11-05-2010 10:54 AM
Our PAN is in an L3 config, and our syslog server is in a virtual-wire zone.
Basically, if I look at monitor/traffic or monitor/session browser, I'm simply swamped with syslog messages as everything is being syslogged once as the PAN management NIC goes from trust (LAN) to untrust, then again as it goes through the vwire-untrust to the vwire-dmz.
Is there any way to reduce this at all please?
Thanks in advance.
11-05-2010 11:09 AM
Hi There,
Perhaps you could create a specific rule for the traffic that is being double counted in the VWire and set the option to not log (or not send to syslog - whichever you prefer).
Thanks
James
11-05-2010 11:17 AM
Thanks James, that's what I've done in the interim, I didn't know if there was a "smarter" way of tackling it was all?
We don't really need real-time logging, we just want some off box logging, and my limited experience of the FTP export found it a bit hit and miss as you have to look in several places to marry up all the data.
I have to say as an aside, this thing rocks, I setup a vwire today and it's saved me having to totally re-IP (is that a word?!) our websites and services on our DMZ hosts to be able to do application recognition and decryption and IPS.
11-05-2010 11:31 AM
This would be the only option - as we must log (as a security device) everything we see and where we see it. Unless the administrator configures the PA Appliance not to.
You are right that FTP export does not correlate the data for you - the two items to look at when cross-referencing logs are the time and session ID. Session IDs do wrap, but within a time frame they are unique - the Session ID is a "tag" PANOS puts on the logs for this purpose (and other purposes).
Good to hear the DMZ insertion worked well for - VWire is very handy. Also nice you can mix and match deployment modes in one box.
Thanks
James
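The cross-referencing James describes (match exported log rows by time and session ID, remembering that session IDs wrap) as an added example, not code from this thread or from Palo Alto: a short Python script that groups rows of a constructed CSV export by session ID within a time window, and treats a reused session ID seen outside that window as a new session. The column names and sample rows are assumptions for illustration, not the real export format.

```python
# Added example (not from the thread): correlate exported PAN-OS-style traffic
# log rows by session ID within a time window, so a flow logged once in the
# L3 zones and again in the vwire zones can be matched up. Column names and
# sample rows are constructed for illustration, not the real export format.
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export: the syslog flow appears twice with the same
# session ID (trust->untrust, then vwire-untrust->vwire-dmz), and a later,
# unrelated flow reuses session ID 1001 after the counter wrapped.
SAMPLE_EXPORT = """receive_time,session_id,from_zone,to_zone,src,dst,app
2010/11/05 10:54:01,1001,trust,untrust,10.0.0.1,192.0.2.10,syslog
2010/11/05 10:54:01,1001,vwire-untrust,vwire-dmz,10.0.0.1,192.0.2.10,syslog
2010/11/05 10:55:30,1002,trust,untrust,10.0.0.5,198.51.100.7,ssl
2010/11/05 14:20:00,1001,trust,untrust,10.0.0.9,203.0.113.4,dns
"""

def correlate_sessions(export_text, window=timedelta(minutes=5)):
    """Group rows sharing a session ID and falling within `window` of the
    first row of the group. A reused (wrapped) session ID seen outside the
    window starts a new group instead of being merged into the old one."""
    rows = list(csv.DictReader(StringIO(export_text)))
    rows.sort(key=lambda r: r["receive_time"])  # yyyy/mm/dd timestamps sort lexically
    groups = {}   # (session_id, first_seen) -> list of rows
    latest = {}   # session_id -> key of the most recent open group
    for row in rows:
        ts = datetime.strptime(row["receive_time"], "%Y/%m/%d %H:%M:%S")
        sid = row["session_id"]
        key = latest.get(sid)
        if key is None or ts - key[1] > window:
            key = (sid, ts)
            groups[key] = []
            latest[sid] = key
        groups[key].append(row)
    return groups

def double_logged(groups):
    """Return session IDs whose group was logged by more than one zone pair."""
    result = []
    for (sid, _), rows in groups.items():
        zone_pairs = {(r["from_zone"], r["to_zone"]) for r in rows}
        if len(zone_pairs) > 1:
            result.append(sid)
    return result

if __name__ == "__main__":
    g = correlate_sessions(SAMPLE_EXPORT)
    print(double_logged(g))  # ['1001']
```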
11-05-2010 11:38 AM
Thanks James, and yes feeling quite peeved at not trying the vwire stuff sooner.
I'll go with the policy with no logging for now, if it becomes too much I can always look at running a syslog box on the LAN so the management NIC won't be traversing zones.
11-05-2010 11:45 AM
Aaah, OK - now I get you.
Try using the service route configuration under the Device tab - main setup screen. You'll need to scroll down to see it. You can then change the source of the syslog traffic to be an alternative L3 Interface - so you could plug another L3 interface into the DMZ and use it just for logging.
Thanks
James
11-05-2010 11:48 AM
Ah I never spotted that! Thank you.
Tbh right now it's not much better simply because even if I change the L3 interface it would have to cross zones to get to the syslog box on the vwire.
As it stands with the "no log" policy it looks like the logs are clear and the syslog stuff only shows up in the session browser, which of course it has to because it's active traffic.
11-05-2010 11:52 AM
You could put a dedicated L3 interface in the DMZ, which does nothing except send syslog - then it would not cross the VWire. Or leave it as is.
Thanks
James