Loss of connectivity when trasfering log to syslog server

Our PAN firewallls send their log to a central syslog server; in case there is a gap in the connectivity (e.g. satellite link down) what happens to the corresponding log entries?

Shall the remote firewall store them till the connection is available again and then send them to the central server?

At this time PANOS only appears to support Syslog over UDP, so your messages are lost if there is not a path to your syslog server.

Thanks, Shaun, indeed that was our guess...

The device ( firewall related ) logs will still be stored under the system logs locally on the firewall. But if you are sending all the traffic, threat, URL and the data filtering logs to a syslog server and in case there is a connectivity issue to the syslog server , you can still leverage the "scheduled log export" feature, as mentioned under the following document: https://live.paloaltonetworks.com/docs/DOC-3824#comment-3469,

by exporting the logs onto an FTP server.

The other method would be to backup the logs to Panorama, if the PANFW is being managed by it.


As I understand it Panorama is supposed to use a "delivery guaranteed" method of transfering logs between the firewall and the Panorama (and if it fails it should be logged which block of logs is missing).

That is in order to get the logs reliably from your firewall to your syslog-server something like this should work:

PA-firewall -> unreliable link (satellite link or whatever) -> Panorama -> reliable link (like in the same or nearby rack) -> Syslog-server

@mikand Correct, Panorama uses an internal acknowledgment mechanism over a TCP/SSL channel for log forwarding.

Panorama does not currently support forwarding any logs which it did not internally generate. Thus, logs from devices cannot be sent from Panorama to a syslog server.

Any ETA on when logs that has been forwarded to Panorama can then from Panorama be forwarded further to a syslog-server or such?

Please speak with your SE about setting up a call PM.

