04-14-2014 10:49 AM
Hi,
I have just installed VM Series and configured it. Traffic goes through, rules are working but there are no logs in the monitor page.
I haven't installed the license yet because I want to be sure that I want to keep it as I configured and without errors.
I will try to provide more details;
PA Version: 6.0.0
VM version: ESXi: 5.1 vSphere:5.1 vCenter:5.1
4 vCPU 4096MB Memory
10 Network Adapters, all VMXNET3 driver
Promiscuous Mode enabled on all of the Port Groups and Distributed Switches.
When I use the command
show counter global filer
It gives the below output:
Global counters:
Elapsed time since last sampling: 9.110 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_recv 281852 39 info packet pktproc Packets received
pkt_sent 27086 0 info packet pktproc Packets transmitted
session_allocated 2105 0 info session resource Sessions allocated
session_freed 2091 0 info session resource Sessions freed
session_installed 2035 0 info session resource Sessions installed
session_discard 548 0 info session resource Session set to discard by security policy check
flow_rcv_err 47 0 drop flow parse Packets dropped: flow stage receive error
flow_rcv_dot1q_tag_err 15170 1 drop flow parse Packets dropped: 802.1q tag not configured
flow_no_interface 15170 1 drop flow parse Packets dropped: invalid interface
flow_ipv6_disabled 3 0 drop flow parse Packets dropped: IPv6 disabled on interface
flow_policy_nat_land 38 0 drop flow session Session setup: source NAT IP allocation result in LAND attack
flow_tcp_non_syn 169 0 info flow session Non-SYN TCP packets without session match
flow_tcp_non_syn_drop 169 0 drop flow session Packets dropped: non-SYN TCP without session match
flow_fwd_l3_noarp 670 0 drop flow forward Packets dropped: no ARP
flow_action_predict 32 0 info flow pktproc Predict sessions created
flow_action_close 512 0 drop flow pktproc TCP sessions closed via injecting RST
flow_arp_pkt_rcv 239780 37 info flow arp ARP packets received
flow_arp_pkt_xmt 672 0 info flow arp ARP packets transmitted
flow_arp_pkt_replied 57 0 info flow arp ARP requests replied
flow_arp_pkt_learned 3 0 info flow arp ARP entry learned
flow_arp_rcv_gratuitous 2 0 info flow arp Gratuitous ARP packets received
flow_arp_rcv_err 2 0 drop flow arp ARP receive error
flow_arp_resolve_xmt 672 0 info flow arp ARP resolution packets transmitted
flow_host_pkt_rcv 134 0 info flow mgmt Packets received from control plane
flow_host_pkt_xmt 2134 0 info flow mgmt Packets transmitted to control plane
flow_host_decap_err 42 0 drop flow mgmt Packets dropped: decapsulation error from control plane
flow_host_service_allow 70 0 info flow mgmt Device management session allowed
flow_host_service_deny 7 0 drop flow mgmt Device management session denied
flow_host_service_unknown 27 0 drop flow mgmt Session discarded: unknown application to control plane
flow_host_vardata_rate_limit_ok 41 0 info flow mgmt Host vardata not sent: rate limit ok
appid_ident_by_icmp 15 0 info appid pktproc Application identified by icmp type
appid_ident_by_heuristics 1 0 info appid pktproc Application identified by heuristics
appid_post_pkt_queued 9 0 info appid resource The total trailing packets queued in AIE
appid_ident_by_dport_first 477 0 info appid pktproc Application identified by L4 dport first
appid_proc 1178 0 info appid pktproc The number of packets processed by Application identification
appid_use_dfa_1 275 0 info appid pktproc The number of packets using the second DFA table
appid_unknown_max_pkts 9 0 info appid pktproc The number of unknown applications caused by max. packets reached
appid_unknown_udp 26 0 info appid pktproc The number of unknown UDP applications after app engine
appid_unknown_fini 18 0 info appid pktproc The number of unknown applications
appid_unknown_fini_empty 364 0 info appid pktproc The number of unknown applications because of no data
appid_skip_terminal 79 0 info appid pktproc The dfa result is terminal
nat_dynamic_port_xlat 2022 0 info nat resource The total number of dynamic_ip_port NAT translate called
nat_dynamic_port_release 2047 0 info nat resource The total number of dynamic_ip_port NAT release called
dfa_sw 8126 0 info dfa pktproc The total number of dfa match using software
tcp_drop_packet 4 0 warn tcp pktproc packets dropped because of failure in tcp reassembly
tcp_case_1 1 0 info tcp pktproc tcp reassembly case 1
tcp_case_2 226 0 info tcp pktproc tcp reassembly case 2
ctd_sml_exit_detector_i 268 0 info ctd pktproc The number of sessions with sml exit in detector i
appid_bypass_no_ctd 37 0 info appid pktproc appid bypass due to no ctd
ctd_handle_reset_and_url_exit 39 0 info ctd pktproc Handle reset and url exit
ctd_stop_proc 27 0 info ctd pktproc ctd stop proc
ctd_err_bypass 268 0 info ctd pktproc ctd error bypass
ctd_run_pattern_match_failure 807 0 info ctd pktproc Run pattern match failure
ctd_run_detector_i 8 0 info ctd pktproc run detector_i
ctd_do_pattern_match 287 0 info ctd pktproc do pattern match
ctd_sml_vm_run_impl_opcodeexit 268 0 info ctd pktproc SML VM opcode exit
ctd_sml_vm_run_impl_immed8000 29 0 info ctd pktproc SML VM immed8000
ctd_sml_opcode_set_file_type 51 0 info ctd pktproc sml opcode set file type
ctd_sml_cache_conflict 3 0 info ctd pktproc The number of sml cache conflict
aho_too_many_matches 1 0 info aho pktproc too many signature matches within one packet
aho_sw 5403 0 info aho pktproc The total usage of software for AHO
ctd_appid_reassign 697 0 info ctd pktproc appid was changed
ctd_decoder_reassign 27 0 info ctd pktproc decoder was changed
ctd_url_block 492 0 info ctd pktproc sessions blocked by url filtering
ctd_pkt_slowpath 6584 0 info ctd pktproc Packets processed by slowpath
log_uid_req_cnt 1 0 info log system Number of uid request logs
log_traffic_cnt 2322 0 info log system Number of traffic logs
log_pkt_diag_us 47 0 info log system Time (us) spend on writing packet-diag logs
zip_process_sw 2 0 info zip pktproc The total number of zip software decompress process
ssl_hsm_up_down_event_rcv 1 0 info ssl pktproc The number of HSM up/down events received
pkt_send_out 24952 0 info packet resource Packets entered module send stage out
--------------------------------------------------------------------------------
Total counters shown: 71
--------------------------------------------------------------------------------
After that, when I use the command:
show counter global filter delta yes
It gives me the below output:
Global counters:
Elapsed time since last sampling: 132.101 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_recv 5953 45 info packet pktproc Packets received
pkt_sent 42 0 info packet pktproc Packets transmitted
session_allocated 1 0 info session resource Sessions allocated
session_freed 2 0 info session resource Sessions freed
session_installed 1 0 info session resource Sessions installed
session_discard 1 0 info session resource Session set to discard by security policy check
flow_rcv_dot1q_tag_err 491 3 drop flow parse Packets dropped: 802.1q tag not configured
flow_no_interface 491 3 drop flow parse Packets dropped: invalid interface
flow_tcp_non_syn 3 0 info flow session Non-SYN TCP packets without session match
flow_tcp_non_syn_drop 3 0 drop flow session Packets dropped: non-SYN TCP without session match
flow_action_close 1 0 drop flow pktproc TCP sessions closed via injecting RST
flow_arp_pkt_rcv 5418 41 info flow arp ARP packets received
flow_host_pkt_xmt 32 0 info flow mgmt Packets transmitted to control plane
appid_proc 1 0 info appid pktproc The number of packets processed by Application identification
appid_unknown_fini_empty 1 0 info appid pktproc The number of unknown applications because of no data
nat_dynamic_port_xlat 1 0 info nat resource The total number of dynamic_ip_port NAT translate called
nat_dynamic_port_release 1 0 info nat resource The total number of dynamic_ip_port NAT release called
dfa_sw 5 0 info dfa pktproc The total number of dfa match using software
ctd_run_pattern_match_failure 1 0 info ctd pktproc Run pattern match failure
aho_sw 4 0 info aho pktproc The total usage of software for AHO
ctd_appid_reassign 1 0 info ctd pktproc appid was changed
ctd_url_block 1 0 info ctd pktproc sessions blocked by url filtering
ctd_pkt_slowpath 4 0 info ctd pktproc Packets processed by slowpath
log_traffic_cnt 2 0 info log system Number of traffic logs
pkt_send_out 10 0 info packet resource Packets entered module send stage out
--------------------------------------------------------------------------------
Total counters shown: 25
--------------------------------------------------------------------------------
All ideas are appreciated.
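Added example, not part of the original post: a small parser for `show counter global` output like the listings above, which re-joins a description that the terminal wrapped onto a second line and pulls out the drop-severity counters that moved, together with `log_traffic_cnt`. The function names `parse_counters` and `triage` are hypothetical; the sample rows are copied from the delta output above.

```python
import re

# Rows copied from the delta output in the post above (columns collapsed to
# single spaces), including one description that wrapped onto a second line.
SAMPLE = """\
Global counters:
Elapsed time since last sampling: 132.101 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_recv 5953 45 info packet pktproc Packets received
flow_rcv_dot1q_tag_err 491 3 drop flow parse Packets dropped: 802.1q tag not configured
flow_no_interface 491 3 drop flow parse Packets dropped: invalid interface
flow_tcp_non_syn_drop 3 0 drop flow session Packets dropped: non-SYN TCP without session mat
ch
flow_action_close 1 0 drop flow pktproc TCP sessions closed via injecting RST
log_traffic_cnt 2 0 info log system Number of traffic logs
--------------------------------------------------------------------------------
Total counters shown: 25
"""

ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(.*)$")
SKIP = re.compile(r"^(-{5,}|name\s+value\b|Total counters|Global counters|Elapsed time)")

def parse_counters(text):
    """Return one dict per counter row, re-joining wrapped descriptions."""
    rows = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or SKIP.match(line):
            continue
        m = ROW.match(line)
        if m:
            name, value, rate, sev, cat, aspect, desc = m.groups()
            rows.append({"name": name, "value": int(value), "rate": int(rate),
                         "severity": sev, "category": cat, "aspect": aspect,
                         "description": desc})
        elif rows:
            # Terminal wrap: glue the fragment back on as-is (a space that
            # fell exactly on the wrap column cannot be recovered).
            rows[-1]["description"] += line
    return rows

def triage(rows):
    """Drop-severity counters that moved (largest first) and log_traffic_cnt."""
    drops = sorted((r for r in rows if r["severity"] == "drop" and r["value"] > 0),
                   key=lambda r: -r["value"])
    logs = next((r["value"] for r in rows if r["name"] == "log_traffic_cnt"), 0)
    return [(r["name"], r["value"]) for r in drops], logs

if __name__ == "__main__":
    print(triage(parse_counters(SAMPLE)))
```

On the sample, the two largest drop counters are the 802.1q and invalid-interface ones, and `log_traffic_cnt` is non-zero during the sampling window.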
04-15-2014 08:42 AM
Do a show session all and see which rule it's hitting by doing a show session id <idnumber>.
Once you have the rule it is hitting, then check if you have logging enabled on that rule; if it says rule: default then it won't be logged.
And if you still don't see the traffic, do debug log-receiver statistics and see if any traffic logs are written.
HTH
Deepak
04-15-2014 10:23 AM
I had the same problem.
I tried many things to solve it.
At last I used a trial 1-month license and registered the VM.
Now the logs come!!! Very strange.
04-15-2014 01:18 PM
Thank you for the input. I have checked the session. The rule was something I wrote and it has logging enabled. Actually I tried session start, end and both of them together.
Then I tried "debug log-receiver statistics" and you can see the results below:
Logging statistics
------------------------------ -----------
Log incoming rate: 1/sec
Log written rate: 1/sec
Corrupted packets: 0
Corrupted URL packets: 0
Logs discarded (queue full): 0
Traffic logs written: 79950
URL logs written: 0
Wildfire logs written: 0
Anti-virus logs written: 0
Spyware logs written: 0
Attack logs written: 0
Vulnerability logs written: 0
Fileext logs written: 0
URL cache age out count: 0
URL cache full count: 0
URL cache key exist count: 0
Traffic alarms dropped due to sysd write failures: 0
Traffic alarms dropped due to global rate limiting: 0
Traffic alarms dropped due to each source rate limiting: 0
Traffic alarms generated count: 0
Log Forward count: 0
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0
Summary Statistics:
Num current drop entries in trsum:0
Num cumulative drop entries in trsum:0
Num current drop entries in thsum:0
Num cumulative drop entries in thsum:0
External Forwarding stats:
Type Enqueue Count Send Count Drop Count Queue Depth Send Rate(last 1min)
syslog 0 0 0 0 0
snmp 0 0 0 0 0
email 0 0 0 0 0
raw 0 0 0 0 0
Where should I go from here?
04-15-2014 01:20 PM
I was afraid someone would say that.
I couldn't find any documents that say I should register it before I see the logs and would love to hear from PA that it is a requirement if it is. I am keeping that solution as a last resort. Thanks.
04-27-2014 03:42 AM
I installed the license and waited for a day, but I can see the logs now. Thank you, panos.
09-11-2020 05:31 AM
As you already discovered, this is per design. I believe not only Palo Alto but any registered partner can issue 30-day VM-100 licenses.
It is a well-known limitation documented in the admin guides and KB here - No Logging in Unlicensed VM-Series Firewall