Configure a Log Card Port on a PA-7000 Series Firewall
A log card port is required if you configure the firewall to forward logs to an external system or if you configure a WildFire™ forwarding profile. You configure the log card port on one available port on a Network Processing Card (NPC) using the type Log Card. This is required because the traffic processing and logging capabilities of a PA-7000 Series firewall exceed the capabilities of the management port, which is the port used for these services on other firewall models.

A log card port is not required if the firewall has a Log Forwarding Card (LFC) installed. See PA-7000 Series Firewall Log Forwarding Card (LFC).

When configuring an LFC interface for HA, ensure that you configure different IP addresses on the peers.

This special port is used by the firewall for the following log forwarding functions: syslog, emails generated by the firewall, SNMP, WildFire file forwarding, and Panorama log forwarding. Log forwarding to Panorama requires PAN-OS 8.0 or later. In PAN-OS 7.1 and earlier releases, Panorama queries logs stored on the PA-7000 Series firewall.

You can set only one NPC port on the firewall to the type Log Card. If you enable log forwarding and this port is not configured, a commit error occurs. Also ensure that this port can reach the servers that will receive content from the firewall. For example, if you configure a log forwarding profile for a syslog server, this port must be able to reach the syslog server. As another example, if you enable WildFire file forwarding, the interface must be able to reach the WildFire cloud server or, if applicable, a private WF-500 appliance.

When selecting the NPC port to use as the log card port, you must use a 1 Gbps port connection or higher to ensure that the firewall can maintain log forwarding rates.

- Select Network > Interfaces and click the Ethernet tab.
- Select the Slot and Interface Name. For example, to configure ethernet2/1, expand Slot 2 and click on ethernet2/1.
- Select the Interface Type drop-down and select Log Card.
- If multiple virtual systems are enabled, select the desired virtual system in the Config tab. For details on the LPC and virtual systems, refer to Configure a PA-7000 Series Firewall for Logging Per Virtual System.
- Click the Log Card Forwarding tab.
- Enter the IPv4 and/or IPv6 IP Address, Netmask, and Default Gateway.
- Click OK and then click Commit. After the commit completes, connect the port to your network equipment.
- Verify that the log port is sending and receiving traffic by viewing logical interface counters. To view counters, run the following command:
  admin@PA-7050> debug log-card-interface info slot s8
  If counters are incrementing, but traffic is not reaching the remote server, you can ping the server from the log port by running the following command:
  admin@PA-7050> debug log-card-interface ping slot s8 host <host-ip-address>

The firewall will now use this port to forward dataplane logs, email, and WildFire file forwarding.
For complete details on configuring log forwarding, refer to the PAN-OS Administrator’s Guide.
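
The constraints stated above (one Log Card port, 1 Gbps or higher, required when forwarding is enabled unless an LFC is installed, and reachability of the receiving servers) can be checked against a planning sheet before the commit. This is an added example, not Palo Alto Networks code and not a PAN-OS API: the plan dictionary, its field names, and the addresses are assumptions constructed for illustration.

```python
import ipaddress

def check_log_card_plan(plan):
    """Return the problems found in a planned log card port (hypothetical plan format)."""
    problems = []
    if plan["lfc_installed"]:
        return problems  # a Log Forwarding Card replaces the log card port
    ports = [i for i in plan["interfaces"] if i["type"] == "log-card"]
    if (plan["log_forwarding"] or plan["wildfire_forwarding"]) and not ports:
        problems.append("forwarding enabled without a Log Card port: commit error")
    if len(ports) > 1:
        problems.append("only one NPC port can be set to type Log Card")
    for port in ports:
        name = port["name"]
        if port["speed_gbps"] < 1:
            problems.append(f"{name}: use a 1 Gbps or faster port")
        net = ipaddress.ip_interface(f"{port['ip']}/{port['netmask']}").network
        gw = ipaddress.ip_address(port["gateway"]) if port["gateway"] else None
        gw_ok = gw is not None and gw in net
        if gw is not None and not gw_ok:
            problems.append(f"{name}: default gateway {gw} is outside {net}")
        for dest in plan["destinations"]:
            # Off-link servers (syslog, WildFire, Panorama) need a usable gateway.
            if ipaddress.ip_address(dest) not in net and not gw_ok:
                problems.append(f"{name}: {dest} is off-link with no usable gateway")
    return problems

# Constructed sample plan using documentation address ranges.
SAMPLE_PLAN = {
    "lfc_installed": False,
    "log_forwarding": True,
    "wildfire_forwarding": False,
    "destinations": ["192.0.2.50", "198.51.100.20"],
    "interfaces": [{
        "name": "ethernet2/1", "type": "log-card", "speed_gbps": 0.1,
        "ip": "192.0.2.10", "netmask": "255.255.255.0", "gateway": "203.0.113.1",
    }],
}

if __name__ == "__main__":
    for problem in check_log_card_plan(SAMPLE_PLAN):
        print(problem)
```

An empty result only means the plan is consistent with the rules on this page; the counters and ping commands in the last step remain the actual verification on the firewall.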