Palo Alto Networks Firewall not Forwarding Logs to Panorama (VM and M-100)
323086
Created On 09/25/18 17:27 PM - Last Modified 05/20/20 21:29 PM
Symptom
Panorama, deployed as either the Palo Alto Networks M-100 device or as a virtual appliance, stops receiving logs from Palo Alto Networks firewalls. The traffic and threat logs are visible when viewed directly on the firewalls, but are not visible on Panorama.
Environment
- Any Panorama
- PAN-OS 6.1, 7.0, 7.1, 8.0, 8.1 and 9.0
Cause
The Palo Alto Networks firewall uses a sequence number to keep track of the logs forwarded to Panorama. When the logs are received, Panorama acknowledges the sequence number. If the firewall is connected to a different Panorama (for example, to an HA peer of a Panorama), these sequence numbers can become out of sync, causing the firewall not to forward any logs. The log upload process can also become stuck when a large volume of logs is being sent to Panorama.
Resolution
Additional Information
Important Notes:
Alphabetic characters in the serial number must all be upper case. For example:
> request log-fwd-ctrl device 0000C123456 action live
scheduled a job with jobid 12
If lower case characters are used, then the following error message is returned:
> request log-fwd-ctrl device 0011c123456 action live
Server error : failed to schedule a job to do log fwd ctrl from panorama to device 0000c123456
Confirm that the device policies are configured with a log action that forwards to Panorama.
If the logging gets stuck, restart the log-receiver service with the following command:
> debug software restart log-receiver
Alternatively, restart the management server (which also restarts the log-receiver service) with the following command:
> debug software restart management-server
On PAN-OS 7.0, 7.1, 8.0, 8.1 and above, use the following command to restart the management server process:
> debug software restart process management-server
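When several firewalls need the log-fwd-ctrl command after a Panorama change, the upper-case serial number requirement noted above can be enforced before anything is pasted into the Panorama CLI. The following shell script is an added example, not part of the original article or any Palo Alto Networks tooling; the function names, the letters-and-digits sanity check and the sample serial numbers are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: turn a list of firewall serials into ready-to-paste
# "request log-fwd-ctrl ... action live" commands, upper-casing each serial
# so Panorama does not reject it with "failed to schedule a job".
LC_ALL=C; export LC_ALL

# normalize_serial SERIAL: print the serial upper-cased with whitespace removed.
# Returns 1 if anything other than letters and digits remains (assumed check;
# the article only states the upper-case rule).
normalize_serial() {
    s=$(printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
    case "$s" in
        ''|*[!A-Z0-9]*) return 1 ;;
    esac
    printf '%s\n' "$s"
}

# build_commands: read one serial per line on stdin, write one CLI command per
# unique valid serial on stdout, report rejected lines on stderr.
build_commands() {
    seen=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if ! serial=$(normalize_serial "$line"); then
            printf 'skipped invalid serial: %s\n' "$line" >&2
            continue
        fi
        # the same device listed in both cases yields a single command
        case " $seen " in *" $serial "*) continue ;; esac
        seen="$seen $serial"
        printf 'request log-fwd-ctrl device %s action live\n' "$serial"
    done
}

# Constructed sample inventory (placeholder serials, not real devices).
sample_inventory() {
cat <<'EOF'
# exported device list
0000c123456
0000C123456
0000d654321
bad/serial
EOF
}

sample_inventory | build_commands
```

The generated lines are meant to be reviewed and then entered at the Panorama CLI prompt; rejected entries are reported on stderr so a mistyped serial is not silently dropped.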