Logging In PAN OS

Hi Team,

>In general, will the PA firewalls that are managed by Panorama log directly to Panorama, or do we need any configuration to be made to push the logs to Panorama?

>What is the best way to configure logging for the firewalls managed via Panorama? For the firewalls in a cluster as well as the firewalls which are standalone?

>Based on what I read, we can configure multiple syslog servers. But if I want to see logs in the Monitoring section for troubleshooting, what is the best way to save the logs? Because without logs being displayed in the Monitoring section we will not be able to do anything except troubleshooting via CLI.

>Please help me understand this. Any documents which help me understand will also be helpful.

Regards,

Sanjay S

Accepted Solutions

Hi @Sanjay_Ramaiah ,

 

Q: In general, will the PA firewalls that are managed by Panorama log directly to Panorama, or do we need any configuration to be made to push the logs to Panorama?

A: No, a FW that is managed by Panorama will not forward logs to Panorama. You need to explicitly tell the firewall to forward/push logs to Panorama. PAN FWs split logs into two main categories:
- traffic and security logs (from traffic passing through the FW): To push logs to Panorama you need to create a Log Forwarding Profile and apply this profile to each rule (preferably all)
- system and user-id logs: similar to traffic logs, these need a forwarding profile, but this one is configured under Device -> Log Settings

The following link provides detailed steps to forward all logs - https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-log-collection/configure-log-fo...

 

Q: What is the best way to configure logging for the firewalls managed via Panorama?

A: If you noticed from the above answer, when you create a new security rule you need to configure it to send logs to Panorama. It is easy to forget to set log forwarding when creating a new rule. But there is a neat little trick - if you use "default" for the log forwarding profile name, the firewall/Panorama will automatically add the profile when creating a new rule - but this is valid only when creating the rule over the GUI.

Based on this my recommendation is:

- Create your log forwarding profile named default.

- Create the log forwarding profile object in the highest device group level - let's say Shared. This way it will be inherited by all of your managed firewalls.

System and user-id logs, as mentioned above, are configured under Device -> Log Settings by defining a log forwarding profile for each log subtype. Because these settings are under the Device tab, they can be managed by a Template.

- Create a new Template

- Configure log forwarding to Panorama for each of the system logs

- Add this template to each template-stack of your managed firewalls.

Q: For the firewalls in a cluster as well as the firewalls which are standalone?

A: Logging is exactly the same no matter if the firewall is in HA or standalone.

 

Q: Based on what I read, we can configure multiple syslog servers. But if I want to see logs in the Monitoring section for troubleshooting, what is the best way to save the logs? Because without logs being displayed in the Monitoring section we will not be able to do anything except troubleshooting via CLI.

A: It is important to understand that the firewall is forwarding logs to Panorama. This means you don't have to choose whether you want to log locally or remotely. The firewall will always log locally and then forward those logs remotely (to Panorama or a remote syslog server), based on your log forwarding settings. So even if you enable logging to Panorama, logs are still available locally on the firewall. But depending on your log rate and firewall storage capacity, retention could be significantly shorter than on Panorama.
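
The answer above notes that it is easy to forget the log forwarding profile on a new rule. The following audit is an added example, not part of the original answer and not Palo Alto Networks tooling: it lists enabled pre-rulebase security rules whose logs would not reach Panorama. The XML is a constructed sample; the element paths (`log-setting`, `log-settings/profiles`, `send-to-panorama`) are assumed to match a Panorama configuration export and should be checked against your own, and the device group and profile names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not from the thread: trimmed Panorama-style config with a
# Shared scope and one hypothetical device group "branch" (element paths assumed).
SAMPLE_CONFIG = """
<config><shared>
  <log-settings><profiles>
    <entry name="default"><match-list><entry name="t"><send-to-panorama>yes</send-to-panorama></entry></match-list></entry>
    <entry name="syslog-only"><match-list><entry name="t"><send-to-panorama>no</send-to-panorama></entry></match-list></entry>
  </profiles></log-settings>
  <pre-rulebase><security><rules>
    <entry name="allow-dns"><log-setting>default</log-setting></entry>
    <entry name="allow-web"/>
  </rules></security></pre-rulebase>
</shared>
<devices><entry name="localhost.localdomain"><device-group><entry name="branch">
  <pre-rulebase><security><rules>
    <entry name="old-vpn"><log-setting>syslog-only</log-setting></entry>
    <entry name="tmp-test"><disabled>yes</disabled></entry>
  </rules></security></pre-rulebase>
</entry></device-group></entry></devices></config>
"""

def forwarding_profiles(scope):
    """Map profile name -> True if any match-list entry sends to Panorama."""
    return {p.get("name"): any(m.findtext("send-to-panorama") == "yes"
                               for m in p.findall("match-list/entry"))
            for p in scope.findall("log-settings/profiles/entry")}

def audit_log_forwarding(xml_text):
    """List enabled security rules whose logs would not reach Panorama."""
    root = ET.fromstring(xml_text)
    shared = root.find("shared")
    scopes = [("shared", shared)] + [(dg.get("name"), dg) for dg in
              root.findall("devices/entry/device-group/entry")]
    findings = []
    for name, scope in scopes:
        # Shared profiles are inherited; a device group's own profile overrides.
        profiles = {**forwarding_profiles(shared), **forwarding_profiles(scope)}
        for rule in scope.findall("pre-rulebase/security/rules/entry"):
            if rule.findtext("disabled") == "yes":
                continue  # disabled rules match no traffic
            profile = rule.findtext("log-setting")
            if profile is None:
                findings.append((name, rule.get("name"), "no log forwarding profile"))
            elif not profiles.get(profile, False):
                findings.append((name, rule.get("name"), f"'{profile}' does not send to Panorama"))
    return findings
```
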

 

 


@aleksandar.astardzhiev thanks a lot for the detailed explanation 🙂
