End-of-Life (EoL)

PA-7000 Series Firewall Log Forwarding to Panorama

You can now forward logs from PA-7000 Series firewalls to Panorama for improved log retention, which helps you meet regulatory requirements for your industry as well as your internal log archival requirements. Because of this new ability to forward logs to Panorama, upon upgrade Panorama no longer considers the PA-7000 Series firewall as a Log Collector and you will no longer be able to view your logs and reports from Panorama until you enable log forwarding to Panorama. As soon as you enable log forwarding, the PA-7000 Series firewall begins forwarding new logs to Panorama. To forward all logs generated prior to enabling forwarding, you will have to run a CLI command.
Before upgrading your PA-7000 Series firewalls to PAN-OS 8.0, make sure Panorama has a log forwarding infrastructure that is capable of handling the logging rate and volume from the PA-7000 Series firewalls so that you will be able to enable log forwarding to Panorama. Refer to the table in Panorama Models to determine if you have the right logging capacity. If you do not yet have the required logging infrastructure, you can enable Direct Query of PA-7000 Series Firewalls from Panorama, which is available in PAN-OS 8.0.8 and later releases. After enabling this option, you will be able to view logs for managed PA-7000 Series firewalls on the Panorama Monitor tab. Additionally, as with all managed devices, you can generate reports that include PA-7000 Series log data by selecting Remote Device Data as the Data Source. For aggregated views of PA-7000 Series log data within all Panorama views (the Application Command Center (ACC), App-Scope, the log viewer on the Monitor tab, and the standard, customizable reporting options on Panorama), you must configure log forwarding as described in the following workflow.
In addition, this feature introduces the option to forward logs to Panorama in a high speed mode to enable higher forwarding and peak rates to Panorama. If you enable this option, the PA-7000 Series firewall will not log locally and you will therefore not be able to view logs, reports or see data in the ACC locally on the firewall.
Use the following workflow to configure log forwarding from a PA-7000 Series firewall to Panorama and optionally enable high speed log forwarding.
  1. Configure a managed collector if you need a new Log Collector to receive the firewall logs. You can also use an existing Log Collector.
  2. Configure a new Collector Group or edit an existing one. Assign the PA-7000 Series firewall to specific Log Collectors for log forwarding.
    In environments with high logging rates, you can Forward to all collectors in the preference list to load balance the log traffic across all Log Collectors in a Collector Group. Load balancing helps reduce bandwidth competition, which might otherwise result in dropped logs.
  3. Select Objects > Log Forwarding, select the Device Group of the PA-7000 Series firewall, and Add a Log Forwarding profile to define the destinations for Traffic, Threat, WildFire Submission, URL Filtering, Data Filtering, Tunnel Inspection, or Authentication logs.
    Add one or more match list profiles for each log type you want to forward to Panorama.
    If you want to forward only certain logs to Panorama, you can configure Selective Log Forwarding Based on Log Attributes.
  4. Assign the Log Forwarding profile to the policy rules that trigger log generation and forwarding. Security, Authentication, and DoS Protection rules support log forwarding.
    For example, to assign the profile to a Security policy pre-rule, select Policies > Security > Pre Rules, select the Device Group of the PA-7000 Series firewall, edit the rule, select Actions, and select the Log Forwarding profile.
  5. Select Device > Log Settings, select the Template to which the PA-7000 Series firewall is assigned, and Add one or more match list profiles to forward System, Configuration, User-ID, or HIP Match logs to Panorama.
  6. Select Network > Interfaces > Ethernet, select the Template to which the PA-7000 Series firewall is assigned, Add Interface, and configure a Log Card interface to perform log forwarding.
  7. (Optional) If you want to raise the maximum log forwarding rate from 80,000 logs/second (default) to 120,000 logs/second, select Device > Setup > Management, edit the Logging and Reporting Settings, select Log Export and Reporting, and Enable High Speed Log Forwarding.
    If you enable this option, the firewall does not store logs locally or display them in the Dashboard, ACC, or Monitor tabs.
  8. Select Commit > Commit and Push to activate your changes on Panorama and push them to the device groups, templates, and Collector Groups that you modified.
  9. Verify your changes by logging in to the CLI of the PA-7000 Series firewall and running the following command:
    > show logging-status
    For successful forwarding, the output indicates that the log forwarding agent is active.
  10. At the firewall CLI, migrate existing logs to Panorama by entering the following command for each log type:
    > request logdb migrate-to-panorama start end-time <end-time> start-time <start-time> type <log-type>
    This is a one-time task that you must perform after upgrading to PAN-OS 8.0.
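
A planning sketch for the capacity check this workflow asks for before you enable forwarding, as an added example (not Palo Alto Networks code). It uses the 80,000 and 120,000 logs/second ceilings from step 7 and models the load-balancing option from step 2 as an even split, which is a simplifying assumption. Collector names, capacities, and peak rates are constructed; take real capacities from the Panorama Models table.

```python
# Added planning sketch. Collector capacities and peak rates are constructed
# sample values, not vendor figures; the even split is a simplifying assumption.
from dataclasses import dataclass

DEFAULT_MAX_LPS = 80_000       # default forwarding ceiling (step 7)
HIGH_SPEED_MAX_LPS = 120_000   # ceiling with High Speed Log Forwarding (step 7)

@dataclass
class Firewall:
    name: str
    peak_lps: int          # operator-measured peak logs/second (assumed input)
    high_speed: bool       # Enable High Speed Log Forwarding
    preference_list: list  # Log Collector names, in preference order
    forward_to_all: bool   # Forward to all collectors in the preference list

def forwarded_rate(fw):
    """Logs/second the firewall can forward; anything above this is at risk."""
    ceiling = HIGH_SPEED_MAX_LPS if fw.high_speed else DEFAULT_MAX_LPS
    return min(fw.peak_lps, ceiling)

def plan(firewalls, collector_capacity):
    """Return (per-collector load, findings) for a Collector Group."""
    load = {name: 0.0 for name in collector_capacity}
    findings = []
    for fw in firewalls:
        rate = forwarded_rate(fw)
        if fw.peak_lps > rate:
            findings.append(f"{fw.name}: peak {fw.peak_lps} exceeds ceiling {rate}")
        # Without load balancing, model all traffic going to the first collector.
        targets = fw.preference_list if fw.forward_to_all else fw.preference_list[:1]
        if not targets:
            findings.append(f"{fw.name}: no Log Collector assigned")
            continue
        for collector in targets:
            load[collector] += rate / len(targets)
    for collector, lps in load.items():
        if lps > collector_capacity[collector]:
            findings.append(f"{collector}: {lps:.0f} lps exceeds capacity "
                            f"{collector_capacity[collector]}")
    return load, findings

if __name__ == "__main__":
    capacity = {"lc-1": 50_000, "lc-2": 50_000}   # constructed capacities
    before = Firewall("fw-a", 90_000, False, ["lc-1", "lc-2"], False)
    after = Firewall("fw-a", 90_000, True, ["lc-1", "lc-2"], True)
    for fw in (before, after):
        print(plan([fw], capacity))
```

In the constructed case, the firewall at the default ceiling without load balancing overloads the first collector, while the same firewall with high speed forwarding and load balancing fits within both collectors.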
