02-13-2020 11:11 PM
so 5220 - 9.0.5
I have a syslog client and syslog server.
the path goes through my PA.
I have a rule basically says any internal ip is allowed to the syslog server if the app it syslog
that doesn't work, the packets are too short for the PA to distinguish them .. sigh so add in unknown - udp .
now they go through.
next problem tcp syslog on port 514 - default for centos and rhel when using tcp
pa don't think syslog goes on port 514.
okay application override
I say any internal ip going to syslog server on tcp 514 . make it syslog application.
doesn't work . my session are still marked as unkown ... again i am guessing causes it too small.
WTF do you do .
I can see packets on both side. client and server .. and the client is trying to send the pa is not letting through.
FFS 🙂 sigh
any suggestions. I am thinking of just setting any app as long as its port 514 hopefully that will fix it
02-15-2020 05:50 AM
Seeing 'session aged out' does not mean that firewall is actually dropping traffic. There are multiple reasons for that. It may be the case there are some changes at server end itself. Also if you are trying to access it on TCP port, have you tried to telnet syslog server from client on tcp port?
Are you able to do so?
02-15-2020 06:25 AM
Very true, but I had tcpdump on both side - client and server.
syn ack tick
syn ack ack tick
then I see the client trying to push and then flush the tcp connection they don't actually make it to the syslog server.
02-17-2020 02:43 PM
So the word i got from support you can't use app override to a preconfigure app and override the port number...
sigh ... tried that and its still not working 😞
02-17-2020 06:21 PM
Okay worked out the issue !
client -> external address
client -> fw -> syslog server via internal address -> loopback (external address !).
return packet was directly back to the client. the FW wasn't seeing all of the packets !'
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!