Is the following scenario configurable:
Usually enterprises have a Central Firewall Management infra (= Panorama) and a SIEM infra.
But we want to avoid that individual firewalls need to send out the same logs twice.
This request has been around for quite some time. We analyze feature request (FR), strategic requirements, and enhancement ideas before each release. We then propose a set of reqs for a release and review with engr. Priorities, resource capacity, and difficulty are used to thin the list of reqs to what ends up being delivered.
This particular req has made it to the short list a couple of times and never made it through the final phase where it would end up in Panorama. We are continuing to push for inclusion since it is both requested by customers frequently and strategic.
Please ask your SE for more details about the FR process if you have more questions.
Panorama is essential when you have many firewalls to manage and administering each device independently no longer scales. We see customers beginning to use Panorama for centralized configuration management when they have 6-10 devices. These customers utilize it for aggregate deployment visibility, configuration management, and maintenance.
Some smaller customers with fewer devices will use Panorama to provide centralized visibility over their devices through log forwarding because they like our reporting, log viewing, and ACC functionality. These customers will also use it for maintenance to push SW, content, and client updates from Panorama centrally. In this case it is less about centralized configuration management, as you pointed out for your enterprise currently.
Syslog collectors are important for many customers and can augment the capabilities of Palo Alto Networks devices as well as Panorama. If the Syslog forwarding from Panorama were to be implemented in a future release, we hope Panorama would be utilized for more than just Syslog relay functionality.
Thanks for the clarification, Mike. I'm still struggling to see value in Panorama in terms of administrating multiple devices personally - the pre/post policy rules are clunky and we haven't found the Threat/AV updates to be reliable, so the main selling point for us was the unified log. But since we have a SIEM tool, Solarwinds Orion, Panorama and Tufin SecureTrack all demanding syslog from the firewalls in order to provide various functionality, we have the firewalls generating between 3,000 and 10,000 sessions of syslog continually, hammering the management plane and swamping the service-route NIC.
It shouldn't be the firewall's job to send syslog to multiple sources - it's the management device's job to do so. That Panorama can't do this reduces it to a minor convenience tool. In fact, since our main firewalls are active/standby, the only time Panorama is accessed is when we have a failover event, which is to say, almost never.
As I say, I'll raise this with our account manager, ditch Panorama from our maintenance contract next cycle and if it's ever developed in a more useful direction, we'll revisit the decision.
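The architecture the thread asks for is a single log path out of each firewall with the fan-out to SIEM, monitoring and policy-analysis tools done downstream. The following relay is an added example, not code from the thread, from Palo Alto Networks, or from any of the products named above: it receives each syslog line once over UDP, reads the PAN-OS log type from the CSV body, and forwards the line to every collector that wants that type. The destination names, hosts, ports, the per-collector type filters and the sample log line are all constructed for illustration.

```python
"""Syslog fan-out relay: receive each firewall log line once, forward to N collectors.

Added example, not from the thread or from any vendor. Assumes RFC 3164-style UDP
syslog with a PAN-OS CSV body; all hosts, ports and filters below are placeholders.
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Constructed sample line (PAN-OS CSV layout abbreviated; values are made up).
SAMPLE_LINE = ("<14>Jan 10 12:00:00 pa-fw-01 "
               "1,2024/01/10 12:00:00,001234567890,TRAFFIC,end,...")

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass(frozen=True)
class Destination:
    name: str
    host: str
    port: int
    # Log types this collector wants; an empty set means "everything".
    wanted_types: frozenset = frozenset()


def parse_priority(line: str) -> Tuple[int, int, str]:
    """Split the syslog <PRI> into (facility, severity) and return the remainder."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 severities - 1
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8, m.group(2)


def log_type(body: str) -> str:
    """Return the PAN-OS log type (4th CSV field after the BSD header), or ''."""
    # body: "Jan 10 12:00:00 host 1,receive_time,serial,TYPE,subtype,..."
    try:
        csv_part = body.split(" ", 4)[4]
    except IndexError:
        return ""
    fields = csv_part.split(",")
    return fields[3] if len(fields) > 3 else ""


def route(line: str, destinations: Iterable[Destination]) -> List[Destination]:
    """Pick the collectors that should receive this one firewall emission."""
    _, _, body = parse_priority(line)
    ltype = log_type(body)
    return [d for d in destinations if not d.wanted_types or ltype in d.wanted_types]


def fan_out(line: str, destinations: Iterable[Destination],
            send: Callable[[Destination, bytes], None]) -> List[str]:
    """Forward one line to every matching destination; return the names reached."""
    data = line.encode("utf-8")
    reached = []
    for d in route(line, destinations):
        send(d, data)
        reached.append(d.name)
    return reached


def udp_sender(sock: socket.socket) -> Callable[[Destination, bytes], None]:
    """Real transport: one UDP datagram per destination."""
    return lambda d, data: sock.sendto(data, (d.host, d.port))


def serve(listen_port: int, destinations: List[Destination]) -> None:
    """Blocking loop: the firewall sends here once, the relay does the fan-out."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("0.0.0.0", listen_port))
    send = udp_sender(socket.socket(socket.AF_INET, socket.SOCK_DGRAM))
    while True:
        data, _ = rx.recvfrom(65535)
        try:
            fan_out(data.decode("utf-8", errors="replace"), destinations, send)
        except ValueError:
            continue  # drop a malformed line rather than crash the relay


# Placeholder collectors (hosts under .invalid so nothing is reachable by accident).
DESTINATIONS = [
    Destination("siem", "siem.example.invalid", 514),                       # wants everything
    Destination("monitoring", "orion.example.invalid", 514, frozenset({"SYSTEM"})),
    Destination("policy-analysis", "tufin.example.invalid", 514,
                frozenset({"CONFIG", "SYSTEM"})),
]

if __name__ == "__main__":
    serve(5514, DESTINATIONS)
```

Because `fan_out` takes the sender as a parameter, the routing logic can be exercised without any network, and the firewall itself only ever needs one log forwarding profile pointing at the relay. A relay like this also becomes the single place to add rate limiting or a persistent queue if one collector falls behind, which is exactly the load the last post describes landing on the firewall's management plane.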