Log Forwarding to Panorama not working with Log forwarding agent showing as disconnected
Created On 07/13/20 21:15 PM - Last Modified 10/07/20 21:54 PM
Symptom
- Logs are not forwarded from the firewall to Panorama.
- The firewall can ping Panorama and all required ports are open, but no logs are forwarded.
- The show logging-status command on the firewall indicates that the log forwarding agent is active but not connected.
admin@awst-pavm100-01> show logging-status
-----------------------------------------------------------------------------------------------------------------------------
Type Last Log Created Last Log Fwded Last Seq Num Fwded Last Seq Num Acked Total Logs Fwded
-----------------------------------------------------------------------------------------------------------------------------
> CMS 0
Not Sending to CMS 0
> CMS 1
Not Sending to CMS 1
>Log Collector
'Log Collection log forwarding agent' is active but not connected >>>>>this should be connected
config Not Available Not Available 0 13 0
system Not Available Not Available 0 6882 0
threat Not Available Not Available 0 0 0
traffic Not Available Not Available 0 1578 0
hipmatch Not Available Not Available 0 0 0
gtp-tunnel Not Available Not Available 0 0 0
userid Not Available Not Available 0 0 0
iptag Not Available Not Available 0 0 0
auth Not Available Not Available 0 0 0
sctp Not Available Not Available 0 0 0
Environment
- PAN-OS 8.1 and above.
- Any Panorama.
- Any Palo Alto Firewall.
- Panorama with NATed public IP (Example: Panorama in AWS environment).
Cause
- The firewall should show the log forwarding agent as connected in the show logging-status output. In the output shown under Symptom, the agent is active but not connected.
- If Panorama is configured with a NATed IP, the firewall should show the public IP in the log collector preference list:
admin@PW-Plant-1(active)> show log-collector preference-list
Log Collector Preference List
Forward to all: No
Serial Number: 000xxxxxxxxx IP Address: 68.xx.xx.xx IPV6 Address: unknown >>>public IP if Panorama is in AWS with NATed IPs
Resolution
- Make sure all required ports are open between Panorama and the firewall. Refer to Panorama required ports.
- Do a Panorama local commit followed by a collector group push.
- If the "show logging-status" command still does not show the log forwarding agent as connected, do only a collector-group commit and check the status again after a few minutes. This can be done through the GUI: Panorama > Commit > Push to Device > Edit Selection > Deselect All for Device Groups and Templates > Collector Groups > select the Collector Group, click OK, and Push.
- Once completed, the log forwarding agent will show as connected and the logs will be visible on Panorama.
admin@PW-Plant-1(active)> show logging-status
-----------------------------------------------------------------------------------------------------------------------------
Type Last Log Created Last Log Fwded Last Seq Num Fwded Last Seq Num Acked Total Logs Fwded
-----------------------------------------------------------------------------------------------------------------------------
> CMS 0
Not Sending to CMS 0
> CMS 1
Not Sending to CMS 1
>Log Collector
'Log Collection log forwarding agent' is active and connected to 68.xx.xx.xx
config Not Available Not Available 0 4356 0
system Not Available Not Available 0 17105965 0
threat Not Available Not Available 0 2789460711 0
traffic 2020/03/04 15:11:26 2020/03/05 07:44:31 146293907669 146288009536 33450
hipmatch Not Available Not Available 0 0 0
gtp-tunnel Not Available Not Available 0 0 0
userid Not Available Not Available 0 0 0
auth Not Available Not Available 0 0 0
sctp Not Available Not Available 0 0 0
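A stalled forwarding agent leaves Panorama without firewall logs, so the state shown above is worth checking automatically. The following is an added example, not part of the original article or any Palo Alto tooling: a parser for saved show logging-status text that reports the two conditions seen in this article. The function names and the second finding (no Last Log Fwded timestamp on any log type) are assumptions of the example; the sample text is abridged from the outputs on this page.

```python
import re

TS = r"Not Available|\d{4}/\d\d/\d\d \d\d:\d\d:\d\d"
# One counter row: type, Last Log Created, Last Log Fwded, then three integers.
ROW = re.compile(rf"^([a-z-]+?)\s*({TS})\s+({TS})\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
# Agent state line; a trailing ">>>" annotation, if present, is ignored.
AGENT = re.compile(r"'Log Collection log forwarding agent' is (.+?)\s*(?:>+.*)?$")

def parse_logging_status(text):
    """Parse 'show logging-status' text into agent state and per-type counters."""
    status = {"agent": None, "connected": False, "collector": None, "types": {}}
    for line in text.splitlines():
        line = line.strip()
        m = AGENT.search(line)
        if m:
            state = m.group(1)
            to = re.search(r"\bconnected to (\S+)", state)
            status["agent"] = state
            status["connected"] = to is not None and "not connected" not in state
            status["collector"] = to.group(1) if to else None
            continue
        m = ROW.match(line)
        if m:
            name, created, fwded, seq_fwd, seq_ack, total = m.groups()
            status["types"][name] = {
                "last_created": None if created == "Not Available" else created,
                "last_fwded": None if fwded == "Not Available" else fwded,
                "seq_fwded": int(seq_fwd), "seq_acked": int(seq_ack),
                "total_fwded": int(total)}
    return status

def forwarding_findings(status):
    """Return human-readable problems; an empty list means none were found."""
    findings = []
    if status["agent"] is None:
        findings.append("no log forwarding agent line in output")
    elif not status["connected"]:
        findings.append("log forwarding agent is " + status["agent"])
    if not any(t["last_fwded"] for t in status["types"].values()):
        findings.append("no log type shows a Last Log Fwded timestamp")
    return findings

# Sample inputs abridged from the outputs shown in this article.
SAMPLE_DOWN = """>Log Collector
'Log Collection log forwarding agent' is active but not connected
system Not Available Not Available 0 6882 0
traffic Not Available Not Available 0 1578 0"""
SAMPLE_UP = """>Log Collector
'Log Collection log forwarding agent' is active and connected to 68.xx.xx.xx
traffic 2020/03/04 15:11:26 2020/03/05 07:44:31 146293907669 146288009536 33450
gtp-tunnelNot Available Not Available 0 0 0"""
```

Run it against CLI output collected on a schedule and alert when forwarding_findings returns a non-empty list.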
-----------------------
Additional Information
Log forwarding agent not connected.