Forwarding PA-7000 Logs to Panorama

Created On 09/25/18 19:02 PM - Last Modified 07/29/20 17:04 PM


Symptom
PAN-OS 8.0 introduces a new capability: forwarding PA-7000 logs to Panorama. PA-7000 Series devices can forward their logs to Panorama in the same way other Palo Alto Networks devices do.


Administrators can increase the log retention of their PA-7000 devices by adding storage capacity on Panorama or Log Collectors to meet their retention requirements.


To meet the high log forwarding rate requirements of a PA-7000 (7K), the following changes are introduced in PAN-OS 8.0:

Sending Side (Firewall):

  • Logs can be forwarded directly without local writes (only on 7K).
  • More logs are packed and compressed into each send block.

Receiving Side (Panorama/Log Collector):

  • Logs from the firewall can be forwarded to ALL the log collectors instead of just the preferred one in the log collector group.
  • On M-100 and M-500, there will be an option to configure the unused 1G and 10G interface respectively for receiving logs.

topo example.png

  • On the PA-7000, the Log Card interface is used for log forwarding to Panorama/Log Collector.

Changes on the PA-7000 side

  • High-Speed Log Forwarding Mode (HSFM) is introduced for PA-7000 Series firewalls.
  • By default, HSFM is OFF.
  • With HSFM enabled, there is no local logging or reporting on the firewall; all logs are forwarded to Panorama/Log Collector.

Note: Summaries, scheduled reports, scheduled log exports, and offline indexing will not be available in this mode.



Environment
  • PAN-OS 8.0
  • Panorama
  • PA-7000 Series (PA-7k series)


Resolution

Configuration: PA-7000

  1. Configure a log forwarding profile and apply it to the security rule.

logforward.png

  2. Enable High-Speed Log Forwarding
  • Not a requirement but recommended in a high log forwarding rate environment

  Device > Setup > Logging and Reporting Settings

high speed log forwarding.png

 

Configuration: Panorama/Log-Collector

  1. Enable log forwarding to all the log-collectors in the collector group
  • Not a requirement but recommended in a high log forwarding rate environment

Panorama > Collector Groups

log collector.png

  2. Enable log collection on multiple interfaces of the Panorama/Log-Collector
  • Not a requirement but recommended in a high log forwarding rate environment

Panorama > Setup > Interfaces > MGMT

panorama management interface.png

Panorama > Setup > Interfaces > ETH1

Panorama eth1 setting.png

 

Troubleshooting

  • Check the log-collector preference list:
> show log-collector preference-list

Forward to all: Yes

Log collector Preference List

Serial Number: 009201000001 IP Address: 10.0.0.147 IPV6 Address: unknown
Serial Number: 009201000001 IP Address: 10.0.0.101 IPV6 Address: unknown
Serial Number: 009201000002 IP Address: 10.0.0.145 IPV6 Address: unknown
Serial Number: 009201000002 IP Address: 10.0.0.100 IPV6 Address: unknown
  • Show the detailed logging status for each log-collector connection:
> show logging-status

---------------------------------------------------------------------------------------------------
Type  Last Log Created  Last Log Fwded  Last Seq Num Fwded  Last Seq Num Acked  Total Logs Fwded
---------------------------------------------------------------------------------------------------
Log Collector           : 009201000001
Connection IP           : 10.0.0.101
Conn Source IP          : MS - def, LR -  10.0.0.102
High speed mode         :    Disabled
Connection Status       : MS - Active, LR -  Active
Rate                    :  852 logs/sec
traffic   2016/09/27 15:28:23   2016/09/27 15:28:30      6763581 6763581 206159
threat         Not Available         Not Available                        0                   0
....
Log Collector           : 009201000002
Connection IP           : 10.0.0.145
Conn Source IP          : MS - def, LR -  10.0.0.102
High speed mode         :    Disabled
Connection Status       : MS - Active, LR -  Active
Rate                    :  22602 logs/sec
traffic   2016/09/27 15:28:22   2016/09/27 15:28:23 6758365 6758365 219000   
threat         Not Available         Not Available                        0                   0
....
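The `show logging-status` output above is what an operator checks when forwarding is suspected to be lagging or broken. As an added example (not from this article or from Palo Alto Networks), the following Python script parses that output into one record per Log Collector and flags any MS/LR connection that is not Active, plus any log type whose Last Seq Num Fwded runs ahead of Last Seq Num Acked by more than a threshold. The sample text, the second collector's Inactive state and lag, and the 1000-log threshold are constructed assumptions.

```python
import re
# Constructed sample modelled on the "show logging-status" output in this article; the
# second collector's "LR - Inactive" and its acked-sequence lag are invented so the checks fire.
SAMPLE = """\
Log Collector           : 009201000001
High speed mode         :    Disabled
Connection Status       : MS - Active, LR -  Active
traffic   2016/09/27 15:28:23   2016/09/27 15:28:30      6763581 6763581 206159
threat         Not Available         Not Available                        0                   0
Log Collector           : 009201000002
High speed mode         :    Disabled
Connection Status       : MS - Active, LR -  Inactive
traffic   2016/09/27 15:28:22   2016/09/27 15:28:23 6758365 6753365 219000
"""
# "Key : value" rows; per-log-type rows never match because the key may not contain digits.
KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")

def parse_logging_status(text):
    """One record per 'Log Collector' block; 'types' maps log type -> (last_seq_fwded, last_seq_acked) or None."""
    records = []
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            key, val = m.group(1), m.group(2).strip()
            if key == "Log Collector":
                records.append({"serial": val, "types": {}})
            elif key == "Connection Status":  # "MS - Active, LR -  Active"
                records[-1]["status"] = dict(re.findall(r"(\w+)\s*-\s*(\w+)", val))
            else:  # e.g. "High speed mode", "Connection IP", "Rate" kept verbatim
                records[-1][key] = val
            continue
        tokens = line.split()
        if records and tokens and tokens[0].islower():  # skips "----", "Type ..." and "...." rows
            nums = [int(t) for t in tokens if t.isdigit()]  # dates/times are not pure digits
            records[-1]["types"][tokens[0]] = (nums[0], nums[1]) if len(nums) >= 2 else None
    return records

def check_collectors(records, max_lag=1000):
    """Flag connections that are not Active and log types whose forwarded-minus-acked
    sequence gap exceeds max_lag (logs sent but not yet acknowledged). max_lag is an assumption."""
    findings = []
    for rec in records:
        for role, state in rec.get("status", {}).items():
            if state != "Active":
                findings.append(f"{rec['serial']}: {role} connection {state}")
        for ltype, seqs in rec["types"].items():
            if seqs and seqs[0] - seqs[1] > max_lag:
                findings.append(f"{rec['serial']}: {ltype} lag {seqs[0] - seqs[1]} (fwded {seqs[0]}, acked {seqs[1]})")
    return findings
```

Run it against a saved copy of the real command output instead of `SAMPLE`; a gap that keeps growing between runs, or a non-Active LR connection, means logs are not reaching the collector even though the firewall is still generating them.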


Additional Information
To learn more about this topic or PAN-OS in general, please check out the TechDocs PAN-OS Landing page.
