Issue
Timestamps on traffic log entries differ from the time shown by the system clock.
Details
A Palo Alto Networks device uses separate clocks for the data plane (DP) and the management plane (MP). The system clock displays the MP time. Traffic logs, however, are generated on the DP, and their timestamps reflect the DP clock. As a result, timestamps on traffic log entries may differ from the MP clock.
Use the following CLI commands to view the DP and MP clock values:
> show clock
Mon Dec 2 10:29:58 JST 2013
> show clock more
dataplane time: Mon Dec 02 10:29:59 JST 2013
To check the time difference between the MP and DP clocks, review dp-monitor.log in the tech support file (xxxx_techsupport\opt\var\log\pan\dp-monitor.log).
For example:
Aug 13 07:41:00:
DP Time                    MP Time                    Diff (seconds)
Tue Aug 13 07:41:00 2013   Tue Aug 13 07:44:48 2013   228.0
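The following Python example is added here and is not part of the original article or a Palo Alto Networks tool. It parses rows in the dp-monitor.log layout shown above, flags MP/DP offsets beyond a tolerance, and shifts a DP (traffic log) timestamp onto the MP clock for correlation with other logs. The function names, the 5-second threshold, the MP-minus-DP sign convention and the second sample row are assumptions.

```python
import re
from datetime import datetime, timedelta

# Row layout taken from the sample above: "<DP time> <MP time> <diff seconds>"
CTIME = r"[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"
ROW = re.compile(rf"^\s*({CTIME})\s+({CTIME})\s+(-?\d+(?:\.\d+)?)\s*$")
FMT = "%a %b %d %H:%M:%S %Y"

# First data row is the one shown in the article; the second row is constructed.
SAMPLE = """\
Aug 13 07:41:00:
DP Time MP Time Diff (seconds)
Tue Aug 13 07:41:00 2013 Tue Aug 13 07:44:48 2013 228.0
Tue Aug 13 07:46:00 2013 Tue Aug 13 07:46:01 2013 1.0
"""


def _ts(raw):
    # Collapse padded day-of-month spacing before parsing
    return datetime.strptime(" ".join(raw.split()), FMT)


def parse_rows(text):
    """Yield (dp_time, mp_time, reported_diff) per data row; other lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield _ts(m.group(1)), _ts(m.group(2)), float(m.group(3))


def find_drift(text, threshold_s=5.0):
    """Return rows whose MP-DP offset exceeds threshold_s (assumed tolerance)."""
    findings = []
    for dp, mp, reported in parse_rows(text):
        offset = (mp - dp).total_seconds()  # assumed convention: MP minus DP
        if abs(offset) > threshold_s:
            # "consistent" is True when the logged Diff column matches the timestamps
            findings.append({"dp_time": dp, "mp_time": mp, "offset_s": offset,
                             "consistent": abs(abs(offset) - abs(reported)) < 1.0})
    return findings


def dp_to_mp(dp_timestamp, offset_s):
    """Shift a traffic-log (DP clock) timestamp onto the MP clock."""
    return dp_timestamp + timedelta(seconds=offset_s)


if __name__ == "__main__":
    for f in find_drift(SAMPLE):
        print(f"DP {f['dp_time']}  MP {f['mp_time']}  offset {f['offset_s']:+.1f}s")
```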
Resolution
If the DP clock is wrong, the dataplane can be restarted to resynchronize with the NTP server. Run the following CLI command:
> request restart dataplane
Although restarting the system should not be necessary, the CLI command is provided below:
> request restart system
owner: kkondo