10.0 or Earlier

1. On your firewalls, allow access to the ports and FQDNs required to connect to Strata Logging Service. If you are using a proxy server, allow the same ports and FQDNs on the server without SSL decryption.
   Ensure that you are not decrypting traffic to Strata Logging Service.
2. (Optional) To configure firewall to connect to Strata Logging Service through a proxy server:
   • On firewall, select DeviceSetupServicesUse proxy to send logs to Strata Logging Service
   • On Panorama, select SetupServicesUse proxy to send logs to Strata Logging Service
3. By default, the management interface is used to forward logs to Strata Logging Service. If you choose not to use the management interface, use a data interface by configuring destination service routes for the following FQDNs: api.paloaltonetworks.com, apitrusted.paloaltonetworks.com, lic.lc.prod.us.cs.paloaltonetworks.com,certificatetrusted.paloaltonetworks.com, certificate.paloaltonetworks.com.
   1. Select DeviceSetupServicesGlobal. Global on a firewall without multiple virtual system (multi-vsys) capability.
   2. Under Services Features, click Service Route Configuration.
   3. Select Customize.
   4. Under Service, select the following:
      • Palo Alto Networks Services
      • CRL status
      • DNS
      • HTTP
      • NTP
   5. Set Selected Service Routes.
   6. Select the Source Interface you want to use for activation and then select a Source Address from that interface and click OK.

   7. Select Destination and Add a destination.
   8. Enter any of the FQDNs above as Destination.

   9. Select the same Source Interface and Source Address that you selected for activation and click OK.
   10. Add two more destinations for the same interface using the remaining two FQDNs.

   11. Click OK again to exit Service Route Configuration.
   12. Update the access rules required to connect to Strata Logging Service for the new interface IP address.
4. Configure NTP so that the firewall stays in sync with Strata Logging Service. Ignore this step if you have enabled proxy configuration:
   • On firewall, click DeviceSetupServices
     and set it to the same NTP Server Address on Panorama. For example: pool.ntp.org.
5. Add the firewall as a managed device on Panorama.
6. Retrieve and push the Strata Logging Service licenses for managed firewalls. Ensure that you have subscribed to a valid support license of Strata Logging Service(90 days software warranty is not counted as a valid support license).
   1. From Panorama, select PanoramaDevice DeploymentLicense.
   2. First Refresh and then select the firewalls from the list. Panorama retrieves the licenses, deploys them to the selected firewalls, and updates the licensing status on the Panorama web interface.
      Make sure you see that Panorama successfully installed the Strata Logging Service license on the firewall.

      Do not Refresh again until the first refresh completes. When the refresh completes, you will see that Status shows Completed and Progress is 100%. There are also Details about whether the refresh succeeded.
7. (Optional)If you have not created a template and a device group, from Panorama create a template and a device group to push log forwarding settings to the firewalls from which you want to forward logs to Strata Logging Service.
8. Enable the firewalls in the template to send logs to Strata Logging Service and select the region where you want the logs stored.
   • If some firewalls in your deployment are sending logs to dedicated Log Collectors or to Panorama with a local Log Collector, only firewalls that belong to the template with the Enable Strata Logging Service option selected can send logs to Strata Logging Service.
   • You cannot onboard firewalls to send logs to Strata Logging Service hosted in China region.
   1. Select DeviceSetupManagement.
   2. Select the Template that contains the firewalls from which you want to forward logs to Strata Logging Service.
   3. Edit the Strata Logging Service settings.
   4. Enable either of the two following options:
      • Enable Logging Service—Send and save logs to Strata Logging Service only. With this option, use Explore or Panorama to see and interact with your log data.
      • Enable Duplicate Logging—For firewalls running PAN-OS 8.1 and later releases, you can send and save logs both to Strata Logging Service and to your Panorama and log collection setup. Firewalls save a copy of all log data to both Panorama and Strata Logging Service except for system and config logs, which are sent to Panorama only.

      To forward logs to Strata Logging Service with Duplicate Logging enabled, you must add the firewalls with the option enabled to a Collector Group.
   5. Enable Enhanced Application Logging to allow the firewall to collect data for apps running the Palo Alto Networks Cloud Services environment. These logs provide Palo Alto Networks Cloud services apps increased visibility into network activity and, in some cases, are required to support app features.
   6. Select the Region where you want to forward logs for the firewalls associated with this template and then click OK.
      Starting with PAN-OS 9.0.2, there is an option to Onboard Without Panorama. This setting is used only for firewalls that are not managed by Panorama; there’s no need to populate it when you’re enabling Panorama-managed firewalls to forward logs to Strata Logging Service.
   7. (Panorama 9.0 or later releases only) Specify the Connection count to Strata Logging Service for PA-7000s and PA-5200s.
      Specify the number of connections that are established between the firewalls and Strata Logging Service for forwarding logs to Strata Logging Service (range is 1 to 20; default is 5).
   8. (Optional) Configure interfaces and zones in the template.
   9. Commit and push the config to the firewalls.
9. Firewall fetches a certificate automatically after pushing the configuration. To check the certificate status:
   • On Panorama, click Panorama > Managed Devices > Troubleshooting > Test Cloud Logging Service Status.
   • On firewall, click Device > Setup > Management and find the Logging Service settings. Show Status to check Strata Logging Service status.
   • Run the command locally:

     request logging-service-forwarding status

   If a certificate was not fetched for a firewall, run this command locally to fetch a certificate:

   request logging-service-forwarding certificate fetch

10. Enable Panorama-managed firewalls to send logs to Strata Logging Service.
    Remember that for any firewalls from which you want to forward logs to Strata Logging Service and that are not already managed by Panorama, you first need to add the firewalls to Panorama as managed devices.