For details on cookie usage on our site, read our Privacy Policy
PA syslog app id - problems
- LIVEcommunity
- Discussions
- General Topics
- PA syslog app id - problems
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
PA syslog app id - problems
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-13-2020 11:11 PM
Hi
so 5220 - 9.0.5
I have a syslog client and syslog server.
the path goes through my PA.
I have a rule basically says any internal ip is allowed to the syslog server if the app it syslog
that doesn't work, the packets are too short for the PA to distinguish them .. sigh so add in unknown - udp .
now they go through.
next problem tcp syslog on port 514 - default for centos and rhel when using tcp
pa don't think syslog goes on port 514.
okay application override
I say any internal ip going to syslog server on tcp 514 . make it syslog application.
doesn't work . my session are still marked as unkown ... again i am guessing causes it too small.
WTF do you do .
I can see packets on both side. client and server .. and the client is trying to send the pa is not letting through.
FFS 🙂 sigh
any suggestions. I am thinking of just setting any app as long as its port 514 hopefully that will fix it
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-15-2020 05:50 AM
Hi @OtakarKlier,
Seeing 'session aged out' does not mean that firewall is actually dropping traffic. There are multiple reasons for that. It may be the case there are some changes at server end itself. Also if you are trying to access it on TCP port, have you tried to telnet syslog server from client on tcp port?
Are you able to do so?
Mayur
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-15-2020 06:25 AM
Hi
Very true, but I had tcpdump on both side - client and server.
syn tick
syn ack tick
syn ack ack tick
then I see the client trying to push and then flush the tcp connection they don't actually make it to the syslog server.
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-17-2020 02:43 PM
So the word i got from support you can't use app override to a preconfigure app and override the port number...
sigh ... tried that and its still not working 😞
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-17-2020 06:21 PM
Okay worked out the issue !
asym routing
client -> external address
client -> fw -> syslog server via internal address -> loopback (external address !).
return packet was directly back to the client. the FW wasn't seeing all of the packets !'
- XSOAR customer support problems in Cortex XSOAR Discussions
- After enabling Advanced Routing, all IPsec tunnels are down in Next-Generation Firewall Discussions
- Ingesting Syslog to Private/Internal Syslog in Cortex XDR Discussions
- Global Protect IOS, MACOS in GlobalProtect Discussions
- AIOps for NGFW free with existing Cortex Data Lake in AIOps for NGFW Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
