Onboard Firewalls with Panorama (10.0 or Earlier)

  1. Add the firewall as a managed device on Panorama. Before you add the firewall as a managed device, you must configure NTP so that the firewall stays in sync with Cortex Data Lake.
    On the firewall, select
    Device
    Setup
    Services
    NTP
    and set it to the same
    NTP Server Address
    you configured on Panorama. For example:
    pool.ntp.org
    .
    1. (
      Optional, Panorama 10.0 or and later releases
      ) To configure Panorama to connect to Cortex Data Lake through a proxy server, select
      Panorama
      Setup
      Services
      and
      Use proxy to send logs to Cortex Data Lake
      .
  2. Retrieve and push the Cortex Data Lake licenses for managed firewalls.
    1. From Panorama, select
      Panorama
      Device Deployment
      License
      .
    2. First
      Refresh
      and then select the firewalls from the list. Panorama retrieves the licenses, deploys them to the selected firewalls, and updates the licensing status on the Panorama web interface.
      Make sure you see that Panorama successfully installed the Cortex Data Lake license on the firewall.
      Do not
      Refresh
      again until the first refresh completes. When the refresh completes, you will see that Status shows Completed and Progress is 100%. There are also Details about whether the refresh succeeded.
  3. From Panorama, create a template and a device group to push log forwarding settings to the firewalls from which you want to forward logs to Cortex Data Lake.
  4. Enable the firewalls in the template to send logs to Cortex Data Lake and select the region where you want the logs stored.
    If some firewalls in your deployment are sending logs to dedicated Log Collectors or to Panorama with a local Log Collector, only firewalls that belong to the template with the Enable Cortex Data Lake option selected can send logs to Cortex Data Lake.
    1. Select
      Device
      Setup
      Management
      .
    2. Select the
      Template
      that contains the firewalls from which you want to forward logs to Cortex Data Lake.
    3. Edit the Cortex Data Lake settings.
    4. Enable either of the two following options:
      • Enable Logging Service
        —Send and save logs to Cortex Data Lake only. With this option, use Explore to see and interact with your log data.
      • Enable Duplicate Logging
        —For firewalls running PAN-OS 8.1 and later releases, you can send and save logs both to Cortex Data Lake and to your Panorama and log collection setup. Firewalls save a copy of all log data to both Panorama and Cortex Data Lake except for system and config logs, which are sent to Panorama only.
      To forward logs to Cortex Data Lake with Duplicate Logging enabled, you must add the firewalls with the option enabled to a Collector Group.
    5. Enable Enhanced Application Logging to allow the firewall to collect data for apps running the Palo Alto Networks Cloud Services environment. These logs provide Palo Alto Networks Cloud services apps increased visibility into network activity and, in some cases, are required to support app features.
    6. Select the
      Region
      where you want to forward logs for the firewalls associated with this template and then click
      OK
      .
      Starting with PAN-OS 9.0.2, there is an option to
      Onboard Without Panorama
      . This setting is used only for firewalls that are not managed by Panorama; there’s no need to populate it when you’re enabling Panorama-managed firewalls to forward logs to Cortex Data Lake.
    7. (
      Panorama 9.0 or later releases only
      ) Specify the
      Connection count to Cortex Data Lake for PA-7000s and PA-5200s
      .
      Specify the number of connections that are established between the firewalls and Cortex Data Lake for forwarding logs to Cortex Data Lake (range is 1 to 20; default is 5).
  5. Set the
    Palo Alto Networks Services
    service route to use either the management interface or a data interface.
    • Follow these steps to use the management interface for activation. Otherwise, use a data interface.
      1. Select
        Device
        Setup
        Services
        Global
        on a firewall without multiple virtual system (multi-vsys) capability.
      2. Under Services Features, click
        Service Route Configuration
        .
      3. Select
        Customize
        .
      4. Under Service, click
        Palo Alto Networks Services
        .
      5. For
        Source Interface
        , select
        MGT
        .
      6. Click
        OK
        to exit the Service Route Source dialog and click
        OK
        again to exit Service Route Configuration.
    After activation, you can configure a different interface to forward logs to Cortex Data Lake (see how to start sending logs to Cortex Data Lake).
    • If you chose not to use the management interface for activation, use a data interface by configuring destination service routes for the following FQDNs:
      • api.paloaltonetworks.com
      • apitrusted.paloaltonetworks.com
      • lic.lc.prod.us.cs.paloaltonetworks.com
      1. Select
        Device
        Setup
        Services
        Global
        .
        Global
        on a firewall without multiple virtual system (multi-vsys) capability.
      2. Under Services Features, click
        Service Route Configuration
        .
      3. Select
        Customize
        .
      4. Under Service, select the following:
        • Palo Alto Networks Services
        • CRL status
        • DNS
        • HTTP
        • NTP
      5. Set Selected Service Routes
        .
      6. Select the
        Source Interface
        you want to use for activation and then select a
        Source Address
        from that interface.
      7. Click
        OK
        .
      8. Select
        Destination
        .
      9. Add
        a destination.
      10. Enter any of the FQDNs above as
        Destination
        .
      11. Select the same
        Source Interface
        and
        Source Address
        that you selected for activation.
      12. Click
        OK
        .
      13. Add
        two more destinations for the same interface using the remaining two FQDNs.
      14. Click
        OK
        again to exit Service Route Configuration.
  6. Enable Panorama-managed firewalls to send logs to Cortex Data Lake.
    Remember that for any firewalls from which you want to forward logs to Cortex Data Lake and that are not already managed by Panorama, you first need to add the firewalls to Panorama as managed devices.

Recommended For You