Panorama threat logs are not showing the name of the vulnerability signature
Created On 05/21/19 08:01 AM - Last Updated 06/12/20 19:46 PM
Panorama threat logs don't show the name of the vulnerability signature.
- PAN-OS 8.1, 9.0 and 9.1
- Any Panorama
- Threat logs
There are a few possible reasons for this:
- Connectivity issues to Threat Vault.
- Starting with PAN-OS 8.0, the threat name is fetched online from api.threatvault.paloaltonetworks.com and NOT from AV content as in previous releases.
- If there is a connectivity issue to Threat Vault, the threat name cannot be fetched and the logs show the issue described above.
- Custom vulnerability signatures on Panorama.
Panorama threat logs won't show the name of a custom vulnerability signature, and this is expected behavior. The reasoning is explained below:
- The UI resolves the threat ID with the "show threat id <id>" operational command. The command either looks up the local database on the box or queries Threat Vault.
- The device server on the firewall generates the file dlp_threats.xml, but on Panorama there is no device server process to generate this file.
1. Connectivity issues to Threat Vault.
- Check whether Threat Vault access is enabled (select Device > Setup > Management > Logging and Reporting Settings and click on Enable Threat Vault Access).
Note: This is enabled by default.
- Test connectivity to the Threat Vault using:
> test threat-vault connection
- If the test reports an issue, fix the connection to Threat Vault.
- For custom signatures, it is expected that the threat name does not appear in Panorama logs.
- There is a feature request with FR ID: 10787. If you would like to have this feature, please discuss the details with your account SE.
Additional information can be found here.