Strata Logging Service
10.1 or Later
Directly onboard your firewalls running PAN-OS 10.1 or later to Strata Logging Service.

Beginning with PAN-OS 10.1, you can install a device certificate on your firewalls to simplify the onboarding process. Before you start sending logs to Strata Logging Service, you must install device certificates on as many firewalls as you'd like to onboard. After you've installed the certificates, use the Strata Logging Service app to complete the onboarding process.

Before you begin, ensure that your firewalls are running PAN-OS 10.1 or later and that they have the device certificate installed.
- On your firewalls, allow access to the ports and FQDNs required to connect to Strata Logging Service. If you are using a proxy server, allow the same ports and FQDNs on the proxy server without SSL decryption. Ensure that you are not decrypting traffic to Strata Logging Service at any point on the path; the firewall must see the service's own certificate chain.
- (Optional) To configure the firewall to connect to Strata Logging Service through a proxy server, select Device > Setup > Services > Use proxy to send logs to Strata Logging Service.
- By default, the management interface is used to forward logs to Strata Logging Service. If you choose not to use the management interface, use a data interface by configuring destination service routes for the following FQDNs: api.paloaltonetworks.com, apitrusted.paloaltonetworks.com, lic.lc.prod.us.cs.paloaltonetworks.com, certificatetrusted.paloaltonetworks.com, certificate.paloaltonetworks.com.
  - Select Device > Setup > Services > Global on a firewall with multiple virtual system (multi-vsys) capability, or Device > Setup > Services on a firewall without multi-vsys capability.
  - Under Services Features, click Service Route Configuration.
  - Select Customize.
  - Under Service, select the following:
    - Palo Alto Networks Services
    - CRL Status
    - DNS
    - HTTP
    - NTP
  - Set Selected Service Routes.
  - Select the Source Interface you want to use for activation, then select a Source Address from that interface and click OK.
  - Select Destination and Add a destination.
  - Enter one of the FQDNs above as the Destination.
  - Select the same Source Interface and Source Address that you selected for activation and click OK.
  - Repeat the Add step for each of the remaining FQDNs above, so that every FQDN has a destination service route on the same interface.
  - Click OK again to exit Service Route Configuration.
  - Update the access rules required to connect to Strata Logging Service for the new interface IP address.
- Configure NTP so that the firewall's clock stays in sync with Strata Logging Service (certificate validation fails if the clock is badly skewed). Skip this step if you have enabled the proxy configuration:
  - On the firewall, select Device > Setup > Services and set the NTP Server Address. For example: pool.ntp.org.
- Install a device certificate on each firewall that you want to connect to Strata Logging Service.
  - If this is the first time you install a device certificate on the firewall, you must delete the Strata Logging Service license key and fetch it again by issuing the following commands, where <CDL_License_Key> is the file name of the installed Strata Logging Service license key:
    > delete license key <CDL_License_Key>
    > request license fetch
    This is only required the first time that you install the device certificate.
- Onboard the firewalls to a Strata Logging Service instance. Skip this step if you don't have a Strata Logging Service license and want to send logs to Cortex XDR only.
  - Log in to the hub and open the Strata Logging Service app for the instance to which you are onboarding.
  - Select Inventory > Firewalls > Add.
  - Select New and Next.
  - Select the firewalls to connect to Strata Logging Service and choose whether Strata Logging Service will store or only ingest their data.
  - Submit your choices.
- Select Device > Licenses and confirm that the Strata Logging Service license is active. Ensure that you have subscribed to a valid support license for Strata Logging Service (the 90-day software warranty does not count as a valid support license). When you purchased your Strata Logging Service license, all firewalls registered to your support account received a Strata Logging Service license. If you don't see the Strata Logging Service license, click Retrieve license keys from license server to manually refresh the firewall licenses.
- Set up the connection to Strata Logging Service and check the connection status:
  - Select Device > Setup > Management and find the Logging Service settings.
  - Enable Logging Service to connect the firewall to Strata Logging Service. If you want the firewall to collect data that increases visibility for Palo Alto Networks applications, like Cortex XDR, you can also Enable Enhanced Application Logging. Strata Logging Service logging doesn't start until after you've specified the log types you want to forward; complete these steps and then start sending logs to Strata Logging Service. Do not Enable Duplicate Logging; that option applies only to Panorama-managed firewalls.
  - Commit and push the configuration to the firewalls.
  - Click Show Status to check the Logging Service Status (Strata Logging Service). The status for License, Certificate, and Customer Info should be green. You can also check the certificate status, along with other details related to Strata Logging Service, from the firewall CLI:
    > request logging-service-forwarding status
- The firewall is now connected to Strata Logging Service but is not yet forwarding logs. Follow the steps for starting to send logs to Strata Logging Service to begin forwarding and to best secure traffic between the firewall and Strata Logging Service.
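The egress prerequisites in the steps above (the five FQDNs, the proxy and port allow-list, and the rule that the connection must not be SSL-decrypted) are easy to get wrong, and the firewall's own status view only tells you that the connection failed. The following pre-flight script is an added example and is not Palo Alto Networks code or part of this page. Run from an administrative host on the same egress path as the firewall's chosen interface, it resolves each FQDN, opens a TCP connection, completes a verified TLS handshake against the host's trust store, and inspects the leaf certificate's issuer to flag a chain that has been re-signed by a corporate decryption CA. Two things are assumptions rather than facts from the page: TCP/443 as the probe port (the page names the FQDNs but not the ports) and the decryption-CA name in CORPORATE_DECRYPTION_CAS, which is a placeholder to replace with your own.

```python
"""Pre-flight egress check for Strata Logging Service onboarding.

Added example, not Palo Alto Networks code. Assumptions not stated on the page:
the listed FQDNs must be reachable on TCP/443, and the decryption CA name below
is a placeholder for your environment's forward-proxy / decryption CA.
"""
import socket
import ssl
from dataclasses import dataclass, field

# FQDNs named in the destination service-route step of the onboarding procedure.
SLS_FQDNS = (
    "api.paloaltonetworks.com",
    "apitrusted.paloaltonetworks.com",
    "lic.lc.prod.us.cs.paloaltonetworks.com",
    "certificatetrusted.paloaltonetworks.com",
    "certificate.paloaltonetworks.com",
)
PROBE_PORT = 443  # assumption: the page does not list the required ports

# Subject CNs of decryption CAs in your environment (placeholder value).
CORPORATE_DECRYPTION_CAS = ("Example Corp Forward Trust CA",)


@dataclass
class Finding:
    host: str
    resolves: bool = False
    tls_ok: bool = False
    issuer_cn: str = ""
    san_ok: bool = False
    intercepted: bool = False
    notes: list = field(default_factory=list)


def rdn_value(name, key):
    """Return one attribute (e.g. 'commonName') from a getpeercert()-style name tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return ""


def san_matches(cert, host):
    """True if the leaf cert's subjectAltName covers host (exact or one-label wildcard)."""
    host = host.lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value == host:
            return True
        # A wildcard covers exactly one label: *.x.com matches a.x.com, not a.b.x.com.
        if (value.startswith("*.") and host.endswith(value[1:])
                and host.count(".") == value.count(".")):
            return True
    return False


def assess_cert(cert, host, decryption_cas=CORPORATE_DECRYPTION_CAS):
    """Classify a peer-cert dict: (issuer CN, SAN covers host?, re-signed by a decryption CA?)."""
    issuer = rdn_value(cert.get("issuer", ()), "commonName")
    intercepted = any(ca.lower() in issuer.lower() for ca in decryption_cas)
    return issuer, san_matches(cert, host), intercepted


def probe(host, port=PROBE_PORT, timeout=5.0):
    """Resolve, connect and complete a verified TLS handshake to host:port; record what was seen."""
    f = Finding(host)
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
        f.resolves = True
    except socket.gaierror as exc:
        f.notes.append(f"DNS failure: {exc}")
        return f
    # Default context = this host's trust store. A chain re-signed by a decryption CA that is
    # NOT installed here fails the handshake; if the CA IS installed, assess_cert() catches it.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
        f.tls_ok = True
        f.issuer_cn, f.san_ok, f.intercepted = assess_cert(cert, host)
        if f.intercepted:
            f.notes.append("chain re-signed by a decryption CA: exempt this FQDN from SSL decryption")
    except ssl.SSLError as exc:  # subclass of OSError, so it must be caught first
        f.notes.append(f"TLS handshake failed (untrusted or re-signed chain?): {exc}")
    except OSError as exc:
        f.notes.append(f"TCP connect failed (port blocked on firewall or proxy?): {exc}")
    return f


if __name__ == "__main__":
    for fqdn in SLS_FQDNS:
        r = probe(fqdn)
        state = "OK" if (r.resolves and r.tls_ok and r.san_ok and not r.intercepted) else "CHECK"
        print(f"{state:5} {fqdn:42} issuer={r.issuer_cn!r} {' | '.join(r.notes)}")
```

A "CHECK" line with a DNS failure points at the service routes (DNS must use the same interface); a TCP failure points at the firewall or proxy allow-list; a TLS failure or an intercepted verdict points at SSL decryption that must be disabled for these FQDNs. The probe only reflects the firewall's path when the administrative host egresses through the same proxy and rules, so run it from that segment rather than from an unrelated workstation.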