We have one of our new PA4050s running in TAP mode listening to our datacentre firewalls (the firewalls they will replace - these are ASFs running Checkpoint FW1). We are also running Panorama on test machine in our testlab. The PA4050s are logging locally obviously and we're auto archiving off every day the threat, URL & traffic logs to an FTP server in csv format.
My question is - what is the best way forward for implimenting a proper log archiving strategy? I'm coming from a Checkpoint world - where it's fairly easy to archive log files off then load them back onto the management platform to view in the log GUI - and the customer likes this.
I don't see any way in Panorama of doing this - in fact the size of the logs is worrying also - we're running Panorama on a test client so it's only 10GB disk space for the VMARE - but already it looks as though I'll only get around 2 days of logs on the panorama. Our VAR suggested via PA themselves that we should have around 80GB on our live Panormama (we need the logs for around min 6 months) - but at that rate we would only get about 16 days (ish!!) of logs ever on the Panorama!! The PA4050 itself still has the full weeks worth of logs locally for the time it's been in for - and as mentioned I'm archiving that off - but it still looks very cumbersome to the customer searching through large daily CSV files.
Help!! Does anyone have any advice?
This is how I have mine setup:
Under Device > Log Settings, we have both System and Config logs being sent to the Panorama server.
Under Object > Log Forwarding, we have a profile setup to forward all threat and traffic logs to the Panorama server. We apply this profile under the options of each security policy.
The logging volumes on the PA-500, PA20xx and PA-40xx are all the same size and are not intended to store excessive amounts of data this is because the primary function they serve is as Firewall's and not reporting devices. Currently if you have a need for greater storage you can use the Panorama product that has a maximum logging volume size of two terabytes or you can use a syslog server to export your logs and then using some other reporting products output the data in a meaningful format.
There is currently no mechanism to import these logs back into the either the PAN-firewall's or the Panorama nor is this feature part of the upcoming 4.0 release. What the 4.0 will provide is a means of mounting an external storage device and utilizing space far exceeding the allocated amounts with the 3.x family.
Hi - many thanks to those who replied. I undertood that we wouldn't use the firewalls themselves as long term log storage. We were advised by our VAR that 80GB for long term log data storage on the Panorama would be more than adequate (not sure how they would know this as they didn't have visibility of the data we have going throught our current solution!!). Purchasing more software/hardware (syslog server, reporting software such as splunk) may make our customer baulk though (as would manually trailing through loads of CSV files!!). Thanks for all your input.
hi pkruse - about the limits on Panorama space. If we run VMARE server on a Windows machine with Panorama installed is the maximum 1TB or 2TB - I've read 2TB is only available if you load VMWARE ESX directly onto the hardware (ie. no host OS underneath). Will the space limit increase you speak of apply to both VMWARE on a windows machine and ESX? Or will the increase in 4.0 only be applied to the ESX variety of install? Is there any news on when 4.0 is scheduled? many thanks.
Here's the link that describes the limitations of VMware Server and VMware ESX. In 4.0, you will be able to utilize NFS which will assist in exceeding these disk space limitations. Tentative release date for 4.0 is March of this year.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!