Panorama threat logs is not showing the name of threat signature

Panorama threat logs is not showing the name of threat signature

6895
Created On 05/21/19 08:01 AM - Last Modified 04/29/21 03:33 AM


Symptom
Panorama threat logs don't show the name of threat signature. 

Environment
  • PAN-OS 8.1, 9.0 and 9.1
  • Any Panorama
  • Threat logs


Cause
There could be few possible reasons behind this:
  1. Connectivity Issues to Threat Vault.
  • Starting PAN 8.0, threat name is fetched online from api.threatvault.paloaltonetworks.com when a given threat ID is not found in the local AV/Threat content packages.
  • If there is a connectivity issue to threat vault, then we will see the issue.
  1. Custom vulnerability Signatures on Panorama
Panorama threat logs won't show the name of custom vulnerability signature, and this is expected behavior. Reasoning explained below:
  • UI resolves the threat-id with the "show threat id <id> " operational command. The command looks up either local db on the box or query from threatvault.
  • Device server on firewall generates file dlp_threats.xml, but on Panorama there is no device server process for the generation of this file.


Resolution
1. Connectivity Issues to Threat Vault.
  • Check if Threat Vault access is enabled (select Device > Setup > Management > Logging and Reporting setting and click on Enable Threat Vault Access).
    Note: This is enabled by default.
When it is disabled, debug configd.log will show (status = disabled) as below:
2021-04-21 14:30:21.638 +0800 debug: pan_cfg_execute_mgmtop(pan_ops_common.c:40291): OPCMD show_threat
2021-04-21 14:30:21.639 +0800 debug: pan_mgmtop_show_threat(pan_ops_common.c:4866): Did not find id 406401243 in DB
2021-04-21 14:30:21.639 +0800 debug: pan_mgmtop_show_threat(pan_ops_common.c:4897): Failed to send threatids 406401243 to threat Vault (status = disabled)
  • Test connectivity to the Threat Vault using:
    > test threat-vault connection 
  • Fix your connection to threat vault if there is an issue.
2. Custom vulnerability.
  • It is expected that we won't see a threat name for custom signature in Panorama logs.
  • There is a feature request with FR ID: 10787. Please discuss with your account SE on more details if you would like to have this.
If you see an issue that doesn't fall under the above, please open a support ticket for further investigation.


Additional Information
Additional information can be found here.

Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PM0BCAW&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language