12-01-2021 12:36 AM
Hey Community,
we have a pair of PA-3220 in an active/passive cluster with PAN-OS 10.0.7, and for about 4 weeks we have seen the following system log entry almost every night around 11pm: WFRTSIG: Unknown error.
We see these entries on both devices (active and passive) but the times are different.
What I've done so far was to reboot both devices, but the log entry showed up again.
I could not find any hint to the cause of this log entry.
Does anyone have a hint or an idea what may cause this error?
Thank you in advance!
Greetings,
Alex.
12-02-2021 01:41 AM
Hi @Alex_Graser ,
It means that the real-time wildfire update wasn't able to happen at the time of the error. I'm leaning towards connection issues to the update server. (WFRTSIG stands for WildFire Real-Time Signatures).
What does the command 'show wildfire statistics' tell you?
You could give it a try and switch to every minute or every 15 minutes instead of real-time updates.
Also check out this document for more information:
Hope it helps,
-Kiwi.
12-02-2021 04:19 AM
Hi Kiwi,
thank you for your explanation about WFRTSIG !!!
A 'show wildfire statistics' gives me the following output - but I don't know how I should interpret it:
Packet based counters:
Total msg rcvd: 34995
Total bytes rcvd: 28025084
Total msg read: 25585
Total bytes read: 19754852
Total msg lost by read: 9410
Total DROP_NO_MATCH_FILE 9410
DP Files upload initiated: 60
DP Files upload succeeded: 50
Counters for file cancellation:
CANCEL_BY_DP 5
CANCEL_FILE_DUP 2
CANCEL_FILESIZE_LIMIT 3
Counters for file forwarding:
file type: apk
FWD_CNT_LOCAL_FILE_PUB 7
FWD_CNT_LOCAL_DUP_PUB 2
FWD_CNT_REMOTE_FILE_PUB 1
FWD_CNT_REMOTE_DUP_CLEAN_PUB 7
FWD_CNT_REMOTE_NO_SUPPORT_PUB 1
file type: pdf
FWD_CNT_LOCAL_FILE_PUB 9
FWD_CNT_REMOTE_FILE_PUB 8
FWD_CNT_REMOTE_DUP_CLEAN_PUB 1
file type: email-link
FWD_CNT_LOCAL_FILE_PUB 33
FWD_CNT_APPENDED_BATCH_PUB 33
file type: ms-office
FWD_CNT_LOCAL_FILE_PUB 1
FWD_CNT_REMOTE_DUP_CLEAN_PUB 1
file type: pe
file type: flash
file type: jar
file type: archive
file type: MacOSX
file type: linux
file type: unknown
file type: script
file type: pdns
Error counters:
LOG_ERR_REPORT_CACHE_NOMATCH_PUB 3
Reset counters:
DP receiver reset cnt: 1
File cache reset cnt: 1
Public Cloud:
Service connection reset cnt: 1
Log cache reset cnt: 1
Report cache reset cnt: 1
Private Cloud:
Resource meters:
data_buf_meter 0%
msg_buf_meter 0%
ctrl_msg_buf_meter 0%
wr_debug_log_buf_meter 0%
File forwarding queues:
priority: 1, size: 0 (PUB), 0 (PRIV)
priority: 2, size: 0 (PUB), 0 (PRIV)
priority: 3, size: 0 (PUB), 0 (PRIV)
priority: 4, size: 0 (PUB), 0 (PRIV)
I will set the interval to 1 minute and will check if the error in the system log will still appear.
I'll post the result tomorrow!
Thanks again, Kiwi!
Greetings,
Alex
12-02-2021 11:23 PM
Hi @kiwi,
yesterday I set the interval to 15 minutes (instead of real-time) and tonight I got no errors!
Thank you very much!
Greetings, Alex.
05-03-2023 02:04 PM
Bit of an older thread now, but still relevant as we are seeing the same error msgs on a new deployment.
My question is how impactful is this? What are the ramifications of moving away from Real-Time updates vs a time delineated schedule?
05-03-2023 06:32 PM
Hi @RichMauger ,
Setting the interval to real-time allows the NGFW to "access the signatures as soon as they are generated" by the WildFire cloud. https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/wildfire-features-in-panos-100/wil... If you set the interval to 15 minutes, you can have up to a 15-minute window in which you are not protected from an unknown threat. Of course, before the threat was detected in the sandbox, you were unprotected.
How significant is that window? I don't know, but the engineers at PANW changed the lowest interval from 5 minutes to real time for a reason.
Thanks,
Tom