Palo Alto Networks Knowledgebase: Panorama Logs with the PA-7000 Series on PAN-OS prior to 8.0


Created On 02/07/19 23:44 PM - Last Updated 02/07/19 23:44 PM
Cortex Data Lake Panorama

For Panorama 7.0, refer to the Panorama Administrator’s Guide for the procedures to Configure Log Forwarding, Add a Firewall as a Managed Device, and Analyze Log Data for the PA-7050 firewall and other firewall platforms.



When a PA-7000 Series firewall is configured as a Panorama managed device, Panorama displays logs (traffic logs) for the PA-7000 Series even if no "Log Forwarding Profile" is defined or configured on any security policy.


The following examples show traffic observed on Panorama even though there is no Log Forwarding Profile on the PA-7000 Series.

Shown below is traffic observed for Rule "ANY" on Panorama for the PA-7000 series:

[Screenshot: Screen Shot 2014-06-10 at 2.04.10 PM copy.jpg]


In the example below, changing context to the PA-7000 Series reveals that the Log Forwarding Profile is not configured on the Security Policy "ANY":

[Screenshot: Screen Shot 2014-06-10 at 1.31.55 PM copy.jpg]


As shown below, the Log Forwarding profile is not configured on the PA-7000 series:

[Screenshot: Screen Shot 2014-06-16 at 4.34.47 PM copy.jpg]


What is observed in Panorama is a query running in real time from the management port on Panorama to the PA-7000 Series, which results in the logs being displayed.


Note: The logs physically reside only on the PA-7000 Series. This is because Panorama cannot handle the rate at which a PA-7000 Series would send its logs out of the box; offloading logs from this platform to Panorama is therefore not supported.


However, the PA-7000 Series does support offloading its logs to syslog, email, and SNMP servers. The PA-7000 Series has a dedicated Log Processing Card (LPC). Any unused port on any of the NPCs can be defined to be the LPC (Interface Type: Log Card). A data port configured with the type Log Card performs log forwarding for all of the following:

  • Syslog
  • Email
  • SNMP
  • WildFire file forwarding

Only one port on the Palo Alto Networks firewall can be configured as a Log Card interface. A commit error is displayed if log forwarding is enabled and no interface is configured with the Interface Type: "Log Card".

[Screenshot: Screen Shot 2014-06-13 at 4.54.30 PM.png]


Make sure that the IP assigned to the Log Card Interface can reach the Syslog, Email, SNMP and/or WildFire servers.

[Screenshot: Screen Shot 2014-06-13 at 5.00.21 PM.png]
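The following is an added example, not part of the original article and not Palo Alto Networks code: an offline check of an exported configuration that mirrors the two Log Card constraints above and flags syslog servers that sit outside the Log Card subnet when no gateway is set. The XML element names, the rule and profile names, and the sample configuration are assumptions constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config (not taken from a real device). Element names are
# assumptions about the exported XML layout; adjust them to your own export.
SAMPLE = """
<config>
  <network><interface><ethernet>
    <entry name="ethernet1/5"><layer3/></entry>
    <entry name="ethernet1/6">
      <log-card>
        <ip-address>192.0.2.10</ip-address>
        <netmask>255.255.255.0</netmask>
      </log-card>
    </entry>
  </ethernet></interface></network>
  <log-settings><syslog><entry name="siem">
    <server><entry name="s1"><server>198.51.100.20</server></entry></server>
  </entry></syslog></log-settings>
  <rulebase><security><rules>
    <entry name="to-siem"><log-setting>fwd-to-siem</log-setting></entry>
  </rules></security></rulebase>
</config>
"""

def check_log_card(xml_text):
    """Return findings for the Log Card constraints described above."""
    root = ET.fromstring(xml_text)
    cards = [e for e in root.iter("entry") if e.find("log-card") is not None]
    forwarding = any((r.text or "").strip() for r in root.iter("log-setting"))
    findings = []
    if len(cards) > 1:
        findings.append("more than one Log Card interface")
    if forwarding and not cards:
        findings.append("log forwarding enabled but no Log Card interface")
    for card in cards:
        lc = card.find("log-card")
        net = ipaddress.ip_interface(
            f"{lc.findtext('ip-address')}/{lc.findtext('netmask')}").network
        has_gw = bool((lc.findtext("default-gateway") or "").strip())
        for srv in root.iterfind(".//syslog/entry/server/entry/server"):
            if ipaddress.ip_address(srv.text.strip()) not in net and not has_gw:
                findings.append(f"{srv.text.strip()} is off-subnet for "
                                f"{card.get('name')} and no gateway is set")
    return findings

if __name__ == "__main__":
    for finding in check_log_card(SAMPLE):
        print(finding)
```

This only catches an obviously unroutable layout; actual reachability from the Log Card IP still has to be confirmed on the network.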


Special Note

This limitation was overcome with the release of PAN-OS 8.0.

For more information please refer to:
