Strata Logging Service
PAN-OS
Table of Contents
PAN-OS
Directly onboard your firewalls running PAN-OS to Strata Logging Service.
Enable Communication Between Firewall and Strata Logging Service
- On your firewalls, allow access to the ports and FQDNs required to connect to Strata Logging Service. If you are using a proxy server, allow the same ports and FQDNs on the server without SSL decryption.Ensure that you are not decrypting traffic to Strata Logging Service.(Optional) To configure firewall to connect to Strata Logging Service through a proxy server, select Strata Logging Service.By default, the management interface is used to forward logs to Strata Logging Service. If you choose not to use the management interface, use a data interface by configuring destination service routes for the following FQDNs: api.paloaltonetworks.com, apitrusted.paloaltonetworks.com, lic.lc.prod.us.cs.paloaltonetworks.com,certificatetrusted.paloaltonetworks.com, certificate.paloaltonetworks.com.
- Select . Global on a firewall without multiple virtual system (multi-vsys) capability.
- Under Services Features, click Service Route Configuration.
- Select Customize.
- Under Service, select the following:
- Palo Alto Networks Services
- CRL status
- DNS
- HTTP
- NTP
- Set Selected Service Routes.
- Select the Source Interface you want to use for activation and then select a Source Address from that interface and click OK.
![]()
- Select Destination and Add a destination.
- Enter any of the FQDNs above as
Destination.
![]()
- Select the same Source Interface and Source Address that you selected for activation and click OK.
- Add two more destinations for the same
interface using the remaining two FQDNs.
![]()
- Click OK again to exit Service Route Configuration.
- Update the access rules required to connect to Strata Logging Service for the new interface IP address.
Configure NTP so that the firewall stays in sync with Strata Logging Service. Ignore this step if you have enabled proxy configuration:- On firewall, click DeviceSetupServicesand set the NTP Server Address. For example: pool.ntp.org.
![]()
Install Device Certificate
- Install a device certificate on the firewalls that you want to connect to Strata Logging Service. If you are switching from Strata Logging Service certificate to device certificate, run the following command to restart management-server:
> debug software restart process management-server
- Restarting the management server process does not impact the packet forwarding except that the logged-in user will be signed out from the web interface and CLI.
- It is recommended to perform any process restart during non-peak hours or during a maintenance window.
Add Firewalls to Strata Logging Service
The procedure to add firewalls to your Strata Logging Service tenant depends on the device type and the Strata Logging Service license scheme you are using. You must have enough licenses to add devices to tenant.All the devices (except VM-Flex devices) are onboarded through the Device Associations page, which can be accessed in two ways:- From the standalone app Inventory menu
- From the Strata Cloud Manager Settings > Device Associations menu.
Configure Firewalls to Connect to Strata Logging Service
- Select and confirm that the Strata Logging Service license is active. Ensure that you have subscribed to a valid support license of Strata Logging Service(90 days software warranty is not counted as a valid support license).When you purchased your Strata Logging Service license, all firewalls registered to your support account received a Strata Logging Service license. If you don’t see the Strata Logging Service license, Retrieve license keys from license server to manually refresh the firewall licenses.Set up the connection to Strata Logging Service and check connection status:
- Select and find the Cloud Logging settings.Enable Cloud Logging to connect the firewall to Strata Logging Service. If you want the firewall to collect data that increases visibility for Palo Alto Networks applications, like Cortex XDR, you can also Enable Enhanced Application Logging.Strata Logging Service logging doesn’t start until after you’ve specified the log types you want to forward. Complete these steps and then start sending logs to Strata Logging Service.Do not Enable Duplicate Logging. This option applies only to Panorama-managed firewalls.Select the Region where you want to forward logs for the firewalls associated with this template and then click OK.This region is not necessarily where your firewalls are located but the location of the Strata Logging Service instance. They will send logs to the region of the Strata Logging Service instance to which you onboarded them.Specify the Connection count to Strata Logging Service for PA-7000s and PA-5200s.Specify the number of connections that are established between the firewalls and Strata Logging Service for forwarding logs to Strata Logging Service (range is 1 to 20; default is 5).Commit and push the config to firewalls.Click to check the connection status. The status for License, Certificate, and Customer Info should be green.You can also use this command to check the certificate status along with other details related to Strata Logging Service:request logging-service-forwarding status
Verify the Connection Status
- Firewall fetches a certificate automatically after pushing the configuration. To check the certificate status:
- On firewall, click Device > Setup > Management and find the Cloud Logging > Show Status to check Strata Logging Service status.
- Run the command locally:
request logging-service-forwarding statusIf a certificate was not fetched for a firewall, run this command locally to fetch a certificate:request logging-service-forwarding certificate fetchOn the hub, View Strata Logging Service Status to verify that Strata Logging Service is provisioned successfully.
