Panorama Logs with the PA-7000 Series on PAN-OS prior to 8.0

Printer Friendly Page

For Panorama 7.0, refer to the Panorama Administrator’s Guide for the procedures to Configure Log Forwarding, Add a Firewall as a Managed Device, and Analyze Log Data for the PA-7050 firewall and other firewall platforms.

 

Details

A PA-7000 series is configured as a Panorama managed device. Panorama will display logs (traffic logs) for the PA-7000 series, even if there is not a "Log Forwarding Profile" defined or configured on any security policy.

 

The following examples are for traffic observed on Panorama, even though there is not a Log Forwarding Profile on PA-7000 series.

Shown below is traffic observed for Rule "ANY" on Panorama for the PA-7000 series:

Screen Shot 2014-06-10 at 2.04.10 PM copy.jpg

 

In the example below, changing context to the PA-7000 series, reveals the Forwarding Profile is not configured on the Security Policy "ANY":

Screen Shot 2014-06-10 at 1.31.55 PM copy.jpg

 

As shown below, the Log Forwarding profile is not configured on the PA-7000 series:

Screen Shot 2014-06-16 at 4.34.47 PM copy.jpg

 

What is observed in Panorama, is a real time running query from the management port on Panorama to the PA-7000 series, which results in displaying the logs.

 

Note: The logs are physically residing only on the PA-7000 series. This occurs because Panorama cannot handle the rate at which a PA-7000 series would send its logs out of the box, therefore offloading for this platform to Panorama is not supported.

 

However, the PA-7000 series does support offloading of its logs to syslog, email and SNMP servers. The PA-7000 series has a dedicated Log Processing Card (LPC). Any unused port on any of the NPCs can be defined to be the LPC (Interface Type: Log Card). A data port configured as the type Log Card performs log forwarding for all of the following:

  • Syslog
  • Email
  • SNMP
  • WildFire file forwarding

Only one port on the Palo Alto Networks firewall can be configured as a Log Card interface and a commit error is displayed if log forwarding is enabled and there is no interface configured with the Interface Type: "Log Card".

Screen Shot 2014-06-13 at 4.54.30 PM.png

 

Make sure that the IP assigned to the Log Card Interface can reach the Syslog, Email, SNMP and/or WildFire servers.

Screen Shot 2014-06-13 at 5.00.21 PM.png

 

Special Note

This limitation was overcome with the release of PAN-OS 8.0

For more information please refer to:

 

https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/management-features/pa-700...

 

https://live.paloaltonetworks.com/t5/Featured-Articles/PAN-OS-8-0-Forwarding-PA-7000-Logs-to-Panoram...

Tags (6)
Comments

Local config and system logs are not viewable from Panorama - this is tracked as Bug ID # 79854, targeted fix in 7.0.1.  Unclear on 6.1.x.

Hi,

Can 7050 forward syslog using its management interface? Or is there any other option other than Log card interface?

Thanks :)

Hi

 

Logs cannot be forwarded out of the management interface because the PA-7000 has a dedicated log processing card which is logically connected to the dataplane (whereas on other platforms the logging process is part of the management plane)

 

hope this helps

Tom

 

 

 

 

could this port be an aggregate port  ? 

if this NPC card fails is the external logging cached before being re-sent once the NPC comes back up ?

Does this really mean you must have a log port configured if want to submit files to the WildFire cloud or does it only start using this interface for that purpose if you configure a logging port ?

 

This doesn't seem like a very reliable system if off box logging or wildfire submissions are critical if you can only have a single interface.

 

The log card can currently not be aggregated, I'd recommend reaching out to your SE to have your vote added to the feature request. If the interface is down, the logs will be queued for delivery after connectivity is restored.

If you require wilfire uploads or log forwarding, a log-card interface must be configured

 

 

hope this helps

 

The Log Card Interface in a 7050 HA Active-Passive pair is generating syslog errors:

 

The passive device in the HA-pair shows LCI device 3/4 link-state is auto, syslog shows:

'Syslog connection failed to server[\'Server IP.\']'

 

 

 

The Active device in the HA-pair shows LCI device 3/4 link-state is auto, syslog shows:

'Syslog connection established to server[\'Server IP.\']'

 

The devices utilize the same IP on Active/Passive, because the Sync will not allow for different IP's to the same interface, yet are causing ip conflicts between primary/secondary.  The syslog is being flooded with these error messages. Is there a fix?