Re-Index the LPC Drives
If you reuse the drives from a failed Log Processing Card (LPC) when installing a new LPC, you must install the drives in the same order in which they were removed from the old LPC and then re-index the log metadata. This ensures that the firewall properly displays the logs that are on the drives. The following example is for a PA-7050 firewall. Use the same procedure for a PA-7080 firewall, but use S7 instead of S8 as the LPC slot number in the log view step.
If you are using a data port on an NPC for management access, you must reconnect to the firewall using the console port because you will shut down all NPCs to avoid generating new traffic logs during indexing.
- After replacing an LPC as described in Replace a PA-7000 Series Log Processing Card (LPC), power on the chassis.
- If the firewall is in a high availability (HA) configuration, run the following commands to ensure that the firewall with the replacement LPC is in the suspend state:
    admin@PA-7050> show high-availability state
  If the firewall is active, suspend it by running the following CLI command:
    admin@PA-7050> request high-availability state suspend
- If the firewall is not in an HA configuration, you must disable all NPCs so that traffic does not traverse the firewall during indexing.
  To check for active sessions, run the following command:
    admin@PA-7050> show session all
  To clear all sessions, run the following command:
    admin@PA-7050> clear session all
  To view the status of each NPC:
    admin@PA-7050> show chassis status
  For each NPC that is in the Up state, run the following command to power off the NPC(s):
    admin@PA-7050> request chassis admin-power-off slot <slot-number>
  For example, if there is an NPC in slot 1, run the following command:
    admin@PA-7050> request chassis admin-power-off slot s1
  Do the same for each installed NPC until all NPCs show AdminPowerOff. This ensures that network traffic will not traverse the firewall during indexing.
- Run the following commands to start indexing on the two logical drives (two RAID pairs):
    admin@PA-7050> request metadata-regenerate slot 1
    admin@PA-7050> request metadata-regenerate slot 2
  You can start a second SSH session to the firewall and run the second command to simultaneously re-index both logical drives. If your session stops responding during the indexing process, re-establish a new connection.
- Monitor the indexing progress. This process may take several hours, depending on the amount of data on the drives.
  Run the following commands to view the progress log for the first logical RAID pair:
  On a PA-7080 firewall, in the following commands, replace S8lp-log with S7lp-log. This is required because the LPC on a PA-7080 firewall is installed in slot 7.
    admin@PA-7050> less s8lp-log vld-0-0.log
  Periodically view the log until you see the following:
    Done generating metadata for LD:0
  Do the same to check the status of the second logical RAID pair as indicated in log vld-1-0.log:
    admin@PA-7050> less s8lp-log vld-1-0.log
  When the indexing is complete on the second logical drive, you will see the following in the vld-1-0.log output:
    Done generating metadata for LD:1
- After both logical drives complete the indexing process, check the status of the drives as described in Verify the PA-7000 Series Firewall LPC Configuration.
- If you powered off the NPCs, power them back on by running the following commands:
  To view the status of each NPC:
    admin@PA-7050> show chassis status
  For each NPC that is in the AdminPowerOff state, run the following command:
    admin@PA-7050> request chassis admin-power-on slot <slot-number>
  For example, if there is an NPC in slot 1, run the following command:
    admin@PA-7050> request chassis admin-power-on slot s1
  Do the same for each installed NPC until all NPCs are in the Up state.
- If the firewall is in an HA configuration and you suspended it, set the state to functional by running the following command:
    admin@PA-7050> request high-availability state functional
- Use the CLI or web interface to check that the logs now appear. For example, run the following CLI command and press the q key to exit the log output:
    admin@PA-7050> show log traffic
  For example:
    A maximum of 500 of last 7 day's logs will be displayed. Please use 'scp export log ...' if more logs are needed
    Time App From Src Port Source
    Rule Action To Dst Port Destination
    Src User Dst User End Reason
    ==========================================================
    2015/01/18 07:14:12 incomplete EDM-Vwire-Vsys5 36502 10.43.5.17
    EDM-Vsys5-Sec-Pol-2 allow EDM-Vwire-Vsys5 135 10.5.40.161
    aged-out
    2015/01/18 08:06:39 incomplete EDM-Vwire-Vsys5 40706 10.43.5.17
    EDM-Vsys5-Sec-Pol-2 allow EDM-Vwire-Vsys5 135 10.5.40.161
    aged-out
  You can also use the web interface to view logs. For example, to view the traffic logs, select Monitor > Logs > Traffic.