How to proactively monitor which firewalls stopped sending logs to Panorama.


L0 Member

Panorama is our log collector, and all firewalls reporting to Panorama forward their logs to Panorama too.

However, at times these logs stop reaching Panorama (the connection breaks for several reasons) and we end up finding out after a long time. This causes us to lose important logs in Panorama.

So how can we proactively monitor this setup, so that if any firewall stops / breaks sending logs to Panorama for a certain period of time, we get notified?

1 reply

Cyber Elite

Hello @SivakumarNarala

Thank you for the post.

I would separate this issue into 2 scenarios:

- Firewall does not send logs to Panorama.

- Firewall is sending logs to Panorama, but logs are not available/searchable in the GUI.

Personally, I have come across both issues and, with some regret, I do not think I have a good solution; rather, I am sharing some ideas.

 

For the first issue, I can think of two options:

- Use the built-in log collector connectivity checker under: Panorama > Managed Devices > Troubleshooting > Log Collector Connectivity, then select all Firewalls and press Execute. If the status is returned as "Failure" for a particular Firewall, then this is an indication of an issue. Depending on your organization, if you have a dedicated NOC/SOC, you can have them execute this regularly (for example once a week) to catch Firewalls not sending logs.

- If a Firewall disconnects from the log collector, there will be a system log event: ( eventid eq tls-session-disconnected ) with description ( description contains 'Device <Serial Number>-log-collection disconnected from the server' ). You can set up an email alert under: Panorama > Log Settings > System > Add, then under Filter you can build a filter based on, for example, event ID or description to get an email alert. This can however get noisy.

For the scenario where logs are being sent to Panorama but not displayed, it is harder to detect, as this can be caused by a bug, reaching the limit of active shards, etc. One way I can think of is to create a custom scheduled traffic report and add "Device Name" under Selected Columns, with Time Frame set to 24 Hours. If logs from a certain Firewall are no longer available, the Firewall will be missing from the report. This solution is far from ideal, as someone still has to open the report and spot the missing Firewall.

 

Kind Regards

Pavel
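The two detection ideas in the reply above (matching the tls-session-disconnected system log event, and spotting a firewall that is missing from a 24-hour report that lists Device Name) can be automated with a small script so nobody has to eyeball the report. The code below is an added example, not code from the original post or from Palo Alto Networks; the firewall inventory, report rows, serial numbers and system log lines are constructed sample data, and the helper names are hypothetical. It assumes the report has been exported to rows of (Device Name, Receive Time) and the system log lines contain the description quoted in the reply.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed inventory of firewalls managed by Panorama: serial -> hostname.
# Hypothetical values; a real deployment would load this from Managed Devices.
MANAGED_FIREWALLS = {
    "001234567890": "fw-branch-01",
    "001234567891": "fw-branch-02",
    "001234567892": "fw-dc-01",
}

# Constructed rows from a scheduled traffic report with "Device Name" as a
# selected column: (Device Name, Receive Time). fw-branch-02 is absent entirely
# and fw-dc-01 last logged two days ago.
REPORT_ROWS = [
    ("fw-branch-01", "2024-05-01 10:15:00"),
    ("fw-branch-01", "2024-05-01 11:40:00"),
    ("fw-dc-01", "2024-04-29 09:58:00"),
]

# Constructed Panorama system log lines; the first one carries the
# tls-session-disconnected event and description from the reply.
SYSTEM_LOG_LINES = [
    "2024/05/01 08:02:11 system tls-session-disconnected "
    "Device 001234567891-log-collection disconnected from the server",
    "2024/05/01 08:05:40 system general some unrelated event",
]

# Reference "now" so the example is deterministic (constructed).
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

# Serial is whatever sits between "Device " and "-log-collection".
DISCONNECT_RE = re.compile(
    r"tls-session-disconnected.*?Device (\S+?)-log-collection disconnected from the server"
)


def disconnected_firewalls(lines):
    """Return (serial, hostname) for every disconnect event found in system log lines."""
    found = []
    for line in lines:
        match = DISCONNECT_RE.search(line)
        if match:
            serial = match.group(1)
            found.append((serial, MANAGED_FIREWALLS.get(serial, "unknown-device")))
    return found


def stale_or_missing(report_rows, now=NOW, max_age=timedelta(hours=24)):
    """Return (hostname, reason) for managed firewalls that are absent from the
    report or whose newest log in the report is older than max_age."""
    latest = {}
    for device, ts in report_rows:
        seen = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if device not in latest or seen > latest[device]:
            latest[device] = seen
    problems = []
    for host in MANAGED_FIREWALLS.values():
        last = latest.get(host)
        if last is None:
            problems.append((host, "missing from report"))
        elif now - last > max_age:
            problems.append((host, f"stale, last log {now - last} ago"))
    return sorted(problems)


if __name__ == "__main__":
    for serial, host in disconnected_firewalls(SYSTEM_LOG_LINES):
        print(f"ALERT disconnect event: {host} ({serial})")
    for host, reason in stale_or_missing(REPORT_ROWS):
        print(f"ALERT log gap: {host}: {reason}")
```

Comparing the report against the managed-device inventory is what turns "someone has to spot the missing firewall" into a check that can run on a schedule; a firewall that disappears from the report, or whose newest entry is older than the chosen window, is flagged without anyone reading the report. The system log match covers the disconnect case and can be rate-limited on the caller's side if the event is noisy.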
