Firewalls

Onboard firewalls to Strata Logging Service.
You can onboard both software firewalls and hardware firewalls. The process to onboard hardware firewalls and software firewalls varies for qualifying and non-qualifying users of the new Strata Logging Service and Strata Cloud Manager Pro licenses. You can perform the following actions:
  • Check "Only show firewalls that are storing logs" to hide the firewalls that send data to Strata Logging Service only for ingestion and further streaming to other Palo Alto Networks applications.
    You can Generate PSK and Add devices only in the standalone Strata Logging Service app. When you select these options in Strata Cloud Manager, you are automatically redirected to the Strata Logging Service app.
  • Generate PSK to create the pre-shared key used to onboard a firewall running PAN-OS 10.0 or earlier to your Strata Logging Service instance.
  • Add a hardware device to your Strata Logging Service instance. Use the centralized Device Associations page to onboard devices. Navigate to this page either from the standalone app (Inventory > Manage Firewall Inventory > Manage other firewalls > Add) or from Strata Cloud Manager (Strata Cloud Manager > Settings > Device Associations > Add Device).
  • Add a VM-Flex device to your Strata Logging Service instance.
    • For qualifying users of Strata Logging Service: VM-Flex devices are automatically onboarded when you select Strata Logging Service or Strata Cloud Manager Pro (new license) on the deployment profile and have associated the deployment profile with the TSG in which Strata Logging Service resides.
    • If you are a non-qualifying user and are not enabling the new Strata Logging Service or Strata Cloud Manager Pro services on the deployment profile, use the Inventory > Manage Firewall Inventory > Manage flexible VM-Series firewalls option to add VM-Flex devices.
      Onboarding of VM-Flex devices is not enabled from the Strata Cloud Manager Device Associations page.
  • Move a hardware device from one Strata Logging Service to another: remove the associated device from the tenant and add it to the new tenant.
    1. Navigate to Strata Cloud Manager > Settings > Device Associations.
    2. Select the device you want to disassociate from Strata Logging Service and other products.
    3. Click Remove Associations > Remove product association and click Remove.
    4. Select the device you want to disassociate from the tenant.
    5. Click Remove Associations > Remove tenant association and click Remove.
  • Move a VM-Flex device from one Strata Logging Service to another:
    • For qualifying users of Strata Logging Service: refer to the VM-Series deployment guide.
    • For non-qualifying users of Strata Logging Service:
      1. In the Strata Logging Service standalone app, navigate to Inventory > Firewalls > Manage Firewall Inventory > Manage flexible VM-Series > Move.
      2. Select the firewall you want to connect to your Strata Logging Service instance.
      3. Submit the changes.
  • Check the connection status: Above the firewalls table, you can see the number of firewalls with each connection status. Select the chart icon on any table row to view a chart of the incoming log rate and connectivity history for the firewall. The table has the following columns:
    Name: The name under which the Customer Support Portal registered the firewall. If unnamed, the name appears as Firewall. You can change the firewall name in the Customer Support Portal.
    Model: The model of the firewall.
    Serial Number: The unique serial number of the firewall.
    PAN-OS Version: The version of PAN-OS that the firewall is running.
    Managed By Panorama: Whether a Panorama manages the firewall.
    Connection Status: Whether the firewall can connect to Strata Logging Service. This can have four different values:
    • Connected—The firewall has an active channel through which it's sending session logs to Strata Logging Service.
    • Partially Connected—The firewall does not have an active channel through which it's sending session logs to Strata Logging Service. However, it's sending Enhanced Application logs on a second channel.
    • Disconnected—The firewall does not have an active channel through which to send session logs to Strata Logging Service, and it's not sending Enhanced Application logs.
    • Need Certificate—The firewall does not have the certificate to connect to Strata Logging Service.
    Ingestion Rate: The rate, in logs per second, at which the firewall is sending logs to Strata Logging Service.
    (Non-qualifying users only) Storage Used: The amount of your Strata Logging Service storage capacity that a firewall is using at this point in time.
    Apps Using Log Data: All apps that consume data from the firewall.
    (Non-qualifying users only) Store Log Data: Choose whether Strata Logging Service stores firewall data or only ingests it.
    • On: Strata Logging Service will store the log data.
    • Off: Strata Logging Service will only ingest the log data.
    After you toggle On, Strata Logging Service can take up to 15 minutes to start storing log data for the firewall.
    If toggled On and grayed out, this switch means that the IoT Security package to which you subscribe requires that you store log data.
    You can set log retention policy for your entire Strata Logging Service instance from Storage > Configuration.
    Last Contact Time: The last time that the device communicated with Strata Logging Service, either to send logs or to report telemetry.
    Certificate Status: Whether the firewall has the certificate necessary to connect to Strata Logging Service. Hover over the certificate status to see which certificate the Panorama is using to connect to Strata Logging Service: logging service certificate or device certificate.
    • Needs Certificate—The certificate is missing. This device can't connect to Strata Logging Service.
    • Activated—This device has the certificate necessary to connect to Strata Logging Service.
    • Expired—The certificate has expired. The device is unable to connect to Strata Logging Service until you renew the certificate.
    • Expiring in 7 Days—The certificate will expire in 7 days. Renew the certificate as soon as possible to remain connected to Strata Logging Service.