Panorama threat logs are not showing the name of the vulnerability signature

Created On 05/21/19 08:01 AM - Last Updated 06/12/20 19:46 PM


Symptom
Panorama threat logs don't show the name of the vulnerability signature.

Environment
  • PAN-OS 8.1, 9.0 and 9.1
  • Any Panorama
  • Threat logs


Cause
There are a few possible reasons for this:
  1. Connectivity issues to Threat Vault.
  • Starting with PAN-OS 8.0, the threat name is fetched online from api.threatvault.paloaltonetworks.com and NOT from AV content as in previous releases.
  • If there is a connectivity issue to Threat Vault, the threat name is not shown.
  2. Custom vulnerability signatures on Panorama.
Panorama threat logs won't show the name of a custom vulnerability signature, and this is expected behavior. The reasoning is explained below:
  • The UI resolves the threat ID with the "show threat id <id>" operational command. The command either looks up the local database on the box or queries Threat Vault.
  • The device server on the firewall generates the file dlp_threats.xml, but on Panorama there is no device server process to generate this file.


Resolution
1. Connectivity issues to Threat Vault.
  • Check if Threat Vault access is enabled (select Device > Setup > Management > Logging and Reporting setting and click on Enable Threat Vault Access).
    Note: This is enabled by default.
  • Test connectivity to the Threat Vault using:
    > test threat-vault connection
  • Fix your connection to Threat Vault if there is an issue.
2. Custom vulnerability signatures.
  • It is expected that no threat name is shown for a custom signature in Panorama logs.
  • There is a feature request with FR ID: 10787. Please discuss the details with your account SE if you would like to have this.
If you see an issue that doesn't fall under the above, please open a support ticket for further investigation.
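
To decide which of the two causes applies, the unnamed log entries can be sorted by threat ID. The following is an added example, not Palo Alto Networks code: it assumes a threat-log export reduced to two hypothetical columns, `threat_id` and `threat_name`, assumes an unresolved name appears as an empty field or as the bare ID, and uses the 41000-45000 ID range that PAN-OS reserves for custom vulnerability signatures. The sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Threat ID range PAN-OS reserves for custom vulnerability signatures.
CUSTOM_VULN_IDS = range(41000, 45001)

# Constructed sample export; the column names are assumptions for this example.
SAMPLE_EXPORT = """threat_id,threat_name
41000,
41000,41000
30845,
30845,30845
54321,Example Named Signature
41007,
"""


def is_unresolved(threat_id: str, threat_name: str) -> bool:
    """A row counts as unresolved when no name is shown, or only the ID."""
    name = threat_name.strip()
    return name == "" or name == threat_id.strip()


def triage(export_text: str) -> dict:
    """Group unresolved threat IDs by the cause this article assigns to them."""
    custom, vault = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        tid = (row["threat_id"] or "").strip()
        if not tid.isdigit() or not is_unresolved(tid, row["threat_name"] or ""):
            continue  # skip malformed rows and rows that already have a name
        if int(tid) in CUSTOM_VULN_IDS:
            custom[tid] += 1  # cause 2: expected behavior on Panorama
        else:
            vault[tid] += 1   # cause 1: check Threat Vault connectivity
    return {"custom_signature": dict(custom), "threat_vault": dict(vault)}


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    for tid, n in result["custom_signature"].items():
        print(f"{tid}: {n} rows, custom signature, no name expected on Panorama")
    for tid, n in result["threat_vault"].items():
        print(f"{tid}: {n} rows, predefined ID, run 'test threat-vault connection'")
```

IDs reported under `threat_vault` are the ones worth following up with the connectivity test above; IDs under `custom_signature` match the expected behavior described for custom signatures.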


Additional Information
Additional information can be found here.
