Panorama traffic invisible


L4 Transporter

PAN(VM) and PA1 management interfaces are both Zone A.

 

PA1 connects to PA2 (remote site) over an IPSEC tunnel. Traffic from PA2 on PA1 is considered in Zone A, and vice versa on PA2 for traffic from PA1.

 

If I do a packet capture on either PA, I can see there is bidirectional traffic between PA2 and PAN. But the traffic logs don't show anything, whichever PAN/PA I select as source or destination.


L6 Presenter

Not sure if I fully understood your question, but for traffic visibility on the VM you must have active licenses, otherwise no traffic will be shown in the Monitor tab.

We have License for that. We manage both firewalls through Panorama and also push logs to it.

As both the management interfaces for PA1 and PAN are in the same zone, I do not see traffic for them as it does not have to cross the firewall. But for the remote site PA2, which is also managed by Panorama (located at the same site as PA1), traffic has to pass through the tunnel to PA2's management interface. This traffic should be visible at both PA1 and PA2, which it is not.

[attachment: image.png]

Traffic inside same zone will match to intrazone-default rule that does not log traffic by default.

Choose intrazone-default rule and click override.

Then you can edit rule settings to enable log at session end.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Is the session visible in the session table?

The connection from a firewall back to Panorama is a permanent SSL session.

Because it is permanently up, it will not show up in the logs until it is terminated (it is one connection for an 'unlimited' amount of time, rather than a bunch of SSL sessions over time), because logs are generated when a session ends (log at end).

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
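An added set of checks, not from the thread, that follows the accepted answer's question ("is the session in the session table?") and the earlier suggestion to override intrazone-default. The PAN-OS CLI syntax is written from memory and 10.0.0.5 is a placeholder for the Panorama management IP, so confirm each command with `?` completion on your PAN-OS release before committing.

```text
# Operational mode: confirm the long-lived management session exists even
# though nothing appears under Monitor > Logs > Traffic.
# (10.0.0.5 is a placeholder for the Panorama management address.)
> show session all filter destination 10.0.0.5
> show session id <ID-from-previous-output>
#   A session that is hours old and still ACTIVE has simply not been
#   logged yet: with log-at-session-end, the entry is written on close.

# Configuration mode: make intrazone traffic log at session end so the
# PA2 -> Panorama session is recorded once it eventually closes.
# Syntax assumed from memory; verify on your PAN-OS version.
> configure
# set rulebase default-security-rules rules intrazone-default log-end yes
# commit

# Traffic log filter to use afterwards in Monitor > Logs > Traffic:
( addr.dst in 10.0.0.5 )
```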

So what is the recommended log setting? If a malicious traffic session is able to stay up for long, we would not see it.

No need to change anything.
This is only a unique issue with Panorama 'call home' connections; this does not normally apply to regular traffic.
If a threat is detected, the threat will be logged, and if the session is terminated because of the threat (in case the threat action is reset or drop, for example) that will be logged too.
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization