ACC report broke after upgrading Panorama to 10.0

15601

Created On 04/07/21 03:39 AM - Last Modified 06/03/25 03:00 AM

ACC

Reporting and Logging

10.0

PAN-OS

Panorama

Symptom

CASE 1:

Panorama management is upgraded to PAN-OS 10.0.x version while log collector is still running on Older PAN-OS ( <10.0.x )version.
ACC report shows "No data to display" under any widget available for eg: Application Usage, User Activity, Source IP Activity etc. although some graphs are displayed.

User-added image

CASE 2:

Panorama is upgrade to 10.0.x version while PanOS firewalls are running on <10.0.x version AND
Data Source selected under ACC tab on Panorama is "Remote Device Data"

In both cases, WebUI debugs shows that when Panorama on 10.0.x is polling ACC report from Log Collector or Firewall on <10.0.x, it uses a new report field: No of Source Profile

<entry name="custom-dynamic-report">
    <start-time>2021/04/06 19:45:00</start-time>
    <end-time>2021/04/06 19:45:00</end-time>
    <no-resolve>yes</no-resolve>
    <widgetName>ACC_Application_Usage</widgetName>
    <widgetType>graph_ext-comp-5460</widgetType>
    <topn>500</topn>
    <type>
      <trsum>
        <aggregate-by>
          <member>category-of-app</member>
          <member>subcategory-of-app</member>
          <member>app</member>
          <member>risk-of-app</member>
        </aggregate-by>
        <values>
          <member>bytes</member>
          <member>sessions</member>
          <member>nthreats</member>
          <member>ncontent</member>
          <member>nurlcount</member>
          <member>nunique-of-users</member>
          <member>nunique-of-src_profile</member>   <<<<<<<<<<<<<<
        </values>
        <sortby>bytes</sortby>
      </trsum>
    </type>
  </entry>

Firewall ms.log shows:

2021-04-06 19:45:00.418 -0800 report job mgr: spawning report thread for 725...2021-04-06 19:45:00.418 -0800 debug: pan_report_handle_generate
(pan_report_handler.c:1490): buffer returned is:
<result>
    <msg>
      <line>Report job enqueued with jobid 725</line>
    </msg>
    <job>725</job>
  </result>
2021-04-06 19:45:00.418 -0800 Report 725 is processed by thread 3240417024
2021-04-06 19:45:00.418 -0800 Report 725 timeout(725) added for 86400 sec
2021-04-06 19:45:00.418 -0800 debug: pan_reportjobmgr_process_reportjob(pan_report_mgr.c:5842): 2021-04-06 19:45:00.418 -0800 debug: pan_reportjobmgr_thread
                         (pan_report_mgr.c:7474): Reportjob manager processing a request from cms
Consumer:list is empty, waiting for reportjobs
2021-04-06 19:45:00.418 -0800 report generation started for 'custom-dynamic-report'
2021-04-06 19:45:00.418 -0800 debug: pan_report_engine_ctxt_destruct(pan_report_mgr.c:11836): pan_report_engine_ctxt_destruct: [In thread: 8510] - The nrefs
                         of rectxt: 0x7fb3eda9e800 is 1
2021-04-06 19:45:00.418 -0800 Error:  _pan_report_results_construct(pan_reports.c:5496): Invalid field name nunique-of-src_profile for aggregation value        
2021-04-06 19:45:00.419 -0800 Error:  __pan_report_query(pan_reports.c:9516): Unable to construct a report result structure
2021-04-06 19:45:00.419 -0800 Error:  pan_reportjobmgr_process_cms_request_on_device(pan_report_mgr.c:1403): failed to compute results
2021-04-06 19:45:00.419 -0800 debug: pan_reportmgr_send_jobid_to_cms(pan_report_mgr.c:1542): Sending report jobid 725 to cms
2021-04-06 19:45:00.419 -0800 BATCH: killing non-batch job 725
2021-04-06 19:45:00.419 -0800 BATCH: received request to kill a report 725
2021-04-06 19:45:00.419 -0800 BATCH: schedule to kill report 725, current result_state 0

Environment

Any Panorama with PAN-OS 10.0.X version
Managed Firewalls or Log Collectors with PAN-OS versions <10.0.X

Cause

Starting from 10.0.x, ACC reports have a lot of new field for ex: "No. of Source Profile", "No. of Destination Profile" etc.

GUI: Monitor > manage> Custom reports

Since these fields are not available on 9.1.x and lower versions, the ACC report breaks if any of the new field is used in polling report.

Resolution

For Case 1: Either upgrade log collector to same major version as Panorama management server or downgrade Panorama management server to same major version as log collector.
For Case 2: Either avoid using "Remote Device Data" as the data source for ACC report or upgrade firewalls to 10.0.x versions. See below.

ACC report broke after upgrading Panorama to 10.0

Symptom

Environment

Cause

Resolution

Other users also viewed: