Onboard Firewalls with Panorama (10.0 or Earlier)

Add the firewall as a managed device on Panorama. Before you add the firewall as a managed device, you must configure NTP so that the firewall stays in sync with Cortex Data Lake.
On the firewall, select
Device
Setup
Services
NTP
and set it to the same
NTP Server Address
you configured on Panorama. For example:
pool.ntp.org
.
(
Optional, Panorama 10.0 or and later releases
) To configure Panorama to connect to Cortex Data Lake through a proxy server, select
Panorama
Setup
Services

and
Use proxy to send logs to Cortex Data Lake
.
Retrieve and push the Cortex Data Lake licenses for managed firewalls.
From Panorama, select

Panorama

Device Deployment

License

.

First

Refresh

and then select the firewalls from the list. Panorama retrieves the licenses, deploys them to the selected firewalls, and updates the licensing status on the Panorama web interface.

Make sure you see that Panorama successfully installed the Cortex Data Lake license on the firewall.

Do not

Refresh

again until the first refresh completes. When the refresh completes, you will see that Status shows Completed and Progress is 100%. There are also Details about whether the refresh succeeded.


From Panorama, create a template and a device group to push log forwarding settings to the firewalls from which you want to forward logs to Cortex Data Lake.
Enable the firewalls in the template to send logs to Cortex Data Lake and select the region where you want the logs stored.
If some firewalls in your deployment are sending logs to dedicated Log Collectors or to Panorama with a local Log Collector, only firewalls that belong to the template with the Enable Cortex Data Lake option selected can send logs to Cortex Data Lake.
Select
Device
Setup
Management
.
Select the
Template
that contains the firewalls from which you want to forward logs to Cortex Data Lake.
Edit the Cortex Data Lake settings.

Enable either of the two following options:
Enable Logging Service
—Send and save logs to Cortex Data Lake only. With this option, use Explore to see and interact with your log data.
Enable Duplicate Logging
—For firewalls running PAN-OS 8.1 and later releases, you can send and save logs both to Cortex Data Lake and to your Panorama and log collection setup. Firewalls save a copy of all log data to both Panorama and Cortex Data Lake except for system and config logs, which are sent to Panorama only.
To forward logs to Cortex Data Lake with Duplicate Logging enabled, you must add the firewalls with the option enabled to a Collector Group.
Enable Enhanced Application Logging to allow the firewall to collect data for apps running the Palo Alto Networks Cloud Services environment. These logs provide Palo Alto Networks Cloud services apps increased visibility into network activity and, in some cases, are required to support app features.
Select the
Region
where you want to forward logs for the firewalls associated with this template and then click
OK
.
Starting with PAN-OS 9.0.2, there is an option to
Onboard Without Panorama
. This setting is used only for firewalls that are not managed by Panorama; there’s no need to populate it when you’re enabling Panorama-managed firewalls to forward logs to Cortex Data Lake.
(
Panorama 9.0 or later releases only
) Specify the
Connection count to Cortex Data Lake for PA-7000s and PA-5200s
.
Specify the number of connections that are established between the firewalls and Cortex Data Lake for forwarding logs to Cortex Data Lake (range is 1 to 20; default is 5).
Configure interfaces and zones in the template.
Set the
Palo Alto Networks Services
service route to use either the management interface or a data interface.
Follow these steps to use the management interface for activation. Otherwise, use a data interface.
Select
Device
Setup
Services
Global
on a firewall without multiple virtual system (multi-vsys) capability.
Under Services Features, click
Service Route Configuration
.
Select
Customize
.
Under Service, click
Palo Alto Networks Services
.
For
Source Interface
, select
MGT
.
Click
OK
to exit the Service Route Source dialog and click
OK
again to exit Service Route Configuration.
After activation, you can configure a different interface to forward logs to Cortex Data Lake (see how to start sending logs to Cortex Data Lake).
If you chose not to use the management interface for activation, use a data interface by configuring destination service routes for the following FQDNs:
api.paloaltonetworks.com
apitrusted.paloaltonetworks.com
lic.lc.prod.us.cs.paloaltonetworks.com
Select
Device
Setup
Services
Global
.
Global
on a firewall without multiple virtual system (multi-vsys) capability.
Under Services Features, click
Service Route Configuration
.
Select
Customize
.
Under Service, select the following:
Palo Alto Networks Services
CRL status
DNS
HTTP
NTP
Set Selected Service Routes
.
Select the
Source Interface
you want to use for activation and then select a
Source Address
from that interface.

Click
OK
.
Select
Destination
.
Add
a destination.
Enter any of the FQDNs above as
Destination
.

Select the same
Source Interface
and
Source Address
that you selected for activation.
Click
OK
.
Add
two more destinations for the same interface using the remaining two FQDNs.

Click
OK
again to exit Service Route Configuration.
Enable Panorama-managed firewalls to send logs to Cortex Data Lake.
Remember that for any firewalls from which you want to forward logs to Cortex Data Lake and that are not already managed by Panorama, you first need to add the firewalls to Panorama as managed devices.