Panorama centralised syslog forwarding ?


L3 Networker

Is the following scenario configurable:

FIREWALLS--->panoramalogging--->PANORAMA--->syslog--->SYSLOGSERVER

Usually enterprises have a Central Firewall Management infra (= Panorama ) and a SIEM infra.

But we want to avoid that individual firewalls need to send out the same logs twice.

1 accepted solution

Accepted Solutions

L4 Transporter

Currently there is no feature for panorama to forward traffic logs to the syslog server. The traffic logs have to be configured to forward logs to the syslog server via log forwarding profile.

Dominic


Just wanted to clarify the response to this question. The log forwarding profiles would have to be created on each Firewall to send syslogs to the SIEM in addition to sending logs to Panorama? There is no way to use Panorama as a central point for forwarding all the firewall logs to a SIEM?

Thanks,

Chris

Chris,

You could create the log forwarding profile in Panorama and push it to the devices. Then you can use the log forwarding profile on rules on the device or in Panorama pushed rules so the profile is centrally managed.

There is no way to use Panorama as the syslog forwarding point for traffic logs.
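As an added illustration (not from any poster in this thread), here is what the approach Dominic describes looks like as PAN-OS CLI set commands: a syslog server profile and a log forwarding profile defined centrally on Panorama and referenced from a pushed rule, so that the firewall itself sends each log to both Panorama and the SIEM while Panorama only distributes the configuration. All names (SIEM-syslog, siem01, LFP-Panorama-SIEM, DG-Branch, allow-web) and the SIEM address 10.0.0.5 are assumed placeholders. The match-list form of the log forwarding profile is the syntax of PAN-OS 8.x and later, not of the 4.x/5.x releases discussed above, and whether the profiles live in the shared, template or device-group scope on Panorama varies by release; check the CLI reference for the release in use.

```text
# Syslog server profile (assumed to be created as a shared object on Panorama so it is pushed to every managed firewall).
# Assumed names: SIEM-syslog (profile), siem01 (server entry); assumed SIEM address 10.0.0.5.
set shared log-settings syslog SIEM-syslog server siem01 server 10.0.0.5 transport UDP port 514 format BSD facility LOG_USER

# Log forwarding profile: one match-list entry per log type.
# Each entry sends the matching logs to Panorama AND to the SIEM. The firewall still emits
# both copies itself; Panorama is not relaying them (PAN-OS 8.x+ match-list syntax, assumed).
set shared log-settings profiles LFP-Panorama-SIEM match-list traffic-all log-type traffic filter "All Logs" send-to-panorama yes send-syslog SIEM-syslog
set shared log-settings profiles LFP-Panorama-SIEM match-list threat-all log-type threat filter "All Logs" send-to-panorama yes send-syslog SIEM-syslog

# Attach the profile to a rule in a device-group pre-rulebase (assumed device group and rule names),
# so the profile is referenced from centrally managed policy rather than configured per firewall.
set device-group DG-Branch pre-rulebase security rules allow-web log-setting LFP-Panorama-SIEM

# Commit on Panorama, then push the device-group configuration to the managed firewalls.
commit
commit-all shared-policy device-group DG-Branch
```

A rule without a log-setting forwards nothing, so a quick check after the push is that every rule that should reach the SIEM shows the profile in `show running security-policy` on the firewall, and that the SIEM actually receives traffic and threat entries from each device rather than only from the one used for testing.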

Can we get this functionality added in a future release of PANORAMA?

Please work with your SE to file a feature request.

L2 Linker

Just wondering if this feature request was ever implemented. We are also in the same boat. We have Panorama 4.1.2 and firewall devices. They are all sending traffic/threat/data-filtering and other logs to Panorama. We would like to see if the same logs could be forwarded to the SIEM.

Appreciate the answer.

Thanks

Junaid

Unfortunately this FR has not been implemented yet.

But is it on the roadmap, or do all customers need to contact their sales rep for this to happen?

We requested this feature to our sales rep a year ago.

This request has been around for quite some time. We analyze feature requests (FRs), strategic requirements, and enhancement ideas before each release. We then propose a set of requirements for a release and review it with engineering. Priorities, resource capacity, and difficulty are used to thin the list of requirements to what ends up being delivered.

This particular requirement has made it to the short list a couple of times but never made it through the final phase where it would end up in Panorama. We are continuing to push for inclusion since it is both requested by customers frequently and strategic.

Please ask your SE for more details about the FR process if you have more questions.

Kind of makes me wonder what the point of Panorama is, given that we don't use shared rules. Might be one for us to drop maintenance for actually. We get no value from our deployment of this service.

I'll speak to our account rep regarding the future of this product.

Panorama is essential when you have many firewalls to manage and administering each device independently no longer scales. We see customers beginning to use Panorama for centralized configuration management when they have 6-10 devices. These customers utilize it for aggregate deployment visibility, configuration management, and maintenance.

Some smaller customers with fewer devices will use Panorama to provide centralized visibility over their devices through log forwarding because they like our reporting, log viewing, and ACC functionality. These customers will also use it for maintenance to push SW, content, and client updates from Panorama centrally. In this case it is less about centralized configuration management, as you pointed out for your enterprise currently.

Syslog collectors are important for many customers and can augment the capabilities of Palo Alto Networks devices as well as Panorama. If the Syslog forwarding from Panorama were to be implemented in a future release, we hope Panorama would be utilized for more than just Syslog relay functionality.

Not applicable

Thanks for the clarification, Mike. I'm still struggling to see value in Panorama in terms of administrating multiple devices personally - the pre/post policy rules are clunky and we haven't found the Threat/AV updates to be reliable, so the main selling point for us was the unified log. But since we have a SIEM tool, Solarwinds Orion, Panorama and Tufin SecureTrack all demanding syslog from the firewalls in order to provide various functionality, we have the firewalls generating between 3,000 and 10,000 sessions of syslog continually, hammering the management plane and swamping the service-route NIC.

It shouldn't be the firewall's job to send syslog to multiple sources - it's the management device's job to do so. That Panorama can't do this reduces it to a minor convenience tool. In fact, since our main firewalls are active/standby, the only time Panorama is accessed is when we have a failover event, which is to say, almost never.

As I say, I'll raise this with our account manager, ditch Panorama from our maintenance contract next cycle and, if it's ever developed in a more useful direction, we'll revisit the decision.

Hi,

I seem to remember that PA talked about syslog forwarding from Panorama to a syslog server, including logs from firewalls, at the SE Tech Update in Helsinki a few months ago.

But I can't find anything about it in Panorama 5.1?

Has this still not been implemented?

Regards,

Niels Stoltze
