Newly Bootstrapped firewalls in AWS are not forwarding logs to Panorama

Created On 02/01/23 22:37 PM - Last Modified 01/15/25 22:06 PM


Symptom


  • Firewall newly bootstrapped in AWS.
  • The logs are not forwarded to Panorama, which can be verified as shown below.
  • The logs are written to the firewall correctly:
>debug log-receiver queue stats
Logging statistics
------------------------------ -----------
Log incoming rate:             48/sec
Log written rate:              2/sec
Logs discarded (queue full):   0
Ring buffer entries:           0/2048
...(Output Omitted).....
  • Log forwarding connection stats indicate 'registering'.
Connection status
------------------------------ -----------
Active:                        0
Inactive:                      2
lr-cms0-def:
    address:                   10.237.196.100
    status:                    connected, registering <<<
lr-cms1-def:
    address:                   10.237.204.100
    status:                    connected, registering <<<

Duplicate log forwarding
------------------------------ -----------
Active:                        0
Inactive:                      0
  • "show logging-status" shows the CMS0 connection is 'Inactive'. No preference-list is used:
-----------------------------------------------------------------------------------------------------------------------------
      Type      Last Log Created        Last Log Fwded       Last Seq Num Fwded  Last Seq Num Acked         Total Logs Fwded
-----------------------------------------------------------------------------------------------------------------------------

Log Collector           :       CMS 0
Connection IP           :     lr-cms0
Conn Source IP          : lr - def
High speed mode         :    Disabled
Connection Status       : lr - Inactive
Rate                    :  0 logs/sec
....(Output Omitted)....

Log Collector           :       CMS 1
Connection IP           :     lr-cms1
Conn Source IP          : lr - def
High speed mode         :    Disabled
Connection Status       : lr - Inactive
Rate                    :  0 logs/sec

....(Output Omitted)....
>show log-collector preference-list
Log Collector Preference List does not exist
Logging Service Preference List does not exist
  • Connectivity between mgmtsrvr and logrcvr looks good.
  • The messages below are seen in the logrcvr logs; they are no longer seen once the CMS0 connection becomes active after restarting the logrcvr/mgmtsrvr process:
    17:26:01.122 -0700 Timeout:4 triggered for lc_conn_id:lr-cms0-def dst_registered:false
    17:28:32.419 -0700 Timeout:8 triggered for lc_conn_id:lr-cms0-def dst_registered:false
    17:30:32.421 -0700 Timeout:10 triggered for lc_conn_id:lr-cms0-def dst_registered:false
    17:32:32.423 -0700 Timeout:12 triggered for lc_conn_id:lr-cms0-def dst_registered:false
    17:34:32.424 -0700 Timeout:14 triggered for lc_conn_id:lr-cms0-def dst_registered:false
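The checks above can be scripted. The following is an added example (not from the article or from Palo Alto Networks) that parses constructed samples of the "debug log-receiver queue stats" output and of logrcvr log lines, and flags collector connections that sit in 'connected, registering' while logs are still arriving on the firewall. The sample text is modelled on the symptom output above, not a real capture.

```python
import re

# Constructed sample of "debug log-receiver queue stats" output (not a real capture).
SAMPLE_QUEUE_STATS = """\
Log incoming rate:             48/sec
Log written rate:              2/sec

Connection status
lr-cms0-def:
    address:                   10.237.196.100
    status:                    connected, registering
lr-cms1-def:
    address:                   10.237.204.100
    status:                    connected, registering
"""

# Constructed logrcvr log lines in the format shown in the article.
SAMPLE_LOGRCVR_LOG = """\
17:26:01.122 -0700 Timeout:4 triggered for lc_conn_id:lr-cms0-def dst_registered:false
17:28:32.419 -0700 Timeout:8 triggered for lc_conn_id:lr-cms0-def dst_registered:false
"""

def parse_rate(stats_text, label):
    """Integer logs/sec from a 'Log <label> rate:' line, or None if absent."""
    m = re.search(rf"^Log {label} rate:\s*(\d+)/sec", stats_text, re.MULTILINE)
    return int(m.group(1)) if m else None

def parse_connections(stats_text):
    """Map each 'lr-...' connection id to its status string."""
    conns, current = {}, None
    for line in stats_text.splitlines():
        head = re.match(r"^(lr-\S+):\s*$", line)
        if head:
            current = head.group(1)
            continue
        status = re.match(r"^\s+status:\s*(.+?)\s*$", line)
        if status and current:
            conns[current] = status.group(1)
    return conns

def unregistered_timeouts(logrcvr_text):
    """Connection ids that logged 'Timeout ... dst_registered:false'."""
    return set(re.findall(r"lc_conn_id:(\S+) dst_registered:false", logrcvr_text))

def stuck_registering(stats_text):
    """Connection ids showing the symptom: logs still arrive on the firewall
    (incoming rate > 0) while the collector connection sits in 'registering'."""
    if not (parse_rate(stats_text, "incoming") or 0):
        return []
    return sorted(c for c, s in parse_connections(stats_text).items()
                  if s.startswith("connected, registering"))
```

Any connection id returned by stuck_registering, especially one also present in unregistered_timeouts, matches the condition this article describes.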

Environment


  • PA-VM on AWS
  • PAN-OS 10.1.5
  • Panorama
  • Log forwarding


Cause


  • Software issue.


Resolution


  1. The issue is fixed under PAN-206629.
  2. Upgrading to one of the fixed versions or later (PAN-OS 10.1.9, 10.2.4, 11.0.1) resolves the issue.
  3. As a workaround, restart the logrcvr process using "debug software restart process log-receiver".