Log forwarding - Local on Gateway or Panorama

KumarRamalinga
L2 Linker


Hello - I have firewalls configured with Log Forwarding to Panorama. The question is: does the firewall gateway keep a copy of the traffic logs and send another copy to Panorama, or is there only one copy, which is forwarded to Panorama?

Can I configure the firewall to forward all of its traffic logs to Panorama and not keep a local copy on the firewall?

Thanks RB


Accepted Solutions
reaper
L7 Applicator

Hi @KumarRamalinga

No, this is not possible.

The logs are first generated and collected by the firewall process (the log is started at the beginning of the session and only completed at the end of the session), and then, after the log is written locally, it will forward the log file to Panorama.

(Technically: the logrcvr process is responsible for generating and writing logs locally; the varrcvr process forwards logs externally.)

You can set your local log storage to be incredibly small so 'old' logs get overwritten very quickly, but this would also cause logs to get lost if you ever experience connectivity issues to Panorama (as then the logs won't get forwarded and overwritten quickly thereafter).

Only logs that are written locally first can be forwarded to Panorama (so disabling logs and then enabling log forwarding as suggested by @mmelone would not create any logs).

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
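
A simplified model of the behaviour described in the answer above, added here as an illustration (not part of the original post and not PAN-OS code): logs are written to a bounded local store first, and a forwarder ships them only while the link to Panorama is up. The function name `simulate`, its parameters and all numbers are constructed assumptions.

```python
def simulate(capacity, rate, outage, ticks, drain):
    """Toy model (assumption, not PAN-OS internals).

    capacity: local store size in log entries; oldest entries are overwritten when full
    rate:     logs written locally per tick
    outage:   (start, end) ticks during which the link to Panorama is down
    drain:    max logs the forwarder can ship per tick while the link is up
    """
    written = forwarded = lost = 0
    cursor = 0  # sequence number of the next log waiting to be forwarded
    for t in range(ticks):
        # 1. Every log is written locally first.
        written += rate
        oldest = max(0, written - capacity)  # oldest entry still on disk
        if cursor < oldest:
            # Entries were overwritten before the forwarder reached them.
            lost += oldest - cursor
            cursor = oldest
        # 2. Forwarding only reads what is in the local store.
        if not (outage[0] <= t < outage[1]):
            batch = min(drain, written - cursor)
            forwarded += batch
            cursor += batch
    return {"written": written, "forwarded": forwarded,
            "lost": lost, "pending": written - cursor}


if __name__ == "__main__":
    # Constructed numbers: 100 logs/tick, 60-tick outage, 120 ticks total.
    common = dict(rate=100, outage=(10, 70), ticks=120, drain=400)
    print("tiny store :", simulate(capacity=500, **common))
    print("sized store:", simulate(capacity=6100, **common))
```

In this model the local store has to hold at least rate x (outage length + 1) entries to ride out the outage without losing logs; anything smaller trades disk space for gaps in what reaches Panorama.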



All Replies
mmelone
L3 Networker

I believe this can be done by not setting a log action on a security policy, but enabling the log forwarding option. Typically I have local logs on the firewall as well as the copy sent to Panorama. I believe the checkbox for "log session start or end" controls the local logging, while the forwarding option will do Panorama or syslog.

mmelone
L3 Networker

Thanks for that explanation @reaper
