Log Forwarding to Panorama not working with Log forwarding agent showing as disconnected

Log Forwarding to Panorama not working with Log forwarding agent showing as disconnected

90368
Created On 07/13/20 21:15 PM - Last Modified 10/07/20 21:54 PM


Symptom


  • Logs are not forwarded from firewall to Panorama.
  • A firewall is able to ping Panorama and all required ports are open but no logs forwarded.
  • show logging-status on Firewall indicates, the log forwarding agent is active but not connected.
admin@awst-pavm100-01> show logging-status
-----------------------------------------------------------------------------------------------------------------------------
Type Last Log Created Last Log Fwded Last Seq Num Fwded Last Seq Num Acked Total Logs Fwded
-----------------------------------------------------------------------------------------------------------------------------
> CMS 0
Not Sending to CMS 0
> CMS 1
Not Sending to CMS 1

>Log Collector
'Log Collection log forwarding agent' is active but not connected   >>>>>this should be connected

config Not Available Not Available 0 13 0
system Not Available Not Available 0 6882 0
threat Not Available Not Available 0 0 0
traffic Not Available Not Available 0 1578 0
hipmatch Not Available Not Available 0 0 0
gtp-tunnel Not Available Not Available 0 0 0
userid Not Available Not Available 0 0 0
iptag Not Available Not Available 0 0 0
auth Not Available Not Available 0 0 0
sctp Not Available Not Available 0 0 0



 

Environment


  • PAN-OS 8.1 and above.
  • Any Panorama.
  • Any Palo Alto Firewall.
  • Panorama with NATed public IP (Example: Panorama in AWS environment).

Cause


  • Firewall should show connected to the agent in below command
admin@awst-pavm100-01> show logging-status
-----------------------------------------------------------------------------------------------------------------------------
Type Last Log Created Last Log Fwded Last Seq Num Fwded Last Seq Num Acked Total Logs Fwded
-----------------------------------------------------------------------------------------------------------------------------
> CMS 0
Not Sending to CMS 0
> CMS 1
Not Sending to CMS 1

>Log Collector
'Log Collection log forwarding agent' is active but not connected   >>>>>this should be connected

config Not Available Not Available 0 13 0
system Not Available Not Available 0 6882 0
threat Not Available Not Available 0 0 0
traffic Not Available Not Available 0 1578 0
hipmatch Not Available Not Available 0 0 0
gtp-tunnel Not Available Not Available 0 0 0
userid Not Available Not Available 0 0 0
iptag Not Available Not Available 0 0 0
auth Not Available Not Available 0 0 0
sctp Not Available Not Available 0 0 0
  • The firewall should show public IP in preference list if configured with NATed IP
admin@PW-Plant-1(active)> show log-collector preference-list
Log Collector Preference List
Forward to all: No
Serial Number: 000xxxxxxxxx IP Address: 68.xx.xx.xx IPV6 Address: unknown >>>public ip if Panorama in AWS with NAted Ips

 

Resolution


  1. Make sure all required ports are open between Panorama and firewall. Refer Panorama required ports.
  2. Do a Panorama local commit followed by a collector group push.
  3. If the "show logging-status" command still does not show the log forwarding agent as connected, Just do only a collector-group commit and check the status again after few minutes. This can be achieved through GUI: Panorama > Commit > Push to Device> Edit Selection > Deselect All for Device Groups and Templates > Collector Groups > select Collector Group and click OK and Push
  4. Once completed, the log forwarding agent will be seen as connected and the logs will be seen on Panorama.
admin@PW-Plant-1(active)> show logging-status
-----------------------------------------------------------------------------------------------------------------------------
Type Last Log Created Last Log Fwded Last Seq Num Fwded Last Seq Num Acked Total Logs Fwded
-----------------------------------------------------------------------------------------------------------------------------
> CMS 0
Not Sending to CMS 0
> CMS 1
Not Sending to CMS 1
>Log Collector
'Log Collection log forwarding agent' is active and connected to 68.xx.xx.xx
config    Not Available        Not Available    0 4356 0
system    Not Available        Not Available    0 17105965 0
threat    Not Available        Not Available    0 2789460711 0
traffic   2020/03/04 15:11:26  2020/03/05 07:44:31 146293907669 146288009536 33450
hipmatch  Not Available        Not Available 0 0 0
gtp-tunnelNot Available        Not Available 0 0 0
userid    Not Available        Not Available 0 0 0
auth      Not Available        Not Available 0 0 0
sctp      Not Available        Not Available 0 0 0
-----------------------

 

Additional Information


 Log forwarding agent not connected.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UpdCAE&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language