Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Palo Alto Networks Firewall not Forwarding Logs to Panorama (VM and M-100)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Palo Alto Networks Firewall not Forwarding Logs to Panorama (VM and M-100)

L2 Linker

Hi PA Experts!

 

Another issue I stumped upon yesterday 😞

We replaced one of our PA firewall 5050 to PA 5220 couple of days ago, and when I am trying to find the

traffic logs corresponding to that PA 5220 device on Panorama, it shows nothing.

I duoble checked the configuration on Panorama and the device PA to see everything is setup correctly for forwarding logs.

 

Also, the device is setup to send the threat logs to a log aggregation system, and we see the syslogs successfully getting logged to the aggregator.  Hence the device fw is able to send the syslogs to another system, but Panorama.

 

Some more specifics:

The device PA 5220 is running s/w version: 8.0.4

The Panorama is a VM and running: 8.0.4

Ran 'show logging-status device <device-ID>' on Panorama, outputs nothing 😞

Ran 'show logging-status' on the device PA, shows isn't forwarding.

 

Is there any tweaks that need to be done additionally for the device PA to send the logs to Panorama?

 

Any help appreciated 🙂

 

Thanks,

Fatema.

 

 

10 REPLIES 10

L7 Applicator

Did you add the 5220's serial # to the "Managed Devices" tab of Panorama?  

Yes, I can see the device fw 5220 in the "Managed Devices" tab of Panorama, with all the columns

displaying correct information.

A couple of other things to verify:

 

1.) Is Panorama running the same (or newer) PAN-OS version as the 5220?  

 

2.) Did you edit your collector group and configure log forwarding preferences for the new 5220?

 

 

Thanks for the comments. Here are the answers:

1. Yes the Panorama and the device are running same PANOS version (8.0.4)

2. We do not have entries for Managed Collectors or the Collector Group, but we have configured the log forwarding to Panorama by adding  a Log forwarding Profile in Objects > Log Forwarding, and have the 'Shared' check-box cecked, to apply the log Frwding settings to all managed devices. We have the traffic logs from other devices logged to Panorama, it's just this current new fw device that is not logging to Panorama... 

Can you take a screenshot of your log forwarding profile and post it here?  

 

Is this same log forwarding profile referenced in the firewall's security policy?  

Capture.PNG

Ah finally got it working, by referning to this doc:

https://live.paloaltonetworks.com/t5/Configuration-Articles/Palo-Alto-Networks-Firewall-not-Forwardi...

 

Not sure what made it work, but was trying the steps 1-6 multiple time, w/o any change in the console output of 'show logging-status', but when I took a look at the Panorama, the logs were getting displayed for that device fw. (Not sure why the status commands still show nothing on the console though. hmm)

 

Thanks for all the help! 🙂

 

Fatema.

Hi,

 

did you run the command on Panorama or the firewalls?

Hi @jvalentine

 

As per the link https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFCCA0

 

where do we need to run the commands? On Panorama or on the firewalls?

On Panorama

  • 8398 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!