Panorama threat log is not showing the name of threat signature - Knowledge Base - Palo Alto Networks

Created On 05/21/19 08:01 AM - Last Modified 08/23/24 06:07 AM


Symptom


Panorama threat logs don't show the name of the threat signature.

Environment


  • PAN-OS 8.1, 9.0 and 9.1
  • Any Panorama
  • Threat logs


Cause


There are a few possible reasons behind this:
  1. Connectivity issues to Threat Vault.
  • Starting with PAN-OS 8.0, the threat name is fetched online from api.threatvault.paloaltonetworks.com when a given threat ID is not found in the local Antivirus/Threat content packages.
  • If there is a connectivity issue to Threat Vault, the threat name is not shown.
  2. Custom Vulnerability Signatures on Panorama
Panorama threat logs won't show the name of a custom vulnerability signature, and this is expected behavior. The reasoning is explained below:
  • The UI resolves the threat ID with the "show threat id <id>" operational command, which looks up the ID in the local database on the box or queries Threat Vault.
  • The device server on the firewall generates the file dlp_threats.xml, but on Panorama there is no device server process to generate this file.


Resolution


1. Connectivity issues to Threat Vault.
  • Check if Threat Vault access is enabled (select Device > Setup > Management > Logging and Reporting Settings and click on Enable Threat Vault Access).
    Note: This is enabled by default.
    When it is disabled, the debug output in configd.log shows (status = disabled), as below:
2021-04-21 14:30:21.638 +0800 debug: pan_cfg_execute_mgmtop(pan_ops_common.c:40291): OPCMD show_threat
2021-04-21 14:30:21.639 +0800 debug: pan_mgmtop_show_threat(pan_ops_common.c:4866): Did not find id 406401243 in DB
2021-04-21 14:30:21.639 +0800 debug: pan_mgmtop_show_threat(pan_ops_common.c:4897): Failed to send threatids 406401243 to threat Vault (status = disabled)
  • Test connectivity to the Threat Vault using:
    > test threat-vault connection 
  • Fix your connection to Threat Vault if there is an issue.
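
The following added example (not Palo Alto Networks code) scans configd.log debug output for the two show_threat messages quoted above and reports, per threat ID, whether the local lookup missed and which status the Threat Vault request failed with. The function names are hypothetical, the line format is assumed to match the three lines quoted above, and no status value other than "disabled" is documented on this page.

```python
import re

# Constructed sample: the three configd.log lines quoted in the article,
# plus one unrelated constructed line that must be ignored.
SAMPLE_LOG = """\
2021-04-21 14:30:21.638 +0800 debug: pan_cfg_execute_mgmtop(pan_ops_common.c:40291): OPCMD show_threat
2021-04-21 14:30:21.639 +0800 debug: pan_mgmtop_show_threat(pan_ops_common.c:4866): Did not find id 406401243 in DB
2021-04-21 14:30:21.639 +0800 debug: pan_mgmtop_show_threat(pan_ops_common.c:4897): Failed to send threatids 406401243 to threat Vault (status = disabled)
2021-04-21 14:30:22.000 +0800 debug: unrelated constructed line
"""

# Assumed line layout: timestamp, UTC offset, level, function(file:line), message.
TS = r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4}) "
FUNC = r".*pan_mgmtop_show_threat\([^)]*\): "
MISS = re.compile(TS + FUNC + r"Did not find id (?P<id>\d+) in DB")
FAIL = re.compile(TS + FUNC + r"Failed to send threatids (?P<id>\d+) "
                  r"to threat Vault \(status = (?P<status>[^)]+)\)")


def summarize_lookups(log_text):
    """Map each threat ID to its local-DB miss and Threat Vault failure status."""
    lookups = {}
    for line in log_text.splitlines():
        for pattern in (MISS, FAIL):
            m = pattern.search(line)
            if not m:
                continue
            entry = lookups.setdefault(
                m["id"], {"local_miss": False, "vault_status": None, "last_seen": None})
            entry["last_seen"] = m["ts"]
            if pattern is MISS:
                entry["local_miss"] = True
            else:
                entry["vault_status"] = m["status"].strip()
    return lookups


def next_step(entry):
    """Pick the resolution step from this article that fits what the log shows."""
    if entry["vault_status"] == "disabled":
        return "enable Threat Vault access"
    if entry["vault_status"] is not None:
        return "test threat-vault connection"
    return "no Threat Vault failure logged"


if __name__ == "__main__":
    for threat_id, entry in summarize_lookups(SAMPLE_LOG).items():
        print(threat_id, entry, "->", next_step(entry))
```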


2. Custom vulnerability.
  • It is expected that we won't see a threat name for a custom signature in Panorama logs.

If you see an issue that doesn't fall under the above, please open a support ticket for further investigation.


Additional Information


Additional information can be found here.
