Palo Alto firewall does not display traffic log


L1 Bithead

I've just installed the Palo Alto firewall VM version in VirtualBox.

I was able to access it via web (HTTPS) and SSH.

However, when I checked the traffic log, it was empty.

 

PA traffic log.jpg

 

I generated some traffic, such as ping and an nmap scan against the firewall IP, but still no traffic logs appear in it.

 

log-receiver statistics shows 0 traffic logs written, meaning no traffic at all.

 

I've also restarted `log-receiver` as advised in https://live.paloaltonetworks.com/t5/Management-Articles/Traffic-Log-is-Not-Generated-and-Not-Displa... but it didn't help.

 

 

admin@PA-VM> debug software restart log-receiver

Process 'logrcvr' executing RESTART

admin@PA-VM> 

 

What went wrong with this firewall, and how do I fix it?

 

admin@PA-VM> debug log-receiver statistics

Logging statistics
------------------------------ -----------
Log incoming rate:             0/sec
Log written rate:              0/sec
Corrupted packets:             0
Corrupted URL packets:         0
Corrupted HTTP HDR packets:    0
Logs discarded (queue full):   0
Traffic logs written:          0
URL logs written:              0
Wildfire logs written:         0
Anti-virus logs written:       0
Widfire Anti-virus logs written: 0
Spyware logs written:          0
Attack logs written:           0
Vulnerability logs written:    0
Fileext logs written:          0
URL cache age out count:       0
URL cache full count:          0
URL cache key exist count:     0
URL cache wrt incomplete http hdrs count: 0
URL cache rcv http hdr before url count: 0
URL cache full drop count(url log not received): 0
URL cache age out drop count(url log not received): 0
Traffic alarms dropped due to sysd write failures: 0
Traffic alarms dropped due to global rate limiting: 0
Traffic alarms dropped due to each source rate limiting: 0
Traffic alarms generated count:  0
Log Forward count:             0
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0

Summary Statistics:
Num current drop entries in trsum:0
Num cumulative drop entries in trsum:0
Num current drop entries in thsum:0
Num cumulative drop entries in thsum:0

External Forwarding stats:
      Type  Enqueue Count     Send Count     Drop Count    Queue Depth     Send Rate(last 1min)
    syslog              0              0              0              0                        0
      snmp              0              0              0              0                        0
     email              0              0              0              0                        0
       raw              0              0              0              0                        0

admin@PA-VM> 

L4 Transporter

Are your default rules actually set to log??

 

Rob

L6 Presenter

You have only the MGMT interface configured and are pinging that? PA has an out-of-band MGMT interface which is separated from the FW functions.


@RobinClayton wrote:

Are your default rules actually set to log??

 

Rob


Yes, here is the screenshot.

 

Security Policy Rule.jpg


@santonic wrote:

You have only the MGMT interface configured and are pinging that? PA has an out-of-band MGMT interface which is separated from the FW functions.


Thanks ... I did configure another interface, but I still don't see any changes.

 

This time, I can't even ping the internal IP of the Palo Alto firewall from another client.


Here is my topology. Has anyone successfully set up a lab of PA in VirtualBox before?

 

Client (10.1.1.110) --> PA (10.1.1.254)

 

VirtualBox Adapter setting

VirtualBox Adapter 1: Host-only (out of band MGMT interface)

VirtualBox Adapter 2: Internal Network

 

Palo Alto interface setting

 

Ethernet Interface.jpg

 

admin@PA-VM> show interface all

total configured hardware interfaces: 1

name                    id    speed/duplex/state        mac address       
--------------------------------------------------------------------------------
ethernet1/1             16    1000/full/up              bb:bb:bb:bb:bb:bb 

aggregation groups: 0


total configured logical interfaces: 1

name                id    vsys zone             forwarding               tag    address                          
               
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/1         16    1                     N/A                      0      10.1.1.254/32     

admin@PA-VM>

 

Client Config

 

user@linux:~$ ifconfig | grep ad | grep -v 127
eth0      Link encap:Ethernet  HWaddr 00:00:00:AA:AA:A1  
          inet addr:192.168.56.110  Bcast:192.168.56.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:00:00:AA:AA:A2  
          inet addr:10.1.1.110  Bcast:10.1.1.255  Mask:255.255.255.0
user@linux:~$ 

Ping test from Client to Palo Alto internal interface

 

user@linux:~$ ping 10.1.1.254 -c 5
PING 10.1.1.254 (10.1.1.254): 56 data bytes

--- 10.1.1.254 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
user@linux:~$ 

ARP Entry on client

user@linux:~$ arp
? (192.168.56.1) at 00:00:00:00:00:11 [ether]  on eth0
? (192.168.56.254) at aa:aa:aa:aa:aa:a1 [ether]  on eth0
? (10.1.1.254) at <incomplete>  on eth1
user@linux:~$ 

 

ARP Entry on PA fw

admin@PA-VM> show arp all

maximum of entries supported :      500
default timeout:                    1800 seconds
total ARP entries in table :        0
total ARP entries shown :           0
status: s - static, c - complete, e - expiring, i - incomplete

interface         ip address      hw address        port              status   ttl  
--------------------------------------------------------------------------------

admin@PA-VM> 

 

You will never see any traffic to the MGMT interface in the traffic log, as that interface is not a part of the firewall.

 

If you don't get the MAC address of the PA non-mgmt IP, then you have issues at layers below level 3. So until you get a MAC address you won't be able to send any traffic to the PA. So logs will remain empty till then.

Have you set a management profile on the LAN interface?


@santonic wrote:

You will never see any traffic to the MGMT interface in the traffic log, as that interface is not a part of the firewall.

 

If you don't get the MAC address of the PA non-mgmt IP, then you have issues at layers below level 3. So until you get a MAC address you won't be able to send any traffic to the PA. So logs will remain empty till then.


Thanks @santonic, based on ARP and tcpdump output, I suspect this is a Layer 1 issue between VirtualBox and the PA-VM ethernet1/1 interface.

 

I've opened a separate topic for this ... let me know if you need more info.

 

https://live.paloaltonetworks.com/t5/General-Topics/PA-VM-network-setting-in-VirtualBox/m-p/222701#M...
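The checks suggested in the replies above, applied in order to the outputs posted in this thread. This is an added example, not code from any participant or from Palo Alto Networks; the function names are hypothetical, and 192.168.56.254 is assumed to be the firewall's management address, which the thread does not state.

```python
import re

# Outputs copied from the thread, trimmed to the lines the checks read.
CLIENT_ARP = """\
? (192.168.56.1) at 00:00:00:00:00:11 [ether]  on eth0
? (192.168.56.254) at aa:aa:aa:aa:aa:a1 [ether]  on eth0
? (10.1.1.254) at <incomplete>  on eth1
"""
LOGRCVR_STATS = """\
Log incoming rate:             0/sec
Traffic logs written:          0
"""
MGMT_IP = "192.168.56.254"  # assumption: not stated in the thread


def arp_state(arp_output, ip):
    """Return 'complete', 'incomplete' or 'missing' for ip in Linux `arp` output."""
    for line in arp_output.splitlines():
        m = re.match(r"\S+ \(([\d.]+)\) at (\S+)", line)
        if m and m.group(1) == ip:
            return "incomplete" if m.group(2) == "<incomplete>" else "complete"
    return "missing"


def traffic_logs_written(stats_output):
    """Read the counter from `debug log-receiver statistics`; None if absent."""
    m = re.search(r"^Traffic logs written:\s+(\d+)", stats_output, re.M)
    return int(m.group(1)) if m else None


def triage(target_ip, mgmt_ip, arp_output, stats_output):
    """Return the first check that explains an empty traffic log."""
    if target_ip == mgmt_ip:
        return "management-interface: out of band, never shown in the traffic log"
    state = arp_state(arp_output, target_ip)
    if state != "complete":
        return f"arp-{state}: no MAC for {target_ip}, fix connectivity below layer 3"
    written = traffic_logs_written(stats_output)
    if written is None:
        return "stats-unparsed: 'Traffic logs written' counter not found"
    if written == 0:
        return "no-logs: ARP resolves, check that the matching rule is set to log"
    return f"ok: {written} traffic logs written"


if __name__ == "__main__":
    for ip in ("192.168.56.254", "10.1.1.254"):
        print(ip, "->", triage(ip, MGMT_IP, CLIENT_ARP, LOGRCVR_STATS))
```
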
