Searching for missing logs in Next Gen Firewall monitor log.


L1 Bithead

I am trying to figure out two things.

Background

I have a Cisco ASA VPN concentrator that comes to my PA-5220, then goes to an application server.

I am having issues where I see logs in the ASA of traffic coming from the far end point of the tunnel on a constant basis, then going to the application server. I am not constantly seeing any logs in the Monitor. The application vendor acknowledges the traffic as well.

The logs I see are about 20-30 minutes most of the time.

More interestingly, I have many customers coming in the ASA to the same policy going to the same application server on the same port. Those other IPs are showing constant logging.

The second issue is we see latency in the traffic between the two sides. The application should have constant traffic every second or quicker. What I see is that sometimes, on a constant basis, there are delays from 5 to 45 seconds. Again, no logs in the PA.

First, how can I check for the traffic in the CLI?

In addition, how can I check the traffic to see if the PA is possibly causing the latency?

Thanks

2 REPLIES

L6 Presenter

So the Palo Alto sees clean traffic without any VPN, as the VPN concentrator is the ASA? Do you have split tunnel configured on the ASA? That can cause asymmetrical routing, with not all traffic going to the Palo Alto when reaching the app servers.

Another thing to look for is the application shift on the Palo Alto firewall. When, for example, the traffic is ssl, it will pass the security policy rule selection, and after the decryption on the Palo Alto, when it is seen that the traffic is google, facebook etc., it will again pass the security rule match from top to bottom; this is called application shift. Maybe you have an application shift that afterwards matches a rule without "Log at session end" enabled.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWZCA0

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1aCAC

For the latency, it is best to check the global counters, filtered by source and destination, for something that can cause issues, and to do a pcap capture at the receive and transmit stages for the traffic in both directions (client to server and server to client) to see if the firewall causes the latency issues. Also, you may enable flow basic and the flow log option "appid" to see the application shift if you need it. Months ago I wrote an article for such issues:

https://live.paloaltonetworks.com/t5/general-topics/palo-alto-checking-for-drops-rejects-discards-sl...

L1 Bithead

Hey Eric,

Q. How can I check for the traffic in the CLI?

A. #show session all (I recommend using the filter command to only match the sessions you're after). Alternatively, you can go to the session browser in the GUI.

Q. How can I check the traffic to see if the PA is possibly causing the latency?

A. I find the best way of determining this is to complete a packet capture and look at the timestamps between packets. There's a great article you can find here on how to do it on an NGFW --> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0

Hope this helps!
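To make the packet-capture approach from the two replies concrete, here is an added example (not from this thread, and not Palo Alto Networks code) that compares receive-stage and transmit-stage capture timestamps for one flow. The packet records, flow key and thresholds are constructed sample data, not a real capture; the logic generalises to any two-stage capture where packets can be matched by sequence number.

```python
"""Locate where a delay originates by comparing receive-stage and transmit-stage
capture timestamps. All packet records below are constructed sample data."""

# Constructed records: (timestamp in seconds, flow key, tcp sequence number).
# Flow key = (src, sport, dst, dport); the sequence number lets a packet seen at
# the receive stage be matched to the same packet at the transmit stage.
FLOW = ("10.1.1.5", 40001, "192.0.2.10", 443)
RX_STAGE = [(100.000, FLOW, 1), (101.000, FLOW, 2), (131.000, FLOW, 3), (132.000, FLOW, 4)]
TX_STAGE = [(100.002, FLOW, 1), (101.002, FLOW, 2), (131.003, FLOW, 3), (132.002, FLOW, 4)]


def inter_packet_gaps(records, threshold):
    """Return (flow, prev_ts, ts, gap) for consecutive packets of the same flow
    whose spacing exceeds `threshold` seconds. A 30 s gap already present at the
    receive stage means the delay happened before the firewall saw the packet."""
    last, gaps = {}, []
    for ts, flow, _seq in sorted(records):
        if flow in last and ts - last[flow] > threshold:
            gaps.append((flow, last[flow], ts, round(ts - last[flow], 3)))
        last[flow] = ts
    return gaps


def firewall_transit(rx, tx):
    """Match packets across stages by (flow, seq) and return the time each one
    spent inside the firewall; a packet never seen at tx maps to None."""
    tx_index = {(flow, seq): ts for ts, flow, seq in tx}
    return {(flow, seq): (None if (flow, seq) not in tx_index
                          else round(tx_index[(flow, seq)] - ts, 3))
            for ts, flow, seq in rx}


def locate_delay(rx, tx, gap_threshold=5.0, transit_threshold=0.5):
    """'drop' if rx packets never reach tx, 'firewall' if transit times are
    large, 'upstream' if gaps exist at rx but transit is small, else 'none'."""
    transit = firewall_transit(rx, tx)
    if any(v is None for v in transit.values()):
        return "drop"
    if max(transit.values()) > transit_threshold:
        return "firewall"
    if inter_packet_gaps(rx, gap_threshold):
        return "upstream"
    return "none"


if __name__ == "__main__":
    print(inter_packet_gaps(RX_STAGE, 5.0))
    print(firewall_transit(RX_STAGE, TX_STAGE))
    print(locate_delay(RX_STAGE, TX_STAGE))
```

With the constructed data the 30 s gap is already visible at the receive stage while every packet transits in a few milliseconds, so the verdict is "upstream"; swap in real timestamps from the two capture stages to reproduce the check.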
