By default, firewalls store all log files locally. To aggregate logs on Panorama, you must configure the firewalls to forward logs to Panorama.
To forward firewall logs directly to external services (such as a syslog server) and also to Panorama, see Configure Log Forwarding. For details about all the log collection deployments that Panorama supports, see Log Forwarding Options.

The PA-7000 Series firewall can’t forward logs to Panorama, only to external services. However, when you monitor logs or generate reports for a device group that includes a PA-7000 Series firewall, Panorama queries the firewall in real time to display its log data.

If Panorama will manage firewalls running software versions earlier than PAN-OS 7.0, specify a WildFire server from which Panorama can gather analysis information for WildFire samples that those firewalls submit. Panorama uses the information to complete WildFire Submissions logs that are missing field values introduced in PAN-OS 7.0. Firewalls running earlier releases won’t populate those fields. To specify the server, select Panorama > Setup > WildFire, edit the General Settings, and enter the WildFire Private Cloud name. The default is wildfire-public-cloud, which is the WildFire cloud hosted in the United States.

Configure Log Forwarding to Panorama
1. Add a Device Group for the firewalls that will forward logs.
   Panorama requires a device group to push a Log Forwarding profile to firewalls. Create a new device group or assign the firewalls to an existing device group.

2. Add a Template for the firewalls that will forward logs.
   Panorama requires a template to push log settings to firewalls. Create a new template or assign the firewalls to an existing template.

3. Create a Log Forwarding profile.
   The profile defines the destination of Traffic, Threat, and WildFire logs. (Threat logs include URL Filtering and Data Filtering logs.)
   a. Select Objects > Log Forwarding, select the Device Group of the firewalls that will forward logs, and Add a profile.
   b. Enter a Name to identify the profile.
   c. For each log type and each severity level or WildFire verdict, select Panorama.
   d. Click OK to save the profile.

4. Assign the Log Forwarding profile to Security rules.
   Perform the following steps for each rule that will trigger log forwarding:
   a. Select the rulebase (for example, Policies > Security > Pre Rules), select the Device Group of the firewalls that will forward logs, and select the rule.
   b. Select the Actions tab and select the Log Forwarding profile.
   c. In the Profile Type drop-down, select Profiles or Group, and then select the security profiles or Group Profile required to trigger log generation and forwarding for:
      Threat logs—Traffic must match any security profile assigned to the rule.
      WildFire logs—Traffic must match a WildFire Analysis profile assigned to the rule.
   d. For Traffic logs, select Log At Session Start and/or Log At Session End.
   e. Click OK to save the rule.

5. Configure the destination of System, Config, and HIP Match logs.
   You cannot forward Correlation logs (correlated events) from the firewalls to Panorama. On the logs that are forwarded from your managed firewalls, Panorama matches for the conditions specified in the correlation objects and automatically generates correlated event(s) when a match is observed. If you want, you can then forward these correlated events (Correlation logs) from Panorama to an external syslog server.
   a. Select Device > Log Settings and select the Template of the firewalls that will forward logs.
   b. For System logs, click each Severity level, select Panorama, and click OK.
   c. Edit the Config and HIP Match sections, select Panorama, and click OK.

6. (M-Series appliances only) Configure Panorama to receive the logs.
   a. For each Log Collector that will receive logs, Configure a Managed Collector.
   b. Configure a Collector Group, in which you assign firewalls to specific Log Collectors for log forwarding.

7. Commit your configuration changes.
   a. Click Commit, set the Commit Type to Panorama, and click Commit again.
   b. Click Commit, set the Commit Type to Device Group, select the device group of the firewalls that will forward logs, select Include Device and Network Templates, and click Commit again.
   c. Click Commit, set the Commit Type to Collector Group, select the Collector Group you configured to receive the logs, and click Commit again.

Verify Log Forwarding to Panorama to confirm that your configuration is successful.

To change the log forwarding mode that the firewalls use to send logs to Panorama and to specify which Panorama HA peer can receive logs, you can Modify Log Forwarding and Buffering Defaults. You can also Manage Storage Quotas and Expiration Periods for Logs and Reports.
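
The per-rule conditions in the "Assign the Log Forwarding profile to Security rules" step are easy to miss on a large rulebase, so the following added example (not part of the original documentation or any Palo Alto Networks tooling) audits an exported rulebase for rules that will silently forward nothing. It assumes the PAN-OS XML configuration element names log-setting, log-start, log-end and profile-setting; the rule names, profile names and sample XML are constructed, so check the layout against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a simplified device-group pre-rulebase, not a real export.
SAMPLE = """
<pre-rulebase><security><rules>
  <entry name="allow-web">
    <log-setting>fwd-to-panorama</log-setting>
    <log-end>yes</log-end>
    <profile-setting><group><member>strict</member></group></profile-setting>
  </entry>
  <entry name="allow-dns">
    <log-end>yes</log-end>
  </entry>
  <entry name="allow-mail">
    <log-setting>fwd-to-panorama</log-setting>
    <log-start>no</log-start>
    <log-end>no</log-end>
  </entry>
</rules></security></pre-rulebase>
"""

def audit_rules(xml_text):
    """Return {rule name: [findings]} for rules that will not forward every log type."""
    findings = {}
    root = ET.fromstring(xml_text)
    for rule in root.findall(".//rules/entry"):
        issues = []
        # Without a Log Forwarding profile the rule sends nothing to Panorama.
        if not (rule.findtext("log-setting") or "").strip():
            issues.append("no Log Forwarding profile")
        # Threat and WildFire logs require security profiles (or a group) on the rule.
        profiles = rule.find("profile-setting")
        if profiles is None or len(profiles) == 0:
            issues.append("no security profiles: no Threat or WildFire logs")
        # Traffic logs require Log At Session Start and/or Log At Session End.
        # Assumption: an absent log-start element means session-start logging is off.
        if rule.findtext("log-start", "no") != "yes" and rule.findtext("log-end") == "no":
            issues.append("session start and end logging both off: no Traffic logs")
        if issues:
            findings[rule.get("name")] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit_rules(SAMPLE).items():
        print(f"{name}: {'; '.join(issues)}")
```
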
