>
    Strata Copilot
    Configure a PA-7000 Series Firewall for Logging Per Virtual System
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Virtual Systems
    4. Customize Service Routes for a Virtual System
    5. Configure a PA-7000 Series Firewall for Logging Per Virtual System
    Download PDF
    Next-Generation Firewall

    Configure a PA-7000 Series Firewall for Logging Per Virtual System

    Table of Contents

    Configure a PA-7000 Series Firewall for Logging Per Virtual System

    Where Can I Use This?What Do I Need?
    • NGFW
    • Virtual Systems license for any virtual systems beyond the base number supported by each NGFW series.
    • One of the following licenses when using Strata Cloud Manager:
      • Strata Cloud Manager Pro
      • Strata Cloud Manager Essentials
    Virtual System support on Strata Cloud Manager is available on request. Contact your account team to enable the feature.
    For Traffic, HIP Match, Threat, and WildFire log types, the PA-7000 Series firewall does not use service routes for SNMP Trap, Syslog, and email services. Instead, the PA-7000 Series firewall supports using a logging card.
    Depending on your firewall configuration, you might have one of the following card types:
    • Log Processing Card (LPC)—Supports virtual system-specific paths from LPC subinterfaces to an on-premise switch to the respective service on a server. For System and Config logs, the PA-7000 Series firewall uses global service routes, and not the LPC. If your firewall has an LPC installed, you need to configure a log card port.
    • Log Forwarding Card (LFC)—Supports high-speed log forwarding of all dataplane logs to an external log collector (for example, Panorama and syslog servers). If your firewall has an LFC installed, you do not need to configure a log card port.
      The only way to forward system logs from a PA-7000 Series firewall running PAN-OS 10.1 or later is by configuring an LFC.
      Log forwarding to an external server is not yet supported on LFC subinterfaces.
    In other Palo Alto Networks models, the dataplane sends logging service route traffic to the management plane, which sends the traffic to logging servers. In a PA-7000 Series firewall, the LPC or LFC have only one interface, and dataplanes for multiple virtual systems send logging server traffic (types mentioned above) to the PA-7000 Series firewall logging card. The logging card is configured with multiple subinterfaces, over which the platform sends the logging service traffic out to a customer’s switch, which can be connected to multiple logging servers.
    Each subinterface can be configured with a subinterface name and a dotted subinterface number. The subinterface is assigned to a virtual system, which is configured for logging services. The other service routes on a PA-7000 Series firewall function similarly to service routes on other Palo Alto Networks platforms. For information about the LPC or LFC, see thePA-7000 Series Hardware Reference Guide .

    Configure a PA-7000 Series LPC for Logging per Virtual System

    Create and configure an LPC subinterface for logging on multi-vsys.
    If you have enabled multi-vsys capability on a PA-7000 Series firewall with a Log Processing Card (LPC) installed, you can configure logging for different virtual systems as described in the following workflow.
    1. Create a Log Card subinterface.
      1. Select NetworkInterfacesEthernet and select the interface to be the Log Card interface.
      2. Enter the Interface Name.
      3. For Interface Type, select Log Card.
      4. Click OK.
    2. Add a subinterface for each tenant on the LPCs physical interface.
      1. Highlight the Ethernet interface that is a Log Card interface type and click Add Subinterface.
      2. For Interface Name, after the period, enter the subinterface assigned to the tenant’s virtual system.
      3. For Tag, enter a VLAN tag value.
        Make the tag the same as the subinterface number for ease of use, but it could be a different number.
      4. (Optional) Enter a Comment.
      5. On the Config tab, in the Assign Interface to Virtual System field, select the virtual system to which the LPC subinterface is assigned. Alternatively, you can click Virtual Systems to add a new virtual system.
      6. Click OK.
    3. Enter the addresses assigned to the subinterface, and configure the default gateway.
      1. Select the Log Card Forwarding tab, and do one or both of the following:
        • For the IPv4 section, enter the IP Address and Netmask assigned to the subinterface. Enter the Default Gateway (the next hop where packets will be sent that have no known next hop address in the Routing Information Base [RIB]).
        • For the IPv6 section, enter the IPv6 Address assigned to the subinterface. Enter the IPv6 Default Gateway.
      2. Click OK.
    4. Commit your changes.
      Click OK and Commit.
    5. If you haven’t already done so, configure the remaining service routes for the virtual system.
      Customize Service Routes for a Virtual System.

    Configure a PA-7000 Series LFC for Logging per Virtual System

    Create and configure an LFC subinterface for logging on multi-vsys.
    If you have enabled multiple virtual system (multi-vsys) capability on a PA-7000 Series firewall with a Log Forwarding Card (LFC) installed, you can configure logging for different virtual systems. The LFC can then forward logs to a Panorama Log Collector or syslog server.
    You can choose to configure only the physical interface. Because syslog forwarding via subinterfaces is not yet supported on LFCs, each virtual system uses the single untagged physical interface.
    If you configure an LFC subinterface to forward logs externally, the interfaces will no longer work as expected.
    To configure a separate subinterface for each virtual system, add subinterfaces to the physical interface and assign the necessary tag to segment the subinterface traffic.
    For a PA-7000 Series firewall managed by a Panorama management server, you cannot override or revert the LFC configuration locally on the firewall if the LFC configuration is pushed from Panorama. To override the LFC configuration pushed from Panorama, you must log in to the firewall CLI and delete the Panorama pushed configuration.
    admin> configure
    admin# delete deviceconfig log-fwd-card
    admin# commit

    © 2026 Palo Alto Networks, Inc. All rights reserved.