No entries in traffic logs


L2 Linker

Hi folks,

I'm running a VM-100 on a VMware Workstation 9, off Windows 7 (Not supported, I know - but it works. Sort of).

I imported the .ovf and added an extra NIC (.ovf only came with two NICs, one of which goes to management as far as I can see).

eth1/1 layer3 - "Inside" security zone, internal VM network

eth1/2 layer3 - "Outside" security zone, bridged to "real" LAN.

As far as I can read, promiscuous mode should be enabled by default (and non-configurable) on a VMware Workstation, but to be sure, I also manually typed the VM-100 NIC MAC addresses on their VMware interfaces.

Configured the zones, a default-route in the Virtual Router, NAT from inside-to-outside and a security policy that allows everything. Policy is also set to log at both session start and end.

Installed two further VMs (standard non-domain Windows 8 machines) and gave them an IP on the "Inside" network and set the VM-100 as their default route.

The virtual machines can communicate with each other, and on the Monitor -> Sessions tab, I can see that traffic is flowing through the VM-100 and between the two hosts. I can also see that the sessions are matching the "allow-all" security policy.

But... when I go to the Monitor -> Traffic tab, there's nothing.

What am I missing here?


L7 Applicator

Do you have a logging option selected in the "action" tab of your policies?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L6 Presenter

You see sessions on the session browser, no logs on Traffic...

Try to restart logging:

debug software restart log-receiver

Yep.. Both at start and end - just verified in the config.xml to make sure the GUI wasn't playing tricks

No luck I'm afraid

admin@PA-VM> debug software restart log-receiver
Process 'logrcvr' executing RESTART

admin@PA-VM> debug system process-info
Total num processes: 36
Name                   PID      CPU%  FDs Open   Virt Mem     Res Mem      State
all_task               5507     4     6          1579800      1515820      S
crypto                 1709     0     8          64644        6212         S
chasd                  1589     0     6          54924        4584         S
ikemgr                 2062     0     9          56120        6088         S
useridd                2028     0     10         148792       78048        S
l3svc                  2081     0     18         73216        11404        S
pppoe                  2072     2     7          52336        6324         S
dnsproxy               4126     0     13         52516        6812         S
varrcvr                2066     0     16         193712       6460         S
routed                 2073     0     15         121244       18520        S
mgmtsrvr               2057     0     28         348112       193784       S
rasmgr                 2064     0     8          77264        5292         S
dhcp                   2070     0     7          40000        6488         S
dagger                 1583     0     9          61180        19156        S
sysd                   1565     0     57         19128        3820         S
logrcvr                4661     0     61         459328       282920       S
sslvpn                 2059     0     20         76020        13036        S
comm                   2257     2     17         1662112      1543520      S
websrvr                2061     0     18         92276        30284        S
brdagent               1722     0     7          89828        7016         S
dha                    2345     0     7          1570808      1515644      S
masterd                1538     0     19         1699468      1530736      S
monitor-dp             2347     0     5          13344        7112         S
monitor                1584     0     5          13344        7120         S
ha-sshd                1973     0     5          4024         1604         S
satd                   2068     0     8          88236        8812         S
ha_agent               2067     0     4          39508        5148         S
mprelay                2320     0     7          1571012      1515788      S
snmpd                  2075     0     14         33736        5904         S
sysdagent              1587     0     7          97704        5296         S
keymgr                 2065     0     10         75516        4832         S
sshd                   1969     0     5          4028         1644         S
devsrvr                2056     0     10         150832       43740        S
ehmon                  1588     0     5          9544         2460         S
sslmgr                 2069     0     8          72920        5976         S
authd                  2074     0     9          80612        6552         S
syslogd                1359     0     7          1824         612          S
crond                  3237     0     5          2772         1004         S
Totals                         8     480        10851784     8435572

admin@PA-VM>

Have also booted the box several times.

Just noticed that a "debug log-receiver statistics" shows 0 hits on anything, except "Traffic logs written: 134".

What is the PAN-OS version?

6.0.0

Hello Benjamin,

Try the following command:

debug log-receiver statistics

This will show you how many logs were actually generated and written by the log receiver process.

  

Logging statistics
------------------------------ -----------
Log incoming rate:             0/sec
Log written rate:              0/sec
Corrupted packets:             0
Corrupted URL packets:         0
Logs discarded (queue full):   0
Traffic logs written:          76946
URL logs written:              195
Anti-virus logs written:       7

This will give you an indication of whether the log receiver is even generating logs. Usually, if traffic is allowed by the default rule (that is, traffic between the same zones is allowed), sessions are created but no logs will be generated.

Also try looking at show session id from the command line; there is a field called "session to be logged at end". This will also give you an idea.

Once you see that logs are being generated, it might be an issue with the web interface not showing the logs; try accessing them from the ACC tab. If you see that logs are not being generated, then it could most likely be hitting the default rule.

Hope this helps.

Yashwanth
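
The check described in the post above, as an added example that is not part of the original thread and not Palo Alto Networks code: it parses two snapshots of the "debug log-receiver statistics" output, taken while test traffic flows, and separates "logs are not generated" from "logs are written but not displayed". The snapshot text is constructed in the format quoted above; the function names and verdict strings are assumptions of this example.

```python
import re

# Constructed sample in the format of the statistics output quoted in the thread.
TEMPLATE = """\
Logging statistics
------------------------------ -----------
Log incoming rate:             0/sec
Log written rate:              0/sec
Corrupted packets:             0
Logs discarded (queue full):   {discarded}
Traffic logs written:          {traffic}
URL logs written:              0
"""
SNAPSHOT_T0 = TEMPLATE.format(traffic=134, discarded=0)   # before test traffic
SNAPSHOT_T1 = TEMPLATE.format(traffic=161, discarded=0)   # after test traffic

# "Name:   123" or "Name:   0/sec"; header and ruler lines have no colon and are skipped.
LINE_RE = re.compile(r"^([^:\n]+):[ \t]+(\d+)(?:/sec)?[ \t]*$", re.M)

def parse_stats(text):
    """Return {counter name: int} for every counter line in one snapshot."""
    return {name.strip(): int(value) for name, value in LINE_RE.findall(text)}

def diagnose(before, after, ui_shows_logs):
    """Classify the symptom from two snapshots taken while test traffic flows."""
    b, a = parse_stats(before), parse_stats(after)
    key = "Traffic logs written"
    if key not in b or key not in a:
        raise ValueError(f"counter {key!r} missing from snapshot")
    delta = {k: a[k] - b.get(k, 0) for k in a}
    if delta[key] < 0:
        return "counter-reset"        # receiver restarted or box rebooted in between
    if delta.get("Logs discarded (queue full)", 0) > 0 or delta.get("Corrupted packets", 0) > 0:
        return "receiver-dropping"    # logs arrive but are lost before being written
    if delta[key] == 0:
        return "not-generated"        # e.g. the session matched a rule that does not log
    return "ok" if ui_shows_logs else "written-not-displayed"

if __name__ == "__main__":
    print(diagnose(SNAPSHOT_T0, SNAPSHOT_T1, ui_shows_logs=False))
```

A "written-not-displayed" verdict matches the symptom reported in this thread: the written counter increases while the Traffic tab stays empty.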

L2 Linker

Well - I gave up!

Installed a PAN-OS 5.0.6 with identical configuration - and traffic monitoring worked without any issues.

Reinstalled the PAN-OS 6.0.0 once again - still didn't work.

Finally managed to get access to an ESXi 5.x.something hypervisor, and the PAN-OS 6.0.0 worked without any issues.

Conclusion: VMware Workstation 9 and PAN-OS 6.0.0 don't play nice.

@.ybommakanti - Just as I wrote above:

Just noticed that a "debug log-receiver statistics" shows 0 hits on anything, except "Traffic logs written: 134".

So yes, logs were written according to that debugger. And it was increasing.

Thanks for everyone's input :)

I should have asked about Workstation versus ESXi. I've seen that same issue with other appliances in VMware Workstation.

Best solution is to virtualize ESXi into Workstation and install them there.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Thanks for the update. Learned the behaviour on Workstation with PAN-OS 6.
