08-29-2017 09:41 AM
Hi PA Experts!
Another issue I stumbled upon yesterday 😞
We replaced one of our PA firewall 5050 with a PA 5220 a couple of days ago, and when I try to find the traffic logs corresponding to that PA 5220 device on Panorama, it shows nothing.
I double checked the configuration on Panorama and the device PA to see everything is set up correctly for forwarding logs.
Also, the device is set up to send the threat logs to a log aggregation system, and we see the syslogs successfully getting logged to the aggregator. Hence the device fw is able to send the syslogs to another system, but not to Panorama.
Some more specifics:
The device PA 5220 is running s/w version: 8.0.4
The Panorama is a VM and running: 8.0.4
Ran 'show logging-status device <device-ID>' on Panorama, outputs nothing 😞
Ran 'show logging-status' on the device PA, shows it isn't forwarding.
Are there any tweaks that need to be done additionally for the device PA to send the logs to Panorama?
Any help appreciated 🙂
Thanks,
Fatema.
08-29-2017 09:50 AM
Did you add the 5220's serial # to the "Managed Devices" tab of Panorama?
08-29-2017 10:02 AM
Yes, I can see the device fw 5220 in the "Managed Devices" tab of Panorama, with all the columns displaying correct information.
08-29-2017 10:17 AM
A couple of other things to verify:
1.) Is Panorama running the same (or newer) PAN-OS version as the 5220?
2.) Did you edit your collector group and configure log forwarding preferences for the new 5220?
08-29-2017 10:29 AM
Thanks for the comments. Here are the answers:
1. Yes the Panorama and the device are running same PANOS version (8.0.4)
2. We do not have entries for Managed Collectors or the Collector Group, but we have configured the log forwarding to Panorama by adding a Log Forwarding Profile in Objects > Log Forwarding, and have the 'Shared' check-box checked, to apply the log forwarding settings to all managed devices. We have the traffic logs from other devices logged to Panorama, it's just this current new fw device that is not logging to Panorama...
08-29-2017 11:22 AM
Can you take a screenshot of your log forwarding profile and post it here?
Is this same log forwarding profile referenced in the firewall's security policy?
08-29-2017 12:52 PM
Ah, finally got it working, by referring to this doc:
Not sure what made it work, but I was trying steps 1-6 multiple times, w/o any change in the console output of 'show logging-status', but when I took a look at the Panorama, the logs were getting displayed for that device fw. (Not sure why the status commands still show nothing on the console though. hmm)
Thanks for all the help! 🙂
Fatema.
02-06-2019 02:19 PM
Hi,
did you run the command on Panorama or the firewalls?
02-06-2019 02:30 PM
Hi @jvalentine
As per the link https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFCCA0
where do we need to run the commands? On Panorama or on the firewalls?