Strata Logging Service
Onboard Devices to Your Strata Logging Service Instance
Manage the devices connected to Strata Logging Service from the Inventory
tab.
The procedure to onboard devices to your Strata Logging Service tenant depends on the device type and the Strata Logging Service license scheme you are using. You must have enough licenses to add devices to the tenant.
All the devices (except VM-Flex devices) are onboarded through the Device Associations
page, which can be accessed in two ways:
- From the standalone app Inventory menu
- From the Strata Cloud Manager Settings > Device Associations menu.
If you are using Strata Cloud Manager to manage Strata Logging Service, go to the Settings > Device Associations page to
add or remove devices onboarded to your Strata Logging Service instance.
After you add devices to your Strata Logging Service tenant, continue to
associate the devices to your Strata Logging Service license. You also have the
option to remove the device associated with your Strata Logging Service tenant
and add it to another tenant containing the desired Strata Logging Service
instance.
Panorama
Onboard Panorama devices
The devices are not onboarded automatically while activating Panorama. Use the Strata Logging Service standalone app or Strata Cloud Manager to onboard
Panorama devices.
You can perform the following actions.
Add a Panorama Appliance
- Log in to hub and launch Strata Logging Service app.
- Select the Strata Logging Service instance to which you would like to move the devices.
- Click Inventory > Panorama Appliances > Manage Panorama Inventory.
- If you are using Strata Cloud Manager to manage Strata Logging Service, click Settings > Device Associations page to add devices to your Strata Logging Service instance.
- You must onboard Panorama devices with IoT enabled to Strata Logging Service through Device Associations page only and not from standalone app.
- In the Device Associations page, click Add Device.
- Select the device you want to onboard and save changes.
- In the Licensed Products selection column, select Strata Logging Service.
- Continue to associate product with devices:
  - In the Device Association page, select Associate Products.
  - In the Licensed Products selection column, select Strata Logging Service.
  - Select the devices you want to associate with the product and save the changes.
Generate OTP
Click Inventory > Panorama Appliances > Generate OTP to create the one-time password used to onboard Panorama-managed firewalls to your Strata Logging Service instance. Panorama uses this OTP to install the logging service certificate. Alternatively, for Panorama 10.1 or later, go to the Customer Support Portal to get the OTP for installing the device certificate.
You can Generate OTP and Add devices only in Standalone Strata Logging Service app. When you select these options in Strata Cloud Manager, you will be automatically redirected to Strata Logging Service app.
Move a Panorama Appliance
To move a Panorama Appliance from one Strata Logging Service to another, remove the associated appliance from the tenant and add it to the new tenant. The destination Strata Logging Service instance must be in the same customer support account as the original instance. To move a Panorama appliance to another Strata Logging Service instance, ensure that the appliance:
- is running PAN-OS 10.0 or later
- has a device certificate installed
- is not managing Prisma Access
- has Cloud Services Plugin 2.2 or later installed
- (HA configuration only) has the serial number of its peer configured.
To remove the appliance from its current tenant:
- Navigate to Strata Cloud Manager > Settings > Device Associations.
- Select the device you want to disassociate from Strata Logging Service and other products.
- Click Remove Associations > Remove product association and click Remove.
- Select the device you want to disassociate from the tenant.
- Click Remove Associations > Remove tenant association > Remove.
View Onboarded Panorama Appliances
Click Inventory > Panorama Appliances to view the onboarded Panorama appliances. This list does not show the mapping of a Panorama to its managed firewalls.
- Name: The name under which the Customer Support Portal registered the Panorama. If unnamed, then the name appears as Panorama. You can change this name in the Customer Support Portal.
- Model: The model of the Panorama.
- Serial Number: The unique serial number of the Panorama.
- PAN-OS Version: The version of PAN-OS that the Panorama is running.
- Last Contact Time: The last time that the Panorama communicated with Strata Logging Service to query logs.
- Certificate Status: Whether the Panorama has the certificate necessary to connect to Strata Logging Service. Hover over the certificate status to see which certificate the Panorama is using to connect to Strata Logging Service: logging service certificate or device certificate.
  - Needs Certificate—The certificate is missing. This device can't connect to Strata Logging Service.
  - Activated—This device has the certificate necessary to connect to Strata Logging Service.
  - Expired—The certificate has expired. The device is unable to connect to Strata Logging Service until you renew the certificate.
  - Expiring in 7 Days—The certificate will expire in 7 days. Renew the certificate as soon as possible to remain connected to Strata Logging Service.
You can have up to 20 Panorama devices associated with your instance at a time.
Firewalls
Onboard firewalls to Strata Logging Service.
You can onboard both software firewalls and hardware firewalls. The process to onboard hardware firewalls and software firewalls varies for qualifying and non-qualifying users of the new Strata Logging Service and Strata Cloud Manager Pro licenses.
Add a Hardware Firewall
- Log in to hub and launch Strata Logging Service app.
- Select the Strata Logging Service instance to which you would like to add the devices.
- Click Inventory > Firewalls > Manage Firewall Inventory > Manage other firewalls.
- If you are using Strata Cloud Manager to manage Strata Logging Service, click Settings > Device Associations page to add devices to your Strata Logging Service instance.
- In the Device Associations page, click Add Device.
- Select the device you want to onboard and save changes.
- In the Licensed Products selection column, select Strata Logging Service.
- Continue to associate product with devices:
  - In the Device Association page, select Associate Products.
  - In the Licensed Products selection column, select Strata Logging Service.
  - Select the devices you want to associate with the product and save the changes.
Add a Software Firewall
Add a VM-Flex device to your Strata Logging Service instance.
- For qualifying user of Strata Logging Service: VM-Flex devices are automatically onboarded when you select Strata Logging Service or Strata Cloud Manager Pro (new license) on the deployment profile and have associated the deployment profile to the TSG in which Strata Logging Service resides.
- If you are a non-qualifying user and are not enabling the new Strata Logging Service or Strata Cloud Manager Pro services on the deployment profile:
  - Log in to the Strata Logging Service standalone app.
  - Click Inventory > Firewalls.
  - Click Manage Firewall Inventory > Manage flexible VM-Series firewalls > Add.
  - Select the firewalls to associate to Strata Logging Service instance and click Submit.
Onboarding of VM-Flex device is not enabled from the Strata Cloud Manager Device Associations page.
Generate Pre-shared Key
Click Inventory > Firewalls > Generate PSK to create the pre-shared key used to onboard a firewall running PAN-OS 10.0 or earlier to your Strata Logging Service instance.
You can Generate PSK only in Standalone Strata Logging Service app. When you select this option in Strata Cloud Manager, you will be automatically redirected to Strata Logging Service app.
Move a Firewall
To move a firewall from one Strata Logging Service instance to another, the destination Strata Logging Service instance must be in the same customer support account as the original instance. To move a firewall to another Strata Logging Service instance, ensure that the firewall:
- is running PAN-OS 10.0 or later
- has a device certificate installed
- has Cloud Services Plugin 2.2 or later installed
Move a Hardware Firewall
To move a hardware device from one Strata Logging Service instance to another, remove the associated device from the tenant and add it to the new tenant.
- Navigate to Strata Cloud Manager > Settings > Device Associations.
- Select the device you want to disassociate from Strata Logging Service and other products.
- Click Remove Associations > Remove product association and click Remove.
- Select the device you want to disassociate from the tenant.
- Click Remove Associations > Remove tenant association and click Remove.
Move a Software Firewall
Move a VM-Flex device from one Strata Logging Service instance to another.
- For qualifying user of Strata Logging Service: refer to the VM-series deployment guide.
- For non-qualifying user of Strata Logging Service:
  - In Strata Logging Service standalone app, navigate to Inventory > Firewalls > Manage Firewall Inventory > Manage flexible VM-Series firewalls > Move.
  - Select the firewall to connect to your Strata Logging Service instance.
  - Submit the changes.
View Onboarded Firewalls
- Check the connection status: Above the firewalls table, you can see the number of firewalls with each connection status. Select the chart icon (

The firewalls table shows the following fields:
- Name: The name under which the Customer Support Portal registered the Firewall. If unnamed, then the name appears as Firewall. You can change the firewall name in the Customer Support Portal.
- Model: The model of the firewall.
- Serial Number: The unique serial number of the firewall.
- PAN-OS Version: The version of PAN-OS that the firewall is running.
- Managed By Panorama: Whether a Panorama manages the firewall or not.
- Connection Status: Whether the firewall can connect to Strata Logging Service. This can have four different values:
  - Connected—The firewall has an active channel through which it's sending session logs to Strata Logging Service.
  - Partially Connected—The firewall does not have an active channel through which it's sending session logs to Strata Logging Service. However, it's sending Enhanced Application logs on a second channel.
  - Disconnected—The firewall does not have an active channel through which to send session logs to Strata Logging Service, and it's not sending Enhanced Application logs.
  - Need Certificate—The firewall does not have the certificate to connect to Strata Logging Service.
- Ingestion Rate: The rate, in logs per second, at which the firewall is sending logs to Strata Logging Service.
- (Non-qualifying users only) Storage Used: The amount of your Strata Logging Service storage capacity that a firewall is using at this point in time.
- Apps Using Log Data: All apps that consume data from the firewall.
- (Non-qualifying users only) Store Log Data: Choose whether Strata Logging Service stores firewall data or only ingests it.
  - On—Strata Logging Service will store the log data.
  - Off—Strata Logging Service will only ingest the log data.

  After you toggle On, Strata Logging Service can take up to 15 minutes to start storing log data for the firewall.
  If toggled On and grayed out, this switch means that the IoT Security package to which you subscribe requires that you store log data.
  You can set log retention policy for your entire Strata Logging Service instance from Storage > Configuration.
- Last Contact Time: The last time that the device communicated with Strata Logging Service, either to send logs or to report telemetry.
- Certificate Status: Whether the firewall has the certificate necessary to connect to Strata Logging Service. Hover over the certificate status to see which certificate the Panorama is using to connect to Strata Logging Service: logging service certificate or device certificate.
  - Needs Certificate—The certificate is missing. This device can't connect to Strata Logging Service.
  - Activated—This device has the certificate necessary to connect to Strata Logging Service.
  - Expired—The certificate has expired. The device is unable to connect to Strata Logging Service until you renew the certificate.
  - Expiring in 7 Days—The certificate will expire in 7 days. Renew the certificate as soon as possible to remain connected to Strata Logging Service.
- Check "only show firewalls that are storing logs" to hide the firewalls that send data to Strata Logging Service only for ingestion and further streaming to other Palo Alto Networks applications.
Cloud NGFW
View Cloud NGFW resources associated with your Strata Logging Service instance.
- ID: The ID of the Cloud NGFW resource.
- Ingestion Rate: The rate, in logs per second, at which Strata Logging Service is ingesting logs from a Cloud NGFW resource. This is a sum across all devices with the same resource ID.
- (Non-qualifying users only) Storage Used: The amount of your Strata Logging Service storage capacity that the Cloud NGFW resource is using. This is a sum across all devices with the same resource ID.
- Last Contact Time: The last time that the Cloud NGFW resource communicated with Strata Logging Service.
Prisma Access
View the Prisma Access instances associated with your Strata Logging Service instance.
- Instance Name: The name under which the Customer Support Portal registered the Prisma Access instance. If unnamed, then the name appears as Prisma Access.
- Ingestion Rate: The rate, in logs per second, at which Prisma Access is sending logs to Strata Logging Service.
- (Non-qualifying users only) Storage Used: The amount of your Strata Logging Service storage capacity that the Prisma Access instance is using at this point in time.
- Last Contact Time: The last time that the Prisma Access instance communicated with Strata Logging Service.