
Knowledge sharing: Palo Alto General Logs and Log files that are in the management, data and control planes overview/review


L6 Presenter

1. Most of the well-known Palo Alto daemons have their own logs that can be reviewed:

 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLUeCAO

 

 

 

 

 

2. It is interesting that on the higher-end Palo Alto platforms like PA-5000 and PA-7050/PA-7080, where there are dedicated interfaces for HA, if the issue is with the HA interface, the Brdagent and Mprelay logs for those interfaces will be in the so-called control plane. For issues with the management interface, look at the Brdagent and Mprelay logs in the management plane (for LACP issues check the System log in the GUI, as there is no separate log for it). On smaller Palo Alto platforms that don't have dedicated HA interfaces there is no separate control plane with a separate CPU. On small platforms like the 220 or virtual editions there is no separate data plane, and the data plane logs are in the management plane.

 

You can check:

 

https://live.paloaltonetworks.com/t5/general-topics/control-plane-vs-management-plane/td-p/240335

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PN8fCAG

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLRBCA4

 

 

 

less dp0-log brdagent.log

 

less cp-log brdagent.log

 

less mp-log brdagent.log

 

 

 

 

3. It is good to note that the higher-end platforms like 5000 and 7000 will have more than one data plane. With 5000 there will be 2 or 3 dataplanes, as the number of rows of ports on the device, but with 7000 each blade will have its own 1 or 2 dataplanes (dp0 and dp1), as if the blade has two rows of ports there will be 2 dataplanes.

 

 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWlCAK

 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U6nCAE&lang=en_US%E2%80%A...

 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClLsCAK

 

 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boHqCAI

 

 

 

 

To see data plane 0 on Slot 1:

 

less s1dp0-log brdagent.log

 

 

 

 

 

4. Useful logs for commit failures are the management plane file ms.log and the Devsrvr log.

 

 

 

 

5. Always check the management plane file masterd log, as it will show you if some daemon or process went down; you can then open the log for the specific process that had issues and see what is written.

 

 

 

 

6. For authentication issues the management plane file Authd log is the place to go. For high availability (HA) issues check ha_agent.log.

 

 

 

 

7. For VPN and SSL decryption issues, better check the System log in the GUI (for newer versions after 9.1 there is a separate GlobalProtect log in the GUI), as it is easier to read than the ikemgr.log file. In version 10 there is a separate log in the GUI for SSL decryption issues. Good to note is that in the CLI you could enable a debug for a process, and this can't be done in the GUI.

 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC

 

 

 

 

 

8. You can also gather a tech support file and open it, as it will have the most logs for the management plane. It is a tar gz Linux archive, and sometimes it is easier to view the logs this way with text editors like Atos/Notepad++ etc. You can look into the Websrvr and Mgmtsrvr logs for GUI issues, or even SSH and GUI etc. (you can still use the command "less webserver-log xxx" to see the webserver or clientless VPN log). Read the article for "Commonly Used Processes/Daemons" that I provided from the start to get the idea. Also it is good to note that for decryption issues in the newer versions there is a separate log in the GUI. If you are a partner and have access to the Palo Alto PANS or Auto Assistant tool, you can better check the logs this way.

 

 

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decry...

 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRlCAK

 

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-support.html

 

 

 

 

Example picture (it is from virtual edition so there will be no data plane or control plane log folders)

 

 

NikolayDimitrov_1-1623698858200.png

 

 

 

 

 

 

If the issue can't be discovered, don't forget that the ultimate solution for non-hardware Palo Alto issues is saving the config to external storage, then a factory default reset of the firewall, and then importing the config again (the TAC does this many times).

 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldXCAS

 

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/reset-the-firewall...

 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRcCAK
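
The symptom-to-log mapping from points 2 and 4-8 above, applied to an unpacked-in-memory tech support archive. This is an added example, not part of the original post and not Palo Alto Networks tooling; the file name prefixes, the keyword pattern, and the sample archive's paths and log lines are assumptions constructed for illustration.

```python
import io
import re
import tarfile

# Symptom -> log file name prefixes, following points 2 and 4-8 of the post.
# The prefixes are assumptions; exact file names vary by PAN-OS version.
SYMPTOM_LOGS = {
    "commit": ("ms.log", "devsrv"),
    "daemon": ("masterd",),
    "auth": ("authd",),
    "ha": ("ha_agent",),
    "vpn": ("ikemgr",),
    "gui": ("websrvr", "mgmtsrvr"),
    "interface": ("brdagent", "mprelay"),
}

def build_sample():
    """Constructed stand-in for a tech support file; paths and lines are invented."""
    files = {
        "var/log/pan/masterd_detail.log": "constructed: process authd exited\nconstructed: heartbeat ok\n",
        "var/log/pan/authd.log": "constructed: authentication failed for user alice\n",
        "var/log/pan/ms.log": "constructed: commit job started\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def triage(archive, symptom, pattern=r"error|fail|exit", max_hits=5):
    """Return {member_path: [matching lines]} for the logs tied to a symptom."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = {}
    with tarfile.open(fileobj=archive, mode="r:*") as tar:
        for member in tar:
            name = member.name.rsplit("/", 1)[-1].lower()
            if not member.isfile() or not name.startswith(SYMPTOM_LOGS[symptom]):
                continue
            # Members are read in place rather than extracted to disk, so
            # member paths inside the archive are never written anywhere.
            lines = (raw.decode("utf-8", "replace").rstrip() for raw in tar.extractfile(member))
            matched = [ln for ln in lines if rx.search(ln)][:max_hits]
            if matched:
                hits[member.name] = matched
    return hits
```

For a real archive, pass `open(path, "rb")` as `archive` and start with the `"daemon"` symptom, as point 5 suggests.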

 

 

3 REPLIES

Community Team Member

Great job putting everything together like this! I'm sure it will be useful for many Palo Alto Networks users!

 

Cheers!

-Kiwi

 
LIVEcommunity team member, CISSP

L3 Networker

Just a note: for 9.1.x it is great that the GlobalProtect log is in a separate tab in the GUI and you can also see latency reports from it, so this helps with investigating bad network connections and showing that the issue is not with the VPN. Also, if the hourly HIP reports failed for some reason, it will be in those logs. For HIP issues other than failed HIP reports, like failed checks, there has long been a log in the GUI called "HIP Match Logs":

 

https://docs.paloaltonetworks.com/globalprotect/5-1/globalprotect-app-new-features/new-features-rele...

 

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/view-and-manage-logs/log-types-...

 

Also, for HIP checks failing to be sent every hour, check:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLXiCAO

 

 

 

This is from my new article:

 

 

https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-globalprotect-split-tunnel-and...

 

 

L1 Bithead

Dear all,

 

I'm having a problem with a PA-820: it's only showing old logs from almost 7 months ago, and there are no new logs in the monitor. Does anyone have any idea how to resolve this issue?

 

 

Thanks.
