Strata Logging Service
Onboard Firewalls to Strata Logging Service without Panorama
Table of Contents
Expand All
|
Collapse All
Onboard Firewalls to Strata Logging Service without Panorama
Onboard Firewalls to Strata Logging Service without Panorama.
Where Can I Use This? | What Do I Need? |
---|---|
|
|
After you Activate Strata Logging Service,
onboard your devices to the service. How you do this depends on the a PAN-OS version of your devices. Ensure that
you have subscribed to a valid support license of Strata Logging Service(90
days software warranty is not counted as a valid support license).
Beginning with PAN-OS 10.1, you can install a device certificate on your firewalls
to simplify the onboarding process. Before you start sending logs to Strata Logging Service, you must install device certificates on as many firewalls
as you’d like to onboard. After you’ve installed the certificates, use the Strata Logging Service app to complete the onboarding process.
To start sending logs to Strata Logging Service, you must
generate the key that enables firewalls to securely connect to Strata Logging Service. Onboarding keys are valid for 24 hours and you can use a
single key for as many firewalls as you’d like to onboard during that 24-hour
period.
After you use the Strata Logging Service app to generate the
key, copy the key and save it for future reference. You cannot reference it again after
you close out of the Strata Logging Service app and you will need to add the key
to each firewall that you want to connect to Strata Logging Service. Generating a
new key invalidates any other keys that were generated in the previous 24 hours.
10.0 or Earlier
Directly onboard your firewalls running PAN-OS 10.1 or earlier to Strata Logging Service.
- On your firewalls, allow access to the ports and FQDNs required
to connect to Strata Logging Service. If you are using a proxy server,
allow the same ports and FQDNs on the server without SSL decryption. Ensure that you are not decrypting traffic to Strata Logging Service.
- (Optional) To configure firewall to connect to Strata Logging Service through a proxy server, select DeviceSetupServicesUse proxy to send logs to Strata Logging Service.
- By default, the management interface is used to forward logs to Strata Logging Service. If you choose not to use the management
interface, use a data interface by configuring destination service routes for the following
FQDNs: api.paloaltonetworks.com, apitrusted.paloaltonetworks.com,
lic.lc.prod.us.cs.paloaltonetworks.com,certificatetrusted.paloaltonetworks.com,
certificate.paloaltonetworks.com.
-
Select DeviceSetupServicesGlobal. Global on a firewall without multiple virtual system (multi-vsys) capability.
-
Under Services Features, click Service Route Configuration.
-
Select Customize.
-
Under Service, select the following:
-
Palo Alto Networks Services
-
CRL status
-
DNS
-
HTTP
-
NTP
-
-
Set Selected Service Routes.
-
Select the Source Interface you want to use for activation and then select a Source Address from that interface and click OK.
- Select Destination and Add a destination.
- Enter any of the FQDNs above as Destination.
- Select the same Source Interface and Source Address that you selected for activation and click OK.
- Add two more destinations for the same interface using the remaining FQDNs.
- Click OK again to exit Service Route Configuration.
- Update the access rules required to connect to Strata Logging Service for the new interface IP address.
-
- Configure NTP so that the firewall stays in sync with Strata Logging Service. Ignore this step if you have enabled proxy
configuration:
- On firewall, click DeviceSetupServices
- On firewall, click DeviceSetupServices
- Onboard the firewalls to a Strata Logging Service instance.Ignore this step if you don't have a Strata Logging Service license and want to send logs to Cortex XDR only.
- Log in to the hub and open the Strata Logging Service app.
- Select InventoryFirewallsGenerate PSK to generate the onboarding key. Copy or save the key so that you can use it in later steps.
If you have already connected the firewall to a Strata Logging Service instance and want to connect it to a new instance, first issue the following command from the firewall CLI:admin@PA-220> request logging-service-forwarding certificate delete
This will serve the connection between the firewall and the current Strata Logging Service instance. Then, simply follow the below procedure to connect to the new Strata Logging Service instance. - Log in to the firewall that you want to connect to Strata Logging Service.
- Select DeviceLicenses and confirm that the Strata Logging Service license is
active. Ensure that you have subscribed to a valid support license of Strata Logging Service(90 days software warranty is not counted as a
valid support license).When you purchased your Strata Logging Service license, all firewalls registered to your support account received a Strata Logging Service license. If you don’t see the Strata Logging Service license, Retrieve license keys from license server to manually refresh the firewall licenses.
- Set up the connection to Strata Logging Service and check connection
status:
- Select DeviceSetupManagement and find the Logging Service settings.
- (Important) Before you populate any other settings, find the
Onboard to Cloud option. Click
Connect and enter the
PSK (onboarding key) in the Strata Logging Service app. Then click
Connect again.After you connect you should see a pop-up dialog that confirms that the firewall is equipped with the certificate it needs to authenticate to Strata Logging Service. You can also check the Task Manager to confirm that the firewall successfully authenticated to Strata Logging Service.
- Enable Logging Service to connect the firewall
to Strata Logging Service. If you want the firewall to collect
data that increases visibility for Palo Alto Networks applications, like
Cortex XDR, you can also
Enable Enhanced Application Logging.Strata Logging Service logging doesn’t start until after you’ve specified the log types you want to forward. Complete these steps and then start sending logs to Strata Logging Service.Do not Enable Duplicate Logging. This option applies only to Panorama-managed firewalls.
- Select the geographic Region of the Strata Logging Service instance to which you want to forward logs. This is the region you chose when you activated Strata Logging Service.
- Commit and push the config to firewalls.
- Show Status to check Logging Service
Status. The status for License, Certificate, and
Customer Info should be green. You can also use this command to check
the certificate status along with other details related to Strata Logging Service:request logging-service-forwarding
status.There is a known issue where device connectivity does not display a green status indicator even when the firewall is successfully connected to Strata Logging Service.
- The firewall is now connected to Strata Logging Service but is not yet forwarding logs. Follow these steps to start sending logs and to best secure traffic between the firewall and Strata Logging Service.
10.1 or Later
Directly onboard your firewalls running PAN-OS 10.1 or later to Strata Logging Service.
Beginning with PAN-OS 10.1, you can install a device certificate on your
firewalls to simplify the onboarding process. Before you start sending logs to
Strata Logging Service, you must install device certificates on as
many firewalls as you’d like to onboard. After you’ve installed the certificates,
use the Strata Logging Service app to complete the onboarding
process.
Before you begin, ensure that your firewalls are running PAN-OS 10.1 or later and
that they have the device certificate installed.
- On your firewalls, allow access to the ports and FQDNs required
to connect to Strata Logging Service. If you are using a proxy
server, allow the same ports and FQDNs on the server without SSL decryption. Ensure that you are not decrypting traffic to Strata Logging Service.
- (Optional) To configure firewall to connect to Strata Logging Service through a proxy server, select DeviceSetupServicesUse proxy to send logs to Strata Logging Service.
- By default, the management interface is used to forward logs to Strata Logging Service. If you choose not to use the management
interface, use a data interface by configuring destination service routes for the following
FQDNs: api.paloaltonetworks.com, apitrusted.paloaltonetworks.com,
lic.lc.prod.us.cs.paloaltonetworks.com,certificatetrusted.paloaltonetworks.com,
certificate.paloaltonetworks.com.
-
Select DeviceSetupServicesGlobal. Global on a firewall without multiple virtual system (multi-vsys) capability.
-
Under Services Features, click Service Route Configuration.
-
Select Customize.
-
Under Service, select the following:
-
Palo Alto Networks Services
-
CRL status
-
DNS
-
HTTP
-
NTP
-
-
Set Selected Service Routes.
-
Select the Source Interface you want to use for activation and then select a Source Address from that interface and click OK.
- Select Destination and Add a destination.
- Enter any of the FQDNs above as Destination.
- Select the same Source Interface and Source Address that you selected for activation and click OK.
- Add two more destinations for the same interface using the remaining two FQDNs.
- Click OK again to exit Service Route Configuration.
- Update the access rules required to connect to Strata Logging Service for the new interface IP address.
-
- Configure NTP so that the firewall stays in sync with Strata Logging Service. Ignore this step if you have enabled proxy
configuration:
- On firewall, click DeviceSetupServices
- On firewall, click DeviceSetupServices
- Install a device certificate on the
firewalls that you want to connect to Strata Logging Service. If you
are switching from Strata Logging Service certificate to device
certificate, run the following command to restart management-server:
> debug software restart process management-server
- Restarting the management server process does not impact the packet forwarding except that the logged-in user will be signed out from the web interface and CLI.
- It is recommended to perform any process restart during non-peak hours or during a maintenance window.
- Onboard the firewalls to a Strata Logging Service instance.Ignore this step if you don't have a Strata Logging Service license and want to send logs to Cortex XDR only.
- Log in to the hub and open the Strata Logging Service app to the instance to which you are onboarding.
- Select InventoryFirewallsAdd.
- Select New and Next.
- Select the firewalls to connect to Strata Logging Service and choose whether Strata Logging Service will store or only ingest their data.
- Submit your choices.
- Select DeviceLicenses and confirm that the Strata Logging Service license
is active. Ensure that you have subscribed to a valid support license of
Strata Logging Service(90 days software warranty is not counted
as a valid support license).When you purchased your Strata Logging Service license, all firewalls registered to your support account received a Strata Logging Service license. If you don’t see the Strata Logging Service license, Retrieve license keys from license server to manually refresh the firewall licenses.
- Set up the connection to Strata Logging Service and check
connection status:
- Select DeviceSetupManagement and find the Logging Service settings.
- Enable Logging Service to connect the firewall
to Strata Logging Service. If you want the firewall to
collect data that increases visibility for Palo Alto Networks
applications, like Cortex XDR, you can also
Enable Enhanced Application Logging.Strata Logging Service logging doesn’t start until after you’ve specified the log types you want to forward. Complete these steps and then start sending logs to Strata Logging Service.Do not Enable Duplicate Logging. This option applies only to Panorama-managed firewalls.
- Commit and push the config to firewalls.
- Show Status to check Logging Service
Status (Strata Logging Service). The status
for License, Certificate, and Customer Info should be green.You can also use this command to check the certificate status along with other details related to Strata Logging Service:request logging-service-forwarding status
- The firewall is now connected to Strata Logging Service but is not yet forwarding logs. Follow these steps to start sending logs and to best secure traffic between the firewall and Strata Logging Service.