PA-VM-100 No traffic logging


L1 Bithead

Hi,

I have just installed VM Series and configured it. Traffic goes through and rules are working, but there are no logs in the monitor page.

I haven't installed the license yet because I want to be sure that I want to keep it as I configured and without errors.

I will try to provide more details:

PA Version: 6.0.0

VM version: ESXi: 5.1 vSphere:5.1 vCenter:5.1
4 vCPU 4096MB Memory

10 Network Adapters, all VMXNET3 driver

Promiscuous Mode enabled on all of the Port Groups and Distributed Switches.

When I use the command

show counter global filer

It gives the below output:

Global counters:
Elapsed time since last sampling: 9.110 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                              281852       39 info      packet    pktproc   Packets received
pkt_sent                               27086        0 info      packet    pktproc   Packets transmitted
session_allocated                       2105        0 info      session   resource  Sessions allocated
session_freed                           2091        0 info      session   resource  Sessions freed
session_installed                       2035        0 info      session   resource  Sessions installed
session_discard                          548        0 info      session   resource  Session set to discard by security policy check
flow_rcv_err                              47        0 drop      flow      parse     Packets dropped: flow stage receive error
flow_rcv_dot1q_tag_err                 15170        1 drop      flow      parse     Packets dropped: 802.1q tag not configured
flow_no_interface                      15170        1 drop      flow      parse     Packets dropped: invalid interface
flow_ipv6_disabled                         3        0 drop      flow      parse     Packets dropped: IPv6 disabled on interface
flow_policy_nat_land                      38        0 drop      flow      session   Session setup: source NAT IP allocation result in LAND attack
flow_tcp_non_syn                         169        0 info      flow      session   Non-SYN TCP packets without session match
flow_tcp_non_syn_drop                    169        0 drop      flow      session   Packets dropped: non-SYN TCP without session match
flow_fwd_l3_noarp                        670        0 drop      flow      forward   Packets dropped: no ARP
flow_action_predict                       32        0 info      flow      pktproc   Predict sessions created
flow_action_close                        512        0 drop      flow      pktproc   TCP sessions closed via injecting RST
flow_arp_pkt_rcv                      239780       37 info      flow      arp       ARP packets received
flow_arp_pkt_xmt                         672        0 info      flow      arp       ARP packets transmitted
flow_arp_pkt_replied                      57        0 info      flow      arp       ARP requests replied
flow_arp_pkt_learned                       3        0 info      flow      arp       ARP entry learned
flow_arp_rcv_gratuitous                    2        0 info      flow      arp       Gratuitous ARP packets received
flow_arp_rcv_err                           2        0 drop      flow      arp       ARP receive error
flow_arp_resolve_xmt                     672        0 info      flow      arp       ARP resolution packets transmitted
flow_host_pkt_rcv                        134        0 info      flow      mgmt      Packets received from control plane
flow_host_pkt_xmt                       2134        0 info      flow      mgmt      Packets transmitted to control plane
flow_host_decap_err                       42        0 drop      flow      mgmt      Packets dropped: decapsulation error from control plane
flow_host_service_allow                   70        0 info      flow      mgmt      Device management session allowed
flow_host_service_deny                     7        0 drop      flow      mgmt      Device management session denied
flow_host_service_unknown                 27        0 drop      flow      mgmt      Session discarded: unknown application to control plane
flow_host_vardata_rate_limit_ok           41        0 info      flow      mgmt      Host vardata not sent: rate limit ok
appid_ident_by_icmp                       15        0 info      appid     pktproc   Application identified by icmp type
appid_ident_by_heuristics                  1        0 info      appid     pktproc   Application identified by heuristics
appid_post_pkt_queued                      9        0 info      appid     resource  The total trailing packets queued in AIE
appid_ident_by_dport_first               477        0 info      appid     pktproc   Application identified by L4 dport first
appid_proc                              1178        0 info      appid     pktproc   The number of packets processed by Application identification
appid_use_dfa_1                          275        0 info      appid     pktproc   The number of packets using the second DFA table
appid_unknown_max_pkts                     9        0 info      appid     pktproc   The number of unknown applications caused by max. packets reached
appid_unknown_udp                         26        0 info      appid     pktproc   The number of unknown UDP applications after app engine
appid_unknown_fini                        18        0 info      appid     pktproc   The number of unknown applications
appid_unknown_fini_empty                 364        0 info      appid     pktproc   The number of unknown applications because of no data
appid_skip_terminal                       79        0 info      appid     pktproc   The dfa result is terminal
nat_dynamic_port_xlat                   2022        0 info      nat       resource  The total number of dynamic_ip_port NAT translate called
nat_dynamic_port_release                2047        0 info      nat       resource  The total number of dynamic_ip_port NAT release called
dfa_sw                                  8126        0 info      dfa       pktproc   The total number of dfa match using software
tcp_drop_packet                            4        0 warn      tcp       pktproc   packets dropped because of failure in tcp reassembly
tcp_case_1                                 1        0 info      tcp       pktproc   tcp reassembly case 1
tcp_case_2                               226        0 info      tcp       pktproc   tcp reassembly case 2
ctd_sml_exit_detector_i                  268        0 info      ctd       pktproc   The number of sessions with sml exit in detector i
appid_bypass_no_ctd                       37        0 info      appid     pktproc   appid bypass due to no ctd
ctd_handle_reset_and_url_exit             39        0 info      ctd       pktproc   Handle reset and url exit
ctd_stop_proc                             27        0 info      ctd       pktproc   ctd stop proc
ctd_err_bypass                           268        0 info      ctd       pktproc   ctd error bypass
ctd_run_pattern_match_failure            807        0 info      ctd       pktproc   Run pattern match failure
ctd_run_detector_i                         8        0 info      ctd       pktproc   run detector_i
ctd_do_pattern_match                     287        0 info      ctd       pktproc   do pattern match
ctd_sml_vm_run_impl_opcodeexit           268        0 info      ctd       pktproc   SML VM opcode exit
ctd_sml_vm_run_impl_immed8000             29        0 info      ctd       pktproc   SML VM immed8000
ctd_sml_opcode_set_file_type              51        0 info      ctd       pktproc   sml opcode set file type
ctd_sml_cache_conflict                     3        0 info      ctd       pktproc   The number of sml cache conflict
aho_too_many_matches                       1        0 info      aho       pktproc   too many signature matches within one packet
aho_sw                                  5403        0 info      aho       pktproc   The total usage of software for AHO
ctd_appid_reassign                       697        0 info      ctd       pktproc   appid was changed
ctd_decoder_reassign                      27        0 info      ctd       pktproc   decoder was changed
ctd_url_block                            492        0 info      ctd       pktproc   sessions blocked by url filtering
ctd_pkt_slowpath                        6584        0 info      ctd       pktproc   Packets processed by slowpath
log_uid_req_cnt                            1        0 info      log       system    Number of uid request logs
log_traffic_cnt                         2322        0 info      log       system    Number of traffic logs
log_pkt_diag_us                           47        0 info      log       system    Time (us) spend on writing packet-diag logs
zip_process_sw                             2        0 info      zip       pktproc   The total number of zip software decompress process
ssl_hsm_up_down_event_rcv                  1        0 info      ssl       pktproc   The number of HSM up/down events received
pkt_send_out                           24952        0 info      packet    resource  Packets entered module send stage out
--------------------------------------------------------------------------------
Total counters shown: 71
--------------------------------------------------------------------------------

Afterwards, when I use the command:

show counter global filter delta yes

It gives me the below output:

Global counters:
Elapsed time since last sampling: 132.101 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                                5953       45 info      packet    pktproc   Packets received
pkt_sent                                  42        0 info      packet    pktproc   Packets transmitted
session_allocated                          1        0 info      session   resource  Sessions allocated
session_freed                              2        0 info      session   resource  Sessions freed
session_installed                          1        0 info      session   resource  Sessions installed
session_discard                            1        0 info      session   resource  Session set to discard by security policy check
flow_rcv_dot1q_tag_err                   491        3 drop      flow      parse     Packets dropped: 802.1q tag not configured
flow_no_interface                        491        3 drop      flow      parse     Packets dropped: invalid interface
flow_tcp_non_syn                           3        0 info      flow      session   Non-SYN TCP packets without session match
flow_tcp_non_syn_drop                      3        0 drop      flow      session   Packets dropped: non-SYN TCP without session match
flow_action_close                          1        0 drop      flow      pktproc   TCP sessions closed via injecting RST
flow_arp_pkt_rcv                        5418       41 info      flow      arp       ARP packets received
flow_host_pkt_xmt                         32        0 info      flow      mgmt      Packets transmitted to control plane
appid_proc                                 1        0 info      appid     pktproc   The number of packets processed by Application identification
appid_unknown_fini_empty                   1        0 info      appid     pktproc   The number of unknown applications because of no data
nat_dynamic_port_xlat                      1        0 info      nat       resource  The total number of dynamic_ip_port NAT translate called
nat_dynamic_port_release                   1        0 info      nat       resource  The total number of dynamic_ip_port NAT release called
dfa_sw                                     5        0 info      dfa       pktproc   The total number of dfa match using software
ctd_run_pattern_match_failure              1        0 info      ctd       pktproc   Run pattern match failure
aho_sw                                     4        0 info      aho       pktproc   The total usage of software for AHO
ctd_appid_reassign                         1        0 info      ctd       pktproc   appid was changed
ctd_url_block                              1        0 info      ctd       pktproc   sessions blocked by url filtering
ctd_pkt_slowpath                           4        0 info      ctd       pktproc   Packets processed by slowpath
log_traffic_cnt                            2        0 info      log       system    Number of traffic logs
pkt_send_out                              10        0 info      packet    resource  Packets entered module send stage out
--------------------------------------------------------------------------------
Total counters shown: 25
--------------------------------------------------------------------------------

All ideas are appreciated.

Accepted Solutions

L6 Presenter

I had the same problem.

I tried many things to solve it.

At last I used a trial 1 month license and registered the VM.

Now the logs come!!! Very strange.

L3 Networker

Do a show session all and see which rule it's hitting by doing a show session id <idnumber>.

Once you have the rule it is hitting, check whether you have logging enabled on that rule. If it says rule: default then it won't be logged.

And if you still don't see the traffic, do debug log-receiver statistics and see if any traffic logs are written.

HTH

Deepak

Thank you for the input. I have checked the session. The rule was something I wrote and it has logging enabled. Actually I tried session start, end and both of them together.

Then I tried "debug log-receiver statistics" and you can see the results below:

Logging statistics
------------------------------ -----------
Log incoming rate:             1/sec
Log written rate:              1/sec
Corrupted packets:             0
Corrupted URL packets:         0
Logs discarded (queue full):   0
Traffic logs written:          79950
URL logs written:              0
Wildfire logs written:         0
Anti-virus logs written:       0
Spyware logs written:          0
Attack logs written:           0
Vulnerability logs written:    0
Fileext logs written:          0
URL cache age out count:       0
URL cache full count:          0
URL cache key exist count:     0
Traffic alarms dropped due to sysd write failures: 0
Traffic alarms dropped due to global rate limiting: 0
Traffic alarms dropped due to each source rate limiting: 0
Traffic alarms generated count:  0
Log Forward count:             0
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0

Summary Statistics:
Num current drop entries in trsum:0
Num cumulative drop entries in trsum:0
Num current drop entries in thsum:0
Num cumulative drop entries in thsum:0

External Forwarding stats:
      Type  Enqueue Count     Send Count     Drop Count    Queue Depth     Send Rate(last 1min)
    syslog              0              0              0              0                        0
      snmp              0              0              0              0                        0
     email              0              0              0              0                        0
       raw              0              0              0              0                        0

Where should I go from here?

I was afraid someone would say that.

I couldn't find any documents that says I should register it before I see the logs and would love to hear from PA that it is a requirement if it is. I am keeping that solution as a last resort. Thanks.

I installed the license and waited for a day but I can see the logs now. Thank you panos

As you already discovered, this is by design. I believe not only Palo Alto but any registered partner can issue 30-day VM-100 licenses.

It is a well-known limitation documented in the admin guides and KB here - No Logging in Unlicensed VM-Series Firewall
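
A way to act on the two outputs posted in this thread, as an added example that is not part of the original posts: it parses `show counter global` and `debug log-receiver statistics` text and reports which stage of the logging path the numbers point at. The sample rows are copied from the thread; the three stage names and the decision rule in `locate_gap` are assumptions of this example, not PAN-OS behaviour.

```python
import re

# Sample rows copied from the thread's `show counter global` output; the
# terminal wrapped one description onto a line of its own ("ch").
COUNTERS = """\
name                                   value     rate severity  category  aspect    description
session_installed                       2035        0 info      session   resource  Sessions installed
flow_tcp_non_syn_drop                    169        0 drop      flow      session   Packets dropped: non-SYN TCP without session mat
ch
log_traffic_cnt                         2322        0 info      log       system    Number of traffic logs
"""
# Sample lines copied from the thread's `debug log-receiver statistics` output.
RECEIVER = """\
Log written rate:              1/sec
Logs discarded (queue full):   0
Traffic logs written:          79950
"""
# name, value, rate, severity, category, aspect, then the description text
ROW = re.compile(r"^(\w+)\s+(\d+)\s+(\d+)\s+(\w+)\s+\w+\s+\w+\s+\S")

def parse_counters(text):
    """Return {name: (value, rate, severity)}, skipping headers and wrapped tails."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # wrapped description fragments never match the column shape
            rows[m.group(1)] = (int(m.group(2)), int(m.group(3)), m.group(4))
    return rows

def parse_receiver(text):
    """Return {label: count} for lines of the form 'label: <integer>'."""
    pairs = re.findall(r"^(.+?):[ \t]*(\d+)[ \t]*$", text, re.M)
    return {label.strip(): int(count) for label, count in pairs}

def locate_gap(counters, receiver):
    """Name the stage of the logging path the numbers point at (added heuristic)."""
    generated = counters.get("log_traffic_cnt", (0, 0, ""))[0]
    written = receiver.get("Traffic logs written", 0)
    discarded = receiver.get("Logs discarded (queue full)", 0)
    if generated == 0:
        return "dataplane"      # no traffic logs produced: check the rule's log setting
    if written == 0 or discarded > 0:
        return "log-receiver"   # produced but not written, or dropped in the queue
    return "downstream"         # produced and written: look past the receiver (display, license)

if __name__ == "__main__":
    print(locate_gap(parse_counters(COUNTERS), parse_receiver(RECEIVER)))
```

With the thread's numbers the result is `downstream`, which matches how the thread ended: logs were being generated and written, and the missing piece was the license.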
