pa-410 lost monitor log function and ACC function


L0 Member

I have a PA410. After upgrading the software recently, I found that the original monitoring log has reduced a lot of functions, and even the ACC function has been lost.


I checked the website information and found that this function was cancelled after 10.1.2.

 

These are the ones I use the most and I can't even find any replacements or anything about the settings?


I emailed paloalto support with no response at all and I am very disappointed.

 

I desperately need a complete solution.


Community Team Member

Hi @Sailor_Chen ,

 

This is expected behaviour.  For PAN-OS 10.1.2 and later the PA-410 does not write session logs locally.

As a result, the PAN-OS Web Interface does not display any logs in the Monitor tab.

 

Source:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-release-notes/limitations/limitations-in-pan-os...

 

Related discussion:

https://live.paloaltonetworks.com/t5/general-topics/pa-410-tabs-not-displaying-in-monitor-tab/td-p/4...

 

You'll need Panorama or Cortex Data Lake for logs if you stick with the PA-410. Customers might choose the PA-440 instead if the logging poses an issue.

 

Cheers,

-Kiwi.

 
LIVEcommunity team member, CISSP

Hi @kiwi,

Thanks for your reply.

This is unacceptable.

Before I bought the PA-410, no one told me about this problem at all.
And no one told me that I need to pay a huge extra to buy Panorama or Cortex Data Lake for this basic Log function.

And I can't even find any alternatives.

Now, I am completely unable to use the PA-410 in my company.

This time I have a very bad feeling about purchasing and looking for support.

I just found this out as well. We bought 3 x PA410(s) and now I have to try and figure out how to monitor/troubleshoot issues individually at different sites, without a central logging solution. For small businesses (that seems to be the market for this series) this is just mind-boggling. Everyone who has used a Palo knows that traffic logs are the only way to really troubleshoot initial install issues. So, I'm guessing I'm going to have to install the free Splunk license on a laptop and put it at every site so that I can even just do an initial install with logs. This is just nonsense.

Cyber Elite

@W.Thornsbury,

I've said this pretty often, but at this point if you're buying a PA-410 expecting local logging that's a failure on you and the reseller for not doing the necessary research about the hardware solution that you have selected. Logically I see where people kind of don't think to look to validate that local logging is a functionality of the platform, but that's where your VAR comes in that should have been pointing out the lack of local logging.

Back when the PA-410 was released like in this initial thread from a couple years ago, local logging being removed actually was a thing. You would have needed to be a very early customer of the platform to run into the issue, but it was more unexpected and not as well documented.

 

What I would recommend doing is spinning up a centralized syslog server of some sort, whether that would be Splunk or something actually free for unlimited ingest like Graylog. That will allow you to have the logs as you would normally without spending any additional money outside of some donor hardware and disk space.

I very much did do research and have worked with Palo Alto firewalls for 10 years or more, managing hundreds of them in Enterprise environments. I did not see anything at the time that specifically highlighted a lack of local logging, at least in the spec sheets and hardware comparisons. I do agree with you that both my Reseller and Palo Alto Representative should have helped highlight any known limitations. They did not mention anything about this when I bought several PA-410(s) with PA-440(s) and that is disappointing. I am also a Splunk Architect, so I get that is a technical solution, but in a small company, I'm not interested in making this more complex than it should be. The fact that you have to deploy a log collection solution just to install and troubleshoot a firewall is a ridiculous setup. I'm not aware of any other firewall company doing something like this. I understand it is what it is, just frustrating that it's not highlighted in some way. From the research I did, the only place I could find this information was buried in "Known Issues" in the code releases starting in 10.1.2 and moving forward. Also, this appears to be the only firewall platform that I saw where this happened.

Cyber Elite

@W.Thornsbury,

You are correct that it's the only platform without local logging capability. You would either step up to the PA-415 or the PA-440 if you needed local storage. Unfortunately I think some SE/AM and VARs, rather than verifying that you meant to order something without local storage, will assume that you are aware of the limitation. It's a bad thing to assume from a sales aspect considering you're not saving enough money to justify the savings between models unless operating at a large scale (which is where the 410 shines).

 

Depending on when you took delivery, the only advice that can really be offered is asking to return the PA-410s and replace them with either 415s or additional 440s and paying the difference in hardware and subscriptions if viable from a budget aspect.

Whether they'll be willing to work with you is dependent on a number of factors, because they do technically have the out that this is a known limitation with the platform that you ordered. The PA-410 is an amazing platform and a very cheap deployment option for anyone that has centralized logging. Whether that's through Panorama, planned use of CDL, or through a solution like Graylog or Splunk.

I did put in a call to our Rep on Friday. I hope to hear something back. We'll see.  For a small business this was not an inexpensive purchase and just trying to work through the emotions of it.  Again, I've been managing firewalls for 25 years.  The concept of trying to install and troubleshoot issues to get everything working without any local logs, is a completely foreign concept to me.  Even in Enterprise environments where I've worked on the 5000(s) and we have a massive Splunk instance, we still used the local logs to get the firewalls up and connected, then brought everything in to Splunk/Panorama.

 

 
