https://live.paloaltonetworks.com/t5/expedition-discussions/panorama-configuration-device-log/m-p/326498#M2562 <P>I managing all firewalls in panorama, with all rules in devicegroups and none local rules. Is it possible to use panorama configuration in expedition but forwarding logs from the firewalls ? That way I save disk space on the expedition server by only sending the logs from the firewalls I want to use the expedition for and not the complete log from panorama log collector.</P> Wed, 06 May 2020 19:32:13 GMT mrkaccount 2020-05-06T19:32:13Z https://live.paloaltonetworks.com/t5/expedition-discussions/panorama-configuration-device-log/m-p/326498#M2562 <P>I managing all firewalls in panorama, with all rules in devicegroups and none local rules. Is it possible to use panorama configuration in expedition but forwarding logs from the firewalls ? That way I save disk space on the expedition server by only sending the logs from the firewalls I want to use the expedition for and not the complete log from panorama log collector.</P> Wed, 06 May 2020 19:32:13 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/panorama-configuration-device-log/m-p/326498#M2562 mrkaccount 2020-05-06T19:32:13Z https://live.paloaltonetworks.com/t5/expedition-discussions/panorama-configuration-device-log/m-p/326537#M2563 <DIV class="lia-message-author-with-avatar"><SPAN class="UserName lia-user-name lia-user-rank-L0-Member lia-component-message-view-widget-author-username"><SPAN class="">Hi Mrkaccount,</SPAN></SPAN></DIV> <DIV class="lia-message-author-with-avatar">&nbsp;</DIV> <DIV class="lia-message-author-with-avatar">&nbsp;</DIV> <DIV class="lia-message-author-with-avatar"><SPAN class="UserName lia-user-name lia-user-rank-L0-Member lia-component-message-view-widget-author-username"><SPAN class="">&nbsp;In Expedition, you can add either Panorama or firewall as log connector.</SPAN></SPAN></DIV> <P><SPAN>&nbsp;</SPAN></P> Wed, 06 May 2020 20:14:15 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/panorama-configuration-device-log/m-p/326537#M2563 lychiang 2020-05-06T20:14:15Z https://live.paloaltonetworks.com/t5/expedition-discussions/panorama-configuration-device-log/m-p/326584#M2564 <P>Yes but can you combine, firewall logs with a panorama configuration. the reason I ask is that RE analysis on some rules has empty results even though the firewall log has a lot of entries for those same rules.</P> Thu, 07 May 2020 06:30:17 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/panorama-configuration-device-log/m-p/326584#M2564 mrkaccount 2020-05-07T06:30:17Z https://live.paloaltonetworks.com/t5/expedition-discussions/panorama-configuration-device-log/m-p/326608#M2567 <P>Sure, you can combine both.</P> <P>&nbsp;</P> <P>The idea is, as you have the whole configuration managed by panorama, you would create a project importing the Panorama configuration.&nbsp;</P> <P>Make sure that you have declared the Panorama as a device in Expedition and that you link this Panorama to your project. Is using this Panorama that you will import the config into the project.</P> <P>&nbsp;</P> <P>Declare a log connector in your project that uses the Panorama, the specific source you are checking (in case you have imported the Panorama configuration more than once, the device group that your firewalls hang from and, within the Device Group, select the firewalls that should have been seeing the traffic.</P> <P>&nbsp;</P> <P>This is the "mapping" that we can do to relate security rules in a Panorama configuration with the traffic reported by the NGFW.</P> <P>&nbsp;</P> <P>On the device list, you should still be able to pre-process the CSV traffic files that the NGFW are sending to your Expedition.</P> Thu, 07 May 2020 08:19:16 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/panorama-configuration-device-log/m-p/326608#M2567 dgildelaig 2020-05-07T08:19:16Z https://live.paloaltonetworks.com/t5/expedition-discussions/panorama-configuration-device-log/m-p/326644#M2571 <P>I also thought that was the general idea, thank you so much for clarifying.</P> Thu, 07 May 2020 13:19:00 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/panorama-configuration-device-log/m-p/326644#M2571 mrkaccount 2020-05-07T13:19:00Z