System Log Message "WFRTSIG: Unknown error."

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

System Log Message "WFRTSIG: Unknown error."

L2 Linker

Hey Community,

 

we have a pair of PA-3220 in an active/passive Cluster with panos 10.0.7 and since about 4 weeks we see the following system log entry almost every night around 11pm: WFRTSIG: Unknown error.

We see this entries on both devices (active and passiv) but times are different.

 

What I´ve done so far was to rebboot both devices but the log entry showed up again.

I could not find any hint to the cause of this log entry. 

 

Does anyone have a hint or an idea what may cause this error?

 

Thank you in advance!

 

Greetings,

Alex.

1 accepted solution

Accepted Solutions

Community Team Member

Hi @Alex_Graser ,

 

It means that the real-time wildfire update wasn't able to happen at the time of the error.  I'm leaning towards connection issues to the update server. (WFRTSIG stands for WildFire Real-Time Signatures).

 

What does the command 'show wildfire statistics' tell you ?

 

You could give it a try and switch to every minute or every 15 minutes instead of real-time updates.

 

Also check out this document also for more information:

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/wildfire-features/wildfire-real-ti...

 

Hope it helps,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

View solution in original post

5 REPLIES 5

Community Team Member

Hi @Alex_Graser ,

 

It means that the real-time wildfire update wasn't able to happen at the time of the error.  I'm leaning towards connection issues to the update server. (WFRTSIG stands for WildFire Real-Time Signatures).

 

What does the command 'show wildfire statistics' tell you ?

 

You could give it a try and switch to every minute or every 15 minutes instead of real-time updates.

 

Also check out this document also for more information:

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/wildfire-features/wildfire-real-ti...

 

Hope it helps,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L2 Linker

Hi Kiwi,

 

thank you for your explanation about WFRTSIG !!!

 

A 'show wildfire statistics' gives me the following output - but I don´t know how I should interpret it:

 

Packet based counters:
Total msg rcvd: 34995
Total bytes rcvd: 28025084
Total msg read: 25585
Total bytes read: 19754852
Total msg lost by read: 9410
Total DROP_NO_MATCH_FILE 9410

DP Files upload initiated: 60

DP Files upload succeeded: 50

Counters for file cancellation:
CANCEL_BY_DP 5
CANCEL_FILE_DUP 2
CANCEL_FILESIZE_LIMIT 3

Counters for file forwarding:

file type: apk
FWD_CNT_LOCAL_FILE_PUB 7
FWD_CNT_LOCAL_DUP_PUB 2
FWD_CNT_REMOTE_FILE_PUB 1
FWD_CNT_REMOTE_DUP_CLEAN_PUB 7
FWD_CNT_REMOTE_NO_SUPPORT_PUB 1

file type: pdf
FWD_CNT_LOCAL_FILE_PUB 9
FWD_CNT_REMOTE_FILE_PUB 8
FWD_CNT_REMOTE_DUP_CLEAN_PUB 1

file type: email-link
FWD_CNT_LOCAL_FILE_PUB 33
FWD_CNT_APPENDED_BATCH_PUB 33

file type: ms-office
FWD_CNT_LOCAL_FILE_PUB 1
FWD_CNT_REMOTE_DUP_CLEAN_PUB 1

file type: pe

file type: flash

file type: jar

file type: archive

file type: MacOSX

file type: linux

file type: unknown

file type: script

file type: pdns

Error counters:
LOG_ERR_REPORT_CACHE_NOMATCH_PUB 3

Reset counters:
DP receiver reset cnt: 1
File cache reset cnt: 1
Public Cloud:
Service connection reset cnt: 1
Log cache reset cnt: 1
Report cache reset cnt: 1
Private Cloud:

Resource meters:
data_buf_meter 0%
msg_buf_meter 0%
ctrl_msg_buf_meter 0%
wr_debug_log_buf_meter 0%

File forwarding queues:
priority: 1, size: 0 (PUB), 0 (PRIV)
priority: 2, size: 0 (PUB), 0 (PRIV)
priority: 3, size: 0 (PUB), 0 (PRIV)
priority: 4, size: 0 (PUB), 0 (PRIV)

 

I will set the interval to 1 minute and will check if the error in the system log will still appear.
I´ll post the result tomorrow!

Thanks again, Kiwi!

 

Greetings,

Alex

L2 Linker

Hi @kiwi,

yesterday I set the interval to 15 minutes (instead of real-time) and tonight I got no errors!

Thank you very much!

 

Greetings, Alex.

L0 Member

Bit of an older thread now, but still relevant as we are seeing the same error msgs on a new deployment.

 

My question is how impactful is this? What are the ramifications of moving away from Real-Time updates vs a time delineated schedule?

Cyber Elite
Cyber Elite

Hi @RichMauger ,

 

Setting the interval to real-time allows the NGFW to "access the signatures as soon as they are generated" by the WildFire cloud.  https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/wildfire-features-in-panos-100/wil...  If you set the interval to 15 minutes, you can have up to a 15-minute window in which you are not protected from an unknown threat.  Of course, before the threat was detected in the sand box, you were unprotected.

 

How significant is that window?  I don't know, but the engineers at PANW changed the lowest interval from 5 minutes to real time for a reason.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
  • 1 accepted solution
  • 6547 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!