Strata Logging Service
Firewalls
Follow these steps to send logs from your firewalls to Strata Logging Service.
Before you start sending logs to Cortex™ Data Lake, you must:
The following task describes how to start forwarding logs to Strata Logging Service from firewalls that are not managed by Panorama™. You'll specify the log types you want to forward and also take steps to make sure that the traffic between the firewall and Strata Logging Service remains secure.
- If you haven't done so already, Activate Strata Logging Service and onboard firewalls to Strata Logging Service.
- In the Strata Logging Service app, click Inventory > Firewall and enable store log data if you want to store logs from the firewall.
- Specify the log types to forward to Strata Logging Service.
  - To forward System, Configuration, User-ID, and HIP Match logs:
    - Select Device > Log Settings.
    - For each log type that you want to forward to Strata Logging Service, Add a match list filter. Give it a Name, optionally define a Filter, select Logging Service, and click OK.
  - To forward log types that are generated when a policy match occurs—Traffic, Threat, WildFire® Submission, URL Filtering, Data Filtering, and Authentication logs—create and attach a Log Forwarding profile to each policy rule for which you want to forward logs.
    - Select Objects > Log Forwarding to Add a profile. In the log forwarding profile match list, add each log type that you want to forward. If you enabled the Enhanced Application Logs feature, then fully Enable enhanced application logging to Strata Logging Service on the firewall to forward these log types. When you enable this feature, the match lists that specify the log types required for enhanced application logging are automatically added to the profile.
    - Select Logging Service as the Forward Method to enable the firewalls in the device group to forward the logs to Strata Logging Service. You can monitor the logs and generate reports from Panorama.
    - If you haven't already done so, create basic Security policy rules. Until the firewall has interfaces and zones and a basic Security policy, it will not let any traffic through and, by default, only traffic that matches a Security policy rule will be logged.
    - For each rule you create, select Actions and select the Log Forwarding profile that allows the firewall to send logs to Strata Logging Service.
- (PA-7000 Series firewalls only) Configure a log card interface to perform log forwarding. As of PAN-OS 10.1, you can no longer forward system logs using the Management interface or using service routes through the Data Plane interfaces. The only way to forward system logs from a PA-7000 Series firewall running PAN-OS 10.1 or later is by configuring a Log Forwarding Card (LFC).
  - Select Network > Interfaces > Ethernet and click Add Interface.
  - Select the Slot and Interface Name.
  - Set the Interface Type to Log Card.
  - Enter the IP Address, Default Gateway, and (for IPv4 only) Netmask.
  - Select Advanced and specify the Link Speed, Link Duplex, and Link State. These fields default to auto, which specifies that the firewall automatically determines the values based on the connection. However, the minimum recommended Link Speed for any connection is 1000 (Mbps).
  - Click OK to save your changes.
- Commit your changes.
- Verify that the firewall logs are forwarded to Strata Logging Service.
  - Click the Explore tab in the Strata Logging Service app, so that you can view and filter Strata Logging Service logs.
  - On a firewall, enter the CLI command `request logging-service-forwarding status` to view detailed information on the connectivity status to Strata Logging Service:

    ```
    -----------------------------------------------------------------------------------------------------------------------------
    Type          Last Log Created       Last Log Fwded         Last Seq Num Fwded   Last Seq Num Acked   Total Logs Fwded
    -----------------------------------------------------------------------------------------------------------------------------
    > CMS 0
            Not Sending to CMS 0
    > CMS 1
            Not Sending to CMS 1
    >Log Collection Service
    'Log Collection log forwarding agent' is active and connected to xx.xxx.xxx.xx
    config        2017/07/26 16:33:20    2017/07/26 16:34:09    323                  321                  2
    system        2017/07/31 12:23:10    2017/07/31 12:23:18    13634645             13634637             84831
    threat        2014/12/01 14:47:52    2017/07/26 16:34:24    557404252            557404169            93
    traffic       2017/07/28 18:03:39    2017/07/28 18:03:50    3619306590           3619306590           1740
    hipmatch      Not Available          Not Available          0                    0                    0
    gtp-tunnel    Not Available          Not Available          0                    0                    0
    userid        Not Available          Not Available          0                    0                    0
    auth          Not Available          Not Available          0                    0                    0
    ```

    Look for the ‘Log collection log forwarding agent’ is active and connected to <IP_address> line. You can also see that CMS 0 and CMS 1 (the Log Collectors) are not receiving logs.
  - Select Device > Setup > Management > Strata Logging Service and click Show Status to verify that the firewall is connected and sending logs to Strata Logging Service.
- Next steps:
  - Use the Explore tab to search, filter, and export log data. Explore offers you critical visibility into the network activity in your enterprise by enabling you to easily examine network and endpoint log data.
  - Archive Strata Logging Service logs by forwarding logs from Strata Logging Service to a Syslog server or email server for long-term storage, SOC, or internal audit.