This issue is documented under PAN-215869. The global counters (show counter global) show how many logs the firewall has dropped. Because these counters are cumulative, run the command twice (or with filter delta yes) to see whether the counts are still rising. Below are the relevant traffic and threat log counters:
Traffic Log Counters:
log_traffic_loss_cnt: Number of traffic logs that are lost.
log_traffic_loss_queue_full: Number of traffic logs that are lost because the next queue is full.
Threat Log Counters:
log_threat_queue_full: Number of threat log queues that are full.
log_threat_loss_cnt: Number of threat logs that are lost.
Resolution
To resolve this issue, the logging rate needs to be reduced so that the log queues can drain. Here are several options to achieve this:
Option 1: Reduce NetFlow Traffic
Reduce the volume of NetFlow export traffic the firewall sends to the NetFlow collector so that the firewall can recover. This lowers the number of NetFlow logs (records) the firewall has to generate.
Option 2: Reduce URL Filtering Traffic
Reduce the amount of traffic the firewall has to categorize and log for URL filtering by changing the URL Filtering profile's alert settings that generate URL logs; each category set to alert writes a log entry for every matching request. This decreases the number of threat logs.
Option 3: Turn Off "Log at Session Start"
Disable the "Log at Session Start" option in the security policy rules that have it enabled. Logging at session end alone avoids a second traffic log for every session and decreases the number of traffic logs. For more information, refer to the article on Session Log Best Practices.
By implementing these steps, you can effectively reduce the logging rate and resolve the issue of delayed PAN-OS logs when NetFlow is enabled on an interface.
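The following Python script is an added example, not part of the original article or Palo Alto Networks' own tooling. It parses the text of show counter global as captured from the CLI, picks out the four log-loss counters listed above, and compares two captures taken some time apart so you can confirm, after applying one of the options, that the loss has actually stopped rather than just that the cumulative count is large. The column layout and the sample captures (SAMPLE_BEFORE, SAMPLE_AFTER, SAMPLE_PARTIAL) are constructed here to mimic typical output and are not real firewall data; the assumption that zero-valued counters are omitted from the output is also labelled in the code.

```python
"""Parse `show counter global` captures and check whether PAN-OS log loss is still occurring.

Added example, not from the KB article. Fetching the output over SSH is out of scope;
paste the CLI text into a string (or read it from a file) and pass it to the functions.
"""
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# The four counters the article names as indicators of traffic/threat log loss.
LOG_LOSS_COUNTERS = (
    "log_traffic_loss_cnt",
    "log_traffic_loss_queue_full",
    "log_threat_loss_cnt",
    "log_threat_queue_full",
)

# One data row of the counter table: name value rate severity category aspect description.
# Header, separator and "Total counters shown" lines do not match and are skipped.
_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>\w+)\s+(?P<category>\w+)\s+(?P<aspect>\w+)\s+(?P<description>.*?)\s*$"
)

# Constructed sample captures (not real firewall output), layout assumed to match the CLI.
SAMPLE_BEFORE = """\
Global counters:
Elapsed time since last sampling: 5.112 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
log_traffic_loss_cnt                   48213      312 warn      log       system    Number of traffic logs that are lost
log_traffic_loss_queue_full            48213      312 warn      log       system    Number of traffic logs lost due to next queue full
log_threat_loss_cnt                     1022       17 warn      log       system    Number of threat logs that are lost
log_threat_queue_full                   1022       17 warn      log       system    Number of threat log queues that are full
--------------------------------------------------------------------------------
Total counters shown: 4
"""

# Taken after remediation: cumulative values unchanged, rates back to zero.
SAMPLE_AFTER = """\
log_traffic_loss_cnt                   48213        0 warn      log       system    Number of traffic logs that are lost
log_traffic_loss_queue_full            48213        0 warn      log       system    Number of traffic logs lost due to next queue full
log_threat_loss_cnt                     1022        0 warn      log       system    Number of threat logs that are lost
log_threat_queue_full                   1022        0 warn      log       system    Number of threat log queues that are full
"""

# Only the traffic-log fix was applied: threat logs are still being dropped.
SAMPLE_PARTIAL = """\
log_traffic_loss_cnt                   48213        0 warn      log       system    Number of traffic logs that are lost
log_traffic_loss_queue_full            48213        0 warn      log       system    Number of traffic logs lost due to next queue full
log_threat_loss_cnt                     1100        4 warn      log       system    Number of threat logs that are lost
log_threat_queue_full                   1100        4 warn      log       system    Number of threat log queues that are full
"""


@dataclass(frozen=True)
class Counter:
    name: str
    value: int        # cumulative since the dataplane started; never decreases on its own
    rate: int         # events per second over the sampling interval
    severity: str
    category: str
    aspect: str
    description: str


def parse_counters(output: str) -> Dict[str, Counter]:
    """Return {name: Counter} for every data row in a `show counter global` capture."""
    counters: Dict[str, Counter] = {}
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        counters[m["name"]] = Counter(
            name=m["name"], value=int(m["value"]), rate=int(m["rate"]),
            severity=m["severity"], category=m["category"], aspect=m["aspect"],
            description=m["description"],
        )
    return counters


def loss_counters(counters: Dict[str, Counter]) -> Dict[str, Tuple[int, int]]:
    """(value, rate) for each log-loss counter. A counter missing from the capture is
    treated as 0/0 (assumption: PAN-OS omits zero-valued counters unless `filter value all`)."""
    return {n: ((counters[n].value, counters[n].rate) if n in counters else (0, 0))
            for n in LOG_LOSS_COUNTERS}


def ongoing_loss(before: str, after: str) -> Dict[str, Tuple[int, int]]:
    """Compare two captures. A large cumulative value alone does not mean loss is happening
    now; loss is ongoing only if the value grew between samples or the rate is non-zero.
    Returns {name: (growth, current_rate)} for the counters still losing logs."""
    b, a = loss_counters(parse_counters(before)), loss_counters(parse_counters(after))
    return {n: (a[n][0] - b[n][0], a[n][1]) for n in LOG_LOSS_COUNTERS
            if a[n][0] - b[n][0] > 0 or a[n][1] > 0}


def remediation_verified(before: str, after: str) -> bool:
    """True when no log-loss counter grew and all loss rates are zero in the later capture."""
    return not ongoing_loss(before, after)


if __name__ == "__main__":
    for label, sample in (("after fix", SAMPLE_AFTER), ("partial fix", SAMPLE_PARTIAL)):
        still = ongoing_loss(SAMPLE_BEFORE, sample)
        print(f"{label}: {'OK' if not still else 'still losing ' + str(still)}")
```

Capture the first sample while the problem is occurring, apply one of the options above and commit, then capture again after a few minutes; only growth or a non-zero rate in the second capture means the change was insufficient.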