We have a remote location that connects back to our corporate office via a WAN link. At this remote site, we have two clusters of Palo Alto firewalls that are pretty heavily utilized and produce around 1+ GB of logs per day. We are preparing to deploy Panorama at our corporate location to manage all of our PA firewalls. We would like to send the log data from the firewalls at this remote site to Panorama, but do not want to fill our WAN link with this log data. Are there other options for getting this log data back to Panorama? Is it possible to create a log export policy to run overnight and import this log data into Panorama? I know that the log data would not be real time in Panorama, but we could still view the log data on the firewall gateways themselves for troubleshooting purposes. Also, with a 25-node license, can we install multiple instances of Panorama (1 at corporate and 1 at the remote site) as long as we don't exceed the total 25-node license?
Any help/input would be appreciated.
The PAN device can schedule log export for the traffic and threat logs, but Panorama does not allow import of logs in that format, only the logdb.
Regarding multiple instances of Panorama: yes, with the understanding that each PAN device can only communicate with a single instance of Panorama.
You will need individual licenses for each Panorama you want to use. Only one installation of Panorama is supported per license SKU.
You could also opt not to forward all logs, but selectively forward only the logs that are important and leave generic logs on the units.
You can accomplish this by setting log forwarding for critical and high-risk threats, and selecting only the most important security rules to forward logs to Panorama.
This could dramatically decrease the total volume of logs forwarded to Panorama.
After exporting logs, do you have any offline viewing tools that act the same way as PAN-OS (i.e., applying filters to a query)? Or is there a tool that converts the exported format back to logdb, so that we can use the log data to create global reports for all sites?
We do not provide a stand-alone tool for reading logs, but this doesn't mean no tools exist. If, for instance, you were to redirect logs to an external syslog server, you could use your favorite SQL query tools to run reports. You can also use many embedded text editors to just search for strings.
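The two suggestions above, forwarding only critical/high threats plus the logs of a few important rules, and running SQL reports over logs collected outside Panorama, can both be tried against a day's CSV export before touching the firewalls. The following is an added example, not code from the thread or from Palo Alto Networks: it loads constructed CSV exports from two sites into SQLite, estimates how many records a selective log forwarding profile would actually send over the WAN, and runs a global "top threats across all sites" report. The column names, the site labels, the rule names and all log rows are constructed for the demo; a real PAN-OS export has many more columns and different header names, so map them from the Syslog Field Descriptions for your PAN-OS release. The forwarding model (threat logs forwarded only at the listed severities, traffic logs only for the listed rules) is my simplification of the per-rule log forwarding profile described above.

```python
"""Load PAN-OS-style CSV log exports into SQLite and query them offline.

Added example, not from the Live Community thread or Palo Alto Networks.
The export layout below is simplified and constructed; real PAN-OS exports
carry many more fields. Requires only the Python standard library.
"""
import csv
import io
import sqlite3

# Constructed sample exports. Column names are assumptions for the demo.
SITE_A_EXPORT = """\
receive_time,serial,type,subtype,src,dst,rule,app,action,severity,threat_name,bytes
2014/03/03 01:00:05,0009C100001,TRAFFIC,end,10.1.1.20,8.8.8.8,allow-dns,dns,allow,,,356
2014/03/03 01:00:06,0009C100001,TRAFFIC,end,10.1.1.21,93.184.216.34,allow-web,web-browsing,allow,,,14250
2014/03/03 01:00:07,0009C100001,THREAT,vulnerability,203.0.113.9,10.1.1.50,inbound-dmz,web-browsing,reset-both,critical,HTTP SQL Injection Attempt,0
2014/03/03 01:00:09,0009C100001,THREAT,url,10.1.1.22,198.51.100.7,allow-web,web-browsing,alert,informational,streaming-media,0
2014/03/03 01:00:12,0009C100001,THREAT,spyware,10.1.1.23,198.51.100.40,allow-web,web-browsing,alert,high,Suspicious DNS Query,0
2014/03/03 01:00:15,0009C100001,TRAFFIC,end,10.1.1.24,10.2.0.5,allow-internal,smb,allow,,,98210
2014/03/03 01:00:20,0009C100001,THREAT,vulnerability,10.1.1.25,198.51.100.9,allow-web,web-browsing,alert,low,HTTP OPTIONS Method,0
"""

SITE_B_EXPORT = """\
receive_time,serial,type,subtype,src,dst,rule,app,action,severity,threat_name,bytes
2014/03/03 01:02:01,0009C100002,TRAFFIC,end,10.5.1.10,8.8.4.4,allow-dns,dns,allow,,,412
2014/03/03 01:02:04,0009C100002,THREAT,vulnerability,203.0.113.77,10.5.1.50,inbound-dmz,web-browsing,reset-both,critical,HTTP SQL Injection Attempt,0
2014/03/03 01:02:08,0009C100002,THREAT,vulnerability,203.0.113.77,10.5.1.50,inbound-dmz,web-browsing,reset-both,critical,HTTP SQL Injection Attempt,0
2014/03/03 01:02:15,0009C100002,TRAFFIC,end,10.5.1.11,198.51.100.3,allow-web,web-browsing,allow,,,20400
"""

COLUMNS = ("receive_time", "serial", "type", "subtype", "src", "dst",
           "rule", "app", "action", "severity", "threat_name", "bytes")

SCHEMA = """
CREATE TABLE IF NOT EXISTS logs (
    site TEXT, receive_time TEXT, serial TEXT, type TEXT, subtype TEXT,
    src TEXT, dst TEXT, rule TEXT, app TEXT, action TEXT,
    severity TEXT, threat_name TEXT, bytes INTEGER
)
"""


def load_export(db, site, csv_text):
    """Parse one firewall's CSV export and insert it tagged with its site.
    Returns the number of records loaded."""
    db.execute(SCHEMA)
    rows = [(site,) + tuple(r[c] for c in COLUMNS)
            for r in csv.DictReader(io.StringIO(csv_text))]
    db.executemany("INSERT INTO logs VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)", rows)
    db.commit()
    return len(rows)


def build_db():
    """In-memory database holding both constructed site exports."""
    db = sqlite3.connect(":memory:")
    load_export(db, "remote-site", SITE_A_EXPORT)
    load_export(db, "corp", SITE_B_EXPORT)
    return db


def forwarding_estimate(db, severities=("critical", "high"),
                        traffic_rules=("inbound-dmz", "allow-internal")):
    """Simplified model of a selective log forwarding profile (assumption):
    threat logs are forwarded only at the listed severities, traffic logs
    only for the listed rules. Returns (forwarded_rows, total_rows) so the
    WAN impact can be sized before the profiles are changed."""
    sev_marks = ",".join("?" * len(severities))
    rule_marks = ",".join("?" * len(traffic_rules))
    sql = f"""
    SELECT SUM(CASE WHEN (type = 'THREAT' AND severity IN ({sev_marks}))
                      OR (type = 'TRAFFIC' AND rule IN ({rule_marks}))
                    THEN 1 ELSE 0 END),
           COUNT(*)
    FROM logs
    """
    forwarded, total = db.execute(sql, (*severities, *traffic_rules)).fetchone()
    return forwarded, total


def top_threats(db, severities=("critical", "high"), limit=10):
    """Global report across every loaded site: most frequent critical/high
    threats and how many distinct sites saw each one."""
    marks = ",".join("?" * len(severities))
    sql = f"""
    SELECT threat_name, COUNT(*) AS hits, COUNT(DISTINCT site) AS sites
    FROM logs
    WHERE type = 'THREAT' AND severity IN ({marks})
    GROUP BY threat_name
    ORDER BY hits DESC, threat_name
    LIMIT ?
    """
    return db.execute(sql, (*severities, limit)).fetchall()


if __name__ == "__main__":
    db = build_db()
    fwd, total = forwarding_estimate(db)
    print(f"selective forwarding would send {fwd} of {total} records")
    for name, hits, sites in top_threats(db):
        print(f"{hits:4d} hits across {sites} site(s): {name}")
```

On the constructed data the profile sends 5 of 11 records; on a real day's export the ratio is what tells you whether selective forwarding alone keeps the WAN link comfortable or whether the low-severity logs should simply stay on the units. Point `load_export` at a file read from the scheduled export (or at syslog output written to disk) and the same two queries run unchanged.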