Log forwarding to Panorama from PAN-OS Firewalls for Threats

L2 Linker

Hi Gang,

 

Would like to clarify how one sees threat logs from the PAN-OS firewalls in Panorama. Panorama is deployed as follows:

 

  • system mode = management-only
  • VM Mode = VMware ESXi 
  • Firewalls = PA-3020 
  • Version = All on 8.1.10

I have configured log forwarding to Panorama but I never see any threat logs. Log forwarding profile below, it's set on policies of post-rules to perform log forwarding for the configured profile.

clipboard_image_0.png

I check locally on PAN-OS and it does show the firewall is forwarding to Panorama. 

 

Could I kindly ask for all your advice on this :)?

 

Thank you for reading!


Daniel

 


L4 Transporter

@mr_almeida The reason you don't see the logs is because your Panorama is in "management-only" mode and can only be used for managing firewalls, but not for log collection.

 

 

"Management Only mode allows the Panorama virtual appliance to operate strictly as a Panorama management server without local log collection capabilities."

 

https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/set-up-panorama/set-up-the-panorama-vi...

@BatD 

 

Thanks for the reply! Yes, I saw this and am wondering if it is ok to change it from management-mode to panorama-mode? System resources aren't an issue so that is fine. I see I would need to attach a secondary disk for logging. 

 

https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/set-up-panorama/set-up-the-panorama-vi...

 

Is this advisable or better to go with logging servers and then use collector groups?

@mr_almeida If you have all the available resources the easiest will be to convert to Panorama mode and start collecting logs.

It really depends on the size and design of your deployment. External log collectors can give you redundancy, additional processing power, and log collection close to the log source. However every external log collector will need additional hardware and licenses.

@BatD Great, thanks for the quick response and noting of the additional licences! We've only initially rolled out and not a massive environment, so enabling Pan mode makes sense! Thank you very much!
