04-06-2026 10:25 AM
Hi Team,
I am currently managing multiple firewalls through Panorama; however, one of the HA firewalls is not forwarding logs to Panorama.
Please find the CLI output below for your reference.
show logging-status
-----------------------------------------------------------------------------------------------------------------------------
Type Last Log Created Last Log Fwded Last Seq Num Fwded Last Seq Num Acked Total Logs Fwded
-----------------------------------------------------------------------------------------------------------------------------
Log Collector :
Connection IP : lr-cms0
Conn Source IP : lr - def
High speed mode : Disabled
Connection Status : lr - Inactive
Rate : 0 logs/sec
traffic Not Available Not Available 0 0 0
threat Not Available Not Available 0 0 0
hipmatch Not Available Not Available 0 0 0
gtp-tunnel Not Available Not Available 0 0 0
auth Not Available Not Available 0 0 0
iptag Not Available Not Available 0 0 0
userid Not Available Not Available 0 0 0
sctp Not Available Not Available 0 0 0
decryption Not Available Not Available 0 0 0
config Not Available Not Available 0 0 0
system Not Available Not Available 0 0 0
globalprotect Not Available Not Available 0 0 0
show panorama-status
Panorama Server 1 : 172.30.0.6
Connected : yes
HA state : Unknown
It appears that the firewall is unable to connect to the Panorama log collector. Could you please assist in investigating and resolving this issue?
04-06-2026 02:17 PM
Hi @RoneyRajan123 ,
I'd verify the Collector Group is properly configured on Panorama first and see that the firewall is assigned to it. The Collector Group config needs to be committed and pushed to Panorama and the Collector Group itself. Also, make sure you have the log forwarding profile configured and associated with all your security policies on the firewall for the logs to get sent over.
Next, I'd rule out any connectivity issues.
Verify the log collector the firewall is trying to use:
show log-collector preference-list
Now, how is your firewall trying to communicate with this log collector? Verify your service routes: Device > Setup > Services > Service Route Configuration. The goal here is to confirm which interface the firewall is using to reach the Log Collector.
If service routes have not been customized, it will use the management interface by default. In that case, test with:
ping host <collector ip>
If you have a custom service route and are using a different interface:
ping source <interface_ip> host <log_collector_ip>
You can also confirm whether the firewall is actually building a tcp session to the Log Collector on port 3978. Run this in your CLI:
show netstat numeric-host yes numeric-port yes all yes | match 3978
If you don't see an established session there, I'd focus on the path between the firewall and the Log Collector. Maybe you aren't getting there due to a layer 3 or layer 4 issue.
04-06-2026 04:26 PM
Hello @RoneyRajan123
Only to add to Jay's excellent answer: from the output you provided, your firewall is successfully registered in Panorama; however, the connection to the log collector is inactive. If the output from "show log-collector preference-list" returns the correct list of log collectors, then I would restart the firewall's management server process: "debug software restart process management-server".
Kind Regards
Pavel
04-07-2026 06:58 AM
Hi Team,
Thank you for your response.
I would like to provide some additional details regarding the issue. In this environment, we manage multiple firewalls; however, the log forwarding issue is currently observed only on specific firewalls. Recently, these firewalls were onboarded to the Strata Logging Service (SLS) as part of the Cortex XDR implementation, and the issue has been consistently noticed since then.
For your reference, please find the additional CLI outputs below to assist with further analysis.
show logging-status
-----------------------------------------------------------------------------------------------------------------------------
Type Last Log Created Last Log Fwded Last Seq Num Fwded Last Seq Num Acked Total Logs Fwded
-----------------------------------------------------------------------------------------------------------------------------
Log Collector :
Connection IP : lr-cms0
Conn Source IP : lr - def
High speed mode : Disabled
Connection Status : lr - Inactive
Rate : 0 logs/sec
traffic Not Available Not Available 0 0 0
threat Not Available Not Available 0 0 0
hipmatch Not Available Not Available 0 0 0
gtp-tunnel Not Available Not Available 0 0 0
auth Not Available Not Available 0 0 0
iptag Not Available Not Available 0 0 0
userid Not Available Not Available 0 0 0
sctp Not Available Not Available 0 0 0
decryption Not Available Not Available 0 0 0
config Not Available Not Available 0 0 0
system Not Available Not Available 0 0 0
globalprotect Not Available Not Available 0 0 0
Log Collector : PANW_LOG_RECEPTOR_SRV
Connection IP : lr-34.90.253.226
Conn Source IP : lr - def
High speed mode : Disabled
Connection Status : lr - Inactive
Rate : 0 logs/sec
traffic Not Available Not Available 0 0 0
threat Not Available Not Available 0 0 0
hipmatch Not Available Not Available 0 0 0
gtp-tunnel Not Available Not Available 0 0 0
auth Not Available Not Available 0 0 0
iptag Not Available Not Available 0 0 0
userid Not Available Not Available 0 0 0
sctp Not Available Not Available 0 0 0
decryption Not Available Not Available 0 0 0
config Not Available Not Available 0 0 0
system Not Available Not Available 0 0 0
globalprotect Not Available Not Available 0 0 0
Log Collector :
Connection IP : lr-cms1
Conn Source IP : lr - def
High speed mode : Disabled
Connection Status : lr - Inactive
Rate : 0 logs/sec
traffic Not Available Not Available 0 0 0
threat Not Available Not Available 0 0 0
hipmatch Not Available Not Available 0 0 0
gtp-tunnel Not Available Not Available 0 0 0
auth Not Available Not Available 0 0 0
iptag Not Available Not Available 0 0 0
userid Not Available Not Available 0 0 0
sctp Not Available Not Available 0 0 0
decryption Not Available Not Available 0 0 0
config Not Available Not Available 0 0 0
system Not Available Not Available 0 0 0
globalprotect Not Available Not Available 0 0 0
Forward to all: Yes
Serial Number: PANW_LOG_RECEPTOR_SRV FQDN: d352cdc8-a71d-4ea3-8298-e35d14d9e3ed.in2-lc-prod-eu.gpcloudservice.com
-----------------------------------------------------------------------------------------------------------------------------
Type Last Log Created Last Log Fwded Last Seq Num Fwded Last Seq Num Acked Total Logs Fwded
-----------------------------------------------------------------------------------------------------------------------------
Log Collector : PANW_LOG_RECEPTOR_SRV
Conn ID : lr-34.90.253.226
Connection IP : 34.90.253.226
Conn Source IP : lr - def
High speed mode : Disabled
Connection Status : lr - Inactive
DNS :
msg : Successfully resolved FQDN for connid (lr-34.90.253.226-def), IP (34.90.253.226)
status : success
timestamp : 2026/04/05 10:37:24
Registration :
msg :
status :
timestamp :
SSL :
msg : ssl channel established
status : success
timestamp : 2026/04/05 10:37:24
TCP :
msg : tcp connection established
status : success
timestamp : 2026/04/05 10:37:24
Conn Uptime : 0
Re-conn Count : 0
Rate : 0 logs/sec
traffic Not Available Not Available 0 0 0
threat Not Available Not Available 0 0 0
hipmatch Not Available Not Available 0 0 0
gtp-tunnel Not Available Not Available 0 0 0
auth Not Available Not Available 0 0 0
iptag Not Available Not Available 0 0 0
userid Not Available Not Available 0 0 0
sctp Not Available Not Available 0 0 0
decryption Not Available Not Available 0 0 0
config Not Available Not Available 0 0 0
system Not Available Not Available 0 0 0
globalprotect Not Available Not Available 0 0 0
Log Collector : PANW_LOG_RECEPTOR_SRV
Conn ID : lr-34.90.253.226-4
Connection IP : 34.90.253.226
Conn Source IP : lr - def
High speed mode : Disabled
Connection Status : lr - Inactive
DNS :
msg : Successfully resolved FQDN for connid (lr-34.90.253.226-4-def), IP (34.90.253.226)
status : success
timestamp : 2026/04/05 10:37:24
Registration :
msg :
status :
timestamp :
SSL :
msg : SSL connect retry. sslerr=2
status : failure
timestamp : 2026/04/05 10:37:24
TCP :
msg : tcp connection established
status : success
timestamp : 2026/04/05 10:37:24
Conn Uptime : 0
Re-conn Count : 0
Rate : 0 logs/sec
traffic Not Available Not Available 0 0 0
threat Not Available Not Available 0 0 0
hipmatch Not Available Not Available 0 0 0
gtp-tunnel Not Available Not Available 0 0 0
auth Not Available Not Available 0 0 0
iptag Not Available Not Available 0 0 0
userid Not Available Not Available 0 0 0
sctp Not Available Not Available 0 0 0
decryption Not Available Not Available 0 0 0
config Not Available Not Available 0 0 0
system Not Available Not Available 0 0 0
globalprotect Not Available Not Available 0 0 0
Log Collector : PANW_LOG_RECEPTOR_SRV
Conn ID : lr-34.90.253.226-3
Connection IP : 34.90.253.226
Conn Source IP : lr - def
High speed mode : Disabled
Connection Status : lr - Inactive
DNS :
msg : Successfully resolved FQDN for connid (lr-34.90.253.111-3-def), IP (34.90.253.111)
status : success
timestamp : 2026/04/05 10:37:23
Registration :
msg :
status :
timestamp :
SSL :
msg : SSL connect retry. sslerr=2
status : failure
timestamp : 2026/04/05 10:37:23
TCP :
msg : tcp connection established
status : success
timestamp : 2026/04/05 10:37:23
Conn Uptime : 0
Re-conn Count : 0
Rate : 0 logs/sec
traffic Not Available Not Available 0 0 0
threat Not Available Not Available 0 0 0
hipmatch Not Available Not Available 0 0 0
gtp-tunnel Not Available Not Available 0 0 0
auth Not Available Not Available 0 0 0
iptag Not Available Not Available 0 0 0
userid Not Available Not Available 0 0 0
sctp Not Available Not Available 0 0 0
decryption Not Available Not Available 0 0 0
config Not Available Not Available 0 0 0
system Not Available Not Available 0 0 0
globalprotect Not Available Not Available 0 0 0
Log Collector : PANW_LOG_RECEPTOR_SRV
Conn ID : lr-34.90.253.226-2
Connection IP : 34.90.253.226
Conn Source IP : lr - def
High speed mode : Disabled
Connection Status : lr - Inactive
DNS :
msg : Successfully resolved FQDN for connid (lr-34.90.253.111-2-def), IP (35.90.253.111)
status : success
timestamp : 2026/04/05 10:37:23
Registration :
msg :
status :
timestamp :
SSL :
msg : SSL connect retry. sslerr=2
status : failure
timestamp : 2026/04/05 10:37:23
TCP :
msg : tcp connection established
status : success
timestamp : 2026/04/05 10:37:23
Conn Uptime : 0
Re-conn Count : 0
Rate : 0 logs/sec
traffic Not Available Not Available 0 0 0
threat Not Available Not Available 0 0 0
hipmatch Not Available Not Available 0 0 0
gtp-tunnel Not Available Not Available 0 0 0
auth Not Available Not Available 0 0 0
iptag Not Available Not Available 0 0 0
userid Not Available Not Available 0 0 0
sctp Not Available Not Available 0 0 0
decryption Not Available Not Available 0 0 0
config Not Available Not Available 0 0 0
system Not Available Not Available 0 0 0
globalprotect Not Available Not Available 0 0 0
Log Collector : PANW_LOG_RECEPTOR_SRV
Conn ID : lr-34.90.253.226-1
Connection IP : 34.90.253.226
Conn Source IP : lr - def
High speed mode : Disabled
Connection Status : lr - Inactive
DNS :
msg : Successfully resolved FQDN for connid (lr-34.90.253.226-1-def), IP (34.90.253.226)
status : success
timestamp : 2026/04/05 10:37:23
Registration :
msg :
status :
timestamp :
SSL :
msg : ssl channel established
status : success
timestamp : 2026/04/05 10:37:24
TCP :
msg : tcp connection established
status : success
timestamp : 2026/04/05 10:37:23
Conn Uptime : 0
Re-conn Count : 0
Rate : 0 logs/sec
traffic Not Available Not Available 0 0 0
threat Not Available Not Available 0 0 0
hipmatch Not Available Not Available 0 0 0
gtp-tunnel Not Available Not Available 0 0 0
auth Not Available Not Available 0 0 0
iptag Not Available Not Available 0 0 0
userid Not Available Not Available 0 0 0
sctp Not Available Not Available 0 0 0
decryption Not Available Not Available 0 0 0
config Not Available Not Available 0 0 0
system Not Available Not Available 0 0 0
globalprotect Not Available Not Available 0 0 0
log info is not available
Enhanced Log Details:
log info is not available
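The verbose `show logging-status` output above is easier to triage once it is reduced to the first stage each connection failed at. The following Python sketch is an added example, not part of the original thread or any Palo Alto Networks tooling; it assumes the stages complete in the order DNS, TCP, SSL, Registration and that an empty status means the stage never completed, and its sample input is trimmed from the output posted above.

```python
STAGES = ("DNS", "TCP", "SSL", "Registration")  # assumed setup order (not from the thread)

def parse_logging_status(text):
    """Split verbose `show logging-status` output into one dict per connection."""
    conns, cur, stage = [], None, None
    for line in text.splitlines():
        key, sep, val = (p.strip() for p in line.partition(":"))
        if not sep or (cur is None and key != "Log Collector"):
            continue  # table rows, rulers and preamble carry no usable "key : value"
        if key == "Log Collector":
            cur, stage = {"collector": val, "stages": {}}, None
            conns.append(cur)
        elif key in STAGES and not val:
            stage = key
            cur["stages"][stage] = {}
        elif stage and key in ("msg", "status", "timestamp"):
            cur["stages"][stage][key] = val
        else:
            cur[key], stage = val, None
    return conns

def first_failed_stage(conn):
    """Earliest stage not reporting success, as (stage, detail); None if all succeed."""
    for name in STAGES:
        st = conn["stages"].get(name, {})
        if st.get("status") != "success":
            return name, st.get("msg") or "no status reported"
    return None

def triage(text):
    """(conn id, connection status, failed stage, detail) per connection with stage detail."""
    rows = []
    for c in parse_logging_status(text):
        if c["stages"]:  # summary blocks (e.g. lr-cms0) have no per-stage detail
            failed = first_failed_stage(c) or ("none", "")
            rows.append((c.get("Conn ID"), c.get("Connection Status"), *failed))
    return rows

# Sample trimmed from the output posted above (timestamps and most table rows dropped).
SAMPLE = "\n".join([
    "Log Collector :", "Connection IP : lr-cms0", "Connection Status : lr - Inactive",
    "traffic Not Available Not Available 0 0 0",
    "Log Collector : PANW_LOG_RECEPTOR_SRV", "Conn ID : lr-34.90.253.226",
    "Connection Status : lr - Inactive", "DNS :", "status : success", "Registration :",
    "msg :", "status :", "SSL :", "msg : ssl channel established", "status : success",
    "TCP :", "msg : tcp connection established", "status : success",
    "Log Collector : PANW_LOG_RECEPTOR_SRV", "Conn ID : lr-34.90.253.226-4",
    "Connection Status : lr - Inactive", "DNS :", "status : success", "Registration :",
    "msg :", "status :", "SSL :", "msg : SSL connect retry. sslerr=2", "status : failure",
    "TCP :", "msg : tcp connection established", "status : success"])
```

Run against the sample, `triage(SAMPLE)` reports one connection stopping at Registration with no status and one stopping at SSL with `sslerr=2`, while the `lr-cms0` summary block is skipped.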
04-07-2026 07:01 AM
Logging Service Preference List
Forward to all: Yes
Serial Number: PANW_LOG_RECEPTOR_SRV FQDN: d352cdc8-a71d-4ea3-8298-e35d14d9e3ed.in2-lc-prod-eu.gpcloudservice.com
04-07-2026 07:03 AM
It seems from the log that the Panorama log collector is not connecting. Is there any way I can reconnect it?
I also restarted the management plane of the firewall.
04-07-2026 07:07 AM
show log-collector preference-list
Logging Service Preference List
Forward to all: Yes
Serial Number: PANW_LOG_RECEPTOR_SRV FQDN: d352cdc8-a71d-4ea3-8298-e35d14d9e3ed.in2-lc-prod-eu.gpcloudservice.com
04-08-2026 05:35 AM
Hey @RoneyRajan123 ,
Can you run the following commands and share the output? We will want to verify the Strata Logging Service status and config, as well as that your fw has a valid device cert (this is needed to establish a secure connection to SLS).
request logging-service-forwarding status
request logging-service-forwarding customerinfo show
request logging-service-forwarding certificate info
show system state | match cfg.lcaas-region

