https://live.paloaltonetworks.com/t5/general-topics/log-forwarding-to-panorama-from-pan-os-firewalls-for-threats/m-p/297615#M78092 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/74884">@BatD</a>&nbsp;Great, thanks for the quick response and noting of the additional licences! We've only initially roled out and not a massive environment, so enabling Pan mode makes sense! Thank you very much!</P> Mon, 11 Nov 2019 09:48:11 GMT mr_almeida 2019-11-11T09:48:11Z https://live.paloaltonetworks.com/t5/general-topics/log-forwarding-to-panorama-from-pan-os-firewalls-for-threats/m-p/297605#M78088 <P>Hi Gang,</P><P>&nbsp;</P><P>Would like to clarify how one sees threat logs from the PAN-OS firewalls in Panorama.&nbsp;<SPAN>Panorama is deployed as follows:</SPAN></P><P>&nbsp;</P><UL><LI><SPAN>system mode = management-only</SPAN></LI><LI><SPAN>VM Mode = VMware ESXi&nbsp;</SPAN></LI><LI><SPAN>Firewalls = PA-3020&nbsp;</SPAN></LI><LI><SPAN>Version = All on 8.1.10</SPAN></LI></UL><P>I have configured <EM>log forwarding</EM>&nbsp;to Panorama but I never see any threat logs. Log forwarding profile below, it's set on policies of post-rules to perform log forwarding for the configured profile.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="clipboard_image_0.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/22215iDC0AE37CECB00DC7/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="clipboard_image_0.png" alt="clipboard_image_0.png" /></span></P><P>I check locally on PAN-OS and it does show the firewall is forwarding to Panorama.&nbsp;</P><P>&nbsp;</P><P>Could I kindly ask for all your advice on this :)?</P><P>&nbsp;</P><P>Thank you for reading!</P><P><SPAN><BR />Daniel</SPAN></P><P>&nbsp;</P> Mon, 11 Nov 2019 09:17:44 GMT https://live.paloaltonetworks.com/t5/general-topics/log-forwarding-to-panorama-from-pan-os-firewalls-for-threats/m-p/297605#M78088 mr_almeida 2019-11-11T09:17:44Z https://live.paloaltonetworks.com/t5/general-topics/log-forwarding-to-panorama-from-pan-os-firewalls-for-threats/m-p/297612#M78089 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/121189">@mr_almeida</a>&nbsp;The reason you don't see the logs is, because your Panorama is in "management-only" mode and can only used for manging firewalls, but no log collection.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><EM>"Management Only mode allows the Panorama virtual appliance to operate strictly as a Panorama management server without local log collection capabilities."</EM></P><P>&nbsp;</P><P><EM><A href="https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/set-up-panorama/set-up-the-panorama-virtual-appliance/set-up-the-panorama-virtual-appliance-in-management-only-mode.html#id182QC0YK0ED" target="_blank">https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/set-up-panorama/set-up-the-panorama-virtual-appliance/set-up-the-panorama-virtual-appliance-in-management-only-mode.html</A></EM></P> Mon, 11 Nov 2019 09:27:53 GMT https://live.paloaltonetworks.com/t5/general-topics/log-forwarding-to-panorama-from-pan-os-firewalls-for-threats/m-p/297612#M78089 BatD 2019-11-11T09:27:53Z https://live.paloaltonetworks.com/t5/general-topics/log-forwarding-to-panorama-from-pan-os-firewalls-for-threats/m-p/297613#M78090 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/74884">@BatD</a>&nbsp;</P><P>&nbsp;</P><P>Thanks for the reply! Yes, I saw this and am wondering if it is ok to change it from management-mode to panorama-mode? System resources aren't an issue so that is fine. I see I would need to attach a secondary disk for logging.&nbsp;</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/set-up-panorama/set-up-the-panorama-virtual-appliance/set-up-the-panorama-virtual-appliance-in-panorama-mode.html" target="_blank">https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/set-up-panorama/set-up-the-panorama-virtual-appliance/set-up-the-panorama-virtual-appliance-in-panorama-mode.html</A></P><P>&nbsp;</P><P>Is this advisable or better to go with logging servers and then use collector groups?</P> Mon, 11 Nov 2019 09:39:08 GMT https://live.paloaltonetworks.com/t5/general-topics/log-forwarding-to-panorama-from-pan-os-firewalls-for-threats/m-p/297613#M78090 mr_almeida 2019-11-11T09:39:08Z https://live.paloaltonetworks.com/t5/general-topics/log-forwarding-to-panorama-from-pan-os-firewalls-for-threats/m-p/297614#M78091 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/121189">@mr_almeida</a>&nbsp;If you have all the available resurces the easiest will be to convert to Panorama mode and start collecting logs.</P><P>It really depends on the size and design of your deployement. External log collectors can give you redundancy, additional processing power, and log collection close to the log source. However every external log collector will need additional hardware and licenses.&nbsp;</P> Mon, 11 Nov 2019 09:45:31 GMT https://live.paloaltonetworks.com/t5/general-topics/log-forwarding-to-panorama-from-pan-os-firewalls-for-threats/m-p/297614#M78091 BatD 2019-11-11T09:45:31Z https://live.paloaltonetworks.com/t5/general-topics/log-forwarding-to-panorama-from-pan-os-firewalls-for-threats/m-p/297615#M78092 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/74884">@BatD</a>&nbsp;Great, thanks for the quick response and noting of the additional licences! We've only initially roled out and not a massive environment, so enabling Pan mode makes sense! Thank you very much!</P> Mon, 11 Nov 2019 09:48:11 GMT https://live.paloaltonetworks.com/t5/general-topics/log-forwarding-to-panorama-from-pan-os-firewalls-for-threats/m-p/297615#M78092 mr_almeida 2019-11-11T09:48:11Z