Panorama enables you to forward logs to external servers, including syslog, email, and SNMP trap servers. Forwarding firewall logs from Panorama reduces the load on the firewalls and provides a reliable and streamlined approach to forwarding logs to remote destinations. You can also forward logs that Panorama and its managed collectors generate.
To forward firewall logs directly to external services and also to Panorama, see Configure Log Forwarding. For details about all the log collection deployments that Panorama supports, see Log Forwarding Options.

On a Panorama virtual appliance running Panorama 5.1 or earlier releases, you can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it to another Panorama virtual appliance. A Panorama virtual appliance running Panorama 6.0 or later releases, and M-Series appliances running any release, do not support these options because the log database on those appliances is too large for an export or import to be practical.

Configure Log Forwarding from Panorama to External Destinations
1. Configure the firewalls to forward logs to Panorama.
   See Configure Log Forwarding to Panorama.

2. Configure a server profile for each external service that will receive log data.
   a. Select Panorama > Server Profiles and select the type of server that will receive the log data: SNMP Trap, Syslog, or Email.
   b. Configure the server profile. Optionally, you can configure separate profiles for different log types and severity levels or WildFire verdicts.
      - Configure an SNMP Trap server profile. For details on how Simple Network Management Protocol (SNMP) works for Panorama and Log Collectors, refer to SNMP Support.
      - Configure a Syslog server profile. If the syslog server requires client authentication, use the Panorama > Certificate Management > Certificates page to create a certificate for securing syslog communication over SSL.
      - Configure an Email server profile.

3. Configure destinations for the following logs:
   - Firewall logs that a Panorama virtual appliance collects.
   - Logs that Panorama (a virtual appliance or M-Series appliance) and managed collectors generate.
   a. Select Panorama > Log Settings.
   b. For System, Correlation, and Threat logs, click each Severity level, select the SNMP Trap, Email, or Syslog server profile you just created, and click OK.
   c. For WildFire logs, click each Verdict, select the SNMP Trap, Email, or Syslog server profile you just created, and click OK.
   d. For Config, HIP Match, and Traffic logs, edit the corresponding section, select the SNMP Trap, Email, or Syslog server profile you just created, and click OK.

4. (M-Series appliance only) Configure destinations for firewall logs that an M-Series appliance in Panorama or Log Collector mode collects.
   Each Collector Group can forward logs to different destinations. If the Log Collectors are local to a high availability (HA) pair of M-Series appliances in Panorama mode, you must log into each HA peer to configure log forwarding for its Collector Group.
   a. Select Panorama > Collector Groups and select the Collector Group that receives the firewall logs.
   b. (SNMP trap forwarding only) Select the Monitoring tab and configure the settings.
   c. Select the Collector Log Forwarding tab.
   d. For each log Severity level in the System, Threat, and Correlation tabs, click a cell in the SNMP Trap, Email Profile, or Syslog Profile column, and select the server profile you just created.
   e. In the Config, HIP Match, and Traffic tabs, select the SNMP Trap, Email, or Syslog server profile you just created.
   f. For each Verdict in the WildFire tab, click a cell in the SNMP Trap, Email Profile, or Syslog Profile column, and select the server profile you just created.
   g. Click OK to save your changes to the Collector Group.

5. (Syslog forwarding only) If the syslog server requires client authentication and the firewalls forward logs to Dedicated Log Collectors, assign a certificate that secures syslog communication over SSL.
   Perform the following steps for each Dedicated Log Collector:
   a. Select Panorama > Managed Collectors and select the Log Collector.
   b. In the General tab, select the Certificate for Secure Syslog and click OK.

6. (SNMP trap forwarding only) Enable your SNMP manager to interpret traps.
   Load the Supported MIBs and, if necessary, compile them. For the specific steps, refer to the documentation of your SNMP manager.

7. Commit your configuration changes.
   a. Click Commit, set the Commit Type to Panorama, and click Commit again.
   b. Click Commit, set the Commit Type to Device Group, select all the device groups of the firewalls from which Panorama collects logs, select Include Device and Network Templates, and click Commit again.
   c. (M-Series appliance only) Click Commit, set the Commit Type to Collector Group, select the Collector Group you just configured to forward logs, and click Commit again.

8. Verify the external services are receiving logs from Panorama.
   - Email server: Verify that the specified recipients are receiving logs as email notifications.
   - Syslog server: Refer to the documentation for your syslog server to verify it is receiving logs as syslog messages.
   - SNMP manager: Use an SNMP Manager to Explore MIBs and Objects to verify it is receiving logs as SNMP traps.
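
One way to carry out the syslog check in the verification step, as an added example that is not part of the Palo Alto Networks documentation: it reads the lines a syslog server stored and reports, per firewall serial number, which log types were configured for forwarding but never arrived. It assumes the default comma-separated PAN-OS syslog layout (receive time, serial number, log type and subtype as the second through fifth fields); the serial numbers, hostnames, inventory and log lines are constructed.

```python
import csv
import re

# Assumption: default PAN-OS CSV syslog layout, where the fields after the
# syslog header are FUTURE_USE, receive time, serial number, type, subtype.
RECEIVE_TIME = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}$")

# Constructed sample of lines a syslog server might have stored.
SAMPLE_LINES = [
    "<14>Jan 12 10:00:01 panorama-1 1,2016/01/12 10:00:01,001122334455,TRAFFIC,end,1,2016/01/12 10:00:00",
    "<12>Jan 12 10:00:03 panorama-1 1,2016/01/12 10:00:03,001122334455,THREAT,url,1,2016/01/12 10:00:02",
    "<14>Jan 12 10:00:04 panorama-1 1,2016/01/12 10:00:04,001122334466,SYSTEM,general,0,2016/01/12 10:00:04",
    "Jan 12 10:00:06 mailhost postfix[123]: unrelated message",
]

# Hypothetical inventory: serial number -> log types configured for forwarding.
EXPECTED = {
    "001122334455": {"TRAFFIC", "THREAT", "SYSTEM"},
    "001122334466": {"SYSTEM", "TRAFFIC"},
    "001122334477": {"TRAFFIC"},
}

def parse_line(line):
    """Return (serial, log_type, subtype), or None for non-PAN-OS lines."""
    try:
        fields = next(csv.reader([line]))
    except (csv.Error, StopIteration):
        return None
    if len(fields) < 5 or not RECEIVE_TIME.match(fields[1]):
        return None
    return fields[2], fields[3].upper(), fields[4].lower()

def forwarding_gaps(lines, expected):
    """Return {serial: sorted log types that were expected but never seen}."""
    seen = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            serial, log_type, _subtype = parsed
            seen.setdefault(serial, set()).add(log_type)
    gaps = {}
    for serial, types in expected.items():
        missing = sorted(set(types) - seen.get(serial, set()))
        if missing:
            gaps[serial] = missing
    return gaps

if __name__ == "__main__":
    for serial, missing in forwarding_gaps(SAMPLE_LINES, EXPECTED).items():
        print(f"{serial}: no {', '.join(missing)} logs received")
```

A serial number that appears in the inventory but in no received line is reported with every expected type missing, which distinguishes a firewall that forwards nothing from one with a single log type left unconfigured.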
