Description:
This article describes how to verify that the appliance is receiving and processing syslog in Palo Alto VPN integrations.
For integration details, see the Palo Alto Networks Integration reference manual in the Document Library.
Scope: FortiNAC v9.4.2 and greater.
Solution:
1) Review Palo Alto configuration to verify Syslog messages are configured properly.
2) Using tcpdump, confirm Syslog messages are reaching the appliance when the client connects.
In the appliance CLI, type:
tcpdump -nni eth0 host <Palo Alto IP modeled in Inventory> and port 514
(Type ctrl-C to stop)
If Syslog messages are not being received:
- Confirm Syslog is sourced from the same IP used to model the Palo Alto. See the KB article: https://community.fortinet.com/t5/FortiNAC/Technical-Note-Packets-not-processed-when-source-IP-addre....
- Confirm UDP 514 is not being blocked in the network.
3) If Syslog is reaching the appliance, enable debugs (written to /bsc/logs/output.master):
nacdebug -name PaloAlto true
nacdebug -name SyslogServer true
tf output.master | grep -i "UserName"
4) Have the client connect.
5) Review output.master for syslog messaging that provides User ID, assigned endstation VPN IP address, and session information.
Example of syslog output for a VPN login:
User ID (user): myname
VPN IP (tunnelip): 10.232.50.67
Session information: gateway-connected,connected
yams.SyslogServer FINER :: 2022-09-15 13:58:56:720 :: 482 :: SyslogServer received: 10.228.16.51 <14>Sep 15 13:58:56 PaloAltoPRIMARY.mydomain.local 1,2022/09/15 13:58:55,016201003252,GLOBALPROTECT,0,2305,2022/09/15 13:58:55,vsys1,gateway-connected,connected,,IPSec,myname@mydomain.LOCAL,US,xxx-xxx-xx,24.98.240.83,0.0.0.0,10.232.50.67,0.0.0.0,xxxxxxxxxxxxxx,9T4K453,5.1.9,Windows,"Microsoft Windows 10 Enterprise , 64-bit",1,,,"",success,,0,,0,….
Example of Syslog output for a VPN logout:
yams.SyslogServer FINER :: 2022-09-15 13:59:14:138 :: 482 :: SyslogServer received: 10.228.16.51 <14>Sep 15 13:59:14 PaloAltoPRIMARY.mydomain.local 1,2022/09/15 13:59:13,016201003252,GLOBALPROTECT,0,2305,2022/09/15 13:59:13,vsys1,gateway-logout,logout,,, myname@mydomain.LOCAL,US,xxx-xxx-xxx,24.98.240.83,0.0.0.0,10.232.50.67,0.0.0.0,xxxxxxxxxxxxxxx,9T4K453,5.1.9,Windows,"Microsoft Windows 10 Enterprise , 64-bit",1,,,"client logout",success,,49,,0,…
6) Review output.master for messaging that indicates Syslog information was processed.
Example of successful debug output:
yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed <Palo Alto ID>
yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed 0101039947 <-- logID
yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed root <-- VDOM
…
yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed 10.232.50.67 <-- endstation VPN ip
yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed myname <-- user ID
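As an added example (not the article's or FortiNAC's own parser), the Python below pulls the same user ID, tunnel IP and session fields out of the two GlobalProtect messages shown above, and rejects non-GLOBALPROTECT records. The field positions are an assumption based on the PAN-OS GlobalProtect log field order; the sample messages are constructed from the article's examples, with the masked host IDs left as placeholders.

```python
import csv
import re

# Constructed sample messages, copied from the login/logout examples in the
# article (the "SyslogServer received:" payloads); host IDs are placeholders.
LOGIN = ('<14>Sep 15 13:58:56 PaloAltoPRIMARY.mydomain.local 1,2022/09/15 13:58:55,'
         '016201003252,GLOBALPROTECT,0,2305,2022/09/15 13:58:55,vsys1,gateway-connected,'
         'connected,,IPSec,myname@mydomain.LOCAL,US,xxx-xxx-xx,24.98.240.83,0.0.0.0,'
         '10.232.50.67,0.0.0.0,xxxxxxxxxxxxxx,9T4K453,5.1.9,Windows,'
         '"Microsoft Windows 10 Enterprise , 64-bit",1,,,"",success,,0,,0')
LOGOUT = ('<14>Sep 15 13:59:14 PaloAltoPRIMARY.mydomain.local 1,2022/09/15 13:59:13,'
          '016201003252,GLOBALPROTECT,0,2305,2022/09/15 13:59:13,vsys1,gateway-logout,'
          'logout,,, myname@mydomain.LOCAL,US,xxx-xxx-xxx,24.98.240.83,0.0.0.0,'
          '10.232.50.67,0.0.0.0,xxxxxxxxxxxxxxx,9T4K453,5.1.9,Windows,'
          '"Microsoft Windows 10 Enterprise , 64-bit",1,,,"client logout",success,,49,,0')

# Assumed positions in the comma-separated body, following the PAN-OS
# GlobalProtect log field order: type, eventid, stage, srcuser, private_ip.
IDX_TYPE, IDX_EVENT, IDX_STAGE, IDX_USER, IDX_TUNNEL_IP = 3, 8, 9, 12, 17

# BSD syslog header: <PRI>Mon DD HH:MM:SS hostname <body>
HEADER = re.compile(r'^<\d{1,3}>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (\S+) (.*)$', re.S)


def parse_globalprotect(line):
    """Return the fields FortiNAC needs from one GlobalProtect syslog line,
    or None if the message is not a GLOBALPROTECT record."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    host, body = m.groups()
    # csv handles the quoted OS string, which itself contains a comma;
    # a plain str.split(',') would shift every later field by one.
    fields = next(csv.reader([body]))
    if len(fields) <= IDX_TUNNEL_IP or fields[IDX_TYPE] != 'GLOBALPROTECT':
        return None
    # Drop the realm so the result matches the 'myname' the debug output shows.
    user = fields[IDX_USER].strip().split('@', 1)[0]
    event, stage = fields[IDX_EVENT], fields[IDX_STAGE]
    action = 'login' if stage == 'connected' else 'logout' if stage == 'logout' else 'other'
    return {
        'host': host,
        'user': user,
        'tunnel_ip': fields[IDX_TUNNEL_IP],
        'session': f'{event},{stage}',
        'action': action,
    }
```

Running parse_globalprotect over the lines tcpdump or output.master show lets you confirm the user and tunnel IP the appliance should map before looking for the parseStr messages.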
7) Once troubleshooting is complete, disable debugging:
nacdebug -name PaloAlto false
nacdebug -name SyslogServer false
Copyright 2024 Fortinet, Inc. All Rights Reserved.