Palo Alto Networks Knowledgebase: Panorama Logs with the PA-7000 Series on PAN-OS prior to 8.0


Created On 02/07/19 23:44 PM - Last Updated 02/07/19 23:44 PM
Resolution

For Panorama 7.0, refer to the Panorama Administrator’s Guide for the procedures to Configure Log Forwarding, Add a Firewall as a Managed Device, and Analyze Log Data for the PA-7050 firewall and other firewall platforms.

 

Details

When a PA-7000 Series firewall is configured as a Panorama managed device, Panorama displays logs (traffic logs) for it even if no Log Forwarding Profile is defined or configured on any security policy.

The following examples show traffic observed on Panorama even though there is no Log Forwarding Profile on the PA-7000 Series firewall.

Shown below is traffic observed for Rule "ANY" on Panorama for the PA-7000 series:

[Screenshot]

In the example below, changing context to the PA-7000 Series firewall reveals that the Forwarding Profile is not configured on the Security Policy "ANY":

[Screenshot]

As shown below, the Log Forwarding profile is not configured on the PA-7000 series:

[Screenshot]

What Panorama displays is the result of a real-time query running from the management port on Panorama to the PA-7000 Series firewall.

Note: The logs physically reside only on the PA-7000 Series firewall. Panorama cannot handle the rate at which a PA-7000 Series firewall would send its logs out of the box, so offloading logs from this platform to Panorama is not supported.

 

However, the PA-7000 Series does support offloading its logs to syslog, email and SNMP servers. The PA-7000 Series has a dedicated Log Processing Card (LPC). Any unused port on any of the NPCs can be defined to be the LPC (Interface Type: Log Card). A data port configured with the type Log Card performs log forwarding for all of the following:

  • Syslog
  • Email
  • SNMP
  • WildFire file forwarding

Only one port on the Palo Alto Networks firewall can be configured as a Log Card interface. A commit error is displayed if log forwarding is enabled and no interface is configured with the Interface Type "Log Card".

[Screenshot]

Make sure that the IP assigned to the Log Card Interface can reach the Syslog, Email, SNMP and/or WildFire servers.

[Screenshot]

Special Note

This limitation was overcome with the release of PAN-OS 8.0.

For more information, please refer to:

https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/management-features/pa-7000-series-firewall-log-forwarding-to-panorama

https://live.paloaltonetworks.com/t5/Featured-Articles/PAN-OS-8-0-Forwarding-PA-7000-Logs-to-Panorama/ta-p/132063


