Panorama threat logs is not showing the name of threat signature
Created On 05/21/19 08:01 AM - Last Modified 04/29/21 03:33 AM
Panorama threat logs don't show the name of threat signature.
- PAN-OS 8.1, 9.0 and 9.1
- Any Panorama
- Threat logs
There could be few possible reasons behind this:
- Connectivity Issues to Threat Vault.
- Starting PAN 8.0, threat name is fetched online from api.threatvault.paloaltonetworks.com when a given threat ID is not found in the local AV/Threat content packages.
- If there is a connectivity issue to threat vault, then we will see the issue.
- Custom vulnerability Signatures on Panorama
Panorama threat logs won't show the name of custom vulnerability signature, and this is expected behavior. Reasoning explained below:
- UI resolves the threat-id with the "show threat id <id> " operational command. The command looks up either local db on the box or query from threatvault.
- Device server on firewall generates file dlp_threats.xml, but on Panorama there is no device server process for the generation of this file.
1. Connectivity Issues to Threat Vault.
- Check if Threat Vault access is enabled (select Device > Setup > Management > Logging and Reporting setting and click on Enable Threat Vault Access).
Note: This is enabled by default.
When it is disabled, debug configd.log will show (status = disabled) as below:
2021-04-21 14:30:21.638 +0800 debug: pan_cfg_execute_mgmtop(pan_ops_common.c:40291): OPCMD show_threat 2021-04-21 14:30:21.639 +0800 debug: pan_mgmtop_show_threat(pan_ops_common.c:4866): Did not find id 406401243 in DB 2021-04-21 14:30:21.639 +0800 debug: pan_mgmtop_show_threat(pan_ops_common.c:4897): Failed to send threatids 406401243 to threat Vault (status = disabled)
- Test connectivity to the Threat Vault using:
> test threat-vault connection
- Fix your connection to threat vault if there is an issue.
- It is expected that we won't see a threat name for custom signature in Panorama logs.
- There is a feature request with FR ID: 10787. Please discuss with your account SE on more details if you would like to have this.
Additional information can be found here.