configuration to get traffic logs from a Palo Alto firewall into Panorama without directly adding it as a managed device

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

configuration to get traffic logs from a Palo Alto firewall into Panorama without directly adding it as a managed device

L1 Bithead

I need help to configure log forwarding on firewall to Panorama but I dont want to add the firewalls to Panorama

configuration to get traffic logs from a Palo Alto firewall into Panorama without directly adding it as a managed device

8 REPLIES 8

Cyber Elite
Cyber Elite

The firewall needs to be connected to panorama to receive the correct log collector configuration.

The log collector get's a list of firewalls that are allowed to send log to it from the managed devices, and managed devices are instructed which collector is their primary log forwarding target etc.

 

This cannot be achieved without attaching a firewall to panorama managed devices (you are not required to push any configuration onto the managed firewall, if that is your worry)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks Reaper, due to some restriction in our environment we are not allowed to add few firewalls to Panorama as managed devices.

I know is not a normal practice and its an exceptional configuration we need to achieve the goal. 

L1 Bithead

You can do it but you still need to add the firewall as a managed device but don't add it to any templates or device-groups. I've done this recently for the same purpose of getting the logs into Panorama without managing it.

Hi Vsurresh,
thank you for your response. 

So to accomplish the requirement, I need to add the firewall under Panorama > Managed devices 

But I should not add the firewall in any template or device groups

Correct !

I can't remember exactly what I did but these are the steps I took looking at my notes.

  • Add both Panorama IPs to the firewall and leave all other settings at default
  • Add the firewall serials to Panorama
  • Add the firewall to the log collector group
  • Create a log forwarding profile called ‘default’ which forwards all the traffic logs to Panorama.
  • Add the log forwarding profile to all the security rules
  • A firewall is not added to any device groups or templates on Panorama

Cyber Elite
Cyber Elite

indeed, the firewall does not need to be member of a device group or template, but it does need to be in 'managed devices' to get the colector configuration sent to it

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thank you Vsurresh

Got it Tom Piens

  • 2138 Views
  • 8 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!