04-16-2018 08:14 AM - edited 04-16-2018 08:15 AM
I use Panorama to configure and push policies as well as log forwarding (to the Panorama) for all my firewalls. I now want to send all those logs (traffic, threat, data, etc.) to a syslog server as well, but I'm running into a problem when doing this. It seems I can't push/create a syslog server on the PAN and add it to the 'panorama log forwarding' profile.
If I create a syslog server profile on the PAN it doesn't show up under > Log Forwarding > Forward to Panorama > Log Forwarding Profile > Traffic (or any other log) > Syslog.
So because I do all this from the PAN I can't seem to figure out how to push all logs to the PAN and a syslog server at the same time. The only way I think I can do it is by doing the policies locally on the firewall, which then defeats the entire purpose of the PAN.
Anyone run into this before?
04-16-2018 08:35 AM
Is there a reason you can't FW your logs from Panorama to your syslog device? (That's what I do)
04-16-2018 08:54 AM
Did you configure the syslog server profile in the shared context or for a specific vsys? And in addition: the log forwarding profile also must be created in shared context and not in a device group in order to make it work.
04-16-2018 09:01 AM - edited 04-16-2018 09:03 AM
@vsys_remo Problem is the syslog server profile is NOT shared on the Panorama. It seems to be local and not even able to assign it on the Panorama. The log forwarding is created under a 'Branches' DG which includes all of my sites.
@Brandon_Wertz Only reason is I was trying to forward only a single site's logs and not all of them. Can you post a screenshot of how you have it configured?
04-16-2018 09:35 AM
I have the same config here. I have the syslog server profile on all firewalls in a global template, even if I do not need it on all devices. And obviously I also don't need the log forwarding profile on all firewalls, but creating it in shared device group context is the only working solution. And because the forwarding profile is created in shared context it will be pushed to all firewalls - even if it is not used - which the other way requires the syslog profile on all firewalls for not getting commit errors because of dependencies.