Direct Query of PA-7000 Series Firewalls from Panorama

Learn how to directly query managed PA-7000 Series firewalls from Panorama without enabling log forwarding.
Because PA-7000 Series firewalls can now forward logs to Panorama, Panorama no longer treats the PA-7000 Series firewalls it manages as Log Collectors. If you have not configured the PA-7000 Series firewalls to forward logs to Panorama, all logs a managed PA-7000 Series firewall generates are only viewable from the local firewall and not from Panorama. If you do not yet have a log forwarding infrastructure that is capable of handling the logging rate and volume from the PA-7000 Series firewalls, you can now enable Panorama to directly query PA-7000 Series firewalls when monitoring logs.
For Panorama to directly query PA-7000 Series firewalls, the firewalls must be running PAN-OS 8.0.8 or later.
With this new functionality, Panorama now provides two options for monitoring logs and running reports for managed PA-7000 Series firewalls:
  • (New) Enable Panorama to directly query managed PA-7000 Series firewalls when monitoring logs.
    To enable Panorama to directly query the PA-7000 Series firewalls without requiring the firewalls to forward logs, you must enter the following command from the Panorama CLI:
    admin@panorama> debug-reportd send-request-to-7k yes
    After running the command, you will be able to view logs for managed PA-7000 Series firewalls on the Panorama Monitor tab. Additionally, as with all managed devices, you can also generate reports that include PA-7000 Series log data by selecting Remote Device Data as the Data Source.
  • Before enabling your PA-7000 Series firewalls to forward logs to Panorama, make sure you have a logging infrastructure that will handle the logging rate and volume. Refer to the table in Panorama Models to determine if you have the right logging capacity. Additionally, if you have enabled Panorama to directly query PA-7000 Series firewalls, you must disable this before you enable log forwarding by entering the following command from the Panorama CLI:
    > debug-reportd send-request-to-7k no
    After you have enabled your PA-7000 Series firewalls to forward logs to Panorama, the PA-7000 Series log data will be aggregated within all Panorama views: Application Command Center (ACC), the App-Scope, the log viewer (Monitor tab), and the standard, customizable reporting options on Panorama.
