12-04-2024 03:54 PM
Hello Team,
I had the following scenario: 1 HA NGFW pair and a Panorama device in Panorama mode on PAN-OS version 10.2.8-h4, and on the Panorama device we don't see any logs from the active NGFW. I checked the Log Forwarding profiles and the Permitted IPs on the MGT interfaces, and only with the show log-collector preference-list command on the CLI do we get the following output on the active device:
user@NGFW(active)> show log-collector preference-list
Logging Service Preference List
Forward to all: Yes
Serial Number: PANW_LOG_RECEPTOR_SRV FQDN: -lc-prod-eu.gpcloudservice.com
We send logs to CDL (Cortex Data Lake) or Strata Logging Service and to Panorama as well, but in the previous command we just see the preference list with the CDL instance but not the Panorama device.
With the show logging-status command we have the following output on the active device:
user@NGFW(active)> show logging-status
-----------------------------------------------------------------------------------------------------------------------------
Type Last Log Created Last Log Fwded Last Seq Num Fwded Last Seq Num Acked Total Logs Fwded
-----------------------------------------------------------------------------------------------------------------------------
Log Collector :
Connection IP : lr-cms0
Conn Source IP : lr - def
High speed mode : Disabled
Connection Status : lr - Inactive
Rate : 0 logs/sec
traffic Not Available Not Available 0 0 0
threat Not Available Not Available 0 0 0
hipmatch Not Available Not Available 0 0 0
gtp-tunnel Not Available Not Available 0 0 0
auth Not Available Not Available 0 0 0
iptag Not Available Not Available 0 0 0
userid Not Available Not Available 0 0 0
sctp Not Available Not Available 0 0 0
decryption Not Available Not Available 0 0 0
config Not Available Not Available 0 0 0
system Not Available Not Available 0 0 0
globalprotect Not Available Not Available 0 0 0
Do you have any idea about how to fix this issue with the log forwarding?
Regards,
12-04-2024 08:51 PM
Hello @DanielS.Romero
Thanks for the post!
Are you trying to send logs from Firewall to SLS and Panorama at the same time? If yes, then you will have to select: "Enable duplicate logging" check box. Could you scroll down to point No.4 in this link: https://docs.paloaltonetworks.com/strata-logging-service/activation-and-onboarding/onboard-overview
Kind Regards
Pavel
12-04-2024 04:17 PM
I attached an additional validation command from the Panorama's CLI, proving that the Panorama doesn't receive any logs from the active NGFW with serial 1233324233640:
user@Panorama> show logging-status device 1233324233640
Type Last Log Rcvd Last Seq Num Rcvd Last Log Generated
Source IP : Default
Destination IP : Default
Source Daemon : unknown
Connection Id : 1233324233640
Log rate: 0
config N/A N/A N/A
system N/A N/A N/A
threat N/A N/A N/A
traffic N/A N/A N/A
hipmatch N/A N/A N/A
gtp-tunnel N/A N/A N/A
userid N/A N/A N/A
iptag N/A N/A N/A
auth N/A N/A N/A
sctp N/A N/A N/A
decryption N/A N/A N/A
globalprotect N/A N/A N/A
12-05-2024 02:57 PM
Hello @PavelK
Thanks a lot for your answer. I tried checking that check box on the NGFWs and then the NGFWs started sending log traffic to the Panorama device. Thanks again!
Regards,
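A silent forwarding gap like the one in this thread can be caught by parsing the firewall's `show logging-status` output on a schedule. The script below is an added example, not part of any post in this thread and not Palo Alto Networks code; the sample text is constructed, the timestamp format in its last row is an assumption, and reading "acked lower than fwded" as unacknowledged logs is an interpretation of the column names.

```python
import re

# Constructed sample modelled on the firewall output quoted in this thread.
# The timestamped "system" row is an assumed format, added for illustration.
SAMPLE = """\
Log Collector :
Connection Status : lr - Inactive
Rate : 0 logs/sec
traffic Not Available Not Available 0 0 0
threat Not Available Not Available 0 0 0
system 2024/12/04 15:50:01 2024/12/04 15:50:02 42 40 42
"""

# <type> <two time columns or "Not Available"> <seq fwded> <seq acked> <total>
ROW = re.compile(r"^([a-z][a-z-]*)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)$")

def parse_logging_status(text):
    """Split the output into 'Key : value' fields and per-log-type counters."""
    fields, types = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # blank line or table rule
        row = ROW.match(line)
        if row:
            types[row.group(1)] = {"seq_fwded": int(row.group(3)),
                                   "seq_acked": int(row.group(4)),
                                   "total_fwded": int(row.group(5))}
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields, types

def logging_gaps(text):
    """Return readable findings; an empty list means no gap was detected."""
    fields, types = parse_logging_status(text)
    findings = []
    if "inactive" in fields.get("Connection Status", "").lower():
        findings.append("log collector connection is inactive")
    never = sorted(t for t, c in types.items() if c["total_fwded"] == 0)
    if never:
        findings.append("no logs forwarded for: " + ", ".join(never))
    lagging = sorted(t for t, c in types.items() if c["seq_acked"] < c["seq_fwded"])
    if lagging:
        findings.append("unacknowledged logs for: " + ", ".join(lagging))
    return findings

if __name__ == "__main__":
    for finding in logging_gaps(SAMPLE):
        print(finding)
```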