07-19-2017 02:12 PM
I was following a tutorial online to do this but I must have missed a step somewhere.
My deployment is a single Panorama VM with a default local log collector and two 5060 firewalls in HA active/active.
I created a Collector Log Forwarding rule for Traffic on the default collector to attempt to identify and tag IP addresses associated with a particular list of applications. I do not have any forwarders set as I don't actually need to forward the logs anywhere, I just need to tag them. I have a line in Built-in Actions to add a tag with the appropriate tag I created in the shared space, and I have it set to Local User-ID registration (not sure if this is where I've screwed up; Panorama is getting User-ID info from User-ID agents installed on two Windows servers). Since I've read that you can't tag Source IP for some reason on Traffic logs, I've set the target to destination address and made sure I added source security zone filters so that the destination address should always be remote devices.
I then created a Dynamic Address Group to match the tag I specified and pushed everything to the firewalls. When testing the filter in the Filter building tool inside the Log Collector config I see plenty of traffic, and when I added an email profile it sent me plenty of emails with matches. The problem is I don't ever see anything added to the Dynamic Address Group in Panorama or on the firewalls.
Anyone know where I might have gone wrong?
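One check worth running when a log-forwarding auto-tag action fires (the e-mail matches prove that) but the Dynamic Address Group stays empty is to ask the device itself which IP/tag registrations it actually holds, since the DAG is only ever populated from that registration table. The script below is an added example, not code from the original post or from Palo Alto Networks: it builds the XML API URL for the `show object registered-ip all` operational command and parses the response into an IP-to-tags map, then reports which of the IPs you expected to be tagged (for instance those named in the alert e-mails) are absent. The host, API key and the IPs are placeholders, and the response document is a constructed sample whose layout (`<entry ip=...><tag><member>...`) is assumed rather than copied from a live device; adjust the parser if your PAN-OS version differs. Run it against both Panorama and a firewall: a tag registered only on one side is a common reason the group looks empty on the other.

```python
"""Check which IPs a PAN-OS device has registered with a given tag.

Added example for verifying auto-tagging; host, key, IPs and the sample
response are constructed placeholders, not values from the original post.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Operational command behind the CLI's "show object registered-ip all".
REGISTERED_IP_CMD = "<show><object><registered-ip><all/></registered-ip></object></show>"


def build_op_url(host, api_key, cmd=REGISTERED_IP_CMD):
    """Return the XML API URL for an operational command (type=op)."""
    query = urlencode({"type": "op", "cmd": cmd, "key": api_key})
    return f"https://{host}/api/?{query}"


# Constructed sample of what the device answers; real output may carry
# more attributes, but the ip/tag/member nesting is what we rely on.
SAMPLE_RESPONSE = """<response status="success"><result>
<entry ip="203.0.113.10" from_agent="0" persistent="1">
  <tag><member>tagged-app-dst</member></tag>
</entry>
<entry ip="203.0.113.11" from_agent="0" persistent="1">
  <tag><member>tagged-app-dst</member><member>other-tag</member></tag>
</entry>
<entry ip="10.0.0.5" from_agent="1" persistent="0">
  <tag><member>unrelated</member></tag>
</entry>
</result></response>"""


def parse_registered_ips(xml_text):
    """Map each registered IP to the list of tags attached to it.

    Raises ValueError if the API reported an error instead of a result.
    """
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError(f"API call failed: {xml_text[:200]}")
    mapping = {}
    for entry in root.iter("entry"):
        ip = entry.get("ip")
        if not ip:
            continue
        tags = [m.text.strip() for m in entry.findall("tag/member") if m.text]
        mapping[ip] = tags
    return mapping


def ips_with_tag(mapping, tag):
    """Sorted list of IPs that currently carry the given tag."""
    return sorted(ip for ip, tags in mapping.items() if tag in tags)


def missing_registrations(expected_ips, mapping, tag):
    """IPs you expected to be tagged (e.g. from alert e-mails) that the
    device has not registered with that tag; a non-empty result means the
    DAG will not contain them no matter how the group's match is written."""
    return sorted(set(expected_ips) - set(ips_with_tag(mapping, tag)))


if __name__ == "__main__":
    # Placeholders: replace with a real host and API key to fetch live data
    # (e.g. with urllib or requests); here the constructed sample is parsed.
    print(build_op_url("panorama.example.invalid", "API_KEY_PLACEHOLDER"))
    table = parse_registered_ips(SAMPLE_RESPONSE)
    tag = "tagged-app-dst"
    print("registered with", tag, "->", ips_with_tag(table, tag))
    print("expected but missing ->",
          missing_registrations(["203.0.113.10", "203.0.113.12"], table, tag))
```

If the tag shows up on Panorama's table but not on the firewalls (or the other way round), the registration is landing on the wrong side of the Local/Remote User-ID setting, and that is the place to look rather than at the DAG definition itself.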