https://live.paloaltonetworks.com/t5/general-articles/understanding-pan-os-dual-forwarding-mode-and-log-delivery/ta-p/1255293 <DIV class="lia-message-template-content-zone"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ferozv_0-1780476218161.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/71543i128367D70A6DF730/image-size/large?v=v2&amp;px=999" role="button" title="ferozv_0-1780476218161.png" alt="ferozv_0-1780476218161.png" /></span> <P>&nbsp;</P> <P><SPAN>When PAN-OS is configured to use Strata Logging Service (SLS), administrators can choose between </SPAN><STRONG>Single Forwarding</STRONG><SPAN> and </SPAN><STRONG>Dual Forwarding</STRONG><SPAN> modes. While both options facilitate log delivery to SLS, they utilize entirely different delivery mechanisms and provide different operational guarantees.</SPAN></P> <P>&nbsp;</P> <P><SPAN>This distinction is critical if you observe logs that are present in a local Log Collector (LC) but missing from SLS. In many cases, this variance is expected behavior dictated by the forwarding architecture rather than a product defect or software regression.</SPAN></P> <P>&nbsp;</P> <P><SPAN>This article details how log delivery operates in each mode, what behaviors to expect, and which deployment model to implement when complete log fidelity to SLS is required.</SPAN></P> <P>&nbsp;</P> <H2><STRONG>Single Forwarding vs. Dual Forwarding</STRONG></H2> <P>&nbsp;</P> <P><SPAN>PAN-OS supports two forwarding models when SLS is in use:</SPAN></P> <P>&nbsp;</P> <OL> <LI><STRONG>Single Forwarding<BR /></STRONG>Logs are directed to a <STRONG style="font-family: inherit;">single destination</STRONG><SPAN>—either a local Log Collector or SLS. PAN-OS maintains strict, acknowledgment-based delivery and automatically retries failed transmissions, ensuring </SPAN><STRONG style="font-family: inherit;">guaranteed delivery</STRONG><SPAN> to the configured destination.</SPAN></LI> <LI><STRONG>Dual Forwarding</STRONG><BR />Logs are sent <STRONG style="font-family: inherit;">simultaneously</STRONG><SPAN> to both a local Log Collector and SLS. In this mode, PAN-OS splits its delivery behavior:<BR /><BR /></SPAN> <UL> <LI><SPAN>Log delivery to the </SPAN><STRONG>Log Collector remains guaranteed</STRONG><SPAN>.</SPAN></LI> <LI><SPAN>Log delivery to </SPAN><STRONG>SLS operates on a best-effort basis</STRONG><SPAN>.</SPAN></LI> </UL> </LI> </OL> <P>&nbsp;</P> <P><SPAN>Because these models handle data streams differently, you may observe discrepancies in log completeness between your Log Collector and SLS when Dual Forwarding is enabled.</SPAN></P> <H2>&nbsp;</H2> <H2><STRONG>Log Delivery Guarantees and Recommended Usage</STRONG></H2> <P>&nbsp;</P> <P><SPAN>The underlying mechanics of Dual Forwarding mode dictate how data is prioritized:</SPAN></P> <P>&nbsp;</P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Log Collector (LC):</STRONG><SPAN> PAN-OS maintains an in-memory queue, waits for processing acknowledgments, and actively retries failed deliveries. </SPAN><STRONG>Delivery is guaranteed.</STRONG></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Strata Logging Service (SLS):</STRONG><SPAN> PAN-OS utilizes a </SPAN><STRONG>fire-and-forget</STRONG><SPAN> delivery model. The firewall does not wait for a transport acknowledgment from SLS and does not retry dropped or failed transmissions. Consequently, minor log loss to SLS can occur by design during periods of high throughput or network congestion.</SPAN></LI> </UL> <P><STRONG>Operational Recommendation:</STRONG><SPAN> Dual Forwarding mode is primarily intended for short-term evaluation and migration scenarios (e.g., validating SLS log ingestion before decommissioning an on-premises Log Collector). It is </SPAN><STRONG>not recommended</STRONG><SPAN> as a permanent production configuration if absolute log fidelity to SLS is required.</SPAN></P> <P>&nbsp;</P> <P><SPAN>For production environments requiring strictly guaranteed log delivery to SLS, Palo Alto Networks recommends configuring </SPAN><STRONG>Single Forwarding</STRONG><SPAN> directly to SLS.</SPAN></P> <P>&nbsp;</P> <H4><STRONG>Comparison at a Glance</STRONG></H4> <TABLE> <TBODY> <TR> <TD> <P><STRONG>Feature / Capability</STRONG></P> </TD> <TD> <P><STRONG>Single Forwarding to SLS</STRONG></P> </TD> <TD> <P><STRONG>Dual Forwarding (LC + SLS)</STRONG></P> </TD> </TR> <TR> <TD> <P><STRONG>Primary Use Case</STRONG></P> </TD> <TD> <P><SPAN>Production environments requiring full SLS fidelity</SPAN></P> </TD> <TD> <P><SPAN>Short-term evaluation and migration testing</SPAN></P> </TD> </TR> <TR> <TD> <P><STRONG>Delivery to Log Collector</STRONG></P> </TD> <TD> <P><SPAN>N/A (Disabled)</SPAN></P> </TD> <TD> <P><STRONG>Guaranteed</STRONG><SPAN> (Acknowledgment-based retries)</SPAN></P> </TD> </TR> <TR> <TD> <P><STRONG>Delivery to SLS</STRONG></P> </TD> <TD> <P><STRONG>Guaranteed</STRONG><SPAN> (Acknowledgment-based retries)</SPAN></P> </TD> <TD> <P><STRONG>Best-Effort</STRONG><SPAN> (Fire-and-forget architecture)</SPAN></P> </TD> </TR> <TR> <TD> <P><STRONG>SLS Retry Behavior</STRONG></P> </TD> <TD> <P><SPAN>Available and active</SPAN></P> </TD> <TD> <P><SPAN>Not available</SPAN></P> </TD> </TR> </TBODY> </TABLE> <H3>&nbsp;</H3> <H2><STRONG>Frequently Asked Questions (FAQ)</STRONG></H2> <P>&nbsp;</P> <P><STRONG>I see logs in my local Log Collector but not in SLS. Is this a bug?</STRONG></P> <P><SPAN>Not necessarily. When Dual Forwarding is enabled, the firewall streams logs to SLS using a best-effort, fire-and-forget mechanism. Some log variance is expected by design because PAN-OS does not buffer or retry failed transmissions to SLS in this mode. However, if the volume of missing logs is significantly high, investigate potential environmental factors such as local network congestion, upstream ISP drops, or firewall-to-SLS connectivity disruptions.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Did a recent PAN-OS release introduce this best-effort behavior?</STRONG></P> <P><SPAN>No. This architectural behavior has been inherent to Dual Forwarding mode since its inception. It is a structural design characteristic, not a regression introduced by any recent PAN-OS software update.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Will this behavior change or be enhanced in a future release?</STRONG></P> <P><SPAN>Palo Alto Networks engineering teams are continuously evaluating architectural enhancements to our logging mechanisms. If your organization has strict compliance or architectural requirements for guaranteed dual-destination forwarding, please coordinate with your account team or Technical Assistance Center (TAC) to submit a formal Feature Request (FR).</SPAN></P> <H3>&nbsp;</H3> <H2><STRONG>Summary</STRONG></H2> <P>&nbsp;</P> <P><SPAN>Choosing the correct logging topology depends entirely on your compliance and operational mandates:</SPAN></P> <P>&nbsp;</P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Single Forwarding to SLS</STRONG><SPAN> provides robust, acknowledgment-backed delivery and should always be used when complete SLS log fidelity is mandatory.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG style="font-family: inherit;">Dual Forwarding (LC + SLS)</STRONG><SPAN> prioritizes local logging integrity while providing a convenient, best-effort mirror to the cloud, making it ideal for proof-of-concepts and migration windows.</SPAN></LI> </UL> </DIV> Wed, 03 Jun 2026 08:51:30 GMT ferozv 2026-06-03T08:51:30Z https://live.paloaltonetworks.com/t5/general-articles/understanding-pan-os-dual-forwarding-mode-and-log-delivery/ta-p/1255293 <P>When configuring PAN-OS with Strata Logging Service (SLS), choosing between Single Forwarding and Dual Forwarding modes drastically impacts your log delivery guarantees. If you’ve ever noticed log discrepancies between your local Log Collector and SLS, it might not be a bug—it’s architectural by design. While Dual Forwarding provides a convenient, best-effort cloud mirror ideal for short-term migrations, it relies on a fire-and-forget mechanism for SLS. Discover the underlying mechanics of both modes and learn why transitioning to Single Forwarding is the recommended path for production environments requiring absolute log fidelity.</P> Wed, 03 Jun 2026 08:51:30 GMT https://live.paloaltonetworks.com/t5/general-articles/understanding-pan-os-dual-forwarding-mode-and-log-delivery/ta-p/1255293 ferozv 2026-06-03T08:51:30Z