PA-7000 Series Firewall Log Forwarding to Panorama

You can now forward logs from PA-7000 Series firewalls to Panorama for improved log retention, which helps you meet regulatory requirements for your industry as well as your internal log archival requirements. Because of this new ability to forward logs to Panorama, upon upgrade Panorama no longer considers the PA-7000 Series firewall as a Log Collector and you will no longer be able to view your logs and reports from Panorama until you enable log forwarding to Panorama. As soon as you enable log forwarding, the PA-7000 Series firewall begins forwarding new logs to Panorama. To forward all logs generated prior to enabling forwarding, you will have to run a CLI command.
Before upgrading your PA-7000 Series firewalls to PAN-OS 8.0, make sure Panorama has a log forwarding infrastructure that is capable of handling the logging rate and volume from the PA-7000 Series firewalls so that you will be able to enable log forwarding to Panorama. Refer to the table in Panorama Models to determine if you have the right logging capacity. If you do not yet have the required logging infrastructure, you can enable Direct Query of PA-7000 Series Firewalls from Panorama, which is available in PAN-OS 8.0.8 and later releases. After enabling this option, you will be able to view logs for managed PA-7000 Series firewalls on the Panorama Monitor tab. Additionally, as with all managed devices, you can generate reports that include PA-7000 Series log data by selecting Remote Device Data as the Data Source. For aggregated views of PA-7000 Series log data within all Panorama views: Application Command Center (ACC), the App-Scope, the log viewer (Monitor tab), and the standard, customizable reporting options on Panorama, you must configure log forwarding as described in the following workflow.
In addition, this feature introduces the option to forward logs to Panorama in a high speed mode to enable higher forwarding and peak rates to Panorama. If you enable this option, the PA-7000 Series firewall will not log locally and you will therefore not be able to view logs, reports or see data in the ACC locally on the firewall.
Use the following workflow to configure log forwarding from a PA-7000 Series firewall to Panorama and optionally enable high speed log forwarding.
  1. Configure a managed collector if you need a new Log Collector to receive the firewall logs. You can also use an existing Log Collector.
  2. Configure a new Collector Group or edit an existing one. Assign the PA-7000 Series firewall to specific Log Collectors for log forwarding.
    In environments with high logging rates, you can Forward to all collectors in the preference list to load balance the log traffic across all Log Collectors in a Collector Group. Load balancing helps reduce bandwidth competition, which might otherwise result in dropped logs.
  3. Select Objects > Log Forwarding, select the Device Group of the PA-7000 Series firewall, and Add a Log Forwarding profile to define the destinations for Traffic, Threat, WildFire Submission, URL Filtering, Data Filtering, Tunnel Inspection, or Authentication logs. Add one or more match list profiles for each log type you want to forward to Panorama.
    If you want to forward only certain logs to Panorama, you can configure Selective Log Forwarding Based on Log Attributes.
  4. Assign the Log Forwarding profile to the policy rules that trigger log generation and forwarding. Security, Authentication, and DoS Protection rules support log forwarding.
    For example, to assign the profile to a Security policy pre-rule, select Policies > Security > Pre Rules, select the Device Group of the PA-7000 Series firewall, edit the rule, select Actions, and select the Log Forwarding profile.
  5. Select Device > Log Settings, select the Template to which the PA-7000 Series firewall is assigned, and Add one or more match list profiles to forward System, Configuration, User-ID, or HIP Match logs to Panorama.
  6. Select Network > Interfaces > Ethernet, select the Template to which the PA-7000 Series firewall is assigned, Add Interface, and configure a Log Card interface to perform log forwarding.
  7. (Optional) If you want to raise the maximum log forwarding rate from 80,000 logs/second (default) to 120,000 logs/second, select Device > Setup > Management, edit the Logging and Reporting Settings, select Log Export and Reporting, and Enable High Speed Log Forwarding.
    If you enable this option, the firewall does not store logs locally or display them in the Dashboard, ACC, or Monitor tabs.
  8. Select Commit > Commit and Push to activate your changes on Panorama and push them to the device groups, templates, and Collector Groups that you modified.
  9. Verify your changes by logging in to the CLI of the PA-7000 Series firewall and running the following command:
    > show logging-status
    For successful forwarding, the output indicates that the log forwarding agent is active.
  10. At the firewall CLI, migrate existing logs to Panorama by entering the following command for each log type:
    > request logdb migrate-to-panorama start end-time <end-time> start-time <start-time> type <log-type>
    This is a one-time task that you must perform after upgrading to PAN-OS 8.0.
