https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/log-forwarding-from-cloud-ngfw-in-azure-to-log-analytics/m-p/1243302#M2412 <P>Hi</P> <P>&nbsp;</P> <P data-start="134" data-end="219">I’m planning to replace Azure Firewall with Cloud NGFW in Azure, managed through SCM.</P> <P data-start="134" data-end="219">&nbsp;</P> <P data-start="221" data-end="389">In addition to using Strata Logging Service (SLS), we also need to forward firewall logs to an Azure Log Analytics Workspace for Microsoft Sentinel (SIEM/SOAR).</P> <P data-start="221" data-end="389">&nbsp;</P> <P data-start="391" data-end="456">Based on my research, there appear to be two possible approaches:</P> <P>&nbsp;</P> <P>Option 1 -&nbsp;Cloud NGFW for Azure and Sentinel Integration</P> <P><A href="https://live.paloaltonetworks.com/t5/cloud-ngfw-for-azure-articles/cloud-ngfw-for-azure-and-sentinel-integration/ta-p/1221654" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/cloud-ngfw-for-azure-articles/cloud-ngfw-for-azure-and-sentinel-integration/ta-p/1221654</A></P> <P data-start="613" data-end="801">This option looks ideal because Cloud NGFW logs would be sent directly to a Log Analytics Workspace inside the Azure environment, without additional configuration or external dependencies.</P> <P data-start="613" data-end="801">However, I would like to confirm if this integration also apply when Cloud NGFW is managed by SCM.(not using local rule stack).</P> <P data-start="613" data-end="801">Also wondering if the Cloud NGFW can forward specic logs (e.g. forward traffic/threat logs only, not URL/decryption logs).</P> <P>&nbsp;</P> <P>Option 2 -&nbsp;Setup Forwarding to Microsoft Sentinel</P> <P><A href="https://docs.paloaltonetworks.com/prisma-access/integration/microsoft-integrations-with-prisma-access/set-up-syslog-forwarding-to-microsoft-sentinel" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/prisma-access/integration/microsoft-integrations-with-prisma-access/set-up-syslog-forwarding-to-microsoft-sentinel</A></P> <P data-start="1181" data-end="1290">This option is documented under Prisma Access, so I’m unsure if it also applies to Cloud NGFW managed by SCM.</P> <P data-start="1292" data-end="1502">I would prefer to avoid this approach because I assume traffic flow is inefficient:<BR data-start="1367" data-end="1370" />Cloud NGFW → SLS (over the Internet) → Sentinel (over the Internet)</P> <P data-start="1292" data-end="1502">&nbsp;</P> <P>Given these considerations, which option would be best for an SCM-managed Cloud NGFW deployment?</P> <P>&nbsp;</P> <P>Thanks</P> Tue, 09 Dec 2025 01:06:36 GMT A.Hwang 2025-12-09T01:06:36Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/log-forwarding-from-cloud-ngfw-in-azure-to-log-analytics/m-p/1243302#M2412 <P>Hi</P> <P>&nbsp;</P> <P data-start="134" data-end="219">I’m planning to replace Azure Firewall with Cloud NGFW in Azure, managed through SCM.</P> <P data-start="134" data-end="219">&nbsp;</P> <P data-start="221" data-end="389">In addition to using Strata Logging Service (SLS), we also need to forward firewall logs to an Azure Log Analytics Workspace for Microsoft Sentinel (SIEM/SOAR).</P> <P data-start="221" data-end="389">&nbsp;</P> <P data-start="391" data-end="456">Based on my research, there appear to be two possible approaches:</P> <P>&nbsp;</P> <P>Option 1 -&nbsp;Cloud NGFW for Azure and Sentinel Integration</P> <P><A href="https://live.paloaltonetworks.com/t5/cloud-ngfw-for-azure-articles/cloud-ngfw-for-azure-and-sentinel-integration/ta-p/1221654" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/cloud-ngfw-for-azure-articles/cloud-ngfw-for-azure-and-sentinel-integration/ta-p/1221654</A></P> <P data-start="613" data-end="801">This option looks ideal because Cloud NGFW logs would be sent directly to a Log Analytics Workspace inside the Azure environment, without additional configuration or external dependencies.</P> <P data-start="613" data-end="801">However, I would like to confirm if this integration also apply when Cloud NGFW is managed by SCM.(not using local rule stack).</P> <P data-start="613" data-end="801">Also wondering if the Cloud NGFW can forward specic logs (e.g. forward traffic/threat logs only, not URL/decryption logs).</P> <P>&nbsp;</P> <P>Option 2 -&nbsp;Setup Forwarding to Microsoft Sentinel</P> <P><A href="https://docs.paloaltonetworks.com/prisma-access/integration/microsoft-integrations-with-prisma-access/set-up-syslog-forwarding-to-microsoft-sentinel" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/prisma-access/integration/microsoft-integrations-with-prisma-access/set-up-syslog-forwarding-to-microsoft-sentinel</A></P> <P data-start="1181" data-end="1290">This option is documented under Prisma Access, so I’m unsure if it also applies to Cloud NGFW managed by SCM.</P> <P data-start="1292" data-end="1502">I would prefer to avoid this approach because I assume traffic flow is inefficient:<BR data-start="1367" data-end="1370" />Cloud NGFW → SLS (over the Internet) → Sentinel (over the Internet)</P> <P data-start="1292" data-end="1502">&nbsp;</P> <P>Given these considerations, which option would be best for an SCM-managed Cloud NGFW deployment?</P> <P>&nbsp;</P> <P>Thanks</P> Tue, 09 Dec 2025 01:06:36 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/log-forwarding-from-cloud-ngfw-in-azure-to-log-analytics/m-p/1243302#M2412 A.Hwang 2025-12-09T01:06:36Z