Panorama Logs with the PA-7000 Series on PAN-OS prior to 8.0


15660
Created On 09/26/18 13:48 PM - Last Modified 06/30/20 17:33 PM


Symptom


A PA-7000 series firewall is configured as a Panorama managed device. Panorama displays logs (traffic logs) for the PA-7000 series even though no "Log Forwarding Profile" is defined or configured on any security policy.

Environment


Panorama
Log forwarding
PA-7000


Resolution


The following examples show traffic observed on Panorama even though no Log Forwarding Profile is configured on the PA-7000 series.

Shown below is traffic observed for Rule "ANY" on Panorama for the PA-7000 series:



In the example below, changing context to the PA-7000 series reveals that no Log Forwarding Profile is configured on the Security Policy "ANY":



As shown below, the Log Forwarding profile is not configured on the PA-7000 series:



What is observed in Panorama is a real-time query run from the management port on Panorama to the PA-7000 series; the results of that query are what is displayed as logs.

Note: The logs physically reside only on the PA-7000 series. Panorama cannot handle the rate at which a PA-7000 series sends its logs out of the box, so log offloading from this platform to Panorama is not supported.

However, the PA-7000 series does support offloading of its logs to syslog, email and SNMP servers. The PA-7000 series has a dedicated Log Processing Card (LPC). Any unused port on any of the NPCs can be defined to be the LPC (Interface Type: Log Card). A data port configured as the type Log Card performs log forwarding for all of the following:
 

  • Syslog
  • Email
  • SNMP
  • WildFire file forwarding


Only one port on the Palo Alto Networks firewall can be configured as a Log Card interface, and a commit error is displayed if log forwarding is enabled and there is no interface configured with the Interface Type "Log Card".



Make sure that the IP assigned to the Log Card Interface can reach the Syslog, Email, SNMP and/or WildFire servers.

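As an added illustration that is not part of the original article, the pre-commit check below (Python) walks a constructed PAN-OS-style configuration fragment and reports the conditions described above: log forwarding enabled with no Log Card interface (the commit error), more than one Log Card interface, and a Log Card IP that can reach a forwarding server neither directly nor through its default gateway. The XML element layout, the interface names and the server addresses are assumptions made for this example, not the exact PAN-OS schema.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config fragment. The layout (ethernet entries with a
# <log-card> child; log forwarding profiles under <log-settings>) is an
# assumption for this example; adjust the XPaths to match an exported config.
SAMPLE_CONFIG = """
<config>
  <devices><entry name="localhost.localdomain">
    <network><interface><ethernet>
      <entry name="ethernet1/1"><layer3><ip><entry name="10.0.0.1/24"/></ip></layer3></entry>
      <entry name="ethernet1/8"><log-card><ip>192.0.2.10</ip><netmask>255.255.255.0</netmask>
        <default-gateway>192.0.2.1</default-gateway></log-card></entry>
    </ethernet></interface></network>
    <vsys><entry name="vsys1"><log-settings><profiles>
      <entry name="to-syslog"/>
    </profiles></log-settings></entry></vsys>
  </entry></devices>
</config>
"""

# Constructed forwarding targets (documentation addresses).
SERVERS = {"syslog": "198.51.100.5", "email": "192.0.2.25"}


def log_forwarding_enabled(root):
    """True if any log forwarding profile is defined in any vsys."""
    return root.find(".//log-settings/profiles/entry") is not None


def log_card_interfaces(root):
    """Names of ethernet entries configured with Interface Type: Log Card."""
    return [e.get("name") for e in root.findall(".//ethernet/entry")
            if e.find("log-card") is not None]


def check_log_card(config_xml, servers):
    """Return a list of findings; an empty list means the checks pass."""
    root = ET.fromstring(config_xml.strip())
    findings = []
    cards = log_card_interfaces(root)
    if log_forwarding_enabled(root) and not cards:
        return ["log forwarding enabled but no Log Card interface: commit will fail"]
    if len(cards) > 1:
        findings.append(f"only one Log Card interface is allowed, found {cards}")
    for name in cards:
        lc = root.find(f".//ethernet/entry[@name='{name}']/log-card")
        ip, mask, gw = (lc.findtext(t) for t in ("ip", "netmask", "default-gateway"))
        if not all((ip, mask, gw)):
            findings.append(f"{name}: Log Card needs ip, netmask and default-gateway")
            continue
        net = ipaddress.ip_interface(f"{ip}/{mask}").network  # Log Card subnet
        for role, srv in servers.items():
            # A server is reachable if it is on-subnet or the gateway is on-subnet.
            if ipaddress.ip_address(srv) not in net and ipaddress.ip_address(gw) not in net:
                findings.append(f"{name}: {role} server {srv} unreachable via {gw}")
    return findings
```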



Additional Information


For Panorama 7.1, refer to the Panorama Administrator’s Guide for the procedures to Configure Log Forwarding, Add a Firewall as a Managed Device, and Analyze Log Data for the PA-7050 firewall and other firewall platforms.

Special Note
This limitation was overcome with the release of PAN-OS 8.0.

For more information please refer to:


