A PA-7000 series firewall is configured as a Panorama managed device. Panorama displays traffic logs for the PA-7000 series even if no "Log Forwarding Profile" is defined or attached to any security policy.
The following examples show traffic observed on Panorama even though there is no Log Forwarding Profile on the PA-7000 series.
Shown below is traffic observed for Rule "ANY" on Panorama for the PA-7000 series:
In the example below, changing context to the PA-7000 series reveals that the Log Forwarding Profile is not configured on the Security Policy "ANY":
As shown below, the Log Forwarding profile is not configured on the PA-7000 series:
What is observed in Panorama is a real-time running query from the management port on Panorama to the PA-7000 series, which results in displaying the logs.
Note: The logs physically reside only on the PA-7000 series. This occurs because Panorama cannot handle the rate at which a PA-7000 series would send its logs out of the box. Therefore, offloading logs to Panorama is not supported for this platform.
However, the PA-7000 series does support offloading of its logs to syslog, email and SNMP servers. The PA-7000 series has a dedicated Log Processing Card (LPC). Any unused port on any of the NPCs can be defined to be the LPC (Interface Type: Log Card). A data port configured as the type Log Card performs log forwarding for all of the following:
WildFire file forwarding
Only one port on the Palo Alto Networks firewall can be configured as a Log Card interface. A commit error is displayed if log forwarding is enabled and no interface is configured with the Interface Type: "Log Card".
Make sure that the IP assigned to the Log Card Interface can reach the Syslog, Email, SNMP and/or WildFire servers.
This limitation was overcome with the release of PAN-OS 8.0.