Syslog over TLS defaults to the management port, ignoring the service port setting

Created On 07/22/25 09:49 AM - Last Modified 08/06/25 21:50 PM


Symptom


  • Syslog over TLS is configured to use a data port through a service route.
  • This works correctly until the firewall is upgraded to PAN-OS 11.1 or 11.2.
  • After the upgrade, Syslog over TLS defaults to the management port instead of the data port configured in the service route.
  • No issues are observed with Syslog over TCP or UDP.
  • Netstat confirms that connections are initiated from the firewall's management IP:
    Firewall> show netstat all yes numeric-ports yes numeric-hosts yes programs yes | match "Your-Syslog-Server-IP"
    tcp        0      1 FW-Mgmt-IP:41488     Your-Syslog-Server-IP:6514     SYN_SENT    13259/logrcvr
  • The following errors are seen in logrcvr.log (less mp-log logrcvr.log):
    Error: pan_comm_get_tcp_conn_gen(comm_utils.c:875): COMM: cannot connect. remote ip="Your-Syslog-Server-IP" port=6514 err=Connection timed out(110) sock=23
    Error: pan_syslog_server_connect(cs_conn.c:12875): Failed to connect to server
    Error: _pan_syslog(pan_syslog.c:1638): Failed to init socket
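To confirm from saved command output whether a firewall shows this behaviour, here is an added example (not from the article or from Palo Alto Networks) that parses netstat and logrcvr.log lines in the formats quoted above and flags syslog connections sourced from the management IP rather than the service-route address; the IP addresses are constructed documentation-range values.

```python
import re
# Constructed sample of 'show netstat all yes numeric-ports yes numeric-hosts yes programs yes'
# output in the column layout quoted above, using RFC 5737 documentation addresses: 192.0.2.10 is
# the management IP, 198.51.100.5 the syslog server, 203.0.113.7 the data-port (service route) IP.
NETSTAT_SAMPLE = """\
tcp        0      1 192.0.2.10:41488     198.51.100.5:6514     SYN_SENT    13259/logrcvr
tcp        0      0 192.0.2.10:22        192.0.2.50:51234      ESTABLISHED 1120/sshd
tcp        0      0 203.0.113.7:40212    198.51.100.5:514      ESTABLISHED 13259/logrcvr
"""
# Constructed logrcvr.log excerpt in the format quoted above (a timestamp prefix is tolerated).
LOGRCVR_SAMPLE = """\
Error: pan_comm_get_tcp_conn_gen(comm_utils.c:875): COMM: cannot connect. remote ip="198.51.100.5" port=6514 err=Connection timed out(110) sock=23
Error: pan_syslog_server_connect(cs_conn.c:12875): Failed to connect to server
"""

# IPv4-only netstat line: proto, recv-q, send-q, local, foreign, state, pid/program.
NETSTAT_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<lip>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<rip>[\d.]+):(?P<rport>\d+)\s+(?P<state>\S+)\s+(?P<prog>\S+)\s*$"
)
CONNECT_ERR_RE = re.compile(
    r'cannot connect\. remote ip="(?P<ip>[^"]+)" port=(?P<port>\d+) '
    r"err=(?P<err>[^(]+)\((?P<code>\d+)\)"
)

def syslog_connections(netstat_text, server_ip, server_port):
    """Return the logrcvr connections toward the given syslog server, one dict per line."""
    conns = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if (m and m["rip"] == server_ip and int(m["rport"]) == server_port
                and m["prog"].endswith("/logrcvr")):  # skip other processes on that host
            conns.append({"local_ip": m["lip"], "state": m["state"], "program": m["prog"]})
    return conns

def classify_sources(conns, mgmt_ip, service_route_ip):
    """'ok' = sourced from the service-route (data-port) IP; 'mgmt' = sourced from the
    management IP, the behaviour described in the article; 'other' = anything else."""
    return ["ok" if c["local_ip"] == service_route_ip else
            "mgmt" if c["local_ip"] == mgmt_ip else "other" for c in conns]

def connect_failures(log_text, server_ip, server_port):
    """(error text, errno) pairs for failed connects to the syslog server, to corroborate netstat."""
    hits = []
    for line in log_text.splitlines():
        m = CONNECT_ERR_RE.search(line)
        if m and m["ip"] == server_ip and int(m["port"]) == server_port:
            hits.append((m["err"].strip(), int(m["code"])))
    return hits
```

A `mgmt` label on the port 6514 connection together with a `Connection timed out` entry is the signature described in this article; the port 514 connection from the data-port address shows the expected `ok` result.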


Environment


  • Palo Alto Firewalls
  • PAN-OS 11.1 / 11.2
  • Syslog over TLS
  • Service-port configured to use data-port


Cause


PAN-OS 11.1 and 11.2 do not honor the service route (service-port) configuration for Syslog over TLS, so the connection defaults to the management interface.



Resolution


  1. The issue is tracked as PAN-279415 and will be fixed in PAN-OS 11.1.11 and 11.2.8.
  2. Upgrading to one of those versions, once released, resolves the issue.

Workaround:

  1. Use the management port for Syslog over TLS, or
  2. Switch to Syslog over TCP or UDP, which are not affected by this issue.


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000blgIKAQ&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail