Disclaimer: This doc was created using PAN-OS version 11.2. If you are using PAN-OS versions earlier than 10.1, please refer to the official documentation for steps. Also, in previous PAN-OS versions, you may see older naming conventions like “Cortex Data Lake” or “Logging Service” instead of “Cloud Logging”.
[Note: This step is needed if you need to activate a new Strata Logging Service instance.]
2. Once Strata Logging Service is activated, it takes 10-15 minutes to provision the tenant; until then, the Strata Logging Service app on the Hub shows “In Progress”.
3. Once provisioning is completed, the app becomes available on the Hub, and clicking it takes you to Strata Logging Service. You will also receive an email upon successful provisioning.
c. Select Option 1: Generate OTP for Next Generation Firewall (PanOS). If installing a device certificate for Panorama, use Option 2: Generate OTP for a Panorama. Select the serial number and click Next.
d. Copy the OTP.
2. Update the OTP on the firewall:
a. Go to Device → Setup → Device Certificate → Get Certificate
[Note: This step is not needed if you don’t have a Strata Logging Service subscription and only have XSIAM with an XDR PRO GB license.]
4. Filter the firewalls by serial number, select the firewalls you want to add, and click Submit.
[Note: If the license is not seen on the firewall, check on adminsite for PAN-LGS-DL.]
b. Enable Cloud Logging: Go to DEVICE > Setup > Management > Cloud Logging and select Enable Cloud Logging to log to Strata Logging Service.
[Cloud Logging is referred to as Cortex Data Lake or Logging Service if you are running older PAN-OS versions.]
c. Optional: Enable Enhanced Application Logging [needed for IoT and Cortex XDR].
d. Select the region from the drop-down and commit the configuration.
e. To check the connection to Strata Logging Service/Cloud Logging: Go to DEVICE > Setup > Management > Cloud Logging and click Show Status.
f. You can also check the status of the firewalls' connection to Strata Logging Service in the Strata Logging Service UI. Go to Inventory > Firewalls and check the connection status.
[Cloud Logging is referred to as Cortex Data Lake or Logging Service if you are running older PAN-OS versions.]
Optional: Use Filter to select the specific logs to send to Strata Logging Service.
d. Similarly, repeat steps b and c for the log types that you want to forward to Strata Logging Service/Cloud Logging.
2. Optional: Enable Enhanced Application Logging [EAL], required for Cortex XDR or IoT subscriptions.
Enable EAL: Go to Device > Setup > Management > Logging Service
3. Optional: Create a Log Forwarding profile for Enhanced Application Logging [needed for IoT and Cortex XDR].
4. Attach the Log Forwarding profile or Enhanced Log Forwarding profile to security rules:
Go to Security policy Rule > Actions > Log Forwarding > <profile-name>
5. Follow the steps below to forward the rest of the logs (System, Configuration, User-ID, HIP Match, GlobalProtect, and IP-Tag logs) to Cloud Logging:
a. Create a profile for System logs: Go to Device > Log Settings > System > + Add > Select Cloud Logging
[Cloud Logging is referred to as Cortex Data Lake or Logging Service if you are running older PAN-OS versions.]
b. Similarly, create profiles for Configuration, User-ID, HIP Match, GlobalProtect, and IP-Tag logs.
6. After the configuration is completed, commit the configuration; you should start seeing logs in Strata Logging Service UI > Explore.
[Note: This step is needed if you need to activate a new Strata Logging Service instance.]
2. Once Strata Logging Service is activated, it takes 10-15 minutes to provision the tenant, and the Strata Logging Service app on the Hub shows “In Progress”.
3. Once provisioning is completed, the app becomes available on the Hub, and clicking it takes you to Strata Logging Service. You will also receive an email upon successful provisioning.
c. Select Option 2: Generate OTP for Panorama.
d. Select the serial number of the Panorama and generate the OTP. Copy the OTP.
e. Paste the OTP in the Panorama UI. Go to PANORAMA > Setup > Management > Device Certificate > Get Certificate
2. Log in to the CSP, select Products > Device Certificates, and click Generate OTP.
3. For the Device Type, select Generate OTP for Panorama managed firewalls and click Next.
4. Once the OTP is generated, you will see a confirmation.
5. Go to Products > Device Certificates > View OTP History. Wait for the OTP status to complete, and then copy the OTP.
6. Paste the OTP on the Panorama: Go to Panorama > Managed Devices > Summary > Upload OTP
[Note: This step is not needed if you don’t have a Strata Logging Service subscription and only have XSIAM with an XDR PRO GB license.]
4. Filter the Panorama by serial number, select the Panorama you want to add, and click Submit.
[Note: This step is not needed if you don’t have a Strata Logging Service subscription and only have XSIAM with an XDR PRO GB license.]
4. Filter the firewalls by serial number, select the firewalls you want to add, and click Submit.
Panorama needs a Strata Logging Service license so that it can connect to Strata Logging Service. It is not a separate license. After adding Panorama to Strata Logging Service, go to the Panorama UI and click Panorama > Licenses > Retrieve license keys from license server.
[Note: If the license is not seen on the Panorama, check on adminsite for PAN-LGS-DL.]
2. Download and install the latest Cloud Services plugin:
b. Generate the OTP from the Strata Logging Service UI portal. Go to Inventory > Panorama Appliances > Generate OTP. Copy the OTP.
c. Go to Panorama > Cloud Services > Status. Paste the OTP. Ensure NTP is configured on the firewalls and Panorama; otherwise, you will not be allowed to proceed.
d. Once you paste the OTP, you will see the status of the Strata logging service.
2. Enable Cloud Logging for managed firewalls: Templates > DEVICE > Setup > Management > Cloud Logging. Enable Cloud Logging and select the region from the drop-down list.
Optional: Enable Enhanced Application Logging [required for Cortex XSIAM and IoT].
[Note: Cloud Logging is referred to as Cortex Data Lake or Logging Service if you are running older PAN-OS versions.]
3. Create a Log Forwarding profile from Panorama and push it to the firewalls: Go to Device Groups > Objects > Log Forwarding > + Add [new Log Forwarding profile].
4. Add the Log Forwarding profile match list for each log type: click Add > Log Forwarding Profile Match List, select the log type you want to forward, and select Panorama/Cloud Logging.
[Note: Cloud Logging is referred to as Cortex Data Lake or Logging Service if you are running older PAN-OS versions.]
5. Similarly, repeat steps 3 and 4 for all log types that you would like to forward.
6. Associate the Log forwarding profile to the security rule.
7. Commit and Push the configuration to the firewalls
8. Optional: Enable EAL [Enhanced Application Logging], needed for IoT and Cortex XDR.
c. Associate the Log forwarding profile to the security rule
d. Commit and Push the configuration to the firewalls
9. Forward the rest of the device logs:
[Note: Cloud Logging is referred to as Cortex Data Lake or Logging Service if you are running older PAN-OS versions.]
c. Similarly, follow the same steps as <a> and <b> for Configuration, User-ID, IP-Tag, HIP Match, GlobalProtect, and Correlation logs.
d. Commit and Push the configuration to the firewalls
10. Verify the log ingestion in Strata Logging Service UI > Explore.
You can also view the logs on the Panorama > Monitor page.
[Note: This step is needed if you need to activate a new Strata Logging Service instance.]
f. Select your CSP Account from the “Customer Support Account” dropdown
g. Specify the tenant or TSG under “Specify the Recipient” where you want to deploy Strata Logging Service, or create a new TSG/tenant from the dropdown if needed
h. Select the Region where you want your logs to be stored from “Select Region” dropdown
i. Under “Add Strata Logging Service”, select “Create New”, specify the log storage that you have purchased, and click Activate.
2. Once Strata Logging Service is activated, it takes 10-15 minutes to provision the tenant, and the Strata Logging Service app on the Hub shows “In Progress”.
3. Once provisioning is completed, the app becomes available on the Hub, and clicking it takes you to Strata Logging Service. You will also receive an email upon successful provisioning.
Add Firewalls to Strata Logging Service UI
[Note: Firewalls that are managed by Strata Cloud Manager automatically get default Log Forwarding profiles to Strata Logging Service and have Cloud Logging enabled.]
2. Device logs such as System, Configuration, User-ID, HIP Match, GlobalProtect, and IP-Tag logs are forwarded to Strata Logging Service by default.
3. EAL logs are forwarded to Strata Logging Service by default.
2. Select the firewall serial number from the drop-down list and click Next.
3. If you also have Panorama, then you can also add the Panorama instance:
1. For Self Managed Firewalls, follow the below steps:
a. Configure Firewalls to Connect to Cloud Logging
b. Forward Firewall logs to Cloud Logging
2. If Firewalls are managed by Panorama, follow these steps instead of 1:
a. Configure Panorama Managed Firewalls to connect to Cloud Logging
3. For Firewalls managed by Strata Cloud Manager: Firewalls managed by Strata Cloud Manager
4. Verify the logs on XSIAM. Go to Cortex XSIAM UI, Incident Response > Investigation > Query Center > + New XQL Query and use the query below:
dataset = panw_ngfw_system_raw | filter log_source_id = "[NGFW device SN]"
[Note: This step is needed if you need to activate a new Strata Logging Service instance.]
2. Once Strata Logging Service is activated, it takes 10-15 minutes to provision the tenant, and the Strata Logging Service app on the Hub shows “In Progress”.
3. Once provisioning is completed, the app becomes available on the Hub, and clicking it takes you to Strata Logging Service. You will also receive an email upon successful provisioning.
c. Install Device certificate on Panorama: Install Device Certificate for Panorama
d. Install Device Certificate on panorama managed firewalls: Device certificates for Panorama Managed Firewalls
2. Select the firewall serial number from the drop-down list and click Next.
3. If you also have Panorama, then you can also add the Panorama instance:
2. For Firewalls managed by Panorama:
a. Configure Panorama Managed Firewalls to connect to Cloud Logging
3. For Firewalls managed by Strata Cloud Manager: Firewalls managed by Strata Cloud Manager
4. Verify the logs in Strata Logging Service UI > Explore.
5. Verify the logs on XSIAM. Go to Cortex XSIAM UI, Incident Response > Investigation > Query Center > + New XQL Query and use the query below:
dataset = panw_ngfw_system_raw | filter log_source_id = "[NGFW device SN]"