07-16-2018 07:17 PM - edited 07-16-2018 07:20 PM
I've just installed the Palo Alto firewall VM version in VirtualBox.
I was able to access it via web (HTTPS) and SSH.
However, when I check the traffic log, it is empty.
I generated some traffic, such as ping and nmap scans against the firewall IP, but still no traffic logs appear in it.
The log-receiver statistics show 0 traffic logs written, meaning no traffic at all.
I've also restarted `log-receiver` as advised in https://live.paloaltonetworks.com/t5/Management-Articles/Traffic-Log-is-Not-Generated-and-Not-Displa... but it didn't help.
```
admin@PA-VM> debug software restart log-receiver
Process 'logrcvr' executing RESTART
admin@PA-VM>
```
What went wrong with this firewall and how to fix it?
```
admin@PA-VM> debug log-receiver statistics

Logging statistics
------------------------------ -----------
Log incoming rate: 0/sec
Log written rate: 0/sec
Corrupted packets: 0
Corrupted URL packets: 0
Corrupted HTTP HDR packets: 0
Logs discarded (queue full): 0
Traffic logs written: 0
URL logs written: 0
Wildfire logs written: 0
Anti-virus logs written: 0
Widfire Anti-virus logs written: 0
Spyware logs written: 0
Attack logs written: 0
Vulnerability logs written: 0
Fileext logs written: 0
URL cache age out count: 0
URL cache full count: 0
URL cache key exist count: 0
URL cache wrt incomplete http hdrs count: 0
URL cache rcv http hdr before url count: 0
URL cache full drop count(url log not received): 0
URL cache age out drop count(url log not received): 0
Traffic alarms dropped due to sysd write failures: 0
Traffic alarms dropped due to global rate limiting: 0
Traffic alarms dropped due to each source rate limiting: 0
Traffic alarms generated count: 0
Log Forward count: 0
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0

Summary Statistics:
Num current drop entries in trsum:0
Num cumulative drop entries in trsum:0
Num current drop entries in thsum:0
Num cumulative drop entries in thsum:0

External Forwarding stats:
Type      Enqueue Count   Send Count   Drop Count   Queue Depth   Send Rate(last 1min)
syslog    0               0            0            0             0
snmp      0               0            0            0             0
email     0               0            0            0             0
raw       0               0            0            0             0
admin@PA-VM>
```
07-17-2018 01:03 AM
Are your default rules actually set to log?
Rob
07-17-2018 01:40 AM
You have only the MGMT interface configured and are pinging that? PA has an out-of-band MGMT interface which is separated from the FW functions.
07-17-2018 11:02 PM - edited 07-17-2018 11:05 PM
@santonic wrote: You have only the MGMT interface configured and are pinging that? PA has an out-of-band MGMT interface which is separated from the FW functions.
Thanks ... I did configure another interface, but I still don't see any changes.
This time, I can't even ping the internal IP of the Palo Alto firewall from another client.
Here is my topology. Has anyone successfully set up a lab of PA in VirtualBox before?
Client (10.1.1.110) --> PA (10.1.1.254)
VirtualBox Adapter setting
VirtualBox Adapter 1: Host-only (out of band MGMT interface)
VirtualBox Adapter 2: Internal Network
Palo Alto interface setting
```
admin@PA-VM> show interface all

total configured hardware interfaces: 1

name                    id    speed/duplex/state        mac address
--------------------------------------------------------------------------------
ethernet1/1             16    1000/full/up              bb:bb:bb:bb:bb:bb

aggregation groups: 0

total configured logical interfaces: 1

name                id    vsys zone             forwarding               tag    address
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/1         16    1                     N/A                      0      10.1.1.254/32
admin@PA-VM>
```
Client Config
```
user@linux:~$ ifconfig | grep ad | grep -v 127
eth0      Link encap:Ethernet  HWaddr 00:00:00:AA:AA:A1
          inet addr:192.168.56.110  Bcast:192.168.56.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:00:00:AA:AA:A2
          inet addr:10.1.1.110  Bcast:10.1.1.255  Mask:255.255.255.0
user@linux:~$
```
Ping test from Client to Palo Alto internal interface
```
user@linux:~$ ping 10.1.1.254 -c 5
PING 10.1.1.254 (10.1.1.254): 56 data bytes

--- 10.1.1.254 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
user@linux:~$
```
ARP Entry on client
```
user@linux:~$ arp
? (192.168.56.1) at 00:00:00:00:00:11 [ether] on eth0
? (192.168.56.254) at aa:aa:aa:aa:aa:a1 [ether] on eth0
? (10.1.1.254) at <incomplete> on eth1
user@linux:~$
```
ARP Entry on PA fw
```
admin@PA-VM> show arp all

maximum of entries supported : 500
default timeout: 1800 seconds
total ARP entries in table : 0
total ARP entries shown : 0
status: s - static, c - complete, e - expiring, i - incomplete

interface         ip address      hw address        port              status   ttl
--------------------------------------------------------------------------------

admin@PA-VM>
```
07-17-2018 11:19 PM
You will never see any traffic to the MGMT interface in the traffic log, as that interface is not a part of the firewall.
If you don't get the MAC address of the PA non-mgmt IP, then you have issues at layers below level 3. So until you get the MAC address you won't be able to send any traffic to the PA. So the logs will remain empty till then.
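The check described in the reply above, as an added example that is not part of the original thread: it parses Linux `arp` output and classifies why a probe toward a given firewall address cannot produce traffic-log entries. The function names and verdict strings are hypothetical, the sample is constructed from the client output posted in the thread, and treating 192.168.56.254 as the firewall's MGMT address is an assumption.

```python
import re

# Constructed sample: the client's `arp` output from the thread, one entry per line.
SAMPLE_ARP = """\
? (192.168.56.1) at 00:00:00:00:00:11 [ether] on eth0
? (192.168.56.254) at aa:aa:aa:aa:aa:a1 [ether] on eth0
? (10.1.1.254) at <incomplete> on eth1
"""

# One Linux net-tools `arp` line: host (ip) at hwaddr [hwtype] on iface
ENTRY = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<hw>\S+)(?: \[\w+\])? on (?P<ifc>\S+)$"
)


def parse_arp(text):
    """Return {ip: (hw_or_None, iface)}; hw is None for <incomplete> entries."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # skip prompts, headers and blank lines
        hw = None if m["hw"] == "<incomplete>" else m["hw"].lower()
        table[m["ip"]] = (hw, m["ifc"])
    return table


def triage(arp_text, target_ip, mgmt_ips=()):
    """Classify a probe target (verdict names are hypothetical)."""
    if target_ip in mgmt_ips:
        # Out-of-band MGMT interface: traffic to it never reaches the traffic log.
        return "mgmt-interface"
    entry = parse_arp(arp_text).get(target_ip)
    if entry is None:
        return "no-arp-entry"    # client never tried to resolve this address
    if entry[0] is None:
        return "l2-unresolved"   # ARP unanswered: fix layer 1/2 before expecting logs
    return "l2-ok"               # MAC resolved: move on to rule logging and profiles


if __name__ == "__main__":
    # 192.168.56.254 as the MGMT address is an assumption, not stated in the thread.
    for ip in ("10.1.1.254", "192.168.56.254"):
        print(ip, triage(SAMPLE_ARP, ip, mgmt_ips={"192.168.56.254"}))
```

Only an `l2-ok` verdict makes the earlier questions in the thread (rule logging, interface management profile) worth checking.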
07-18-2018 12:57 AM
Have you set a management profile on the LAN interface?
07-18-2018 01:27 AM
@santonic wrote: You will never see any traffic to the MGMT interface in the traffic log, as that interface is not a part of the firewall.
If you don't get the MAC address of the PA non-mgmt IP, then you have issues at layers below level 3. So until you get the MAC address you won't be able to send any traffic to the PA. So the logs will remain empty till then.
Thanks @santonic, based on the ARP and tcpdump output, I suspect this is a Layer 1 issue between VirtualBox and the PA-VM ethernet1/1 interface.
I've opened a separate topic for this ... let me know if you need more info.