Configure a PA-7000 Series Firewall for Logging Per Virtual System
For Traffic, HIP Match, Threat, and WildFire log types, the PA-7000 Series firewall does not use service routes for SNMP Trap, Syslog, and email services. Instead, the PA-7000 Series firewall Log Processing Card (LPC) supports virtual system-specific paths from LPC subinterfaces to an on-premises switch to the respective service on a server. For System and Config logs, the PA-7000 Series firewall uses global service routes, not the LPC.
In other Palo Alto Networks models, the dataplane sends logging service route traffic to the management plane, which sends the traffic to the logging servers. In the PA-7000 Series firewall, each LPC has only one interface, and the dataplanes for multiple virtual systems send logging server traffic (of the types mentioned above) to the PA-7000 Series firewall LPC. The LPC is configured with multiple subinterfaces, over which the platform sends the logging service traffic out to a customer’s switch, which can be connected to multiple logging servers.
Each LPC subinterface can be configured with a subinterface name and a dotted subinterface number. The subinterface is assigned to a virtual system, which is configured for logging services. The other service routes on a PA-7000 Series firewall function similarly to service routes on other Palo Alto Networks platforms. For information about the LPC itself, see the PA-7000 Series Hardware Reference Guide.
If you have enabled multi virtual system capability on your PA-7000 Series firewall, you can configure logging for different virtual systems as described in the following workflow.
- Create a Log Card subinterface.
  - Select Network > Interfaces > Ethernet and select the interface that will be the Log Card interface.
  - Enter the Interface Name.
  - For Interface Type, select Log Card from the drop-down.
  - Click OK.
- Add a subinterface for each tenant on the LPC's physical
  - Highlight the Ethernet interface that is a Log Card interface type and click Add Subinterface.
  - For Interface Name, after the period, enter the subinterface number assigned to the tenant’s virtual system.
  - For Tag, enter a VLAN tag value. Making the tag the same as the subinterface number keeps the configuration easy to track, but it can be a different number.
  - (Optional) Enter a Comment.
  - On the Config tab, in the Assign Interface to Virtual System field, select the virtual system to which the LPC subinterface is assigned (from the drop-down). Alternatively, you can click Virtual Systems to add a new virtual system.
  - Click OK.
- Enter the addresses assigned to the subinterface, and configure the default gateway.
  - Select the Log Card Forwarding tab, and do one or both of the following:
    - For the IPv4 section, enter the IP Address and Netmask assigned to the subinterface. Enter the Default Gateway (the next hop to which packets are sent when they have no known next hop address in the Routing Information Base [RIB]).
    - For the IPv6 section, enter the IPv6 Address assigned to the subinterface. Enter the IPv6 Default Gateway.
  - Click OK.
- Commit your changes. Click OK and Commit.
- If you haven’t already done so, configure the remaining service routes for the virtual system.
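Before committing, it helps to sanity-check the per-tenant LPC subinterface plan against the rules in the steps above: each virtual system gets its own subinterface, VLAN tags do not collide, the tag matches the subinterface number where possible, and each configured address has a default gateway on its own subnet. The following script is an added example, not Palo Alto Networks code; the interface names, VLAN tags, virtual system names, and addresses in the sample plan are constructed assumptions.

```python
import ipaddress

# Constructed sample plan for three tenants (names, tags and addresses are
# assumptions for illustration, not values from the documentation).
PLAN = [
    {"name": "ethernet1/1.2", "tag": 2, "vsys": "vsys2",
     "ipv4": "10.20.2.10/24", "gw4": "10.20.2.1"},
    {"name": "ethernet1/1.3", "tag": 3, "vsys": "vsys3",
     "ipv6": "2001:db8:3::10/64", "gw6": "2001:db8:3::1"},
    {"name": "ethernet1/1.4", "tag": 3, "vsys": "vsys2",   # tag and vsys already used
     "ipv4": "10.20.4.10/24", "gw4": "10.20.5.1"},         # gateway not on the subnet
]


def gateway_on_link(addr, gw):
    """True when the default gateway lies inside the subinterface's own subnet."""
    return ipaddress.ip_address(gw) in ipaddress.ip_interface(addr).network


def check_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings, tags, owners = [], {}, {}
    for s in plan:
        name, tag, vsys = s["name"], s["tag"], s["vsys"]
        num = int(name.rsplit(".", 1)[1])          # dotted subinterface number
        if tag != num:
            findings.append(f"{name}: VLAN tag {tag} differs from subinterface number {num} (allowed, but harder to audit)")
        if tag in tags:
            findings.append(f"{name}: VLAN tag {tag} already used by {tags[tag]}")
        tags.setdefault(tag, name)
        if vsys in owners:
            findings.append(f"{name}: {vsys} already assigned Log Card subinterface {owners[vsys]}")
        owners.setdefault(vsys, name)
        if not (s.get("ipv4") or s.get("ipv6")):
            findings.append(f"{name}: no IPv4 or IPv6 address configured")
        # Each address family in use needs a default gateway reachable on-link.
        for addr_key, gw_key in (("ipv4", "gw4"), ("ipv6", "gw6")):
            if s.get(addr_key):
                if not s.get(gw_key):
                    findings.append(f"{name}: {addr_key} address without default gateway")
                elif not gateway_on_link(s[addr_key], s[gw_key]):
                    findings.append(f"{name}: gateway {s[gw_key]} not in {s[addr_key]} subnet")
    return findings


if __name__ == "__main__":
    for finding in check_plan(PLAN):
        print("WARNING:", finding)
```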