PA-220 - Missing Log for Traffic, Threat, URL, Data Filtering, Wildfire



L2 Linker

Hi Brother,

 

On our PA-220, the GUI stopped showing log records after 21-AUG-2020 08:00.

This impacts the Traffic Log, Threat Log, URL Filtering Log, Data Filtering Log and WildFire Submissions Log.

 

Do you have any experience on this issue?

 

Thanks & Regards,

JC

1 accepted solution

Accepted Solutions

Then try clearing the logs if you do not need them.
Are you sure the firewall is passing traffic?


Cyber Elite

@JamesChim,

 

I can suggest checking the few points below:

 

 

1. Check whether logging is enabled on the security policies that your traffic hits. If someone has unchecked it, no logs will come in after that point.

2. If it is enabled, run the commands below in the CLI on the gateway.

 

show log traffic direction equal backward

show log threat direction equal backward

show log url direction equal backward

 

This will confirm whether logs are being written on the firewall. If you can see logs in the CLI, you may need to restart the management-server process on the gateway, as the issue may be related to the display of logs in the web interface.

 

Also check license on the gateway.

 

M

L2 Linker

admin@PA-220> tail follow yes mp-log logrcvr.log
2020-09-10 14:46:29.980 +0800 debug: pan_sigdb_update_categoryhash(pan_sigdb.c:1232): after reading xml:1599720389
2020-09-10 14:46:29.985 +0800 debug: pan_sigdb_update_categoryhash_from_xml(pan_sigdb.c:1209): after converting to hash:1599720389
2020-09-10 14:46:30.906 +0800 debug: pan_logdb_writer_handle_overflow(pan_logdb_writer.c:3870): getting log num..
2020-09-10 14:46:30.907 +0800 Error: pan_logdb_get_nrecs(pan_logdb_utils.c:605): Invalid loghdr version(0x3) in /opt/pancfg/mgmt/logdb/traffic/1/20200910/pan.log
2020-09-10 14:46:30.907 +0800 Error: _get_log_num(pan_logdb_writer.c:3259): Failed to get nrecs for pan.0000000000.log
2020-09-10 14:46:30.907 +0800 Error: pan_logdb_writer_handle_overflow(pan_logdb_writer.c:3872): Error getting the last log num in dir:/opt/pancfg/mgmt/logdb/traffic/1/20200910
2020-09-10 14:46:30.907 +0800 Error: _write_task_disk_flush_process(pan_logdb_writer.c:2206): Error handling overflow.. will try for the next buffer again
2020-09-10 14:46:30.907 +0800 Error: _taskq_worker(pan_taskq.c:622): Error executing tasks process fn
2020-09-10 14:46:31.177 +0800 Error: _init_cache_handles(pan_sigdb.c:1614): Error getting dbfilename for db_type:3
2020-09-10 14:46:31.177 +0800 Error: pan_sigdb_enable_cache_handles(pan_sigdb.c:4081): Error initializing cache handles for db_type:WPC
2020-09-10 14:46:33.755 +0800 debug: pan_url_category_reset_defaults(pan_url_category.c:351): Revert to original BrightCloud categories
2020-09-10 14:46:33.755 +0800 debug: pan_url_category_reset_defaults(pan_url_category.c:356): Revert to original PAN categories
2020-09-10 14:46:33.845 +0800 debug: pan_log_convert_from_firewall_log(pan_log_receiver.c:2785): pan_log_convert_from_firewall_log, receive rule name WiFi to Internet, rule_uuid 742aea59-dca1-4728-9bac-9f0869a0c12a,
convert to rule_uuid_id 0x74 0x2a 0xea 0x59 0xdc 0xa1 0x47 0x28 0x9b 0xac 0x9f 0x8 0x69 0xa0 0xc1 0x2a
2020-09-10 14:46:33.845 +0800 debug: pan_log_convert_from_firewall_log(pan_log_receiver.c:2785): pan_log_convert_from_firewall_log, receive rule name WiFi to Internet, rule_uuid 742aea59-dca1-4728-9bac-9f0869a0c12a,
convert to rule_uuid_id 0x74 0x2a 0xea 0x59 0xdc 0xa1 0x47 0x28 0x9b 0xac 0x9f 0x8 0x69 0xa0 0xc1 0x2a
2020-09-10 14:46:33.846 +0800 debug: pan_log_convert_from_firewall_log(pan_log_receiver.c:2785): pan_log_convert_from_firewall_log, receive rule name WiFi to Internet, rule_uuid 742aea59-dca1-4728-9bac-9f0869a0c12a,
convert to rule_uuid_id 0x74 0x2a 0xea 0x59 0xdc 0xa1 0x47 0x28 0x9b 0xac 0x9f 0x8 0x69 0xa0 0xc1 0x2a
2020-09-10 14:46:33.846 +0800 debug: pan_log_convert_from_firewall_log(pan_log_receiver.c:2785): pan_log_convert_from_firewall_log, receive rule name WiFi to Internet, rule_uuid 742aea59-dca1-4728-9bac-9f0869a0c12a,
convert to rule_uuid_id 0x74 0x2a 0xea 0x59 0xdc 0xa1 0x47 0x28 0x9b 0xac 0x9f 0x8 0x69 0xa0 0xc1 0x2a
2020-09-10 14:46:33.846 +0800 debug: pan_log_convert_from_firewall_log(pan_log_receiver.c:2785): pan_log_convert_from_firewall_log, receive rule name WiFi to Internet, rule_uuid 742aea59-dca1-4728-9bac-9f0869a0c12a,
convert to rule_uuid_id 0x74 0x2a 0xea 0x59 0xdc 0xa1 0x47 0x28 0x9b 0xac 0x9f 0x8 0x69 0xa0 0xc1 0x2a
2020-09-10 14:46:33.847 +0800 handling logdb overflow..
2020-09-10 14:46:33.847 +0800 Checking to purge traffic logtype
2020-09-10 14:46:34.719 +0800 debug: pan_log_convert_from_firewall_log(pan_log_receiver.c:2785): pan_log_convert_from_firewall_log, receive rule name BLOCK-LIST_ByIn, rule_uuid 6ceeb8db-96dc-472c-8e14-915d8392d02b,
convert to rule_uuid_id 0x6c 0xee 0xb8 0xdb 0x96 0xdc 0x47 0x2c 0x8e 0x14 0x91 0x5d 0x83 0x92 0xd0 0x2b
2020-09-10 14:46:35.837 +0800 debug: pan_logdb_writer_handle_overflow(pan_logdb_writer.c:3870): getting log num..
2020-09-10 14:46:35.837 +0800 Error: pan_logdb_get_nrecs(pan_logdb_utils.c:605): Invalid loghdr version(0x3) in /opt/pancfg/mgmt/logdb/traffic/1/20200910/pan.log
2020-09-10 14:46:35.837 +0800 Error: _get_log_num(pan_logdb_writer.c:3259): Failed to get nrecs for pan.0000000000.log
2020-09-10 14:46:35.837 +0800 Error: pan_logdb_writer_handle_overflow(pan_logdb_writer.c:3872): Error getting the last log num in dir:/opt/pancfg/mgmt/logdb/traffic/1/20200910
2020-09-10 14:46:35.837 +0800 Error: _write_task_disk_flush_process(pan_logdb_writer.c:2206): Error handling overflow.. will try for the next buffer again
2020-09-10 14:46:35.837 +0800 Error: _taskq_worker(pan_taskq.c:622): Error executing tasks process fn
2020-09-10 14:46:38.552 +0800 handling logdb overflow..
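An added example, not from this thread or from Palo Alto Networks: a small Python checker that parses lines in the layout of the logrcvr.log output quoted above and reports when the log writer is failing to commit records to the on-disk logdb, which is the condition under which the GUI and CLI go quiet while traffic is still being passed. The sample lines are constructed by copying lines from the output above; the marker strings and the path pattern are assumptions based on that output.

```python
import re
from collections import Counter

# Layout of the logrcvr.log lines quoted above: timestamp, level, function(file:line): message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4}) "
    r"(?P<level>\w+): (?P<func>\w+)\((?P<src>[^)]+)\): (?P<msg>.*)$")
# Messages (assumed from the quoted output) that mean the writer cannot commit records to the logdb
LOGDB_FAIL_MARKERS = ("Invalid loghdr version", "Error getting the last log num",
                      "Error handling overflow")
PATH_RE = re.compile(r"/opt/pancfg/mgmt/logdb/\S+")

# Constructed sample, copied from the output quoted in the thread
SAMPLE = """\
2020-09-10 14:46:30.906 +0800 debug: pan_logdb_writer_handle_overflow(pan_logdb_writer.c:3870): getting log num..
2020-09-10 14:46:30.907 +0800 Error: pan_logdb_get_nrecs(pan_logdb_utils.c:605): Invalid loghdr version(0x3) in /opt/pancfg/mgmt/logdb/traffic/1/20200910/pan.log
2020-09-10 14:46:30.907 +0800 Error: pan_logdb_writer_handle_overflow(pan_logdb_writer.c:3872): Error getting the last log num in dir:/opt/pancfg/mgmt/logdb/traffic/1/20200910
2020-09-10 14:46:30.907 +0800 Error: _write_task_disk_flush_process(pan_logdb_writer.c:2206): Error handling overflow.. will try for the next buffer again
2020-09-10 14:46:30.907 +0800 Error: _taskq_worker(pan_taskq.c:622): Error executing tasks process fn
2020-09-10 14:46:33.847 +0800 handling logdb overflow..
""".splitlines()

def parse_line(line):
    """Return the fields of one logrcvr.log line, or None for lines without the standard layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def analyze(lines):
    """Summarise Error lines and, among them, logdb write failures and the paths involved."""
    report = {"errors": 0, "logdb_failures": 0, "bad_paths": set(), "reasons": Counter()}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["level"] != "Error":
            continue  # debug lines and bare status lines are not failures
        report["errors"] += 1
        for marker in LOGDB_FAIL_MARKERS:
            if marker in rec["msg"]:
                report["logdb_failures"] += 1
                report["reasons"][marker] += 1
                path = PATH_RE.search(rec["msg"])
                if path:
                    report["bad_paths"].add(path.group(0))
                break
    return report

def logdb_is_healthy(lines):
    """True when no logdb write failure appears; False is a reason the GUI shows no new logs."""
    return analyze(lines)["logdb_failures"] == 0
```

Feed it the output of `tail follow yes mp-log logrcvr.log`; a non-empty `bad_paths` set tells you which logdb directory the writer is choking on before you decide between restarting log-receiver and clearing the logs.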

In addition to what @SutareMayur said:

At the end, try rebooting the firewall.

show log traffic direction equal backward

admin@PA-220> show log traffic direction equal backward
Time App From Src Port Source
Rule Action To Dst Port Destination
Src User Dst User End Reason
Rule_UUid
====================================================================================================
2020/08/21 07:59:59 wechat-base SecurityZone_WiFi 54012 172.16.7.111
WiFi to Internet allow SecurityZone_Internet 80 203.205.255.143
tcp-fin
2020/08/21 07:59:49 dns SecurityZone_WiFi 49852 172.16.7.111
WiFi to Internet allow SecurityZone_Internet 53 210.0.128.251
aged-out
2020/08/21 07:59:49 dns SecurityZone_WiFi 43631 172.16.7.111
WiFi to Internet allow SecurityZone_Internet 53 210.0.128.251
aged-out
2020/08/21 07:59:42 incomplete SecurityZone_WiFi 33492 172.16.7.111
WiFi to Internet allow SecurityZone_Internet 80 47.246.16.233
tcp-rst-from-server

 

show log threat direction equal backward

admin@PA-220> show log threat direction equal backward
Time App From Src Port Source
Rule Action To Dst Port Destination
Severity Src User Dst User Threat Pcap_id
Rule_UUid
==========================================================================================
2020/08/21 07:47:00 ssl SecurityZone_WiFi 39332 172.16.7.111
WiFi to Internet alert SecurityZone_Internet 443 203.119.216.50
info Non-RFC Compliant SSL Traffic on Port 443(56112) 0
2020/08/21 07:45:18 ssl SecurityZone_WiFi 39264 172.16.7.111
WiFi to Internet alert SecurityZone_Internet 443 203.119.216.50
info Non-RFC Compliant SSL Traffic on Port 443(56112) 0
2020/08/21 07:31:35 ssl SecurityZone_WiFi 54948 172.16.7.111
WiFi to Internet alert SecurityZone_Internet 443 203.119.217.112
info Non-RFC Compliant SSL Traffic on Port 443(56112) 0

show log url direction equal backward

admin@PA-220> show log url direction equal backward
Time App From Src Port Source
Rule Action To Dst Port Destination
Severity Src User Dst User Threat Pcap_id
Rule_UUid
==========================================================================================
2020/08/21 07:59:49 paloalto-wildfi SecurityZone_WiFi 60405 172.16.0.254
PA-220 to PAN-UPDAT alert SecurityZone_Internet 443 35.247.145.234
info (9999) 0
2020/08/21 07:57:49 paloalto-wildfi SecurityZone_WiFi 59305 172.16.0.254
PA-220 to PAN-UPDAT alert SecurityZone_Internet 443 35.247.145.234
info (9999) 0
2020/08/21 07:57:05 taobao SecurityZone_WiFi 46660 172.16.7.111
WiFi to Internet alert SecurityZone_Internet 443 140.205.252.4
info (9999) 0
2020/08/21 07:56:51 paloalto-update SecurityZone_WiFi 56117 172.16.0.254
PA-220 to PAN-UPDAT alert SecurityZone_Internet 443 199.167.52.141
info (9999) 0

debug software restart process management-server

debug software restart process management-server

 

I tried restarting the device via the GUI reboot and a physical power off and power on.

 

The problem is still there.


@JamesChim try restarting the log-receiver process:

debug software restart process log-receiver

 

@Abdul-Fattah 

 

The problem is still there after the commands below:

show log traffic direction equal backward
show log url direction equal backward
show log threat direction equal backward
debug log-receiver statistics
debug log-receiver on debug
tail follow yes mp-log logrcvr.log
debug software restart process log-receiver
debug software restart process management-server

 

Then try clearing the logs if you do not need them.
Are you sure the firewall is passing traffic?

@Abdul-Fattah 

 

Thanks for your help.

 

Finally, I needed to clear all logs, including traffic, threat, URL, etc., and then the latest traffic logs started coming in.

 

But I don't know what happened... haha

 

Are you sure the firewall is passing traffic?

-> I think yes; no user has reported being unable to access the internet.
 
 
 

You are welcome.
Make sure the option "Stop Traffic when LogDB full" is disabled. You can find it under Device > Management > Logging Settings > Log Export and Reporting. By default the firewall overwrites old traffic logs when storage is full.
