VM series firewalls not sending logs to Panorama


L1 Bithead

Hello again all,

 

 

My next hurdle is figuring out why my VM-Series firewalls aren't getting their logs to the Panorama server.

 

I've checked the following so far:

  1. Network path between the firewalls and Panorama looks good. It's allowing ICMP and all TCP.
  2. Managed collectors (local to this Panorama and an HA Panorama) show green, in sync, green health status.
  3. There's just one collector group with both of those collectors in it.
  4. I've added the VM-Series firewalls into the Device log forwarding section on the collector group.
  5. In the firewall policies, there is traffic hitting them and the action is set to log and forward to a log forwarding profile.
  6. Log forwarding profile has objects to forward all traffic and threat logs to Panorama.

I'm unaware if I'm issuing any configuration points in the above.

If I go to the firewall and run a "debug management-server log-collector-agent-status" there are no agents listed. If I run a "show logging-status", I see a variety of collectors but they are all in a "lr - Inactive" state under connection status.

 

Any idea what I'm missing?

 

Accepted Solutions

Cyber Elite

Hello @Verac22

 

Thanks for the post!

Could you run this command on the Firewall side: "show log-collector preference-list"? If it does not return the IP addresses of Log Collectors, I would restart the management process of the Firewall. Here is the reference KB.

When you assigned the Firewalls to log collectors, did you push the configuration to the log collectors after you committed the change in Panorama? Without this step, the configuration will not be applied and logs will not come. Reference Step No.12, point No.8 in the Doc.

 

Kind Regards

Pavel
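
A small triage helper for the two checks in the answer above, added here as an example; it is not part of the original thread or of any Palo Alto Networks tooling. The function names are hypothetical and the sample strings are constructed stand-ins, not captured PAN-OS output, so adapt the matching to the text your firewalls actually return.

```python
import ipaddress
import re

# Dotted-quad candidates; each is validated with ipaddress before being trusted.
IPV4_TOKEN = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

# Constructed stand-in text (assumption): real command output is laid out differently.
SAMPLE_PREF_EMPTY = "Log collector Preference List\n"
SAMPLE_PREF_OK = "Log collector Preference List\nSerial: CONSTRUCTED-0001 IP Address: 192.0.2.10\n"
SAMPLE_STATUS = "Type  Connection status\ntraffic  lr - Inactive\nthreat  lr - Inactive\n"

def collector_ips(preference_list_output):
    """Valid IPv4 addresses found in 'show log-collector preference-list' text."""
    found = []
    for token in IPV4_TOKEN.findall(preference_list_output):
        try:
            found.append(str(ipaddress.IPv4Address(token)))
        except ipaddress.AddressValueError:
            continue  # looks like an address but is not one, e.g. 999.1.1.1
    return found

def inactive_lines(logging_status_output):
    """Lines of 'show logging-status' text whose connection status reads Inactive."""
    return [line.strip() for line in logging_status_output.splitlines()
            if re.search(r"\bInactive\b", line, re.IGNORECASE)]

def triage(preference_list_output, logging_status_output):
    """Map the two command outputs to the follow-up steps named in the answer."""
    ips = collector_ips(preference_list_output)
    inactive = inactive_lines(logging_status_output)
    push_check = "confirm the collector group config was pushed to the log collectors"
    if not ips:
        # No collector addresses reached the firewall: the answer's first suggestion.
        actions = ["restart the firewall management process", push_check]
    elif inactive:
        actions = [push_check]
    else:
        actions = []
    return {"collectors": ips, "inactive": inactive, "actions": actions}

if __name__ == "__main__":
    print(triage(SAMPLE_PREF_EMPTY, SAMPLE_STATUS))
```
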


Restarting the management process did the trick. I BELIEVE I had done a push to device, though I could be wrong.

 

Bonus question: Do you know if there is a way to automate adding a firewall to a collector group's device log forwarding section? These firewalls can be stood up or down, so right now I think I'll have to add/remove them manually if there is a teardown event.

Cyber Elite

Thank you for the reply @Verac22

Unfortunately, I am not aware of anything outside of the steps for regular firewall onboarding in Step No.3, point No.6: Doc. If I come across something that addresses this, I will revisit this post.

 

Kind Regards

Pavel
