PANOS CLI Commands to Debug Palo Alto Logging Service

The Palo Alto Networks Logging Service enables firewalls to push their logs to Cortex Data Lake (CDL). If a firewall is having issues connecting, you can try the following. First, check that the logging service license is installed:

request license info

You should at least see the logging service license among the returned licenses. If not, then things are not going to work. If the license is there and you still have issues, try the following to refresh the key and the certificate. Delete the logging service key:

delete license key Logging_Service_2020_01_06.key

The file name of your key will be different, so press Tab after typing delete license key to see your installed keys. To refresh the license, go to Panorama and choose the Panorama tab > Device Deployment > Licenses, click Refresh and select your firewall. If you don’t have Panorama, try the following:

request license fetch

Next delete the logging service certificate:

request logging-service-forwarding certificate delete

Then request a certificate:

request logging-service-forwarding certificate fetch

In some cases deleting and re-registering can help. The following commands may help gain visibility into further issues:

show logging-status
debug log-receiver rawlog_fwd_trial stats global show
request logging-service-forwarding status
request license info
show system state | match lcaas
show system state | match cust
request logging-service-forwarding customerinfo show
less mp-log lcaas_agent.log
request logging-service-forwarding certificate info
request logging-service-forwarding customerinfo fetch
less mp-log logrcvr.log
show netstat numeric-hosts yes numeric-ports yes | match 3978
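To interpret the output of the last command in that list, the following added example (not from the original post) classifies the TCP states seen on port 3978. It assumes the firewall prints standard Linux-style netstat lines; the sample output is constructed with documentation addresses, and the mapping from state to next step is this example's own interpretation.

```python
import re

CDL_PORT = 3978  # port the page matches on in the netstat command

# Constructed samples of `show netstat numeric-hosts yes numeric-ports yes | match 3978`
# output (assumed Linux netstat layout; addresses are documentation ranges).
SAMPLE_OK = """\
tcp        0      0 192.0.2.10:41822        203.0.113.5:3978        ESTABLISHED
tcp        0      0 192.0.2.10:41810        203.0.113.5:3978        TIME_WAIT
"""
SAMPLE_BLOCKED = """\
tcp        0      1 192.0.2.10:41990        203.0.113.5:3978        SYN_SENT
"""

LINE_RE = re.compile(
    r"^\s*tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_0-9]+)\s*$"
)

def parse_connections(text, port=CDL_PORT):
    """Return (remote, state) for each TCP line whose remote port equals `port`."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # `match 3978` also hits local ports; rpartition copes with IPv6 colons.
        _, _, rport = m.group("remote").rpartition(":")
        if rport == str(port):
            conns.append((m.group("remote"), m.group("state")))
    return conns

def diagnose(text, port=CDL_PORT):
    """Map the observed TCP states to a next troubleshooting step."""
    states = {state for _, state in parse_connections(text, port)}
    if "ESTABLISHED" in states:
        return "connected"
    if "SYN_SENT" in states:
        return "blocked"     # SYN leaves, no reply: check upstream filtering/routing
    if states:
        return "flapping"    # only closing states: the session keeps dropping
    return "not-attempting"  # no socket: check license, certificate, log-receiver

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("blocked", SAMPLE_BLOCKED), ("empty", "")]:
        print(name, "->", diagnose(sample), parse_connections(sample))
```

Paste the firewall's output into a string and pass it to diagnose(); a result of "blocked" points at the network path rather than at the license or certificate.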

Update

In some cases the above was not enough to enable the logging service. The full fix involved upgrading PANOS to version 8.0.12, then following the above steps to remove licenses and then refresh the certificate. This fixed half of the firewalls; the remaining firewalls required the logging service to be manually restarted:

debug software restart process log-receiver

The service takes a few minutes to initiate and in my case the remaining stubborn firewalls started pushing their logs to the cloud.

For further info check the following Palo Alto documentation:

Firewall Unable To Register To Cortex Data Lake

Troubleshooting Firewall Connectivity Issues With Logging Service


2020-01-20 19:53 +0000