Virtual Panorama for Log viewing only


Hi all,

 

I hope someone already did something like that to answer my question 😛

 

We have a virtual Panorama on PAN-OS 8 with a local log collector. On this Panorama we manage different firewalls and also store the logs of these firewalls. This Panorama is in a secure zone where we ONLY allow access for firewall administrators.

So far so good. Now we have a customer who got a visit from Palo Alto itself, where he was shown Palo Alto products, including Panorama. The result of this visit was that the customer now asks me if he could have access to Panorama to view specifically the ACC tab of the logs of ONE firewall cluster. And unfortunately not only current data. We are storing these logs for 180 days. So he'd like to have access to this data, for reporting reasons.

Our own policy now does not allow us to give the customer this access.

But my idea now was the following: we build a second Panorama only for this one firewall of this customer. This second Panorama will not be used for managing this firewall because on the first Panorama we forward some specific logs to the second Panorama, where the customer can have access to view these logs.

 

Is this even possible with PAN-OS 8 and the local log collectors?

 

Any input or better ideas are appreciated 😉

Regards,

Remo

 

2 REPLIES

Cyber Elite

If the firewall is at the client site, why don't you just allow direct login into the firewall with read-only access to specific tabs?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

@Raido_Rattameister

Thanks for your reply. Yes, this would actually be a pretty simple solution. But there are two little problems (besides the one that there is important information missing in my initial post):

  1. This "one" firewall unfortunately is an active/passive HA pair
  2. It's not only to view current data. We have to store logs for 180 days. And these logs need to be available