Has anyone experienced any issue with a high amount of traffic sent to a Syslog server by a PAN device when updating from 3.0.8 to 3.1?
It seems to be a bug (or a very strange behavior) introduced in the 3.1 release that causes many logs generated by sessions.
We are in trouble with some customers that disabled syslog log forwarding to preserve the syslog server (flooded by pan device).
We already opened a case (22118) in October but we are waiting for a response by PAN support.
Thanks in advance
I checked your referenced case and it was updated today with the following explanation:
Engineering has informed us that this is expected behavior on 3.1.x and was due to a change in behavior in how syslog sessions are generated from PanOS 3.0.x to 3.1.x. In PanOS 3.0.x syslog sessions used the same source port, whereas syslog sessions in PanOS 3.1.x use different source ports.
The result of using the same source port (PanOS 3.0.x) in the syslog session could result in the downstream firewall reusing the same session for the syslog messages. The result of using a different source port (PanOS 3.1.x) will result in the downstream firewall having to create a new session for each new syslog message, which is why you were seeing a higher number of syslog sessions originating from the PAN firewall.
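
The session-count effect described in the reply above, as an added example that is not part of the original thread and is not Palo Alto Networks code: a simplified model of a downstream stateful firewall's UDP session table, keyed on the flow tuple. The IP addresses, the 30-second idle timeout and the one-message-per-second rate are assumptions chosen for illustration.

```python
"""Added example: simplified model of a stateful firewall's UDP session table."""
import random

SYSLOG_PORT = 514      # standard syslog/UDP destination port
IDLE_TIMEOUT = 30      # assumed UDP idle timeout in seconds (hypothetical value)


def count_sessions(packets, idle_timeout=IDLE_TIMEOUT):
    """Return (sessions_created, peak_concurrent) for a list of
    (timestamp, src_ip, src_port, dst_ip, dst_port) UDP packets."""
    table = {}         # flow key -> timestamp the flow was last seen
    created = peak = 0
    for ts, src_ip, src_port, dst_ip, dst_port in sorted(packets):
        # Expire flows that have been idle longer than the timeout.
        for key in [k for k, last in table.items() if ts - last > idle_timeout]:
            del table[key]
        key = (src_ip, src_port, dst_ip, dst_port, "udp")
        if key not in table:
            created += 1   # no matching session: a new one must be set up
        table[key] = ts    # refresh (or record) the last-seen time
        peak = max(peak, len(table))
    return created, peak


def syslog_stream(n, interval, fixed_port=None, seed=1):
    """Constructed traffic: n syslog messages, one every `interval` seconds.
    With fixed_port set, every message reuses that source port (the 3.0.x
    behaviour described above); otherwise each message gets a distinct
    ephemeral source port (the 3.1.x behaviour)."""
    rng = random.Random(seed)
    ports = rng.sample(range(32768, 61000), n)
    return [(i * interval, "10.0.0.1", fixed_port or ports[i],
             "10.0.0.50", SYSLOG_PORT) for i in range(n)]


if __name__ == "__main__":
    same = count_sessions(syslog_stream(1000, 1, fixed_port=514))
    varied = count_sessions(syslog_stream(1000, 1))
    print("same source port:    created=%d peak=%d" % same)
    print("varying source port: created=%d peak=%d" % varied)
```

In this model the message volume is identical in both runs; only the number of sessions the downstream firewall has to create and hold changes.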