Symptom
PAN-OS 8.0 introduces a new capability: forwarding PA-7000 logs to Panorama. PA-7000 series devices can forward their logs to Panorama in the same way other Palo Alto Networks devices do.
Administrators can increase the log retention of their PA-7000 devices by adding storage capacity on Panorama or Log Collectors to meet their retention requirements.
To meet the high log forwarding rate requirements of a 7K, the following changes are introduced in 8.0:
Sending Side (Firewall):
Logs can be forwarded directly without being written locally (only on the 7K).
More logs are packed and compressed into a given send block.
Receiving Side (Panorama/Log Collector):
Logs from the firewall can be forwarded to ALL the log collectors in the collector group instead of just the preferred one.
On the M-100 and M-500, there is an option to configure the otherwise unused 1G and 10G interface, respectively, for receiving logs.
On the PA-7000, the Log card interface is used for log forwarding to Panorama/LC.
Changes on the PA-7000 side
High-Speed Log Forwarding Mode (HSFM) is introduced for the PA-7000 series firewall.
By default, HSFM is OFF.
With HSFM, there is no local logging and reporting; all logs are forwarded to Panorama/LC.
Note: Summaries, scheduled reports, scheduled log exports, and offline indexing are not available in this mode.
Environment
PAN-OS 8.0
Panorama
PA-7000 Series (PA-7k series)
Resolution
Configuration: PA-7000
Configure a log forwarding profile and apply it to the security rule.
Enable High-Speed Log Forwarding
Not a requirement but recommended in a high log forwarding rate environment
Device > Setup > Logging and Reporting Settings
Configuration: Panorama/Log-Collector
Enable log forwarding to all the log-collectors in the collector group
Not a requirement but recommended in a high log forwarding rate environment
Panorama> Collector Groups
Enable log collection on multiple interfaces of the Panorama/Log-Collector
Not a requirement but recommended in a high log forwarding rate environment
Panorama > Setup > Interfaces > MGMT
Enable log collection on multiple interfaces of the Panorama/Log-Collector
Not a requirement but recommended in a high log forwarding rate environment
Panorama > Setup > Interfaces > ETH1
Troubleshooting
Check the log-collector preference list
> show log-collector preference-list
Forward to all: Yes
Log collector Preference List
Serial Number: 009201000001 IP Address: 10.0.0.147 IPV6 Address: unknown
Serial Number: 009201000001 IP Address: 10.0.0.101 IPV6 Address: unknown
Serial Number: 009201000002 IP Address: 10.0.0.145 IPV6 Address: unknown
Serial Number: 009201000002 IP Address: 10.0.0.100 IPV6 Address: unknown
Detailed logging status for each log-collector connection
> show logging-status
---------------------------------------------------------------------------------------------------
Type Last Log Created Last Log Fwded Last Seq Num Fwded Last Seq Num Acked Total Logs Fwded
---------------------------------------------------------------------------------------------------
Log Collector : 009201000001
Connection IP : 10.0.0.101
Conn Source IP : MS - def, LR - 10.0.0.102
High speed mode : Disabled
Connection Status : MS - Active, LR - Active
Rate : 852 logs/sec
traffic 2016/09/27 15:28:23 2016/09/27 15:28:30 6763581 6763581 206159
threat Not Available Not Available 0 0
....
Log Collector : 009201000002
Connection IP : 10.0.0.145
Conn Source IP : MS - def, LR - 10.0.0.102
High speed mode : Disabled
Connection Status : MS - Active, LR - Active
Rate : 22602 logs/sec
traffic 2016/09/27 15:28:22 2016/09/27 15:28:23 6758365 6758365 219000
threat Not Available Not Available 0 0
....
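As an added example (not part of the original article), a small Python script that parses `show logging-status` output into one record per log collector and flags connections whose MS or LR state is not Active, or whose Last Seq Num Acked trails Last Seq Num Fwded. The sample output is constructed from the fields shown above, and the health rules are my own assumption, not a Palo Alto Networks check.

```python
import re

# Constructed sample modelled on the `show logging-status` output above: the first
# collector is healthy, the second has a dropped LR connection and a backlog of
# forwarded-but-unacknowledged traffic logs.
SAMPLE = """\
Log Collector : 009201000001
High speed mode : Disabled
Connection Status : MS - Active, LR - Active
Rate : 852 logs/sec
traffic 2016/09/27 15:28:23 2016/09/27 15:28:30 6763581 6763581 206159
threat Not Available Not Available 0 0
Log Collector : 009201000002
High speed mode : Enabled
Connection Status : MS - Active, LR - Disconnected
Rate : 22602 logs/sec
traffic 2016/09/27 15:28:22 2016/09/27 15:28:23 6758365 6750000 219000
"""
KV = re.compile(r"^(Log Collector|High speed mode|Connection Status|Rate)\s*:\s*(.+)$")
# log type, last created, last forwarded, last seq fwded, last seq acked, optional total
ROW = re.compile(r"^(\w+)\s+(\S+ \S+)\s+(\S+ \S+)\s+(\d+)\s+(\d+)(?:\s+\d+)?$")

def parse_logging_status(text):
    """Split the CLI output into one dict per log collector."""
    collectors = []
    for line in text.splitlines():
        if m := KV.match(line.strip()):
            key, val = m.groups()
            if key == "Log Collector":
                collectors.append({"serial": val, "types": {}})
            elif key == "Connection Status":  # "MS - Active, LR - Active" -> {"MS": "Active", ...}
                collectors[-1]["status"] = dict(p.split(" - ") for p in val.split(", "))
            elif key == "Rate":
                collectors[-1]["rate"] = int(val.split()[0])  # "852 logs/sec" -> 852
            else:
                collectors[-1]["hsfm"] = val
        elif (r := ROW.match(line.strip())) and collectors:
            collectors[-1]["types"][r.group(1)] = {"fwded": int(r.group(4)), "acked": int(r.group(5))}
    return collectors

def check_forwarding(collectors):
    """Return findings; an empty list means every collector connection looks healthy."""
    findings = []
    for c in collectors:
        for conn, state in c["status"].items():
            if state != "Active":
                findings.append(f"{c['serial']}: {conn} connection is {state}")
        for t, seq in c["types"].items():
            if (lag := seq["fwded"] - seq["acked"]):
                findings.append(f"{c['serial']}: {t} has {lag} forwarded logs not yet acknowledged")
    return findings
```

Feed it the real CLI output (for example via the firewall's XML API or a saved capture); a small, transient gap between forwarded and acknowledged sequence numbers during bursts is normal, so treat a persistent or growing gap as the signal.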
Additional Information
To learn more about this topic or PAN-OS in general, please check out the TechDocs PAN-OS Landing page.