issue?? 

 

Thanks you

L0 Member

We have also had this issue ever since upgrading to 10.1.2 - really annoing

L0 Member

Side note: management CPU is aprox 8% and data CPU is less than 3%. So I don't think its a CPU issue. it seems they are missing a searcch index og the DB layout is made in a way that makes this slow. comming from a Checkpoint world makes me wish back to CP.

 

L1 Bithead

Same issue on multiple firewall. Did anyone opened TAC case? I do do not have good luck working with TAC on these kind of issues.

Santosh Patel
www.qnatech.com

L0 Member

Same here. On 10.1.3 currently. Almost unusable slow at times after upgrading to v10. 

L1 Bithead

Yeah, we have the same issue. Since moving to PAN OS 10.1 the monitor tab has been unbearably slow. This is on a pair of PA 5250's. Did not see anything on the new release notes for PAN 10.2 to suggest an improvement but I was told that Palo Alto changed the way they log on PAN OS 10.1, so not entirely sure. Some aspects are snappy, but most times its the "cog of death" staring at me on the top right corner! Its really hard to be certain how reliable the data is due to the duration it takes to load data. Page size 20 does not make much of a different either. Can only hope that Palo Alto is aware of the issue and is being tracked. Hope to be back at PAN OS 8.1/9.1 search speed again!

L1 Bithead

Commenting to see if someone does find a fix for this. I have panorama 10 point something and it is really difficult to pull anything out of the traffic logs. What i found works is to keep refining your query, the inital vague query takes forever to render but as i add terms to narrow the log down it seems to get a bit faster each time. I have read the opposite as well, that says the more terms the slower it runs, but that doesn't make sense to me why that would be the case. The VM has 8 cores and 48gb of ram so i am not sure its a hardware issue either.

 

Still this is basically searching text files? on linux? i mean come on, it shouldn't take 10 minutes for me to run a filter like 

 

(receive_time geq '2022/03/28 00:00:00') and (receive_time leq '2022/03/28 23:59:59') and (port.dst eq 25)

 

but currently it does.

L1 Bithead

I have been monitoring this for my multiple customers, no update yet. I do not even think they are working in this direction as 10.0.0 is almost end of life already. 

I have still kept all my customers below this version. I will test future versions on small customers and if the performance fixed than recommend to others. 

Santosh Patel
www.qnatech.com
  • 14499 Views
  • 26 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!