Onboard Firewalls to Strata Logging Service without Panorama
Where Can I Use This?
  • NGFW (Managed by PAN-OS or Panorama)
  • NGFW (Managed by Strata Cloud Manager)
What Do I Need?
  • Strata Logging Service
  • AIOps for NGFW Premium
After you Activate Strata Logging Service, onboard your devices to the service. How you do this depends on the PAN-OS version of your devices. Ensure that you have subscribed to a valid support license for Strata Logging Service (the 90-day software warranty does not count as a valid support license).
Beginning with PAN-OS 10.1, you can install a device certificate on your firewalls to simplify the onboarding process. Before you start sending logs to Strata Logging Service, you must install device certificates on as many firewalls as you’d like to onboard. After you’ve installed the certificates, use the Strata Logging Service app to complete the onboarding process.
To start sending logs to Strata Logging Service, you must generate the key that enables firewalls to securely connect to Strata Logging Service. Onboarding keys are valid for 24 hours and you can use a single key for as many firewalls as you’d like to onboard during that 24-hour period.
After you use the Strata Logging Service app to generate the key, copy the key and save it for future reference. You cannot reference it again after you close out of the Strata Logging Service app and you will need to add the key to each firewall that you want to connect to Strata Logging Service. Generating a new key invalidates any other keys that were generated in the previous 24 hours.

10.0 or Earlier

Directly onboard your firewalls running PAN-OS 10.0 or earlier to Strata Logging Service.
  1. On your firewalls, allow access to the ports and FQDNs required to connect to Strata Logging Service. If you are using a proxy server, allow the same ports and FQDNs on the server without SSL decryption.
    Ensure that you are not decrypting traffic to Strata Logging Service.
  2. (Optional) To configure the firewall to connect to Strata Logging Service through a proxy server, select Device > Setup > Services > Use proxy to send logs to Strata Logging Service.
  3. By default, the management interface is used to forward logs to Strata Logging Service. If you choose not to use the management interface, use a data interface by configuring destination service routes for the following FQDNs: api.paloaltonetworks.com, apitrusted.paloaltonetworks.com, lic.lc.prod.us.cs.paloaltonetworks.com, certificatetrusted.paloaltonetworks.com, certificate.paloaltonetworks.com.
    1. Select Device > Setup > Services > Global on a firewall with multiple virtual system (multi-vsys) capability, or Device > Setup > Services on a firewall without it.
    2. Under Services Features, click Service Route Configuration.
    3. Select Customize.
    4. Under Service, select the following:
      • Palo Alto Networks Services
      • CRL status
      • DNS
      • HTTP
      • NTP
    5. Set Selected Service Routes.
    6. Select the Source Interface you want to use for activation and then select a Source Address from that interface and click OK.
    7. Select Destination and Add a destination.
    8. Enter any of the FQDNs above as Destination.
    9. Select the same Source Interface and Source Address that you selected for activation and click OK.
    10. Add a destination for each of the remaining FQDNs, using the same Source Interface and Source Address.
    11. Click OK again to exit Service Route Configuration.
    12. Update the access rules required to connect to Strata Logging Service for the new interface IP address.
  4. Configure NTP so that the firewall stays in sync with Strata Logging Service. Ignore this step if you have enabled proxy configuration:
    • On the firewall, select Device > Setup > Services and set the NTP Server Address. For example: pool.ntp.org.
  5. Onboard the firewalls to a Strata Logging Service instance.
    Ignore this step if you don't have a Strata Logging Service license and want to send logs to Cortex XDR only.
    1. Log in to the hub and open the Strata Logging Service app.
    2. Select Inventory > Firewalls > Generate PSK to generate the onboarding key. Copy or save the key so that you can use it in later steps.
    If you have already connected the firewall to a Strata Logging Service instance and want to connect it to a new instance, first issue the following command from the firewall CLI:
    admin@PA-220> request logging-service-forwarding certificate delete
    This severs the connection between the firewall and the current Strata Logging Service instance. Then follow the procedure below to connect to the new Strata Logging Service instance.
  6. Log in to the firewall that you want to connect to Strata Logging Service.
  7. Select Device > Licenses and confirm that the Strata Logging Service license is active. Ensure that you have subscribed to a valid support license for Strata Logging Service (the 90-day software warranty does not count as a valid support license).
    When you purchased your Strata Logging Service license, all firewalls registered to your support account received a Strata Logging Service license. If you don’t see the Strata Logging Service license, Retrieve license keys from license server to manually refresh the firewall licenses.
  8. Set up the connection to Strata Logging Service and check connection status:
    1. Select Device > Setup > Management and find the Logging Service settings.
    2. (Important) Before you populate any other settings, find the Onboard to Cloud option. Click Connect, enter the PSK (onboarding key) that you generated in the Strata Logging Service app, and click Connect again.
      After you connect you should see a pop-up dialog that confirms that the firewall is equipped with the certificate it needs to authenticate to Strata Logging Service. You can also check the Task Manager to confirm that the firewall successfully authenticated to Strata Logging Service.
    3. Enable Logging Service to connect the firewall to Strata Logging Service. If you want the firewall to collect data that increases visibility for Palo Alto Networks applications, like Cortex XDR, you can also Enable Enhanced Application Logging.
      Strata Logging Service logging doesn’t start until after you’ve specified the log types you want to forward. Complete these steps and then start sending logs to Strata Logging Service.
      Do not Enable Duplicate Logging. This option applies only to Panorama-managed firewalls.
    4. Select the geographic Region of the Strata Logging Service instance to which you want to forward logs. This is the region you chose when you activated Strata Logging Service.
    5. Commit and push the config to firewalls.
    6. Show Status to check Logging Service Status. The status for License, Certificate, and Customer Info should be green. You can also check the certificate status, along with other details related to Strata Logging Service, from the firewall CLI:
    admin@PA-220> request logging-service-forwarding status
      There is a known issue where device connectivity does not display a green status indicator even when the firewall is successfully connected to Strata Logging Service.
  9. The firewall is now connected to Strata Logging Service but is not yet forwarding logs. Follow these steps to start sending logs and to best secure traffic between the firewall and Strata Logging Service.
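Step 1 of this procedure (and of the 10.1-or-later procedure that follows) requires that the Strata Logging Service FQDNs be reachable and that nothing in the path decrypts the traffic. The following script is an added example, not Palo Alto Networks code and not part of the documented procedure: run from a host on the same egress path as the firewall interface you chose in step 3, it opens a TLS connection to each FQDN listed on this page and checks whether the certificate chain presented validates against the local trust store. A chain that fails validation is the usual sign of a proxy that is performing SSL decryption and presenting its own certificate. TCP port 443 and the 5-second timeout are assumptions; this page does not list the required ports, so check them against your required-ports list.

```python
"""Preflight check for the Strata Logging Service egress path.

Example code added to this page; not Palo Alto Networks code.  Assumes the
service FQDNs answer TLS on TCP 443 (the page does not list ports) and that
this host shares the firewall's egress path, so what it sees is what the
firewall will see.
"""
import socket
import ssl
from dataclasses import dataclass

# FQDNs named in step 3 of this page.
SLS_FQDNS = [
    "api.paloaltonetworks.com",
    "apitrusted.paloaltonetworks.com",
    "lic.lc.prod.us.cs.paloaltonetworks.com",
    "certificatetrusted.paloaltonetworks.com",
    "certificate.paloaltonetworks.com",
]
TLS_PORT = 443          # assumption, see lead-in
TIMEOUT_SECONDS = 5.0   # assumption


@dataclass
class TlsProbe:
    host: str
    reachable: bool      # TCP connect succeeded
    verified: bool       # chain and hostname validated against the local trust store
    issuer: str = ""     # issuer of the leaf certificate actually presented
    error: str = ""


def _issuer_string(cert: dict) -> str:
    """Flatten the 'issuer' tuple returned by ssl.SSLSocket.getpeercert()."""
    parts = []
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            parts.append(f"{key}={value}")
    return ", ".join(parts)


def probe_tls(host: str, port: int = TLS_PORT, timeout: float = TIMEOUT_SECONDS) -> TlsProbe:
    """Connect, complete the TLS handshake with verification on, report what was seen."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return TlsProbe(host, True, True, _issuer_string(tls.getpeercert()))
    except ssl.SSLCertVerificationError as exc:
        # TCP and the handshake got through, but the chain did not validate:
        # something in the path is presenting a certificate of its own.
        return TlsProbe(host, True, False, error=exc.verify_message)
    except OSError as exc:
        # DNS failure, refused connection, timeout: the path is blocked.
        return TlsProbe(host, False, False, error=str(exc))


def verdict(probe: TlsProbe) -> str:
    """Map a probe result onto the three outcomes that matter for step 1."""
    if not probe.reachable:
        return "BLOCKED"
    if not probe.verified:
        return "INTERCEPTED"
    return "OK"


def preflight(hosts=SLS_FQDNS) -> dict:
    """Probe every FQDN and return {fqdn: verdict}."""
    return {host: verdict(probe_tls(host)) for host in hosts}


if __name__ == "__main__":
    for host in SLS_FQDNS:
        probe = probe_tls(host)
        detail = probe.issuer if probe.verified else probe.error
        print(f"{verdict(probe):<12} {host:<45} {detail}")
```

If a host reports OK but the issuer printed is your own proxy or enterprise CA, this machine trusts a decrypting proxy that the firewall will not trust; exempt the FQDNs from decryption on that proxy before continuing. BLOCKED results point at the access rules (or, for a data interface, the service routes) from step 3.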

10.1 or Later

Directly onboard your firewalls running PAN-OS 10.1 or later to Strata Logging Service.
Before you begin, ensure that your firewalls are running PAN-OS 10.1 or later and that they have the device certificate installed.
  1. On your firewalls, allow access to the ports and FQDNs required to connect to Strata Logging Service. If you are using a proxy server, allow the same ports and FQDNs on the server without SSL decryption.
    Ensure that you are not decrypting traffic to Strata Logging Service.
  2. (Optional) To configure the firewall to connect to Strata Logging Service through a proxy server, select Device > Setup > Services > Use proxy to send logs to Strata Logging Service.
  3. By default, the management interface is used to forward logs to Strata Logging Service. If you choose not to use the management interface, use a data interface by configuring destination service routes for the following FQDNs: api.paloaltonetworks.com, apitrusted.paloaltonetworks.com, lic.lc.prod.us.cs.paloaltonetworks.com, certificatetrusted.paloaltonetworks.com, certificate.paloaltonetworks.com.
    1. Select Device > Setup > Services > Global on a firewall with multiple virtual system (multi-vsys) capability, or Device > Setup > Services on a firewall without it.
    2. Under Services Features, click Service Route Configuration.
    3. Select Customize.
    4. Under Service, select the following:
      • Palo Alto Networks Services
      • CRL status
      • DNS
      • HTTP
      • NTP
    5. Set Selected Service Routes.
    6. Select the Source Interface you want to use for activation and then select a Source Address from that interface and click OK.
    7. Select Destination and Add a destination.
    8. Enter any of the FQDNs above as Destination.
    9. Select the same Source Interface and Source Address that you selected for activation and click OK.
    10. Add a destination for each of the remaining FQDNs, using the same Source Interface and Source Address.
    11. Click OK again to exit Service Route Configuration.
    12. Update the access rules required to connect to Strata Logging Service for the new interface IP address.
  4. Configure NTP so that the firewall stays in sync with Strata Logging Service. Ignore this step if you have enabled proxy configuration:
    • On the firewall, select Device > Setup > Services and set the NTP Server Address. For example: pool.ntp.org.
  5. Install a device certificate on the firewalls that you want to connect to Strata Logging Service. If you are switching from the Strata Logging Service certificate to the device certificate, run the following command to restart the management server:
    > debug software restart process management-server
    • Restarting the management server process does not impact the packet forwarding except that the logged-in user will be signed out from the web interface and CLI.
    • It is recommended to perform any process restart during non-peak hours or during a maintenance window.
  6. Onboard the firewalls to a Strata Logging Service instance.
    Ignore this step if you don't have a Strata Logging Service license and want to send logs to Cortex XDR only.
    1. Log in to the hub and open the Strata Logging Service app for the instance to which you are onboarding.
    2. Select Inventory > Firewalls > Add.
    3. Select New and Next.
    4. Select the firewalls to connect to Strata Logging Service and choose whether Strata Logging Service will store or only ingest their data.
    5. Submit your choices.
  7. Select Device > Licenses and confirm that the Strata Logging Service license is active. Ensure that you have subscribed to a valid support license for Strata Logging Service (the 90-day software warranty does not count as a valid support license).
    When you purchased your Strata Logging Service license, all firewalls registered to your support account received a Strata Logging Service license. If you don’t see the Strata Logging Service license, Retrieve license keys from license server to manually refresh the firewall licenses.
  8. Set up the connection to Strata Logging Service and check connection status:
    1. Select Device > Setup > Management and find the Logging Service settings.
    2. Enable Logging Service to connect the firewall to Strata Logging Service. If you want the firewall to collect data that increases visibility for Palo Alto Networks applications, like Cortex XDR, you can also Enable Enhanced Application Logging.
      Strata Logging Service logging doesn’t start until after you’ve specified the log types you want to forward. Complete these steps and then start sending logs to Strata Logging Service.
      Do not Enable Duplicate Logging. This option applies only to Panorama-managed firewalls.
    3. Commit and push the config to firewalls.
    4. Show Status to check Logging Service Status (Strata Logging Service). The status for License, Certificate, and Customer Info should be green.
      You can also check the certificate status, along with other details related to Strata Logging Service, from the firewall CLI:
      admin@PA-220> request logging-service-forwarding status
  9. The firewall is now connected to Strata Logging Service but is not yet forwarding logs. Follow these steps to start sending logs and to best secure traffic between the firewall and Strata Logging Service.
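Without Panorama, step 8 has to be verified on each firewall individually. The following script is an added example, not Palo Alto Networks code, that does this across a list of firewalls through the PAN-OS XML API: it is the scripted equivalent of running `request logging-service-forwarding status` on each CLI. Assumptions: each firewall's management interface answers the XML API on TCP 443 with a certificate this host trusts, you already hold an API key for an account with operational-command rights, the op-command XML below is the usual CLI-to-XML mapping of the status (and certificate delete) commands, and the `PAN_API_KEY` and `PAN_HOSTS` environment variable names are invented for this example. Because this page does not show the layout of the status command's output, the script prints the result text exactly as the firewall returns it rather than parsing fields from it.

```python
"""Run `request logging-service-forwarding status` on many firewalls via the
PAN-OS XML API.  Example code added to this page; not Palo Alto Networks code.

Assumptions: XML API reachable on TCP 443 with a trusted certificate, an
existing API key, and the standard CLI-to-XML mapping of the op commands.
"""
import os
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# CLI-to-XML mapping of the two commands named on this page (assumption).
STATUS_CMD = (
    "<request><logging-service-forwarding><status></status>"
    "</logging-service-forwarding></request>"
)
# Severs the firewall's connection to its current instance (see step 5);
# defined here for reference and never run by default.
DELETE_CERT_CMD = (
    "<request><logging-service-forwarding><certificate><delete></delete>"
    "</certificate></logging-service-forwarding></request>"
)


def build_op_url(host: str, cmd_xml: str) -> str:
    """URL for an operational command; urlencode escapes the XML for the query string."""
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd_xml})
    return f"https://{host}/api/?{query}"


def parse_op_response(xml_text: str) -> dict:
    """Return {'ok': bool, 'text': result text or the error message}."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        # Error responses carry the message under <result><msg>.
        return {"ok": False, "text": "".join(root.itertext()).strip()}
    result = root.find("result")
    text = "".join(result.itertext()).strip() if result is not None else ""
    return {"ok": True, "text": text}


def run_op(host: str, api_key: str, cmd_xml: str = STATUS_CMD, timeout: float = 15.0) -> dict:
    """Send one op command with the key in the X-PAN-KEY header and parse the reply."""
    request = urllib.request.Request(build_op_url(host, cmd_xml), headers={"X-PAN-KEY": api_key})
    ctx = ssl.create_default_context()  # keep verification on; load your internal CA here if needed
    with urllib.request.urlopen(request, timeout=timeout, context=ctx) as response:
        return parse_op_response(response.read().decode("utf-8", "replace"))


def fleet_status(hosts, api_key: str) -> dict:
    """Query every firewall, never letting one unreachable host abort the run."""
    results = {}
    for host in hosts:
        try:
            results[host] = run_op(host, api_key)
        except OSError as exc:  # DNS, TCP, TLS and HTTP-level failures
            results[host] = {"ok": False, "text": str(exc)}
        except ET.ParseError as exc:  # non-XML reply, e.g. a captive portal or proxy page
            results[host] = {"ok": False, "text": f"unparseable response: {exc}"}
    return results


if __name__ == "__main__":
    # PAN_API_KEY and PAN_HOSTS (comma-separated) are names invented for this example.
    api_key = os.environ["PAN_API_KEY"]
    hosts = [h.strip() for h in os.environ.get("PAN_HOSTS", "").split(",") if h.strip()]
    for host, result in fleet_status(hosts, api_key).items():
        print(f"== {host}: {'success' if result['ok'] else 'ERROR'}")
        print(result["text"], end="\n\n")
```

Keep the API key out of the command line and shell history (an environment variable or a secrets manager), and do not run `DELETE_CERT_CMD` against a firewall unless you intend to move it to a different Strata Logging Service instance, since it severs the existing connection.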