10-25-2023 08:05 AM
Hi,
New to all things Palo Alto after coming from Cisco ASA and Firepower.
I've been asked to set up 2 Palo Alto firewalls in HA; this has been successful. I added them to Panorama, which appears to be successful, and configured the Palo Altos to send logs to Panorama: on the Palo Alto, under Objects > Log Forwarding, I created a profile and ticked the 'Panorama' box.
I was surprised it was that easy till I checked on Panorama Monitor > Logs > Traffic and there was nothing there. What have I missed?
This is the first step, as the final idea is to then output Panorama to QRadar.
10-25-2023 08:25 AM
Hi @PaulTowns
Can you check if the log forwarding profile is attached to the security policies?
You can refer to the steps given here for the configuration.
Hope it helps!
10-27-2023 12:46 AM
In that it asks to set up Options for Log settings. Does this mean I need to add this to all the policies on the firewall? This firewall has 78 policies. Or do I simply create a policy for traffic to Panorama and add it to that one so all logs are sent?
10-30-2023 10:30 PM
Hello @PaulTowns
You should add the log forwarding profile to all 78 policies. If you create a log forwarding profile with the name "default", it will be automatically added to every new security policy you create. Here is a link in the documentation for reference: Configure Log Forwarding.
For all existing security policies you will have to add the log forwarding profile. Starting with PAN-OS 10.2 you can add a log forwarding profile to all policies in bulk. Here is a link for reference: How to Add Log Forwarding Profiles in All Security Policies.
Lastly, the predefined policies “intrazone-default” and “interzone-default” have to be overridden in order to add a log forwarding profile. Link for reference: What are Universal, Intrazone and Interzone Rules
Kind Regards
Pavel
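One way to audit an exported firewall configuration for the three cases in the reply above (rules with no profile, rules with a different profile, predefined rules not yet overridden), as an added example that is not part of the original thread. It assumes the exported XML stores the profile name in each rule's `log-setting` element and overridden predefined rules under `default-security-rules`; the sample config, rule names and function name are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements the audit reads (assumed export layout).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase>
  <security><rules>
    <entry name="allow-web"><action>allow</action><log-setting>default</log-setting></entry>
    <entry name="allow-dns"><action>allow</action></entry>
    <entry name="legacy-ftp"><action>allow</action><log-setting>to-syslog</log-setting></entry>
  </rules></security>
  <default-security-rules><rules>
    <entry name="interzone-default"><action>deny</action><log-end>yes</log-end></entry>
  </rules></default-security-rules>
</rulebase>
</entry></vsys></entry></devices></config>"""

# Firewall-local rulebase plus the Panorama pre/post rulebases.
RULEBASES = ("rulebase", "pre-rulebase", "post-rulebase")
PREDEFINED = ("intrazone-default", "interzone-default")


def audit_log_forwarding(config_xml, expected_profile):
    """Return (rule, problem) pairs for rules that will not forward via expected_profile."""
    root = ET.fromstring(config_xml)
    findings, overridden = [], set()
    for tag in RULEBASES:
        for rb in root.iter(tag):
            entries = rb.findall("./security/rules/entry")
            defaults = rb.findall("./default-security-rules/rules/entry")
            overridden.update(e.get("name") for e in defaults)
            for e in entries + defaults:
                profile = (e.findtext("log-setting") or "").strip()
                if not profile:
                    findings.append((e.get("name"), "no log forwarding profile"))
                elif profile != expected_profile:
                    findings.append((e.get("name"), f"uses profile '{profile}'"))
    # Predefined rules absent from the config have never been overridden.
    for name in PREDEFINED:
        if name not in overridden:
            findings.append((name, "not overridden, cannot carry a profile"))
    return findings


if __name__ == "__main__":
    for rule, problem in audit_log_forwarding(SAMPLE_CONFIG, "default"):
        print(f"{rule}: {problem}")
```

Run against a real export, an empty result means every security rule, including both predefined ones, references the expected profile.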
11-05-2023 11:14 PM
Thank you sir for the link, please mark it as a solution.