PA syslog app id - problems

Showing results for 
Show  only  | Search instead for 
Did you mean: 

PA syslog app id - problems

L4 Transporter



so 5220 - 9.0.5


I have a syslog client and syslog server.

the path goes through my PA.

I have a rule basically says any internal ip is allowed to the syslog server if the app it syslog 


that doesn't work, the packets are too short for the PA to distinguish them .. sigh so add in unknown - udp .


now they go through.


next problem tcp syslog on port 514 - default for centos and rhel when using tcp 


pa don't think syslog goes on port 514.


okay application override 

I say any internal ip going to syslog server on tcp 514 . make it syslog application.


doesn't work . my session are still marked as unkown ... again i am guessing causes it too small.


WTF do you do .


I can see packets on both side. client and server .. and the client is trying to send the pa is not letting through.


FFS 🙂 sigh


any suggestions. I am thinking of just setting any app as long as its port 514 hopefully that will fix it 




Hi @OtakarKlier,


Seeing 'session aged out' does not mean that firewall is actually dropping traffic. There are multiple reasons for that. It may be the case there are some changes at server end itself. Also if you are trying to access it on TCP port, have you tried to telnet syslog server from client on tcp port?

Are you able to do so?






Very true, but I had tcpdump on both side - client and server.


syn tick

syn ack tick

syn ack ack tick


then I see the client trying to push and then flush the tcp connection they don't actually make it to the syslog server.



So the word i got from support you can't use app override to a preconfigure app and override the port number... 


sigh ... tried that and its still not working 😞

Okay worked out the issue !


asym routing 




client -> external address


client -> fw -> syslog server via internal address -> loopback (external address !).


return packet was directly back to the client. the FW wasn't seeing all of the packets !'

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!