Log forwarding - Local on Gateway or Panorama

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Log forwarding - Local on Gateway or Panorama

L2 Linker

Hello - I have Firewalls configured with Log Forwarding to Panorama. The question is, do the traffic logs of the Firewall Gateway keeps the copy of the logs and send another copy to Panorama or does it have only one copy forwarded to Panorama

 

Can i configure to forward all the traffic logs of the Firewall to the Panorama and not to keep local copy in the Firewall?

 

Thanks RB

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hi @KumarRamalinga

 

no this is not possible

the logs are first generated and collected by the firewall process (the log is started at the beginning of the session and only completed at the end of the session) and then after the log is written locally, it will forward the logfile to panorama

(technically: logrcvr process is responsible for generating and writing logs locally, varrcvr process forwards log externally)

 

you can set your local log storage to be incredibly small so 'old' logs get overwritten very quickly, but this would also cause logs to get lost if you ever experience connectivity issues to panorama (as then the logs won't get forwarded and overwritten quickly thereafter)

 

only logs that are written locally first can be forwarded to panorama (so disabling logs and then enabling logforwarding as suggested by @MichaelMelone would not create any logs)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

3 REPLIES 3

L3 Networker

I believe this can be done not setting a log action on a security policy, but enabling the log forwarding option.  Typically i have local logs on the firewall as well as the copy send to panorama. I believe the checkbox for "log session start or end" controls the local logging while the fowarding option will do panorama or syslog. 

Cyber Elite
Cyber Elite

Hi @KumarRamalinga

 

no this is not possible

the logs are first generated and collected by the firewall process (the log is started at the beginning of the session and only completed at the end of the session) and then after the log is written locally, it will forward the logfile to panorama

(technically: logrcvr process is responsible for generating and writing logs locally, varrcvr process forwards log externally)

 

you can set your local log storage to be incredibly small so 'old' logs get overwritten very quickly, but this would also cause logs to get lost if you ever experience connectivity issues to panorama (as then the logs won't get forwarded and overwritten quickly thereafter)

 

only logs that are written locally first can be forwarded to panorama (so disabling logs and then enabling logforwarding as suggested by @MichaelMelone would not create any logs)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks for that explaination @reaper

  • 1 accepted solution
  • 4592 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!