Palo Alto Networks Knowledgebase: Palo Alto Networks Firewall not Forwarding Logs to Panorama (VM and M-100)
Created On 09/25/18 17:27 PM - Last Updated 08/05/19 20:36 PM
Panorama, deployed as either the Palo Alto Networks M-100 device or as a virtual appliance, stops receiving logs from Palo Alto Networks firewalls. The traffic and threat logs can be viewed directly on the firewalls, but are not visible on Panorama.
The Palo Alto Networks firewall uses a sequence number to keep track of the logs it has forwarded to Panorama. When the logs are received, Panorama acknowledges the sequence number. If the firewall is connected to a different Panorama (for example, to an HA peer of a Panorama), these sequence numbers can become out of sync, causing the firewall not to forward any logs. The log upload process can also become stuck when a large volume of logs is being sent to Panorama.
Panorama 6.1, 7.0, 7.1, 8.0
Check current logging status:
> show logging-status device <serial number>
Start log forwarding with buffering, starting from last ack'ed log ID:
> request log-fwd-ctrl device <serial number> action start-from-lastack
Verify if logs are being forwarded:
> show logging-status device <serial number>
If logs are not being forwarded, do the following:
Make sure that log forwarding is stopped:
> request log-fwd-ctrl device <serial number> action stop
Start log forwarding with no buffering (leave in this state for about a minute):
> request log-fwd-ctrl device <serial number> action live