06-03-2024 10:38 AM
Hi All,
We recently encountered an issue where our firewalls got disconnected from the Palo DB cloud database; this was due to a known issue in the Palo OS we are running. I am looking for a way to monitor Palo DB cloud connectivity. We do not have SolarWinds, otherwise I would have used an OID to monitor that specific service.
Is there a way to still monitor Palo DB connectivity, like forwarding the logs to Splunk and then generating an email from there to all the stakeholders?
Thanks for any recommendations.
06-03-2024 12:18 PM
Generally speaking this would be wrapped up in monitoring system events and either having the firewall send an email/http alert itself or forwarding the events to something like Splunk/Graylog and setting up desired alerts there.
The majority of cloud connection issues are going to be in system logs if you utilize this filter:
(severity eq medium) and (eventid eq 'general')
Fair warning that this doesn't limit things to cloud connection issues and you might have events you want to exclude, but you would just adjust the query. This will cover download failures, upgrade failures, and stuff like that.
PAN has a special subtype named 'dynamic-updates', but note that this isn't utilized for anything other than messages that they deem worth sending out. I would personally think you likely want those as well, but I would also say you should be receiving an email notification for anything with a severity of high or greater for your firewall (severity geq high).
06-05-2024 10:05 AM
Thanks, that helped. I was able to filter out specific eventids with the filter below:
( eventid eq cloud-election ) or ( eventid eq url-cloud-connection-failure)
There are certain informational logs that are not being forwarded to Splunk, but I see them in Palo Alto. I am still figuring that part out.
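As an added example (not code from this thread or from Palo Alto Networks), the Python below applies the three filters discussed in the thread to constructed PAN-OS system-log CSV records, the way a Splunk alert or a small forwarder-side check would. The field order and the severity ranking are assumptions taken from the PAN-OS system log syslog layout; check them against the log-format reference for the PAN-OS version you run.

```python
import csv
from io import StringIO

# Assumed PAN-OS system log (syslog CSV) field order; verify for your version.
SYSTEM_LOG_FIELDS = [
    "future_use1", "receive_time", "serial", "type", "subtype", "future_use2",
    "generated_time", "vsys", "eventid", "object", "future_use3", "future_use4",
    "module", "severity", "description", "seqno", "action_flags",
]

# PAN-OS severity ranking, lowest to highest, so "geq" can be evaluated.
SEVERITY_ORDER = ["informational", "low", "medium", "high", "critical"]


def parse_system_log(line: str) -> dict:
    """Split one CSV system-log record into a dict keyed by field name."""
    values = next(csv.reader(StringIO(line)))
    return dict(zip(SYSTEM_LOG_FIELDS, values))


def severity_geq(record: dict, threshold: str) -> bool:
    """Equivalent of the log filter '(severity geq <threshold>)'."""
    return SEVERITY_ORDER.index(record["severity"]) >= SEVERITY_ORDER.index(threshold)


def is_cloud_connectivity_event(record: dict) -> bool:
    """'( eventid eq cloud-election ) or ( eventid eq url-cloud-connection-failure)'."""
    return record["eventid"] in {"cloud-election", "url-cloud-connection-failure"}


def is_general_medium(record: dict) -> bool:
    """'(severity eq medium) and (eventid eq general)' from the first reply."""
    return record["severity"] == "medium" and record["eventid"] == "general"


def select_alerts(lines: list) -> list:
    """Return 'eventid/severity: description' for records worth emailing about."""
    hits = []
    for line in lines:
        rec = parse_system_log(line)
        if is_cloud_connectivity_event(rec) or is_general_medium(rec) or severity_geq(rec, "high"):
            hits.append(f'{rec["eventid"]}/{rec["severity"]}: {rec["description"]}')
    return hits


# Constructed sample records (not real firewall output); serial is a placeholder.
SAMPLE_LINES = [
    '1,2024/06/03 10:30:01,000000000000,SYSTEM,general,0,2024/06/03 10:30:01,,general,,0,0,general,informational,"Config commit succeeded",100,0x0',
    '1,2024/06/03 10:31:15,000000000000,SYSTEM,url-filtering,0,2024/06/03 10:31:15,,url-cloud-connection-failure,,0,0,url-filtering,medium,"Failed to connect to URL cloud",101,0x0',
    '1,2024/06/03 10:32:40,000000000000,SYSTEM,general,0,2024/06/03 10:32:40,,general,,0,0,general,medium,"Failed to check for content upgrade",102,0x0',
    '1,2024/06/03 10:33:02,000000000000,SYSTEM,ha,0,2024/06/03 10:33:02,,ha-failover,,0,0,ha,high,"HA group 1: Failover triggered",103,0x0',
]
```

Running `select_alerts(SAMPLE_LINES)` drops only the informational commit message; the cloud-connection failure, the medium 'general' download failure and the high-severity HA event all surface, which is the behaviour the thread's combined filters produce.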