Monitoring Palo DB cloud service


L1 Bithead

Hi All, 

We recently encountered an issue where our firewalls got disconnected from the Palo DB cloud database; this was due to a known issue in the Palo OS we are running. I am looking for a way to monitor Palo DB cloud connectivity. We do not have SolarWinds, otherwise I would have used an OID to monitor that specific service.

Is there a way to still monitor Palo DB connectivity, like forwarding the logs to Splunk and then generating an email from there to all the stakeholders?

Thanks for any recommendations

2 REPLIES

Cyber Elite

@Ironsecurity,

Generally speaking this would be wrapped up in monitoring system events and either having the firewall send an email/http alert itself or forwarding the events to something like Splunk/Graylog and setting up desired alerts there.

The majority of cloud connection issues are going to be in system logs if you utilize this filter:

(severity eq medium) and (eventid eq 'general')

Fair warning that this doesn't limit things to cloud connection issues and you might have events you want to exclude, but you would just adjust the query. This will cover download failures, upgrade failures, and stuff like that.

PAN has a special subtype named 'dynamic-updates' but note that this isn't utilized for anything other than messages that they deem worth sending out. I would personally think you likely want those as well, but I would also say you should be receiving an email notification for anything with a severity of high or greater for your firewall (severity geq high).

Thanks, that helped. I was able to filter out specific eventids with the filter below:

( eventid eq cloud-election ) or ( eventid eq url-cloud-connection-failure)

There are certain informational logs that are not being forwarded to Splunk, but I see them in Palo Alto. I am still figuring that part out.
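As an added example (not code from this thread or from Palo Alto Networks), the following Python script parses PAN-OS SYSTEM syslog lines and applies filters written in the syntax used in the replies above, so the accepted answer's `(severity eq medium) and (eventid eq 'general')`, the follow-up's eventid filter and `(severity geq high)` can all be run against forwarded logs before they reach Splunk. The CSV field positions, the sample log lines and the left-to-right and/or evaluation are assumptions.

```python
import csv
import io
import re

FIELD_TYPE, FIELD_SUBTYPE, FIELD_EVENTID, FIELD_SEVERITY, FIELD_DESC = 3, 4, 8, 13, 14  # assumed PAN-OS SYSTEM syslog CSV positions
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
TERM = re.compile(r"\(\s*(\w+)\s+(eq|neq|geq|leq)\s+'?([\w.-]+)'?\s*\)")  # one term, e.g. (eventid eq 'general')
SAMPLE_LOGS = [  # constructed SYSTEM syslog lines in the assumed layout, not real firewall output
    '1,2024/01/10 08:00:01,0123456789,SYSTEM,general,0,2024/01/10 08:00:01,,general,,0,0,general,medium,"PAN-DB cloud connection failed, retrying",1,0x0',
    '1,2024/01/10 08:00:05,0123456789,SYSTEM,url-filtering,0,2024/01/10 08:00:05,,url-cloud-connection-failure,,0,0,url-filtering,medium,"Connection to PAN-DB cloud lost",2,0x0',
    '1,2024/01/10 08:01:00,0123456789,SYSTEM,general,0,2024/01/10 08:01:00,,general,,0,0,general,informational,"Content update scheduled",3,0x0',
    '1,2024/01/10 08:02:00,0123456789,SYSTEM,general,0,2024/01/10 08:02:00,,cloud-election,,0,0,general,high,"Cloud election completed",4,0x0',
]

def parse_system_log(line):
    # csv copes with the quoted Description field, which may itself contain commas.
    f = next(csv.reader(io.StringIO(line)))
    if len(f) <= FIELD_DESC or f[FIELD_TYPE] != "SYSTEM":
        return None  # not a SYSTEM log (or too short to be one)
    return {"subtype": f[FIELD_SUBTYPE], "eventid": f[FIELD_EVENTID],
            "severity": f[FIELD_SEVERITY].lower(), "description": f[FIELD_DESC]}

def _term_matches(event, field, op, value):
    actual = event.get(field, "")
    if op in ("geq", "leq"):  # ordered comparison is only meaningful for severity
        if field != "severity":
            raise ValueError(op + " is only supported on severity")
        a, b = SEVERITY_RANK.get(actual, -1), SEVERITY_RANK[value.lower()]
        return a >= b if op == "geq" else a <= b
    return actual == value if op == "eq" else actual != value

def compile_filter(expr):
    # Terms joined by and/or, evaluated left to right with no nesting, as in the replies above.
    parts = re.split(r"\s+(and|or)\s+", expr.strip(), flags=re.I)  # [term, conj, term, ...]
    terms = [TERM.fullmatch(p) for p in parts[0::2]]
    if not all(terms):
        raise ValueError("unsupported filter syntax: " + expr)
    def predicate(event):
        result = _term_matches(event, *terms[0].groups())
        for conj, term in zip(parts[1::2], terms[1:]):
            ok = _term_matches(event, *term.groups())
            result = result and ok if conj.lower() == "and" else result or ok
        return result
    return predicate

def alert_events(lines, expr):
    # Every SYSTEM event matching the filter, as (eventid, severity, description) tuples.
    match = compile_filter(expr)
    events = (parse_system_log(line) for line in lines)
    return [(e["eventid"], e["severity"], e["description"]) for e in events if e and match(e)]
```

Feeding the returned tuples to whatever sends the email (or to a Splunk or Graylog alert) gives the stakeholder notification the question asks for; the informational events the follow-up mentions show up only if the filter's severity term allows them.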
