Strata Logging Service
10.0 or Earlier
Directly onboard your firewalls running PAN-OS 10.1 or earlier to Strata Logging Service.
- On your firewalls, allow access to the ports and FQDNs required to connect to Strata Logging Service. If you are using a proxy server, allow the same ports and FQDNs on the server without SSL decryption. Ensure that you are not decrypting traffic to Strata Logging Service.
- (Optional) To configure the firewall to connect to Strata Logging Service through a proxy server, select Device > Setup > Services > Use proxy to send logs to Strata Logging Service.
- By default, the management interface is used to forward logs to Strata Logging Service. If you choose not to use the management interface, use a data interface by configuring destination service routes for the following FQDNs: api.paloaltonetworks.com, apitrusted.paloaltonetworks.com, lic.lc.prod.us.cs.paloaltonetworks.com, certificatetrusted.paloaltonetworks.com, certificate.paloaltonetworks.com.
  - Select Device > Setup > Services > Global (omit the Global tab on a firewall without multiple virtual system (multi-vsys) capability).
  - Under Services Features, click Service Route Configuration.
  - Select Customize.
  - Under Service, select the following:
    - Palo Alto Networks Services
    - CRL status
    - DNS
    - HTTP
    - NTP
  - Set Selected Service Routes.
  - Select the Source Interface you want to use for activation, then select a Source Address from that interface and click OK.
  - Select Destination and Add a destination.
  - Enter any of the FQDNs above as the Destination.
  - Select the same Source Interface and Source Address that you selected for activation and click OK.
  - Add two more destinations for the same interface using the remaining FQDNs.
  - Click OK again to exit Service Route Configuration.
  - Update the access rules required to connect to Strata Logging Service for the new interface IP address.
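The first step above requires that the path to the Strata Logging Service FQDNs is open on TCP/443 and that nothing along it (the firewall's own decryption policy or a proxy) decrypts that traffic. The following pre-flight check is an added example, not Palo Alto Networks code: it connects to each FQDN the page lists and flags a server certificate that was re-signed by the organisation's own forward-trust CA, whose CN `Example-Corp-Forward-Trust-CA` is an assumed placeholder.

```python
"""Pre-flight check for two prerequisites on this page: each required Strata
Logging Service FQDN must be reachable on TCP/443, and the TLS session must not
be decrypted (re-signed) by an intermediate proxy. Added example, not PAN code."""
import socket
import ssl
# FQDNs this page lists as required for Strata Logging Service.
REQUIRED_FQDNS = [
    "api.paloaltonetworks.com",
    "apitrusted.paloaltonetworks.com",
    "lic.lc.prod.us.cs.paloaltonetworks.com",
    "certificatetrusted.paloaltonetworks.com",
    "certificate.paloaltonetworks.com",
]
# Assumed placeholder: the CN of your own SSL forward-trust (decryption) CA.
DECRYPTION_CA_CN = "Example-Corp-Forward-Trust-CA"

def issuer_cn(cert):
    """Issuer CN from a dict shaped like ssl.SSLSocket.getpeercert()."""
    pairs = [kv for rdn in cert.get("issuer", ()) for kv in rdn]
    return dict(pairs).get("commonName")

def san_matches(cert, fqdn):
    """True if a DNS subjectAltName covers fqdn (exact or one-label wildcard)."""
    for kind, name in cert.get("subjectAltName", ()):
        if kind == "DNS" and (name == fqdn or
                name.startswith("*.") and fqdn.split(".", 1)[1:] == [name[2:]]):
            return True
    return False

def classify(cert, fqdn, decryption_ca_cn=DECRYPTION_CA_CN):
    """'decrypted': re-signed by our own CA, so a decryption exclusion is missing."""
    if issuer_cn(cert) == decryption_ca_cn:
        return "decrypted"
    return "ok" if san_matches(cert, fqdn) else "name-mismatch"

def fetch_cert(fqdn, timeout=5.0):
    """Open a verified TLS session on 443 and return the peer cert (network I/O)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((fqdn, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    for fqdn in REQUIRED_FQDNS:
        try:
            print(fqdn, classify(fetch_cert(fqdn), fqdn))
        except ssl.SSLCertVerificationError as exc:  # chain fails public roots
            print(fqdn, "untrusted chain (decrypting proxy?):", exc.verify_message)
        except (OSError, ssl.SSLError) as exc:
            print(fqdn, "unreachable:", exc)
```

Run it from a host on the same network path the firewall's management or data interface will use; a `decrypted` or `untrusted chain` result means the traffic is being intercepted and a decryption exclusion or proxy bypass for these FQDNs is still missing.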
- Configure NTP so that the firewall stays in sync with Strata Logging Service. Ignore this step if you have enabled proxy configuration:
  - On the firewall, select Device > Setup > Services and set the NTP Server Address. For example: pool.ntp.org.
- Onboard the firewalls to a Strata Logging Service instance. Ignore this step if you don't have a Strata Logging Service license and want to send logs to Cortex XDR only.
  - Log in to the hub and open the Strata Logging Service app.
  - Select Inventory > Firewalls > Generate PSK to generate the onboarding key. Copy or save the key so that you can use it in later steps.
  If you have already connected the firewall to a Strata Logging Service instance and want to connect it to a new instance, first issue the following command from the firewall CLI:
      admin@PA-220> request logging-service-forwarding certificate delete
  This severs the connection between the firewall and the current Strata Logging Service instance. Then follow the procedure below to connect to the new Strata Logging Service instance.
  - Log in to the firewall that you want to connect to Strata Logging Service.
  - Select Device > Licenses and confirm that the Strata Logging Service license is active. Ensure that you have subscribed to a valid support license for Strata Logging Service (the 90-day software warranty does not count as a valid support license). When you purchased your Strata Logging Service license, all firewalls registered to your support account received a Strata Logging Service license. If you don't see the Strata Logging Service license, Retrieve license keys from license server to manually refresh the firewall licenses.
  - Set up the connection to Strata Logging Service and check the connection status:
    - Select Device > Setup > Management and find the Logging Service settings.
    - (Important) Before you populate any other settings, find the Onboard to Cloud option. Click Connect and enter the PSK (the onboarding key you generated in the Strata Logging Service app). Then click Connect again. After you connect, you should see a pop-up dialog confirming that the firewall is equipped with the certificate it needs to authenticate to Strata Logging Service. You can also check the Task Manager to confirm that the firewall successfully authenticated to Strata Logging Service.
    - Enable Logging Service to connect the firewall to Strata Logging Service. If you want the firewall to collect data that increases visibility for Palo Alto Networks applications, like Cortex XDR, you can also Enable Enhanced Application Logging. Strata Logging Service logging doesn't start until after you've specified the log types you want to forward. Complete these steps and then start sending logs to Strata Logging Service. Do not Enable Duplicate Logging; this option applies only to Panorama-managed firewalls.
    - Select the geographic Region of the Strata Logging Service instance to which you want to forward logs. This is the region you chose when you activated Strata Logging Service.
    - Commit and push the config to the firewalls.
    - Click Show Status to check the Logging Service Status. The status for License, Certificate, and Customer Info should be green. You can also use this CLI command to check the certificate status along with other details related to Strata Logging Service:
          request logging-service-forwarding status
      There is a known issue where device connectivity does not display a green status indicator even when the firewall is successfully connected to Strata Logging Service.
  - The firewall is now connected to Strata Logging Service but is not yet forwarding logs. Follow these steps to start sending logs and to best secure traffic between the firewall and Strata Logging Service.