"No matching record" in ACC after initialy using the PA-device

Hi Mkiand,

Thx for your suggestions !

Yes indeed:

- NTP has been configured, even before the (data) interfaces were connected. So, onboard time sync was and is now also still in sync.

- For data we want to see, there's an LOG AT START enabled. Should both (start/end) be enabled preferably to have correct and relevant data in ACC ?

I already informed our Palo Alto engineer about this issue. He asked to open a support case in order to have a closer look.

Just 1 remark: I don't know whether there's a link between both, but after creating a CUSTOM REPORT which forced to get data from the threat database for the past +/- 24hours, drilling down into the "Threat monitor" reveals fine grained information about sources/destations/etc.

So, I tried to build a similar custom build report that forced to fetch data from "traffic" database, though the result was not successful: "no matching record" after drill down in the "Traffic monitor"

I'll keep this thread up to date once a solution is provided from the support case. 

The assigned system support engineer provide exactly the same information as described by you.

Concerning the 'awkward' phenomenon about starting fined grained information after having build that custom report, that must have been a coincidence/mix up.

Now, all information is available while drilling down into menus of the Application Command Center.

Thanks again for your valuable feedback.

Does this also mean that if you completely turn logging off on a rule, no information for that rule will ever show up in ACC? So ACC relies completely on logging information? Silly question, I know, but I want to make sure I understand.

Thats how I understands this...

If you disable logging for a particular security rule then this traffic wont show up in traffic/threat logs and by that not show up in ACC either.

If you turn off logging for a rule, the Palo Alto Networks firewall will still show some basic information in the ACC, but you won't get any detailed information.  I just tried this on my lab firewall with a very basic setup.  2 security policy rules (permit all from lan1 to lan2, and permit all from lan2 to lan1) - no logging on either rule. 

I fired up ping and let it run for ~30 minutes.  I also fired up FTP and sent some files through as well.  I waited for the logindexer process to churn through the data (I think it happens every 10 minutes or so).  And when I come check out the ACC, here's what I see:

So the answer is "No", you don't need any logging turned on in order to get _some_ ACC data.  That being said, you won't have any "drill-down" capability.  For example, if I click on "Ping", here's what I see:

So, all of the fields that show "No matching record" require logging to be enabled for those security policy rules - and those are written to the Traffic Log.  I believe the top-level ACC data is held in a different database (Application Statistics).  There are additional databases on the firewall as well (URL / Threat / Config logs, etc.)  If you go to the Custom Reporting section of the firewall, create a new report, and then use the "Database" dropdown list, you'll see the options (Application Statistics or Traffic, for example).

Hope that helps.

Thanks , that helps!

Will these results still be true if you in the bottom of your lab-PA puts a any, any, deny, no log?

Im thinking if the builtin default log somehow would add this stuff to the ACC (similar to how QoS is connected to internal statistics graphs).