FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 249834
Description

This article describes how to verify if the appliance is receiving and processing syslog in Palo Alto VPN integrations.

For integration details, see Palo Alto Networks Integration reference manual in the Document Library.

Scope

FortiNAC v9.4.2 and greater.

Solution

1) Review the Palo Alto configuration to verify that Syslog messages are configured properly.

2) Using tcpdump, confirm Syslog messages are reaching the appliance when the client connects.

In the appliance CLI, type:

tcpdump -nni eth0 host <Palo Alto IP modeled in Inventory> and port 514

(Press Ctrl-C to stop.)

If Syslog messages are not being received:

- Confirm Syslog is sourced from the same IP used to model the Palo Alto. See the KB article: https://community.fortinet.com/t5/FortiNAC/Technical-Note-Packets-not-processed-when-source-IP-addre....

- Confirm UDP 514 is not being blocked in the network.

3) If Syslog is reaching the appliance, enable debug logging (written to /bsc/logs/output.master):

nacdebug -name PaloAlto true

nacdebug -name SyslogServer true

tf output.master | grep -i "UserName"

 

4) Have the client connect.

5) Review output.master for syslog messaging that provides User ID, assigned endstation VPN IP address, and session information.

Example of syslog output for a VPN login:

User ID (user): myname

VPN IP (tunnelip): 10.232.50.67

Session information: gateway-connected,connected

yams.SyslogServer FINER :: 2022-09-15 13:58:56:720 :: 482 :: SyslogServer received: 10.228.16.51 <14>Sep 15 13:58:56 PaloAltoPRIMARY.mydomain.local 1,2022/09/15 13:58:55,016201003252,GLOBALPROTECT,0,2305,2022/09/15 13:58:55,vsys1,gateway-connected,connected,,IPSec,myname@mydomain.LOCAL,US,xxx-xxx-xx,24.98.240.83,0.0.0.0,10.232.50.67,0.0.0.0,xxxxxxxxxxxxxx,9T4K453,5.1.9,Windows,"Microsoft Windows 10 Enterprise , 64-bit",1,,,"",success,,0,,0,….

Example of Syslog output for a VPN logout:

yams.SyslogServer FINER :: 2022-09-15 13:59:14:138 :: 482 :: SyslogServer received: 10.228.16.51 <14>Sep 15 13:59:14 PaloAltoPRIMARY.mydomain.local 1,2022/09/15 13:59:13,016201003252,GLOBALPROTECT,0,2305,2022/09/15 13:59:13,vsys1,gateway-logout,logout,,, myname@mydomain.LOCAL,US,xxx-xxx-xxx,24.98.240.83,0.0.0.0,10.232.50.67,0.0.0.0,xxxxxxxxxxxxxxx,9T4K453,5.1.9,Windows,"Microsoft Windows 10 Enterprise , 64-bit",1,,,"client logout",success,,49,,0,…
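To show how the user ID, tunnel IP and session fields sit inside GLOBALPROTECT lines like the two above, here is an added Python example (not part of this article and not FortiNAC's own parser). The sample lines are constructed from the article's output, and the field positions and header pattern are assumptions read off those samples rather than an official Palo Alto field map.

```python
import csv
import ipaddress
import re
from io import StringIO

# Sample lines constructed from the debug output in this article (placeholder
# values as shown there, trailing fields truncated).
LOGIN = ('yams.SyslogServer FINER :: 2022-09-15 13:58:56:720 :: 482 :: SyslogServer received: '
         '10.228.16.51 <14>Sep 15 13:58:56 PaloAltoPRIMARY.mydomain.local 1,2022/09/15 13:58:55,'
         '016201003252,GLOBALPROTECT,0,2305,2022/09/15 13:58:55,vsys1,gateway-connected,connected,,'
         'IPSec,myname@mydomain.LOCAL,US,xxx-xxx-xx,24.98.240.83,0.0.0.0,10.232.50.67,0.0.0.0,'
         'xxxxxxxxxxxxxx,9T4K453,5.1.9,Windows,"Microsoft Windows 10 Enterprise , 64-bit",1,,,"",success,,0,,0')
LOGOUT = ('yams.SyslogServer FINER :: 2022-09-15 13:59:14:138 :: 482 :: SyslogServer received: '
          '10.228.16.51 <14>Sep 15 13:59:14 PaloAltoPRIMARY.mydomain.local 1,2022/09/15 13:59:13,'
          '016201003252,GLOBALPROTECT,0,2305,2022/09/15 13:59:13,vsys1,gateway-logout,logout,,, '
          'myname@mydomain.LOCAL,US,xxx-xxx-xxx,24.98.240.83,0.0.0.0,10.232.50.67,0.0.0.0,'
          'xxxxxxxxxxxxxxx,9T4K453,5.1.9,Windows,"Microsoft Windows 10 Enterprise , 64-bit",1,,,"client logout",success,,49,,0')

# Assumed 0-based positions, read off the sample lines above (not an official field map).
IDX_TYPE, IDX_VSYS, IDX_EVENT, IDX_STAGE, IDX_USER, IDX_TUNNEL_IP = 3, 7, 8, 9, 12, 17
# Syslog header as FortiNAC echoes it: "<source> <PRI>Mon dd hh:mm:ss <host> <csv body>" (assumed shape).
HEADER_RE = re.compile(r'SyslogServer received: (?P<src>\S+) <\d+>\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<body>.*)$')

def parse_globalprotect(line):
    """Return the fields FortiNAC needs from one GLOBALPROTECT syslog line, or None."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    fields = next(csv.reader(StringIO(m.group('body'))))  # csv keeps the quoted OS field whole
    if len(fields) <= IDX_TUNNEL_IP or fields[IDX_TYPE] != 'GLOBALPROTECT':
        return None
    try:
        tunnel_ip = str(ipaddress.ip_address(fields[IDX_TUNNEL_IP]))
    except ValueError:
        return None  # no usable endstation address, nothing to register
    # The logout sample carries a leading space before the user; strip it and drop the realm.
    user = fields[IDX_USER].strip().split('@', 1)[0]
    return {'source': m.group('src'), 'host': m.group('host'), 'vsys': fields[IDX_VSYS],
            'event': fields[IDX_EVENT], 'stage': fields[IDX_STAGE], 'user': user, 'tunnel_ip': tunnel_ip}

def active_sessions(lines):
    """Replay login/logout events in order; returns {user: tunnel IP} for sessions still up."""
    active = {}
    for line in lines:
        rec = parse_globalprotect(line)
        if rec and rec['event'] == 'gateway-connected':
            active[rec['user']] = rec['tunnel_ip']
        elif rec and rec['event'] == 'gateway-logout':
            active.pop(rec['user'], None)
    return active
```

Feeding the login line alone leaves one active session for myname at 10.232.50.67; feeding login then logout leaves none, which is the pairing the appliance must see to track the VPN session correctly.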

6) Review output.master for messaging that indicates Syslog information was processed.

Example of successful debug output:

yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed <Palo Alto ID>

yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed 0101039947 <-- logID

yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed root <-- VDOM

yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed 10.232.50.67 <-- endstation VPN ip

yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed myname <-- user ID

7) Once troubleshooting is complete, disable debugging:

nacdebug -name PaloAlto false

nacdebug -name SyslogServer false
