Onboard Firewalls with Panorama (10.1 or Later)
- On your firewalls, allow access to the ports and FQDNs required to connect to Cortex Data Lake. If you are using a proxy server, allow the same ports and FQDNs on the server without SSL decryption. Ensure that you are not decrypting traffic to Cortex Data Lake.
- (Optional) To configure the firewall to connect to Cortex Data Lake through a proxy server:
- On the firewall, select Device > Setup > Services > Use proxy to send logs to Cortex Data Lake.
- On Panorama, select Setup > Services > Use proxy to send logs to Cortex Data Lake.
- By default, the management interface is used to forward logs to Cortex Data Lake. If you choose not to use the management interface, use a data interface by configuring destination service routes for the following FQDNs: api.paloaltonetworks.com, apitrusted.paloaltonetworks.com, lic.lc.prod.us.cs.paloaltonetworks.com, certificatetrusted.paloaltonetworks.com, certificate.paloaltonetworks.com.
- Select Device > Setup > Services > Global on a firewall without multiple virtual system (multi-vsys) capability.
- Under Services Features, click Service Route Configuration.
- Select Customize.
- Under Service, select the following:
- Palo Alto Networks Services
- CRL status
- DNS
- HTTP
- NTP
- Set Selected Service Routes.
- Select the Source Interface you want to use for activation, then select a Source Address from that interface and click OK.
- Select Destination and Add a destination.
- Enter any of the FQDNs above as Destination.
- Select the same Source Interface and Source Address that you selected for activation and click OK.
- Add two more destinations for the same interface using the remaining two FQDNs.
- Click OK again to exit Service Route Configuration.
- Update the access rules required to connect to Cortex Data Lake for the new interface IP address.
- Configure NTP so that the firewall stays in sync with Cortex Data Lake. Ignore this step if you have enabled proxy configuration.
- On the firewall, select Device > Setup > Services > NTP and set it to the same NTP Server Address you configured on Panorama. For example: pool.ntp.org.
- Install a device certificate for managed firewalls. If this is your first time installing a device certificate, you must delete the Cortex Data Lake key and re-fetch it by issuing the following commands:
  > delete license key <CDL_License_Key>
  > request license fetch
- Onboard the firewalls to a Cortex Data Lake instance.
- Log in to the hub and open the Cortex Data Lake app for the instance to which you are onboarding.
- Select Inventory > Firewalls > Add.
- Select New and Next.
- Select the firewalls to connect to Cortex Data Lake and choose whether Cortex Data Lake will store or only ingest their data.
- Submit your choices.
- Retrieve and push the Cortex Data Lake licenses for managed firewalls. Ensure that you have subscribed to a valid support license for Cortex Data Lake (the 90-day software warranty does not count as a valid support license).
- From Panorama, select Panorama > Device Deployment > License.
- First Refresh and then select the firewalls from the list. Panorama retrieves the licenses, deploys them to the selected firewalls, and updates the licensing status on the Panorama web interface. Make sure you see that Panorama successfully installed the Cortex Data Lake license on the firewall. Do not Refresh again until the first refresh completes. When the refresh completes, Status shows Completed and Progress is 100%; Details also indicate whether the refresh succeeded.
- (Optional) If you have not created a template and a device group, create them from Panorama to push log forwarding settings to the firewalls from which you want to forward logs to Cortex Data Lake.
- Enable the firewalls in the template to send logs to Cortex Data Lake and select the region where you want the logs stored. If some firewalls in your deployment are sending logs to dedicated Log Collectors or to Panorama with a local Log Collector, only firewalls that belong to the template with the Enable Cortex Data Lake option selected can send logs to Cortex Data Lake.
- Select Device > Setup > Management.
- Select the Template that contains the firewalls from which you want to forward logs to Cortex Data Lake.
- Edit the Cortex Data Lake settings.
- Enable either of the following two options:
- Enable Logging Service—Send and save logs to Cortex Data Lake only. With this option, use Explore or Panorama to see and interact with your log data.
- Enable Duplicate Logging—For firewalls running PAN-OS 8.1 and later releases, you can send and save logs both to Cortex Data Lake and to your Panorama and log collection setup. Firewalls save a copy of all log data to both Panorama and Cortex Data Lake except for system and config logs, which are sent to Panorama only.
To forward logs to Cortex Data Lake with Duplicate Logging enabled, you must add the firewalls with the option enabled to a Collector Group.
- Enable Enhanced Application Logging to allow the firewall to collect data for apps running in the Palo Alto Networks Cloud Services environment. These logs give Palo Alto Networks Cloud Services apps increased visibility into network activity and, in some cases, are required to support app features.
- Select the Region where you want to forward logs for the firewalls associated with this template and then click OK. This region is not necessarily where your firewalls are located but the location of the Cortex Data Lake instance: the firewalls send logs to the region of the Cortex Data Lake instance to which you onboarded them. The option to Onboard Without Panorama is used only for firewalls that are not managed by Panorama; there is no need to populate it when you are enabling Panorama-managed firewalls to forward logs to Cortex Data Lake.
- Specify the Connection count to Cortex Data Lake for PA-7000s and PA-5200s, that is, the number of connections established between the firewalls and Cortex Data Lake for forwarding logs (range is 1 to 20; default is 5).
- (Optional) Configure interfaces and zones in the template.
- Commit and push the config to the firewalls.
- The firewall fetches a certificate automatically after the configuration is pushed. To check the certificate status:
- On Panorama, select Panorama > Managed Devices > Troubleshooting > Test Cloud Logging Service Status.
- On the firewall, select Device > Setup > Management, find the Logging Service settings, and click Show Status to check Cortex Data Lake status.
- Run the command locally: request logging-service-forwarding status
If a certificate was not fetched for a firewall, run this command locally to fetch a certificate: request logging-service-forwarding certificate fetch

Enable Panorama-managed firewalls to send logs to Cortex Data Lake. Remember that for any firewalls from which you want to forward logs to Cortex Data Lake that are not already managed by Panorama, you first need to add the firewalls to Panorama as managed devices.
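A pre-flight check for the FQDN list and the no-decryption requirement in the first steps above, as an added example that is not Palo Alto Networks code. It assumes TCP port 443 (the page defers the port list to another topic) and a host on the same path as the firewall's management or data interface; `fake_probe` is a constructed offline stand-in for the live probe. A TLS verification failure or an issuer outside the set you expect for these hosts points to SSL decryption on the path.

```python
# Pre-flight check for the Cortex Data Lake FQDNs listed above.
# Added example, not Palo Alto Networks code. Assumes TCP port 443 (the page
# defers the port list to another topic) and a host on the firewall's path.
import socket
import ssl

CDL_FQDNS = [  # FQDNs from the service-route step on this page
    "api.paloaltonetworks.com",
    "apitrusted.paloaltonetworks.com",
    "lic.lc.prod.us.cs.paloaltonetworks.com",
    "certificatetrusted.paloaltonetworks.com",
    "certificate.paloaltonetworks.com",
]
CDL_PORT = 443  # assumption, see comment above

def fetch_issuer(fqdn, port=CDL_PORT, timeout=5.0):
    """Resolve, connect, complete a verified TLS handshake; return issuer org."""
    ctx = ssl.create_default_context()
    with socket.create_connection((fqdn, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
    return issuer.get("organizationName", "")

def check_fqdn(fqdn, probe=fetch_issuer, allowed_issuers=None):
    """Classify one FQDN; verify failures or unexpected issuers suggest decryption."""
    try:
        issuer = probe(fqdn)
    except socket.gaierror as exc:  # must precede OSError, its parent class
        return fqdn, "DNS_FAIL", str(exc)
    except ssl.SSLCertVerificationError as exc:
        return fqdn, "TLS_VERIFY_FAIL", str(exc)
    except (ssl.SSLError, OSError) as exc:
        return fqdn, "CONNECT_FAIL", str(exc)
    if allowed_issuers and issuer not in allowed_issuers:
        return fqdn, "UNEXPECTED_ISSUER", issuer
    return fqdn, "OK", issuer

def run_checks(fqdns=CDL_FQDNS, probe=fetch_issuer, allowed_issuers=None):
    return [check_fqdn(f, probe, allowed_issuers) for f in fqdns]

def fake_probe(fqdn):
    """Constructed offline stand-in for fetch_issuer; results are not real."""
    outcome = {
        "apitrusted.paloaltonetworks.com": socket.gaierror("name not known"),
        "certificate.paloaltonetworks.com": ssl.SSLCertVerificationError("self-signed CA"),
    }.get(fqdn, "Example Public CA")
    if isinstance(outcome, Exception):
        raise outcome
    return outcome
```

Run `run_checks()` with no arguments for a live check; pass `allowed_issuers` with the issuer organizations you observed on a known-clean path to catch a later change.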