Panorama traffic invisible

L4 Transporter

PAN(VM) and PA1 management interfaces are both in Zone A.

PA1 connects to PA2 (remote site) over an IPSEC tunnel. Traffic from PA2 on PA1 is considered in Zone A, and vice versa on PA2 for traffic from PA1.

 

If I do a packet capture on either PA, I can see there is bidirectional traffic between PA2 and PAN. But the traffic logs don't show anything, whichever PAN/PA I select as source or destination.


All Replies
L6 Presenter

Not sure if I fully understood your question, but for traffic visibility on the VM you must have an active license, otherwise no traffic will be shown in the Monitor tab.

L4 Transporter

We have License for that. We manage both firewalls through Panorama and also push logs to it.

As both the management interface for PA1 and PAN are in the same zone, I do not see traffic for it, as it does not have to cross the firewall. But for the remote site PA2, which is also managed by Panorama (located in the same place as PA1), traffic has to pass through the tunnel to PA2's management interface. This traffic should be visible at both PA1 and PA2, which it is not.

L7 Applicator

Traffic inside the same zone will match the intrazone-default rule, which does not log traffic by default.

Choose the intrazone-default rule and click Override.

Then you can edit the rule settings to enable log at session end.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
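The same override, applied from the firewall CLI instead of the GUI, as an added example that is not part of the thread. The hostname PA1, the zone name Zone-A, the source address 10.0.1.20 (PA2's management address), the Panorama address 10.0.0.10 and the log-forwarding profile name to-panorama are all placeholders; TCP 3978 is the port a managed firewall uses to reach Panorama.

```text
## Added example, not from the thread. All names and addresses are placeholders.

## 1. Confirm which rule the tunnelled management traffic currently hits.
##    With no override this returns intrazone-default, which has no log-end set.
admin@PA1> test security-policy-match source 10.0.1.20 destination 10.0.0.10 protocol 6 destination-port 3978 from Zone-A to Zone-A

## 2. Override the default intrazone rule: log at session end and forward the
##    log via the log-forwarding profile (otherwise Panorama never receives it).
admin@PA1> configure
admin@PA1# set rulebase default-security-rules rules intrazone-default log-end yes
admin@PA1# set rulebase default-security-rules rules intrazone-default log-setting to-panorama
admin@PA1# commit
admin@PA1# exit

## 3. Verify the override landed in the running policy.
admin@PA1> show running security-policy
```

When the rulebase is pushed from Panorama rather than edited locally, the override is made on the default rules under the device group's rulebase and pushed with the rest of the policy; the firewall-local commands above are for the case in the thread where the firewalls are being checked directly.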
L7 Applicator

Is the session visible in the session table?

The connection from a firewall back to Panorama is a permanent SSL session.

Because it is permanently up, it will not show up in the logs until it is terminated (it is one connection for an 'unlimited' amount of time, rather than a bunch of SSL sessions over time), because logs are generated when a session ends (log at end).

Tom Piens - PANgurus.com
New to PAN-OS or getting ready to take the PCNSE? check out amazon.com/dp/1789956374

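Checking the session table for that long-lived SSL session, as an added example that is not part of the thread. The hostname PA1 and the Panorama address 10.0.0.10 are placeholders; TCP 3978 is the port a managed firewall uses to reach Panorama, and the session ID in the second command is whatever the first command lists.

```text
## Added example, not from the thread. Hostname and addresses are placeholders.

## 1. Is the Panorama connection in the session table? A single SSL session
##    towards 10.0.0.10:3978 with an old start time is the permanent session
##    described above.
admin@PA1> show session all filter destination 10.0.0.10 destination-port 3978

## 2. Inspect that one session (substitute the ID from step 1): the start time,
##    the rule it matched and the byte counters show it is alive and carrying
##    traffic even though no traffic log has been written for it yet.
admin@PA1> show session id 12345

## 3. Cross-check the traffic log for the same destination; with the session
##    still up and log-end the only logging, this comes back empty.
admin@PA1> show log traffic query equal "(addr.dst in 10.0.0.10)" direction equal backward

## 4. The management plane's own view of the Panorama connection.
admin@PA1> show panorama-status
```

Step 1 only lists dataplane sessions, so on a firewall whose own management interface reaches Panorama directly (PAN and PA1 in the thread) nothing is expected there; the session shows up on the firewall that forwards another device's management traffic through the tunnel.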
L4 Transporter

So what is the recommended log setting? If a malicious traffic session is able to stay up for long, we would not see it.

L7 Applicator

No need to change anything.
This is a unique issue with Panorama 'call home' connections only; it does not normally apply to regular traffic.
If a threat is detected, the threat will be logged, and if the session is terminated because of the threat (in case the threat action is reset or drop, for example), that will be logged too.
Tom Piens - PANgurus.com
New to PAN-OS or getting ready to take the PCNSE? check out amazon.com/dp/1789956374