I have a question about VLANs. In the different logs you can't find "source VLAN" anywhere. I believe this is because Palo Alto is a zone-based firewall and you should use zones to separate different network types rather than interfaces and VLANs.
When doing troubleshooting, VLAN information would be really good in the traffic and threat logs. And when you connect a Palo Alto using a TAP port you cannot even create different zones for different VLANs because the TAP interfaces can't be assigned to VLANs.
The reason I'm asking is because of this scenario:
1 Palo Alto hooked up using 1 TAP port. This TAP port contains several VLANs. When I examine the logs afterward it all shows up as the security zone connected to the TAP interface. I want to be able to tell which alarms triggered on what VLAN number.
Currently there is nothing in our Monitor logs that allows you to filter by a VLAN number.
However, if you click on the green button for the "add filtering expression" you will see varying filtering options that may help.
Perhaps you could filter on source/destination IP, port, or interface.
Thank you for your reply.
Unfortunately the point of checking the VLAN field in the monitoring logs is to feed another system with information. This system wants VLAN information in order to sort logs into separate containers. And since all traffic is coming in on a TAP port with multiple VLANs, interface filtering is really not applicable.
Since we get the logs either by syslog or scp/CLI access, is there a way to see the VLAN information in the CLI with the "show logs" or something?
And also, do you have any plans on implementing VLAN information in the monitoring logs in the future?