Configure a PA-7000 Series Firewall for Logging Per Virtual System

For Traffic, HIP Match, Threat, and WildFire log types, the PA-7000 Series firewall does not use service routes for SNMP Trap, Syslog, and email services. Instead, the PA-7000 Series firewall supports using a logging card.
Depending on your firewall configuration, you might have one of the following card types:
  • Log Processing Card (LPC)—Supports virtual system-specific paths from LPC subinterfaces to an on-premise switch to the respective service on a server. For System and Config logs, the PA-7000 Series firewall uses global service routes, and not the LPC. If your firewall has an LPC installed, you need to configure a log card port.
  • Log Forwarding Card (LFC)—Supports high-speed log forwarding of all dataplane logs to an external log collector (for example, Panorama and syslog servers). You can create and configure subinterfaces for virtual systems. If your firewall has an LFC installed, you do not need to configure a log card port.
In other Palo Alto Networks models, the dataplane sends logging service route traffic to the management plane, which sends the traffic to logging servers. In a PA-7000 Series firewall, the LPC or LFC have only one interface, and dataplanes for multiple virtual systems send logging server traffic (types mentioned above) to the PA-7000 Series firewall logging card. The logging card is configured with multiple subinterfaces, over which the platform sends the logging service traffic out to a customer’s switch, which can be connected to multiple logging servers.
Each subinterface can be configured with a subinterface name and a dotted subinterface number. The subinterface is assigned to a virtual system, which is configured for logging services. The other service routes on a PA-7000 Series firewall function similarly to service routes on other Palo Alto Networks platforms. For information about the LPC or LFC, see the PA-7000 Series Hardware Reference Guide.

Related Documentation