Onboard Firewalls to Strata Logging Service with Panorama
After you Activate, it's time to onboard your devices to the service. Ensure that you have subscribed to a valid support license of Strata Logging Service (90 days software warranty is not counted as a valid support license).

Before you onboard the firewalls to Strata Logging Service, you must add firewalls as managed devices to Panorama.

10.0 or Earlier
This is how you onboard firewalls to Strata Logging Service using Panorama.

- On your firewalls, allow access to the ports and FQDNs required to connect to Strata Logging Service. If you are using a proxy server, allow the same ports and FQDNs on the server without SSL decryption. Ensure that you are not decrypting traffic to Strata Logging Service.
- (Optional) To configure the firewall to connect to Strata Logging Service through a proxy server:
  - On the firewall, select Device > Setup > Services > Use proxy to send logs to Strata Logging Service.
  - On Panorama, select Setup > Services > Use proxy to send logs to Strata Logging Service.
- By default, the management interface is used to forward logs to Strata Logging Service. If you choose not to use the management interface, use a data interface by configuring destination service routes for the following FQDNs: api.paloaltonetworks.com, apitrusted.paloaltonetworks.com, lic.lc.prod.us.cs.paloaltonetworks.com, certificatetrusted.paloaltonetworks.com, certificate.paloaltonetworks.com.
  - Select Device > Setup > Services > Global (or Device > Setup > Services on a firewall without multiple virtual system (multi-vsys) capability).
  - Under Services Features, click Service Route Configuration.
  - Select Customize.
  - Under Service, select the following:
    - Palo Alto Networks Services
    - CRL status
    - DNS
    - HTTP
    - NTP
  - Set Selected Service Routes.
  - Select the Source Interface you want to use for activation, then select a Source Address from that interface and click OK.
  - Select Destination and Add a destination.
  - Enter any of the FQDNs above as Destination.
  - Select the same Source Interface and Source Address that you selected for activation and click OK.
  - Add two more destinations for the same interface using the remaining two FQDNs.
  - Click OK again to exit Service Route Configuration.
  - Update the access rules required to connect to Strata Logging Service for the new interface IP address.
- Configure NTP so that the firewall stays in sync with Strata Logging Service. Ignore this step if you have enabled proxy configuration:
  - On the firewall, select Device > Setup > Services and set the NTP Server Address to the same value configured on Panorama. For example: pool.ntp.org.
- Retrieve and push the Strata Logging Service licenses for managed firewalls. Ensure that you have subscribed to a valid support license of Strata Logging Service (90 days software warranty is not counted as a valid support license).
  - From Panorama, select Panorama > Device Deployment > License.
  - First Refresh and then select the firewalls from the list. Panorama retrieves the licenses, deploys them to the selected firewalls, and updates the licensing status on the Panorama web interface. Make sure you see that Panorama successfully installed the Strata Logging Service license on the firewall. Do not Refresh again until the first refresh completes. When the refresh completes, Status shows Completed and Progress is 100%, and Details indicates whether the refresh succeeded.
- (Optional) If you have not created a template and a device group, from Panorama create a template and a device group to push log forwarding settings to the firewalls from which you want to forward logs to Strata Logging Service.
- Enable the firewalls in the template to send logs to Strata Logging Service and select the region where you want the logs stored. If some firewalls in your deployment are sending logs to dedicated Log Collectors or to Panorama with a local Log Collector, only firewalls that belong to the template with the Enable Strata Logging Service option selected can send logs to Strata Logging Service.
  - Select Device > Setup > Management.
  - Select the Template that contains the firewalls from which you want to forward logs to Strata Logging Service.
  - Edit the Strata Logging Service settings.
  - Enable either of the two following options:
    - Enable Logging Service—Send and save logs to Strata Logging Service only. With this option, use Explore or Panorama to see and interact with your log data.
    - Enable Duplicate Logging—For firewalls running PAN-OS 8.1 and later releases, you can send and save logs both to Strata Logging Service and to your Panorama and log collection setup. Firewalls save a copy of all log data to both Panorama and Strata Logging Service except for system and config logs, which are sent to Panorama only. To forward logs to Strata Logging Service with Duplicate Logging enabled, you must add the firewalls with the option enabled to a Collector Group.
  - Enable Enhanced Application Logging to allow the firewall to collect data for apps running in the Palo Alto Networks Cloud Services environment. These logs provide Palo Alto Networks Cloud services apps increased visibility into network activity and, in some cases, are required to support app features.
  - Select the Region where you want to forward logs for the firewalls associated with this template and then click OK. Starting with PAN-OS 9.0.2, there is an option to Onboard Without Panorama. This setting is used only for firewalls that are not managed by Panorama; there is no need to populate it when you are enabling Panorama-managed firewalls to forward logs to Strata Logging Service.
  - (Panorama 9.0 or later releases only) Specify the Connection count to Strata Logging Service for PA-7000s and PA-5200s. This is the number of connections that are established between the firewalls and Strata Logging Service for forwarding logs (range is 1 to 20; default is 5).
- (Optional) Configure interfaces and zones in the template.
- Commit and push the config to the firewalls.
- The firewall fetches a certificate automatically after the configuration is pushed. To check the certificate status:
  - On Panorama, select Panorama > Managed Devices > Troubleshooting > Test Cloud Logging Service Status.
  - On the firewall, select Device > Setup > Management, find the Logging Service settings, and click Show Status to check the Strata Logging Service status.
  - Run the command locally: request logging-service-forwarding status
  If a certificate was not fetched for a firewall, run this command locally to fetch a certificate: request logging-service-forwarding certificate fetch
  Remember that for any firewalls from which you want to forward logs to Strata Logging Service and that are not already managed by Panorama, you first need to add the firewalls to Panorama as managed devices.
10.1 or Later
This is how you onboard firewalls to Strata Logging Service using Panorama.

- On your firewalls, allow access to the ports and FQDNs required to connect to Strata Logging Service. If you are using a proxy server, allow the same ports and FQDNs on the server without SSL decryption. Ensure that you are not decrypting traffic to Strata Logging Service.
- (Optional) To configure the firewall to connect to Strata Logging Service through a proxy server:
  - On the firewall, select Device > Setup > Services > Use proxy to send logs to Strata Logging Service.
  - On Panorama, select Setup > Services > Use proxy to send logs to Strata Logging Service.
- By default, the management interface is used to forward logs to Strata Logging Service. If you choose not to use the management interface, use a data interface by configuring destination service routes for the following FQDNs: api.paloaltonetworks.com, apitrusted.paloaltonetworks.com, lic.lc.prod.us.cs.paloaltonetworks.com, certificatetrusted.paloaltonetworks.com, certificate.paloaltonetworks.com.
  - Select Device > Setup > Services > Global (or Device > Setup > Services on a firewall without multiple virtual system (multi-vsys) capability).
  - Under Services Features, click Service Route Configuration.
  - Select Customize.
  - Under Service, select the following:
    - Palo Alto Networks Services
    - CRL status
    - DNS
    - HTTP
    - NTP
  - Set Selected Service Routes.
  - Select the Source Interface you want to use for activation, then select a Source Address from that interface and click OK.
  - Select Destination and Add a destination.
  - Enter any of the FQDNs above as Destination.
  - Select the same Source Interface and Source Address that you selected for activation and click OK.
  - Add two more destinations for the same interface using the remaining two FQDNs.
  - Click OK again to exit Service Route Configuration.
  - Update the access rules required to connect to Strata Logging Service for the new interface IP address.
- Configure NTP so that the firewall stays in sync with Strata Logging Service. Ignore this step if you have enabled proxy configuration.
  - On the firewall, select Device > Setup > Services > NTP and set the NTP Server Address to the same value you configured on Panorama. For example: pool.ntp.org.
- Install a device certificate for managed firewalls. If this is your first time installing a device certificate, you must delete the Strata Logging Service key and re-fetch it by issuing the following commands on the firewall CLI:
  > delete license key <CDL_License_Key>
  > request license fetch
- Onboard the firewalls to a Strata Logging Service instance.
  - Log in to the hub and open the Strata Logging Service app for the instance to which you are onboarding.
  - Select Inventory > Firewalls > Add.
  - Select New and Next.
  - Select the firewalls to connect to Strata Logging Service and choose whether Strata Logging Service will store or only ingest their data.
  - Submit your choices.
- Retrieve and push the Strata Logging Service licenses for managed firewalls. Ensure that you have subscribed to a valid support license of Strata Logging Service (90 days software warranty is not counted as a valid support license).
  - From Panorama, select Panorama > Device Deployment > License.
  - First Refresh and then select the firewalls from the list. Panorama retrieves the licenses, deploys them to the selected firewalls, and updates the licensing status on the Panorama web interface. Make sure you see that Panorama successfully installed the Strata Logging Service license on the firewall. Do not Refresh again until the first refresh completes. When the refresh completes, Status shows Completed and Progress is 100%, and Details indicates whether the refresh succeeded.
- (Optional) If you have not created a template and a device group, from Panorama create a template and a device group to push log forwarding settings to the firewalls from which you want to forward logs to Strata Logging Service.
- Enable the firewalls in the template to send logs to Strata Logging Service and select the region where you want the logs stored. If some firewalls in your deployment are sending logs to dedicated Log Collectors or to Panorama with a local Log Collector, only firewalls that belong to the template with the Enable Strata Logging Service option selected can send logs to Strata Logging Service.
  - Select Device > Setup > Management.
  - Select the Template that contains the firewalls from which you want to forward logs to Strata Logging Service.
  - Edit the Strata Logging Service settings.
  - Enable either of the two following options:
    - Enable Logging Service—Send and save logs to Strata Logging Service only. With this option, use Explore or Panorama to see and interact with your log data.
    - Enable Duplicate Logging—For firewalls running PAN-OS 8.1 and later releases, you can send and save logs both to Strata Logging Service and to your Panorama and log collection setup. Firewalls save a copy of all log data to both Panorama and Strata Logging Service except for system and config logs, which are sent to Panorama only. To forward logs to Strata Logging Service with Duplicate Logging enabled, you must add the firewalls with the option enabled to a Collector Group.
  - Enable Enhanced Application Logging to allow the firewall to collect data for apps running in the Palo Alto Networks Cloud Services environment. These logs provide Palo Alto Networks Cloud services apps increased visibility into network activity and, in some cases, are required to support app features.
  - Select the Region where you want to forward logs for the firewalls associated with this template and then click OK. This region is not necessarily where your firewalls are located but the location of the Strata Logging Service instance; the firewalls send logs to the region of the Strata Logging Service instance to which you onboarded them. The option to Onboard Without Panorama is used only for firewalls that are not managed by Panorama; there is no need to populate it when you are enabling Panorama-managed firewalls to forward logs to Strata Logging Service.
  - Specify the Connection count to Strata Logging Service for PA-7000s and PA-5200s. This is the number of connections that are established between the firewalls and Strata Logging Service for forwarding logs (range is 1 to 20; default is 5).
- (Optional) Configure interfaces and zones in the template.
- Commit and push the config to the firewalls.
- The firewall fetches a certificate automatically after the configuration is pushed. To check the certificate status:
  - On Panorama, select Panorama > Managed Devices > Troubleshooting > Test Cloud Logging Service Status.
  - On the firewall, select Device > Setup > Management, find the Logging Service settings, and click Show Status to check the Strata Logging Service status.
  - Run the command locally: request logging-service-forwarding status
  If a certificate was not fetched for a firewall, run this command locally to fetch a certificate: request logging-service-forwarding certificate fetch
  Remember that for any firewalls from which you want to forward logs to Strata Logging Service and that are not already managed by Panorama, you first need to add the firewalls to Panorama as managed devices.
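The first step of both procedures requires the Strata Logging Service FQDNs to reach the service without SSL decryption, whether that decryption would happen on the firewall or on an intermediate proxy. The following added example (not from the Palo Alto Networks documentation; the rule format and the sample rulebases are constructed) evaluates a first-match decryption rulebase against those FQDNs and reports any that would be decrypted, including the common failure where a no-decrypt exclusion is shadowed by a broader decrypt rule placed above it.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# FQDNs the onboarding procedure says must be reachable without SSL decryption.
SLS_FQDNS = (
    "api.paloaltonetworks.com",
    "apitrusted.paloaltonetworks.com",
    "lic.lc.prod.us.cs.paloaltonetworks.com",
    "certificatetrusted.paloaltonetworks.com",
    "certificate.paloaltonetworks.com",
)

@dataclass(frozen=True)
class DecryptRule:              # constructed, simplified rule model (not a PAN-OS schema)
    name: str
    destinations: tuple         # FQDN glob patterns such as "*.paloaltonetworks.com", or "any"
    action: str                 # "decrypt" or "no-decrypt"

def _matches(pattern: str, fqdn: str) -> bool:
    # Case-insensitive glob match; "*" spans labels, so "*.paloaltonetworks.com"
    # also matches lic.lc.prod.us.cs.paloaltonetworks.com.
    return pattern == "any" or fnmatchcase(fqdn.lower(), pattern.lower())

def first_match(rules, fqdn):
    """First-match evaluation: the first rule whose destination matches wins."""
    for rule in rules:
        if any(_matches(p, fqdn) for p in rule.destinations):
            return rule
    return None

def decrypted_fqdns(rules, fqdns=SLS_FQDNS, default_action="no-decrypt"):
    """Return (fqdn, rule name) for every FQDN the rulebase would decrypt."""
    hits = []
    for fqdn in fqdns:
        rule = first_match(rules, fqdn)
        action = rule.action if rule else default_action
        if action == "decrypt":
            hits.append((fqdn, rule.name if rule else "<default>"))
    return hits

# Constructed sample rulebases. In MISORDERED the exclusion sits below a
# catch-all decrypt rule and never takes effect; CORRECTED evaluates it first.
MISORDERED = (
    DecryptRule("decrypt-outbound", ("any",), "decrypt"),
    DecryptRule("sls-exclude", ("*.paloaltonetworks.com",), "no-decrypt"),
)
CORRECTED = (MISORDERED[1], MISORDERED[0])

if __name__ == "__main__":
    print("misordered:", decrypted_fqdns(MISORDERED), "corrected:", decrypted_fqdns(CORRECTED))
```

Run the audit against an export of your own rulebase before pushing the template; an empty result for every required FQDN is the condition the onboarding step asks for.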