02-20-2014 12:29 AM
Hi folks,
I'm running a VM-100 on a VMware Workstation 9, off Windows 7 (Not supported, I know - but it works. Sort of).
I imported the .ovf and added an extra NIC (.ovf only came with two NICs, one of which goes to management as far as I can see).
eth1/1 layer3 - "Inside" security zone, internal VM network
eth1/2 layer3 - "Outside" security zone, bridged to "real" LAN.
As far as I can read, promiscuous mode should be enabled by default (and non-configurable) on a VMware Workstation, but to be sure, I also manually typed the VM-100 NIC MAC addresses on their VMware interfaces.
Configured the zones, a default-route in the Virtual Router, NAT from inside-to-outside and a security policy that allows everything. Policy is also set to log at both session start and end.
Installed two further VMs (standard non-domain Windows 8 machines) and gave them an IP on the "Inside" network and set the VM-100 as their default route.
The virtual machines can communicate with each other, and on the Monitor -> Sessions tab, I can see that traffic is flowing through the VM-100 and between the two hosts. I can also see that the sessions are matching the "allow-all" security policy.
But.. When I go to the Monitor -> Traffic tab, there's nothing.
What am I missing here?
02-22-2014 08:09 AM
Do you have a logging option selected in the "action" tab of your policies?
02-22-2014 10:30 AM
you see sessions on session browser
no logs on Traffic...
try to restart logging
debug software restart log-receiver
02-22-2014 12:32 PM
Yep.. Both at start and end - just verified in the config.xml to make sure the GUI wasn't playing tricks
02-22-2014 12:49 PM
No luck I'm afraid
admin@PA-VM> debug software restart log-receiver
Process 'logrcvr' executing RESTART
admin@PA-VM> debug system process-info
Total num processes: 36
Name PID CPU% FDs Open Virt Mem Res Mem State
all_task 5507 4 6 1579800 1515820 S
crypto 1709 0 8 64644 6212 S
chasd 1589 0 6 54924 4584 S
ikemgr 2062 0 9 56120 6088 S
useridd 2028 0 10 148792 78048 S
l3svc 2081 0 18 73216 11404 S
pppoe 2072 2 7 52336 6324 S
dnsproxy 4126 0 13 52516 6812 S
varrcvr 2066 0 16 193712 6460 S
routed 2073 0 15 121244 18520 S
mgmtsrvr 2057 0 28 348112 193784 S
rasmgr 2064 0 8 77264 5292 S
dhcp 2070 0 7 40000 6488 S
dagger 1583 0 9 61180 19156 S
sysd 1565 0 57 19128 3820 S
logrcvr 4661 0 61 459328 282920 S
sslvpn 2059 0 20 76020 13036 S
comm 2257 2 17 1662112 1543520 S
websrvr 2061 0 18 92276 30284 S
brdagent 1722 0 7 89828 7016 S
dha 2345 0 7 1570808 1515644 S
masterd 1538 0 19 1699468 1530736 S
monitor-dp 2347 0 5 13344 7112 S
monitor 1584 0 5 13344 7120 S
ha-sshd 1973 0 5 4024 1604 S
satd 2068 0 8 88236 8812 S
ha_agent 2067 0 4 39508 5148 S
mprelay 2320 0 7 1571012 1515788 S
snmpd 2075 0 14 33736 5904 S
sysdagent 1587 0 7 97704 5296 S
keymgr 2065 0 10 75516 4832 S
sshd 1969 0 5 4028 1644 S
devsrvr 2056 0 10 150832 43740 S
ehmon 1588 0 5 9544 2460 S
sslmgr 2069 0 8 72920 5976 S
authd 2074 0 9 80612 6552 S
syslogd 1359 0 7 1824 612 S
crond 3237 0 5 2772 1004 S
Totals 8 480 10851784 8435572
admin@PA-VM>
Have also booted the box several times.
Just noticed that a "debug log-receiver statistics" shows 0 hits on anything, except "Traffic logs written: 134".
02-22-2014 02:48 PM
What is the PAN-OS version?
02-25-2014 12:44 PM
Hello Benjamin,
Try the following command:
debug log-receiver statistics
This will show you how many logs were actually generated and written by the log receiver process.
Logging statistics
------------------------------ -----------
Log incoming rate: 0/sec
Log written rate: 0/sec
Corrupted packets: 0
Corrupted URL packets: 0
Logs discarded (queue full): 0
Traffic logs written: 76946
URL logs written: 195
Anti-virus logs written: 7
This will give you an indication of whether the log receiver is even generating logs. Usually, if traffic is allowed by the default rule (that is, traffic between the same zones is allowed), sessions are created but no logs will be generated. Also try looking at show session id from the command line; there is a field called "session to be logged at end". This will also give you an idea. Once you see that logs are being generated, it might be an issue with the web interface not showing the logs; try accessing them from the ACC tab. If you see that logs are not being generated, then it could most likely be hitting the default rule.
Hope this helps.
Yashwanth
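The check described in the reply above, as an added example that is not part of any post in this thread: it parses two runs of `debug log-receiver statistics` in the layout shown and reports whether traffic logs are being written, dropped, or never generated. The second snapshot, the function names and the use of the discard/corrupt counters as a "dropped" signal are assumptions made for illustration.

```python
import re

# Constructed snapshots in the layout shown in the post above; the second one
# is invented to represent the same command run a little later.
SNAPSHOT_1 = """\
Logging statistics
------------------------------ -----------
Log incoming rate: 0/sec
Log written rate: 0/sec
Corrupted packets: 0
Corrupted URL packets: 0
Logs discarded (queue full): 0
Traffic logs written: 76946
URL logs written: 195
Anti-virus logs written: 7
"""
SNAPSHOT_2 = SNAPSHOT_1.replace("76946", "77010")

# "name: number" with an optional "/sec" suffix; header and rule lines do not match.
LINE = re.compile(r"^(?P<name>[^:]+):\s*(?P<value>\d+)(?:/sec)?\s*$")
DROP_COUNTERS = ("Logs discarded (queue full)", "Corrupted packets")

def parse_stats(text):
    """Return {counter name: int} for every counter line in the output."""
    stats = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            stats[m.group("name").strip()] = int(m.group("value"))
    return stats

def diagnose(before, after):
    """Compare two snapshots and say where traffic logs stop."""
    a, b = parse_stats(before), parse_stats(after)
    key = "Traffic logs written"
    if key not in a or key not in b:
        raise ValueError("counter %r missing from a snapshot" % key)
    written = b[key] - a[key]
    if written < 0:
        return "counter-reset", 0      # e.g. reboot between the two runs
    if written > 0:
        return "written", written      # logs reach disk: check the display side
    dropped = sum(b.get(k, 0) - a.get(k, 0) for k in DROP_COUNTERS)
    if dropped > 0:
        return "dropped", dropped      # received but discarded or corrupt
    return "not-generated", 0          # nothing reached the log receiver

if __name__ == "__main__":
    print(diagnose(SNAPSHOT_1, SNAPSHOT_2))
```
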
03-07-2014 03:18 AM
Well - I gave up!
Installed a PAN-OS 5.0.6 with identical configuration - and traffic monitoring worked without any issues.
Reinstalled the PAN-OS 6.0.0 once again - still didn't work.
Finally managed to get access to an ESXi 5.x.something hypervisor, and the PAN-OS 6.0.0 worked without any issues.
Conclusion: VMware Workstation 9 and PAN-OS 6.0.0 don't play nice.
@.ybommakanti - Just as I wrote above:
Just noticed that a "debug log-receiver statistics" shows 0 hits on anything, except "Traffic logs written: 134".
So yes, logs were written according to that debugger. And it was increasing.
Thanks for everyone's input
03-07-2014 05:30 AM
I should have asked about Workstation versus ESXi. I've seen that same issue with other appliances in VMware Workstation.
Best solution is to virtualize ESXi into Workstation and install them there.
03-08-2014 12:50 AM
Thanks for the update. Learned the behaviour on Workstation with PAN-OS 6.