05-18-2016 05:32 AM
Hello, we've got a bunch of virtual Palo Alto firewalls running 7.0.1. One set is running fine, largely configured with no issues. The other set is in a different environment; all the infrastructure is the same (same type of hypervisor, same version, all that). The only significant difference is that in the second environment, each PA is part of an HA pair.
Now, we're having all sorts of network issues here, which could be related to a whole bunch of things other than the PA, but the thing that I'm trying to get working right now is traffic monitoring on the PA; this should help me debug everything else.
I've got traffic monitoring working in environment 1, but not in environment 2 with the clusters. I'm pretty sure I've done the same things in both, the easiest way to get monitoring being to create an "allow any" rule and tell it to log. But even with that I get absolutely nothing in the PA log, not even when I run a continuous ping from the device.
Does anyone have any suggestions for debugging steps for this?
05-18-2016 06:12 AM
Hi,
Are you sure your traffic is going through the firewall or even reaching it?
Is your ping being sourced from a DP interface? By default your ping will go out the management interface.
Try a PCAP on the firewall to see how traffic is handled (if you're seeing any).
Verify the global counters to see if there's any weird counters that could explain this.
These might be useful:
https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Packet-Capture/ta-p/72069
Cheers!
-KiWi.
05-18-2016 06:22 AM
Did you make sure to register and license the VM? When a VM is first installed it will be able to provide basic functionality but will not log anything until it is properly initialized.
05-19-2016 02:24 AM
Yep, correct. Only VM 5.0.6 will be able to log sessions without the licenses installed. All higher versions of the PA VM will NOT be able to "show" traffic logs in the monitoring tab without a serial number installed.
05-19-2016 05:10 AM
Ah, that would explain it. Does being unlicensed also restrict traffic in any way? That could explain some of the other problems we're seeing.
05-19-2016 05:36 AM
For simple traffic processing, no. But without the licenses/serial number the firewall can only have 200 active sessions at a time.
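Pulling KiWi's checks (source the ping from a dataplane interface, take a PCAP, read the global counters) and the licensing answer together, the following PAN-OS CLI session walks the firewall through each check in order. It is an added example written for this thread, not a command sequence posted by any of the participants or taken from Palo Alto Networks documentation; the hostname PA-VM, the addresses 10.1.1.10 (a dataplane interface on the firewall) and 10.1.1.20 (a host behind it), and the capture file names are assumed placeholders to be replaced with your own values.

```text
# 1. Licensing state. Per the thread, an unlicensed PA-VM on 7.x writes no
#    traffic logs and is capped at 200 active sessions, so check this first.
admin@PA-VM> show system info | match serial
admin@PA-VM> show system info | match sw-version
admin@PA-VM> request license info
admin@PA-VM> show session info | match "Number of"

# 2. Source the test ping from a dataplane interface. Without "source" the
#    ping leaves via the management interface and never hits policy or logs.
admin@PA-VM> ping source 10.1.1.10 host 10.1.1.20

# 3. Dataplane packet capture, restricted to the test flow (assumed addresses).
admin@PA-VM> debug dataplane packet-diag clear all
admin@PA-VM> debug dataplane packet-diag set filter match source 10.1.1.10 destination 10.1.1.20
admin@PA-VM> debug dataplane packet-diag set filter on
admin@PA-VM> debug dataplane packet-diag set capture stage receive file rx
admin@PA-VM> debug dataplane packet-diag set capture stage drop file drop
admin@PA-VM> debug dataplane packet-diag set capture on
#    ... generate the test traffic (the sourced ping above), then stop:
admin@PA-VM> debug dataplane packet-diag set capture off
admin@PA-VM> view-pcap filter-pcap rx.pcap
admin@PA-VM> view-pcap filter-pcap drop.pcap

# 4. Global counters for the filtered flow only, showing the change since
#    the last run; a non-zero drop counter here names the reason for a drop.
admin@PA-VM> show counter global filter packet-filter yes delta yes

# 5. Confirm whether a session exists and whether anything reached the log.
admin@PA-VM> show session all filter source 10.1.1.10 destination 10.1.1.20
admin@PA-VM> show log traffic direction equal backward

# 6. Remove the filter and captures when finished.
admin@PA-VM> debug dataplane packet-diag clear all
```

Read the results in that order: if step 1 shows the serial as unknown or no license, the empty Monitor tab is the licensing behaviour described above rather than a policy problem. If the firewall is licensed but the receive capture in step 3 is empty, the traffic is not arriving on the dataplane at all (check the sourced ping and the path into the firewall); if it shows packets in the receive stage but also in the drop stage, the counters in step 4 tell you why the dataplane dropped them before a session, and therefore a log entry, was ever created.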