Strata Logging Service
Onboard Firewalls to Strata Logging Service without Panorama
After you Activate, onboard your devices to the service. How you do this depends on the PAN-OS version of your devices. Ensure that you have subscribed to a valid support license of Strata Logging Service (the 90-day software warranty is not counted as a valid support license).

Beginning with PAN-OS 10.1, you can install a device certificate on your firewalls to simplify the onboarding process. Before you start sending logs to Strata Logging Service, you must install device certificates on as many firewalls as you'd like to onboard. After you've installed the certificates, use the Strata Logging Service app to complete the onboarding process.

To start sending logs to Strata Logging Service, you must generate the key that enables firewalls to securely connect to Strata Logging Service. Onboarding keys are valid for 24 hours, and you can use a single key for as many firewalls as you'd like to onboard during that 24-hour period.

After you use the Strata Logging Service app to generate the key, copy the key and save it for future reference. You cannot reference it again after you close the Strata Logging Service app, and you will need to add the key to each firewall that you want to connect to Strata Logging Service. Generating a new key invalidates any other keys that were generated in the previous 24 hours.

10.0 or Earlier
Directly onboard your firewalls running PAN-OS 10.0 or earlier to Strata Logging Service.

- On your firewalls, allow access to the ports and FQDNs required to connect to Strata Logging Service. If you are using a proxy server, allow the same ports and FQDNs on the server without SSL decryption. Ensure that you are not decrypting traffic to Strata Logging Service.
- (Optional) To configure the firewall to connect to Strata Logging Service through a proxy server, select Device > Setup > Services > Use proxy to send logs to Strata Logging Service.
- By default, the management interface is used to forward logs to Strata Logging Service. If you choose not to use the management interface, use a data interface by configuring destination service routes for the following FQDNs: api.paloaltonetworks.com, apitrusted.paloaltonetworks.com, lic.lc.prod.us.cs.paloaltonetworks.com, certificatetrusted.paloaltonetworks.com, certificate.paloaltonetworks.com.
  - Select Device > Setup > Services > Global (Global on a firewall without multiple virtual system (multi-vsys) capability).
  - Under Services Features, click Service Route Configuration.
  - Select Customize.
  - Under Service, select the following:
    - Palo Alto Networks Services
    - CRL status
    - DNS
    - HTTP
    - NTP
  - Set Selected Service Routes.
  - Select the Source Interface you want to use for activation, then select a Source Address from that interface and click OK.
  - Select Destination and Add a destination.
  - Enter any of the FQDNs above as Destination.
  - Select the same Source Interface and Source Address that you selected for activation and click OK.
  - Add two more destinations for the same interface using the remaining FQDNs.
  - Click OK again to exit Service Route Configuration.
  - Update the access rules required to connect to Strata Logging Service for the new interface IP address.
- Configure NTP so that the firewall stays in sync with Strata Logging Service. Ignore this step if you have enabled proxy configuration:
  - On the firewall, select Device > Setup > Services and set the NTP Server Address. For example: pool.ntp.org.
- Onboard the firewalls to a Strata Logging Service instance. Ignore this step if you don't have a Strata Logging Service license and want to send logs to Cortex XDR only.
  - Log in to the hub and open the Strata Logging Service app.
  - Select Inventory > Firewalls > Generate PSK to generate the onboarding key. Copy or save the key so that you can use it in later steps.

  If you have already connected the firewall to a Strata Logging Service instance and want to connect it to a new instance, first issue the following command from the firewall CLI:

  `admin@PA-220> request logging-service-forwarding certificate delete`

  This severs the connection between the firewall and the current Strata Logging Service instance. Then follow the procedure below to connect to the new Strata Logging Service instance.

  - Log in to the firewall that you want to connect to Strata Logging Service.
  - Select Device > Licenses and confirm that the Strata Logging Service license is active. Ensure that you have subscribed to a valid support license of Strata Logging Service (the 90-day software warranty is not counted as a valid support license). When you purchased your Strata Logging Service license, all firewalls registered to your support account received a Strata Logging Service license. If you don't see the Strata Logging Service license, Retrieve license keys from license server to manually refresh the firewall licenses.
  - Set up the connection to Strata Logging Service and check connection status:
    - Select Device > Setup > Management and find the Logging Service settings.
    - (Important) Before you populate any other settings, find the Onboard to Cloud option. Click Connect and enter the PSK (onboarding key) that you generated in the Strata Logging Service app. Then click Connect again. After you connect, you should see a pop-up dialog confirming that the firewall is equipped with the certificate it needs to authenticate to Strata Logging Service. You can also check the Task Manager to confirm that the firewall successfully authenticated to Strata Logging Service.
    - Enable Logging Service to connect the firewall to Strata Logging Service. If you want the firewall to collect data that increases visibility for Palo Alto Networks applications, like Cortex XDR, you can also Enable Enhanced Application Logging. Strata Logging Service logging doesn't start until after you've specified the log types you want to forward. Complete these steps and then start sending logs to Strata Logging Service. Do not Enable Duplicate Logging. This option applies only to Panorama-managed firewalls.
    - Select the geographic Region of the Strata Logging Service instance to which you want to forward logs. This is the region you chose when you activated Strata Logging Service.
    - Commit and push the config to firewalls.
    - Show Status to check Logging Service Status. The status for License, Certificate, and Customer Info should be green. You can also use this command to check the certificate status along with other details related to Strata Logging Service: `request logging-service-forwarding status`. There is a known issue where device connectivity does not display a green status indicator even when the firewall is successfully connected to Strata Logging Service.
- The firewall is now connected to Strata Logging Service but is not yet forwarding logs. Follow these steps to start sending logs and to best secure traffic between the firewall and Strata Logging Service.
10.1 or Later
Directly onboard your firewalls running PAN-OS 10.1 or later to Strata Logging Service.

Beginning with PAN-OS 10.1, you can install a device certificate on your firewalls to simplify the onboarding process. Before you start sending logs to Strata Logging Service, you must install device certificates on as many firewalls as you'd like to onboard. After you've installed the certificates, use the Strata Logging Service app to complete the onboarding process.

Before you begin, ensure that your firewalls are running PAN-OS 10.1 or later and that they have the device certificate installed.
- On your firewalls, allow access to the ports and FQDNs required to connect to Strata Logging Service. If you are using a proxy server, allow the same ports and FQDNs on the server without SSL decryption. Ensure that you are not decrypting traffic to Strata Logging Service.
- (Optional) To configure the firewall to connect to Strata Logging Service through a proxy server, select Device > Setup > Services > Use proxy to send logs to Strata Logging Service.
- By default, the management interface is used to forward logs to Strata Logging Service. If you choose not to use the management interface, use a data interface by configuring destination service routes for the following FQDNs: api.paloaltonetworks.com, apitrusted.paloaltonetworks.com, lic.lc.prod.us.cs.paloaltonetworks.com, certificatetrusted.paloaltonetworks.com, certificate.paloaltonetworks.com.
  - Select Device > Setup > Services > Global (Global on a firewall without multiple virtual system (multi-vsys) capability).
  - Under Services Features, click Service Route Configuration.
  - Select Customize.
  - Under Service, select the following:
    - Palo Alto Networks Services
    - CRL status
    - DNS
    - HTTP
    - NTP
  - Set Selected Service Routes.
  - Select the Source Interface you want to use for activation, then select a Source Address from that interface and click OK.
  - Select Destination and Add a destination.
  - Enter any of the FQDNs above as Destination.
  - Select the same Source Interface and Source Address that you selected for activation and click OK.
  - Add two more destinations for the same interface using the remaining two FQDNs.
  - Click OK again to exit Service Route Configuration.
  - Update the access rules required to connect to Strata Logging Service for the new interface IP address.
- Configure NTP so that the firewall stays in sync with Strata Logging Service. Ignore this step if you have enabled proxy configuration:
  - On the firewall, select Device > Setup > Services and set the NTP Server Address. For example: pool.ntp.org.
- Install a device certificate on the firewalls that you want to connect to Strata Logging Service.
  - If this is your first time installing a device certificate, you must delete the Strata Logging Service key and re-fetch it by issuing the following commands:
    - `> delete license key <CDL_License_Key>`
    - `> request license fetch`

    This is only required the first time that you install the device certificate.
- Onboard the firewalls to a Strata Logging Service instance. Ignore this step if you don't have a Strata Logging Service license and want to send logs to Cortex XDR only.
  - Log in to the hub and open the Strata Logging Service app for the instance to which you are onboarding.
  - Select Inventory > Firewalls > Add.
  - Select New and Next.
  - Select the firewalls to connect to Strata Logging Service and choose whether Strata Logging Service will store or only ingest their data.
  - Submit your choices.
- Select Device > Licenses and confirm that the Strata Logging Service license is active. Ensure that you have subscribed to a valid support license of Strata Logging Service (the 90-day software warranty is not counted as a valid support license). When you purchased your Strata Logging Service license, all firewalls registered to your support account received a Strata Logging Service license. If you don't see the Strata Logging Service license, Retrieve license keys from license server to manually refresh the firewall licenses.
- Set up the connection to Strata Logging Service and check connection status:
  - Select Device > Setup > Management and find the Logging Service settings.
  - Enable Logging Service to connect the firewall to Strata Logging Service. If you want the firewall to collect data that increases visibility for Palo Alto Networks applications, like Cortex XDR, you can also Enable Enhanced Application Logging. Strata Logging Service logging doesn't start until after you've specified the log types you want to forward. Complete these steps and then start sending logs to Strata Logging Service. Do not Enable Duplicate Logging. This option applies only to Panorama-managed firewalls.
  - Commit and push the config to firewalls.
  - Show Status to check Logging Service Status (Strata Logging Service). The status for License, Certificate, and Customer Info should be green. You can also use this command to check the certificate status along with other details related to Strata Logging Service: `request logging-service-forwarding status`.
- The firewall is now connected to Strata Logging Service but is not yet forwarding logs. Follow these steps to start sending logs and to best secure traffic between the firewall and Strata Logging Service.
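Both procedures above (10.0 or earlier and 10.1 or later) configure the same firewall-side settings before the commit: destination service routes for the five FQDNs when a data interface is used, NTP unless a proxy is in place, Logging Service enabled, Duplicate Logging left off, and no SSL decryption of the service traffic. The following is an added pre-commit audit written for this page; it is not Palo Alto Networks code and does not read a PAN-OS configuration export. The snapshot dictionary it checks is this example's own format, filled in by the operator from the Device > Setup screens, and every value in the two sample snapshots (interface names, addresses, the region name) is constructed.

```python
"""Pre-commit audit of the firewall-side Strata Logging Service settings.

Added example: the snapshot format is this example's own (a dict transcribed
from Device > Setup), not a PAN-OS export format. All sample values are constructed.
"""
from __future__ import annotations

# The five FQDNs the procedure lists for destination service routes when the
# management interface is not used for log forwarding.
REQUIRED_FQDNS = (
    "api.paloaltonetworks.com",
    "apitrusted.paloaltonetworks.com",
    "lic.lc.prod.us.cs.paloaltonetworks.com",
    "certificatetrusted.paloaltonetworks.com",
    "certificate.paloaltonetworks.com",
)


def audit_service_routes(routes: list[dict]) -> list[str]:
    """Check that every required FQDN has a destination service route and that
    all of those routes leave via one source interface/address, as the
    procedure requires (same Source Interface and Source Address for each).
    `routes` holds {"destination", "source_interface", "source_address"} dicts."""
    findings = []
    configured = {r["destination"] for r in routes}
    missing = [fqdn for fqdn in REQUIRED_FQDNS if fqdn not in configured]
    if missing:
        findings.append("missing service route(s) for: " + ", ".join(missing))
    egress = {(r["source_interface"], r["source_address"])
              for r in routes if r["destination"] in REQUIRED_FQDNS}
    if len(egress) > 1:
        findings.append("service routes use more than one source interface/address: "
                        + "; ".join(f"{iface}/{addr}" for iface, addr in sorted(egress)))
    return findings


def audit_logging_service(settings: dict) -> list[str]:
    """Check the Logging Service settings against the procedure: enabled,
    Duplicate Logging off (Panorama-managed firewalls only), a region chosen,
    NTP set unless a proxy is used, and no decryption of service traffic."""
    findings = []
    if not settings.get("enable_logging_service"):
        findings.append("Enable Logging Service is off; nothing will be forwarded")
    if settings.get("enable_duplicate_logging"):
        findings.append("Enable Duplicate Logging is on; leave it off on firewalls not managed by Panorama")
    if not settings.get("region"):
        findings.append("no region selected; it must match the region chosen at activation")
    if not settings.get("use_proxy") and not settings.get("ntp_server"):
        findings.append("no NTP server configured and no proxy in use; clock drift can break authentication")
    if settings.get("decrypt_to_logging_service"):
        findings.append("traffic to Strata Logging Service is being decrypted; exclude it from SSL decryption")
    return findings


def audit_onboarding_config(snapshot: dict) -> list[str]:
    """Run both audits over one snapshot; service routes are only checked when
    the management interface is not used. Returns an empty list when clean."""
    findings = audit_logging_service(snapshot["logging_service"])
    if not snapshot.get("use_management_interface", True):
        findings += audit_service_routes(snapshot.get("service_routes", []))
    return findings


# Constructed snapshot that satisfies every check.
GOOD_SNAPSHOT = {
    "use_management_interface": False,
    "service_routes": [
        {"destination": fqdn, "source_interface": "ethernet1/3", "source_address": "203.0.113.10/24"}
        for fqdn in REQUIRED_FQDNS
    ],
    "logging_service": {
        "enable_logging_service": True,
        "enable_duplicate_logging": False,
        "region": "americas",          # constructed value
        "use_proxy": False,
        "ntp_server": "pool.ntp.org",
        "decrypt_to_logging_service": False,
    },
}

# Constructed snapshot with typical mistakes: two routes missing three FQDNs and
# using different interfaces, Duplicate Logging on, and no NTP without a proxy.
BAD_SNAPSHOT = {
    "use_management_interface": False,
    "service_routes": [
        {"destination": "api.paloaltonetworks.com", "source_interface": "ethernet1/3", "source_address": "203.0.113.10/24"},
        {"destination": "lic.lc.prod.us.cs.paloaltonetworks.com", "source_interface": "ethernet1/4", "source_address": "198.51.100.7/24"},
    ],
    "logging_service": {
        "enable_logging_service": True,
        "enable_duplicate_logging": True,
        "region": "americas",
        "use_proxy": False,
        "ntp_server": "",
        "decrypt_to_logging_service": False,
    },
}

if __name__ == "__main__":
    for name, snap in (("good", GOOD_SNAPSHOT), ("bad", BAD_SNAPSHOT)):
        print(name, audit_onboarding_config(snap) or ["ok"])
```

Run it before the commit step of either procedure: an empty findings list means the settings match what the page asks for, and each finding names the screen to revisit. The snapshot is deliberately hand-filled rather than parsed from the firewall, so the script has nothing to do with the PAN-OS configuration schema.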