Understanding PAN-OS Dual Forwarding Mode and Log Delivery Behavior to Strata Logging Service (SLS)


 

When PAN-OS is configured to use Strata Logging Service (SLS), administrators can choose between Single Forwarding and Dual Forwarding modes. While both options facilitate log delivery to SLS, they utilize entirely different delivery mechanisms and provide different operational guarantees.

 

This distinction is critical if you observe logs that are present in a local Log Collector (LC) but missing from SLS. In many cases, this variance is expected behavior dictated by the forwarding architecture rather than a product defect or software regression.

 

This article details how log delivery operates in each mode, what behaviors to expect, and which deployment model to implement when complete log fidelity to SLS is required.

 

Single Forwarding vs. Dual Forwarding

 

PAN-OS supports two forwarding models when SLS is in use:

 

  1. Single Forwarding
    Logs are directed to a single destination—either a local Log Collector or SLS. PAN-OS maintains strict, acknowledgment-based delivery and automatically retries failed transmissions, ensuring guaranteed delivery to the configured destination.
  2. Dual Forwarding
    Logs are sent simultaneously to both a local Log Collector and SLS. In this mode, PAN-OS splits its delivery behavior:

    • Log delivery to the Log Collector remains guaranteed.
    • Log delivery to SLS operates on a best-effort basis.

 

Because these models handle data streams differently, you may observe discrepancies in log completeness between your Log Collector and SLS when Dual Forwarding is enabled.

 

Log Delivery Guarantees and Recommended Usage

 

The underlying mechanics of Dual Forwarding mode dictate how data is prioritized:

 

  • Log Collector (LC): PAN-OS maintains an in-memory queue, waits for processing acknowledgments, and actively retries failed deliveries. Delivery is guaranteed.
  • Strata Logging Service (SLS): PAN-OS utilizes a fire-and-forget delivery model. The firewall does not wait for a transport acknowledgment from SLS and does not retry dropped or failed transmissions. Consequently, minor log loss to SLS can occur by design during periods of high throughput or network congestion.

Operational Recommendation: Dual Forwarding mode is primarily intended for short-term evaluation and migration scenarios (e.g., validating SLS log ingestion before decommissioning an on-premises Log Collector). It is not recommended as a permanent production configuration if absolute log fidelity to SLS is required.

 

For production environments requiring strictly guaranteed log delivery to SLS, Palo Alto Networks recommends configuring Single Forwarding directly to SLS.

 

Comparison at a Glance

| Feature / Capability | Single Forwarding to SLS | Dual Forwarding (LC + SLS) |
| --- | --- | --- |
| Primary Use Case | Production environments requiring full SLS fidelity | Short-term evaluation and migration testing |
| Delivery to Log Collector | N/A (Disabled) | Guaranteed (Acknowledgment-based retries) |
| Delivery to SLS | Guaranteed (Acknowledgment-based retries) | Best-Effort (Fire-and-forget architecture) |
| SLS Retry Behavior | Available and active | Not available |

 

Frequently Asked Questions (FAQ)

 

I see logs in my local Log Collector but not in SLS. Is this a bug?

Not necessarily. When Dual Forwarding is enabled, the firewall streams logs to SLS using a best-effort, fire-and-forget mechanism. Some log variance is expected by design because PAN-OS does not buffer or retry failed transmissions to SLS in this mode. However, if the volume of missing logs is significantly high, investigate potential environmental factors such as local network congestion, upstream ISP drops, or firewall-to-SLS connectivity disruptions.
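One way to tell expected best-effort variance from a disruption worth investigating is to reconcile the two destinations per time bucket, using the Log Collector copy as the reference. This is an added example, not code from the article or from Palo Alto Networks; the record layout (serial, sequence number, minute bucket), the sample data, and the `investigate_ratio` threshold are all assumptions.

```python
from collections import defaultdict

# Constructed sample exports: (firewall serial, sequence number, minute bucket).
# Field layout and values are illustrative, not taken from a real export.
LC_LOGS = [("FW-A", seq, seq // 10) for seq in range(100, 160)]
# SLS copy: scattered single drops in minutes 10 and 11, all of minute 13 missing.
SLS_LOGS = [r for r in LC_LOGS if r[1] not in (104, 117) and r[2] != 13]

def reconcile(lc, sls, investigate_ratio=0.25):
    """Compare LC (guaranteed) against SLS (best-effort) per time bucket.

    investigate_ratio is an assumed, site-specific threshold, not a vendor value.
    Returns {bucket: (lc_count, missing_in_sls, verdict)}.
    """
    sls_keys = {(serial, seq) for serial, seq, _ in sls}
    total = defaultdict(int)
    missing = defaultdict(int)
    for serial, seq, bucket in lc:
        total[bucket] += 1
        if (serial, seq) not in sls_keys:
            missing[bucket] += 1
    report = {}
    for bucket in sorted(total):
        ratio = missing[bucket] / total[bucket]
        if ratio == 0:
            verdict = "complete"
        elif ratio < investigate_ratio:
            verdict = "expected-variance"   # small, scattered loss
        else:
            verdict = "investigate"         # large or contiguous gap
        report[bucket] = (total[bucket], missing[bucket], verdict)
    return report

def overall_loss(report):
    """Fraction of LC-confirmed logs that never reached SLS."""
    lc_total = sum(t for t, _, _ in report.values())
    lost = sum(m for _, m, _ in report.values())
    return lost / lc_total

if __name__ == "__main__":
    rep = reconcile(LC_LOGS, SLS_LOGS)
    for bucket, (tot, miss, verdict) in rep.items():
        print(f"minute {bucket}: lc={tot} missing_in_sls={miss} -> {verdict}")
    print(f"overall loss to SLS: {overall_loss(rep):.1%}")
```

A bucket flagged `investigate` points at the environmental factors listed above (congestion, upstream drops, firewall-to-SLS connectivity) for that time window.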

 

Did a recent PAN-OS release introduce this best-effort behavior?

No. This architectural behavior has been inherent to Dual Forwarding mode since its inception. It is a structural design characteristic, not a regression introduced by any recent PAN-OS software update.

 

Will this behavior change or be enhanced in a future release?

Palo Alto Networks engineering teams are continuously evaluating architectural enhancements to our logging mechanisms. If your organization has strict compliance or architectural requirements for guaranteed dual-destination forwarding, please coordinate with your account team or Technical Assistance Center (TAC) to submit a formal Feature Request (FR).

 

Summary

 

Choosing the correct logging topology depends entirely on your compliance and operational mandates:

 

  • Single Forwarding to SLS provides robust, acknowledgment-backed delivery and should always be used when complete SLS log fidelity is mandatory.
  • Dual Forwarding (LC + SLS) prioritizes local logging integrity while providing a convenient, best-effort mirror to the cloud, making it ideal for proof-of-concepts and migration windows.
Last Updated:
‎06-03-2026 01:51 AM