Configure a PA-7000 Series Firewall for Logging Per Virtual System
For Traffic, HIP Match, Threat, and WildFire
log types, the PA-7000 Series firewall does not use service routes
for SNMP Trap, Syslog, and email services. Instead, the PA-7000
Series firewall supports using a logging card.
your firewall configuration, you might have one of the following card
Log Processing Card (LPC)—Supports virtual system-specific
paths from LPC subinterfaces to an on-premise switch to the respective
service on a server. For System and Config logs, the PA-7000 Series firewall
uses global service routes, and not the LPC. If your firewall has
an LPC installed, you need to configure a log card port.
Log Forwarding Card (LFC)—Supports high-speed log forwarding
of all dataplane logs to an external log collector (for example, Panorama
and syslog servers). You can create and configure subinterfaces
for virtual systems. If your firewall has an LFC installed, you
do not need to configure a log card port.
Palo Alto Networks models, the dataplane sends logging service route traffic
to the management plane, which sends the traffic to logging servers.
In a PA-7000 Series firewall, the LPC or LFC has only one interface,
and dataplanes for multiple virtual systems send logging server
traffic (types mentioned above) to the PA-7000 Series firewall logging
card. The logging card is configured with multiple subinterfaces,
over which the platform sends the logging service traffic out to
a customer’s switch, which can be connected to multiple logging
Each subinterface can be configured with a subinterface
name and a dotted subinterface number. The subinterface is assigned
to a virtual system, which is configured for logging services. The
other service routes on a PA-7000 Series firewall function similarly
to service routes on other Palo Alto Networks platforms. For information
about the LPC or LFC, see the PA-7000 Series Hardware Reference Guide.