Log forwarding to Panorama from PAN-OS Firewalls for Threats

L1 Bithead

Hi Gang,

 

Would like to clarify how one sees threat logs from the PAN-OS firewalls in Panorama. Panorama is deployed as follows:

 

  • system mode = management-only
  • VM Mode = VMware ESXi 
  • Firewalls = PA-3020 
  • Version = All on 8.1.10

I have configured log forwarding to Panorama but I never see any threat logs. The log forwarding profile is below; it's set on policies of post-rules to perform log forwarding for the configured profile.

[Screenshot: log forwarding profile (clipboard_image_0.png)]

I check locally on PAN-OS and it does show the firewall is forwarding to Panorama. 

 

Could I kindly ask for all your advice on this :)?

 

Thank you for reading!


Daniel

 

L4 Transporter

Re: Log forwarding to Panorama from PAN-OS Firewalls for Threats

@danielmartins The reason you don't see the logs is because your Panorama is in "management-only" mode and can only be used for managing firewalls, but not log collection.

"Management Only mode allows the Panorama virtual appliance to operate strictly as a Panorama management server without local log collection capabilities."

 

https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/set-up-panorama/set-up-the-panorama-vi...

L1 Bithead

Re: Log forwarding to Panorama from PAN-OS Firewalls for Threats

@BatD 

 

Thanks for the reply! Yes, I saw this and am wondering if it is ok to change it from management-mode to panorama-mode? System resources aren't an issue so that is fine. I see I would need to attach a secondary disk for logging. 

 

https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/set-up-panorama/set-up-the-panorama-vi...

 

Is this advisable or better to go with logging servers and then use collector groups?

L4 Transporter

Re: Log forwarding to Panorama from PAN-OS Firewalls for Threats

@danielmartins If you have all the available resources, the easiest will be to convert to Panorama mode and start collecting logs.

It really depends on the size and design of your deployment. External log collectors can give you redundancy, additional processing power, and log collection close to the log source. However, every external log collector will need additional hardware and licenses.

L1 Bithead

Re: Log forwarding to Panorama from PAN-OS Firewalls for Threats

@BatD Great, thanks for the quick response and noting of the additional licences! We've only initially rolled out and not a massive environment, so enabling Pan mode makes sense! Thank you very much!
