Troubleshooting Firewall Connectivity
If you’re having trouble connecting your firewall to Strata Logging Service, here are some steps you can try to solve the issue.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by PAN-OS or Panorama)
  • NGFW (Managed by Strata Cloud Manager)
What Do I Need?
  • Strata Logging Service
Find out what to do if one of the firewalls in your Inventory shows one of these issues:

License Expired

If a firewall is disconnected, check its license status by logging into the firewall CLI and entering the following:
request license info
Sample output:
Feature: Logging Service
Description: Device Logging Service
Expires: April 06, 2038
Expired?: no
If you see Expired?: yes, follow the steps below to refresh the license on the firewall or on the Panorama managing the firewall.
Firewall
For firewalls not managed by Panorama, manually refresh the license from Device > Licenses in the firewall UI.
Panorama
For Panorama-managed firewalls, refresh the license from Panorama. If the license on the Panorama managing the firewall is itself expired, refresh the license on Panorama first.
If the above does not resolve the issue, enter the following command in the firewall CLI:
  • If Strata Logging Service Forwarding is enabled, enter:
    request logging-service-forwarding status
  • If Duplicate Logging (Cloud and On-Premise) is enabled, enter:
    debug log-receiver log-forwarding-connections status
Sample output:
Logging Service Licensed: Yes
Logging Service forwarding enabled: No
Duplicate logging enabled: No
Enhanced application logging enabled: No

Logging Service License Status:
Status:

Fetch:

Install:
Status: Success
Msg: Successfully install fetched license
Last Fetched: 2021/12/22 11:56:34

Upgrade:

Logging Service Certificate information:
Info: Failed
Status: failure
Last fetched: Mon Dec 27 15:20:44 2021

Logging Service Customer file information:
Info: Failed to validate server certificate for endpoint api.paloaltonetworks.com
Status: failure
Last Fetched: 2021/12/27 15:24:24
Failures like these (the license installs, but the certificate and customer-file fetches fail with Failed to validate server certificate for endpoint api.paloaltonetworks.com) typically appear after you upgrade a device from PAN-OS 10.0 or earlier to PAN-OS 10.1 or later, or after you install a device certificate on a device running 10.1 or later. In that case, restart the management-server process or reboot the device. To restart the management-server from the firewall CLI, enter:
debug software restart process management-server
Restarting the management-server drops web UI and CLI sessions but does not interrupt traffic forwarding. If the validation failure persists after the restart, check whether a device between the firewall and api.paloaltonetworks.com is intercepting TLS and presenting its own certificate; the firewall correctly refuses to trust it, so exempt the firewall's management traffic from interception rather than weakening validation.

Needs Certificate

If the Certificate Status of a firewall indicates Needs Certificate, the firewall has not yet been onboarded to Strata Logging Service and must be onboarded before it can forward logs. (To onboard firewalls without Panorama, see Onboard Firewalls to Strata Logging Service without Panorama.)

Certificate Expired

To check the Certificate Status of a firewall, log in to the firewall CLI and enter:
request logging-service-forwarding status
On a firewall running a PAN-OS release earlier than 10.1, also enter:
request logging-service-forwarding certificate info
On a firewall running PAN-OS 10.1 or later (where the logging service uses the device certificate), enter:
show device-certificate info
show device-certificate status
If the output states that the certificate has expired, follow the Firewall steps below to manually refresh the certificate on the firewall.
If the output contains Info: Error sending CSR signing request to Panorama, follow the Panorama steps below to refresh the certificate on Panorama.
Firewall
In the firewall CLI, enter:
request logging-service-forwarding certificate delete
request logging-service-forwarding certificate fetch
Panorama
In the Panorama CLI, enter:
request plugins cloud_services logging-service status
If the output contains Logging service certificate expired, fetch a new certificate with:
request plugins cloud_services panorama-certificate fetch otp <value>
where value is the one-time password (OTP) needed to fetch the certificate from the Customer Support Portal (CSP).
If the command fails, check the plugin log file:
less mp-log plugin_cloud_services.log
Otherwise, return to the CLI of the firewall you are troubleshooting and enter:
request logging-service-forwarding certificate fetch
Unmanaged Firewall
In the firewall CLI, enter:
request logging-service-forwarding certificate fetch-noproxy pre-shared-key <value>
where value is the pre-shared key from the Customer Support Portal (CSP).
Treat the OTP and the pre-shared key as secrets: each authorizes a device to obtain a certificate for your account, so generate them on the CSP only when you need them and do not paste them into tickets or chat.
After you’ve completed the above, check the certificate status in your Strata Logging Service Inventory.

Connected but Logging Rate is Zero

If the Connection Status of your firewall is Connected but the Ingestion Rate is zero, the firewall is reachable but is not sending anything. Verify that your Log Forwarding profiles are configured to forward to Strata Logging Service and that they are attached to the Security policy rules whose traffic you expect to see; a profile that exists but is not referenced by any rule produces no logs. Commit after any change and check the Ingestion Rate again.

Failed to Fetch FQDN

The firewall may be unable to connect because it is not successfully retrieving the ingest/query FQDN for Strata Logging Service. To find out if this is the case, log in to the firewall CLI and enter
request logging-service-forwarding status
or
request logging-service-forwarding customerinfo show
Sample output:
Logging Service Customer file information:
Customer ID: xxxxxxx
EAL Ingest FQDN: xxxxx.fei.lcaas-qa.us.paloaltonetworks.com.
Ingest FQDN: xxxxxx.in2.lcaas-qa.us.paloaltonetworks.com
Info: Failed to fetch ingest/query FQDN for customer (curl failed)
Query FQDN: xxxxx.api2.lcaas-qa.us.paloaltonetworks.com:444
Status: failure
Last Fetched: 2020/07/22 19:01:06
If you see Info: Failed to fetch ingest/query FQDN for customer (curl failed) as in the above, enter:
request logging-service-forwarding customerinfo fetch
to manually refresh the customer information (the ingest and query FQDNs); this does not refresh the certificate. Because curl failed means the HTTPS request itself never completed, first confirm that the management interface (or the configured service route) can resolve DNS and reach the Palo Alto Networks cloud endpoints over HTTPS. Then check the Connection Status in your Strata Logging Service Inventory to see if the firewall is now connected.
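The License Expired, Certificate Expired and Failed to Fetch FQDN sections above all start from the same command, request logging-service-forwarding status, and map a handful of Info/Status strings to a remediation. The script below is an added example, not Palo Alto Networks code: it parses a captured copy of that output (pasted from an SSH session into a string) and returns the remediation the page recommends for each failure it recognises. The two embedded samples are constructed to mirror the outputs shown on this page, the Finding codes are this example's own, and the parser treats any line ending in a bare colon as a section header, which is an assumption about the output layout rather than a documented format.

```python
"""Off-box triage of captured `request logging-service-forwarding status` output.
Added example, not Palo Alto Networks code: it assumes the status text was captured
from the firewall CLI into a string; the samples are constructed to mirror this page."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    code: str    # stable identifier for callers and tests (this example's own names)
    issue: str   # what is wrong, in the page's own terms
    action: str  # the command or UI step the page recommends


# Constructed sample: the post-upgrade certificate-validation failure shown on the page.
SAMPLE_AFTER_UPGRADE = """\
Logging Service Licensed: Yes
Logging Service Certificate information:
Info: Failed
Status: failure
Logging Service Customer file information:
Info: Failed to validate server certificate for endpoint api.paloaltonetworks.com
Status: failure
"""

# Constructed sample: the "curl failed" customer-info failure shown on the page.
SAMPLE_FQDN_FAILURE = """\
Logging Service Customer file information:
Customer ID: xxxxxxx
Ingest FQDN: xxxxxx.in2.lcaas-qa.us.paloaltonetworks.com
Info: Failed to fetch ingest/query FQDN for customer (curl failed)
Query FQDN: xxxxx.api2.lcaas-qa.us.paloaltonetworks.com:444
Status: failure
"""

_KV = re.compile(r"^([^:]+?):\s*(.*?)\s*$")


def parse_status(text):
    """Return {section: {key: value}}. A line ending in ':' with no value opens a section
    ("Logging Service Certificate information:", "Install:", ...); earlier lines go in ""."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        m = _KV.match(raw.strip())
        if not m:
            continue
        key, value = m.groups()
        if value:
            sections[current][key] = value
        else:
            current = key
            sections.setdefault(current, {})
    return sections


def triage(text):
    """Map the failure strings documented on this page to the page's remediation."""
    s = parse_status(text)
    top = s.get("", {})
    cert = s.get("Logging Service Certificate information", {})
    cust = s.get("Logging Service Customer file information", {})
    findings = []

    licensed = top.get("Logging Service Licensed")
    if licensed is not None and licensed.lower() != "yes":
        findings.append(Finding("license", "Logging Service license missing or expired",
                                "refresh the license from Device > Licenses, or from Panorama"))

    # TLS validation failure against api.paloaltonetworks.com (post-upgrade / device cert).
    validation_failed = any("Failed to validate server certificate" in sec.get("Info", "")
                            for sec in (cert, cust))
    if validation_failed:
        findings.append(Finding("restart-mgmt-server",
                                "server certificate validation failed for api.paloaltonetworks.com",
                                "debug software restart process management-server"))

    info = cert.get("Info", "")
    if "Error sending CSR signing request to Panorama" in info:
        findings.append(Finding("cert-panorama", "Panorama could not sign the firewall's CSR",
                                "on Panorama: request plugins cloud_services logging-service status, "
                                "then request plugins cloud_services panorama-certificate fetch otp <value>"))
    elif "expired" in info.lower():
        findings.append(Finding("cert-expired", "logging service certificate expired",
                                "request logging-service-forwarding certificate delete, then "
                                "request logging-service-forwarding certificate fetch"))
    elif cert.get("Status", "").lower() == "failure" and not validation_failed:
        findings.append(Finding("cert-fetch", "logging service certificate fetch failed",
                                "request logging-service-forwarding certificate fetch"))

    if "Failed to fetch ingest/query FQDN" in cust.get("Info", ""):
        findings.append(Finding("fqdn-fetch", "ingest/query FQDN not retrieved (curl failed)",
                                "request logging-service-forwarding customerinfo fetch"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AFTER_UPGRADE) + triage(SAMPLE_FQDN_FAILURE):
        print(f"[{f.code}] {f.issue} -> {f.action}")
```

Run it as-is to see the two samples triaged, or replace the sample with the text of your own capture. The ordering matters: a certificate section that reports Status: failure only because server-certificate validation failed is reported once, as the management-server restart, rather than also as a generic certificate fetch failure, which would send you to refetch a certificate the firewall cannot validate yet.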