Configure a Log Card Port on a PA-7000 Series Firewall

A log card port is required if you configure the firewall to forward logs to an external system or if you configure a WildFire™ forwarding profile. You configure the log card port on one available port on a Network Processing Card (NPC) using the type Log Card. This is required because the traffic processing and logging capabilities of a PA-7000 Series firewall exceeds the capabilities of the management port, which is the port used for these services on other firewall models.
A log card port is not required if the firewall has a Log Forwarding Card (LFC) installed. See PA-7000 Series Firewall Log Forwarding Card (LFC).
When configuring an LFC interface for HA, ensure that you configure different IP addresses on the peers.
This special port is used by the firewall for the following log forwarding functions: syslog, emails generated by the firewall, SNMP, WildFire file forwarding, and Panorama log forwarding. Log forwarding to Panorama requires PAN-OS 8.0 or later. In PAN-OS 7.1 and earlier releases, Panorama queries logs stored on the PA-7000 Series firewall.
You can set only one NPC port on the firewall to the type Log Card. If you enable log forwarding and this port is not configured, a commit error occurs. Also ensure that this port can reach the servers that will receive content from the firewall. For example, if you configure a log forwarding profile for a syslog server, this port must be able to reach the syslog server. As another example, if you enable WildFire file forwarding, the interface must be able to reach the WildFire cloud server or if applicable, a private WF-500 appliance.
When selecting the NPC port to use as the log card port, you must use a 1 Gbps port connection or higher to ensure that the firewall can maintain log forwarding rates.
  1. Select
    and click the
  2. Select the
    Interface Name
    . For example, to configure ethernet2/1, expand Slot 2 and click on ethernet2/1.
  3. Select the
    Interface Type
    drop-down and select
    Log Card
  4. If multiple virtual systems are enabled, select the desired virtual system in the
    tab. For details on the LPC and virtual systems, refer to Configure a PA-7000 Series Firewall for Logging Per Virtual System.
  5. Click the
    Log Card Forwarding
  6. Enter the IPv4 and/or IPv6 IP Address, Netmask, and Default Gateway.
  7. Click
    and then click
    . After the commit completes, connect the port to your network equipment.
  8. Verify that the log port is sending and receiving traffic by viewing logical interface counters. To view counters, run the following command:
    debug log-card-interface info slot s8
    If counters are incrementing, but traffic is not reaching to the remote server, you can ping the server from the log port by running the following command:
    debug log-card-interface ping slot s8 host <host-ip-address>
    The firewall will now use this port to forward dataplane logs, email, and WildFire file forwarding.
    For complete details on configuring log forwarding, refer to the PAN-OS Administrator’s Guide.

Recommended For You