Panorama centralised syslog forwarding?


L3 Networker

Is the following scenario configurable:


Usually enterprises have a Central Firewall Management infra (= Panorama) and a SIEM infra.

But we want to avoid that individual firewalls need to send out the same logs twice.


This request has been around for quite some time. We analyze feature request (FR), strategic requirements, and enhancement ideas before each release. We then propose a set of reqs for a release and review with engr. Priorities, resource capacity, and difficulty are used to thin the list of reqs to what ends up being delivered.

This particular req has made it to the short list a couple of times but never through the final phase where it would end up in Panorama. We are continuing to push for inclusion since it is both requested by customers frequently and strategic.

Please ask your SE for more details about the FR process if you have more questions.

Kind of makes me wonder what the point of Panorama is, given that we don't use shared rules. Might be one for us to drop maintenance for actually. We get no value from our deployment of this service.

I'll speak to our account rep regarding the future of this product.

Panorama is essential when you have many firewalls to manage and administering each device independently no longer scales. We see customers beginning to use Panorama for centralized configuration management when they have 6-10 devices. These customers utilize it for aggregate deployment visibility, configuration management, and maintenance.

Some smaller customers with fewer devices will use Panorama to provide centralized visibility over their devices through log forwarding because they like our reporting, log viewing, and ACC functionality. These customers will also use it for maintenance to push SW, content, and client updates from Panorama centrally. In this case it is less about centralized configuration management, as you pointed out for your enterprise currently.

Syslog collectors are important for many customers and can augment the capabilities of Palo Alto Networks devices as well as Panorama. If the Syslog forwarding from Panorama were to be implemented in a future release, we hope Panorama would be utilized for more than just Syslog relay functionality.


Thanks for the clarification, Mike. I'm still struggling to see value in Panorama in terms of administrating multiple devices personally - the pre/post policy rules are clunky and we haven't found the Threat/AV updates to be reliable, so the main selling point for us was the unified log. But since we have a SIEM tool, Solarwinds Orion, Panorama and Tufin SecureTrack all demanding syslog from the firewalls in order to provide various functionality, we have the firewalls generating between 3000 and 10,000 sessions of syslog continually, hammering the management plane and swamping the service-route NIC.

It shouldn't be the firewall's job to send syslog to multiple sources - it's the management device's job to do so. That Panorama can't do this reduces it to a minor convenience tool. In fact, since our main firewalls are active/standby, the only time Panorama is accessed is when we have a failover event, which is to say, almost never.

As I say, I'll raise this with our account manager, ditch Panorama from our maintenance contract next cycle and if it's ever developed in a more useful direction, we'll revisit the decision.


I seem to remember that PA talked about syslog forwarding from Panorama to a syslog server, including logs from firewalls, at the SE Tech Update in Helsinki a few months ago.

But I can't find anything about it in Panorama 5.1..?

Has this still not been implemented...?


Niels Stoltze

Panorama Syslog forwarding of Device forwarded logs is not in the 5.1 release.

Please talk with your SE about any roadmap related inquiries.

We have been asking for this since 3.0 ;-(

Please talk with your SE about any roadmap related inquiries.

L2 Linker

A long-standing request, and an important one, since Panorama is not a qualifying platform where log retention/sanitation/deletion compliance regulations are in effect.

Bumping it again to the SE.

Feature request ID is 782 😉
