After upgrade to PAN-OS 10.1, PA-7000 firewall cannot forward syslog packets when in HA Passive state.

After upgrade to PAN-OS 10.1, PA-7000 firewall cannot forward syslog packets when in HA Passive state.

1347
Created On 09/26/22 05:47 AM - Last Modified 07/26/25 03:59 AM


Symptom


  • After upgrade from PAN-OS 10.0 to 10.1 or later, PA-7000 cannot forward syslog packets when in HA Passive state.
  • This applies only when LPC (Log Processing Card) is installed. LFC (Log Forwarding Card) is not affected.
  • If the device is in Passive state, no management plane logs (system log, configuration log, etc.) are forwarded to syslog servers.
  • This also impacts other log forwarding protocols (SNMP TRAP, SMTP, etc.).

Environment


  • PA-7000 platform with LPC module.
  • PAN-OS 10.1 or later only.
  • Syslog forwarding is configured for management plane logs.
  • HA Active/Passive deployment.
Note: HA Active/Active deployment is not impacted.

Cause


  • This is due to a behavior change between PAN-OS 10.0 and 10.1. Beginning with PAN-OS 10.1, the PA-7000 Series Firewall only uses the logging port and the corresponding log card to forward system and configuration logs, not from management port. Refer: Changes to Default Behavior in PAN-OS 10.1
  • HA Active device can forward syslog packets from the log card port, but HA Passive cannot because the log card port on the dataplane would not be functional when in Passive state. 

Resolution


Use REST API to retrieve system logs, configuration logs, etc.  For example, query logs for last 1min with 1min interval.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wleECAQ&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language