Objects > Log Forwarding
By default, the logs that the firewall generates reside only in its local storage. However, if you want to use Panorama, the Logging Service, or external services (such as a syslog server) to centrally monitor log information, you can define a Log Forwarding profile and assign it to Security, Authentication, and DoS Protection policy rules. Log Forwarding profiles define forwarding destinations for the following Log Types: Traffic, Threat, WildFire Submissions, URL Filtering, Data Filtering, Tunnel Inspection, and Authentication logs.
To forward other log types, see Device > Log Settings.
As of PAN-OS 8.0, Panorama no longer considers a PA-7000 Series firewall as a Log Collector. To enable Panorama to run aggregated reports that include log data from PA-7000 Series firewalls, configure the firewalls to forward logs to Panorama.
To enable a PA-7000 Series firewall to forward logs or forward files to WildFire®, you must first configure a Log Card Interface on the PA-7000 Series firewall. As soon as you configure this interface, the firewall will automatically use this port—there is no special configuration required. Just configure a data port on one of the PA-7000 Series Network Processing Cards (NPCs) as a Log Card interface type and ensure that the network that you use can communicate with your log servers. For WildFire forwarding, the network must communicate successfully with the WildFire cloud or WildFire appliance (or both).
On PA-7000 Series firewalls, you must configure a Log Card Interface for the firewall to forward logs to the following logging destinations: Syslog, HTTP, Email, and SNMP. This is also required to forward files to WildFire. After the port is configured, log forwarding and WildFire forwarding will automatically use this port and there is no special configuration required for this to occur. Just configure a data port on one of the PA-7000 Series NPCs as interface type Log Card and ensure that the network that will be used can communicate with your log servers. For WildFire forwarding, the network must communicate successfully with the WildFire cloud and/or WildFire appliance.
The following table describes the Log Forwarding profile settings:
Log Forwarding Profile Settings
Enter a name (up to 64 characters) to identify the profile. This name appears in the list of Log Forwarding profiles when defining Security policy rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Select this option if you want the profile to be available to:
Select this option to prevent administrators from overriding the settings of this Log Forwarding profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.
Enter a description to explain the purpose of this Log Forwarding profile.
Match List (unlabeled)
Addone or more match list profiles (up to 64) that specify forwarding destinations, log attribute-based filters to control which logs the firewall forwards, and actions to perform on the logs (such as automatic tagging). Complete the following two fields for each match list profile.
Name (match list profile)
Enter a name (up to 31 characters) to identify the match list profile.
Description (match list profile)
Enter a description (up to 1,023 characters) to explain the purpose of this match list profile.
Select the type of logs to which this match list profile applies:
tunnel, or authentication (
By default, the firewall forwards
All Logsof the selected
Log Type. To forward a subset of the logs, select an existing filter from the drop-down or select
Filter Builderto add a new filter. For each query in a new filter, specify the following fields and
To display or export the logs that the filter matches, select
View Filtered Logs. This tab provides the same options as the
Monitoringtab pages (such as
Addthe action to perform. Add or remove a tag to the source or destination IP address in a log entry automatically and register the IP address and tag mapping to a User-ID agent on the firewall or Panorama, or to a remote User-ID agent so that you can respond to an event and dynamically enforce Security policy. The ability to tag an IP address and dynamically enforce policy using dynamic address groups gives you better visibility, context, and control for consistently enforcing Security policy irrespective of where the IP address moves across your network.
Configure the following settings:
Recommended For You
Recommended videos not found.